Difference between revisions of "HTTPS Certificate Configuration (Version 3.x and earlier)"

From Proxmox VE
Jump to navigation Jump to search
(Updated for 3.0)
Line 2: Line 2:
  
 
This is a mini-howto for changing the web server certificate in Proxmox, so that you can have a certificate created with a custom CA.
 
This is a mini-howto for changing the web server certificate in Proxmox, so that you can have a certificate created with a custom CA.
It has been tested on a Proxmox 2.1 installation.
+
It has been tested on a Proxmox VE 3.0 installation, using certificates from https://www.cacert.org/.
 
          
 
          
 
3 files are needed:
 
3 files are needed:
Line 14: Line 14:
 
1. Backup PVE created files
 
1. Backup PVE created files
 
  cp /etc/pve/pve-root-ca.pem  /etc/pve/pve-root-ca.pem.orig
 
  cp /etc/pve/pve-root-ca.pem  /etc/pve/pve-root-ca.pem.orig
cp /etc/pve/pve-www.pem      /etc/pve/pve-www.pem.orig
 
 
  cp /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.orig
 
  cp /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.orig
 
  cp /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.orig
 
  cp /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.orig
 
          
 
          
 
2. Copy your own certificates
 
2. Copy your own certificates
cp server.key /etc/pve/pve-www.pem
 
 
  cp server.key /etc/pve/local/pve-ssl.key
 
  cp server.key /etc/pve/local/pve-ssl.key
 
  cp server.pem /etc/pve/local/pve-ssl.pem
 
  cp server.pem /etc/pve/local/pve-ssl.pem
 
  cp ca.crt    /etc/pve/pve-root-ca.pem
 
  cp ca.crt    /etc/pve/pve-root-ca.pem
 
          
 
          
3. Restart the API server
+
3. Restart the API server and pvedaemon
 
  service pveproxy restart
 
  service pveproxy restart
 +
service pvedaemon restart
 
          
 
          
That's it. It is important to change ''/etc/pve/pve-www.pem'' and ''/etc/pve/pve-root-ca.pem'' because otherwise VM console won't load due to a Java cert validation error.
+
That's it.
  
If you have a Promox cluster, this has to be done on all nodes. To test the changes in one node before changing configuration in other nodes, please make sure you log in the web interface in the correct node.
+
If you have a Proxmox cluster, this has to be done on all nodes (only the /etc/pve/local part). To test the changes in one node before changing configuration in other nodes, please make sure you log in the web interface in the correct node.
  
 
[[Category: HOWTO]]
 
[[Category: HOWTO]]

Revision as of 13:10, 28 May 2013

HTTPS Certificate Configuration

This is a mini-howto for changing the web server certificate in Proxmox, so that you can have a certificate created with a custom CA. It has been tested on a Proxmox VE 3.0 installation, using certificates from https://www.cacert.org/.

3 files are needed:

  • ca.crt : CA certificate file in PEM format
  • server.key : non-password protected private key
  • server.pem : server certificate from CA in PEM format

You can create the previous files following any standard openssl certificate generation HOWTO.

1. Backup PVE created files

cp /etc/pve/pve-root-ca.pem   /etc/pve/pve-root-ca.pem.orig
cp /etc/pve/local/pve-ssl.key /etc/pve/local/pve-ssl.key.orig
cp /etc/pve/local/pve-ssl.pem /etc/pve/local/pve-ssl.pem.orig
       

2. Copy your own certificates

cp server.key /etc/pve/local/pve-ssl.key
cp server.pem /etc/pve/local/pve-ssl.pem
cp ca.crt     /etc/pve/pve-root-ca.pem
       

3. Restart the API server and pvedaemon

service pveproxy restart
service pvedaemon restart
       

That's it.

If you have a Proxmox cluster, this has to be done on all nodes (only the /etc/pve/local part). To test the changes in one node before changing configuration in other nodes, please make sure you log in the web interface in the correct node.