docs: certificates
manually adapt to differences between PMG and PBS Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
This commit is contained in:
Stoiko Ivanov
Thomas Lamprecht
parent
6189b956b6
commit
cbd7db1d7f
@ -3,32 +3,28 @@
|
|||||||
Certificate Management
|
Certificate Management
|
||||||
----------------------
|
----------------------
|
||||||
|
|
||||||
Access to the web-based administration interface is always encrypted
|
Access to the API and thus the web-based administration interface is always
|
||||||
through ``https``. Each `Proxmox Backup`_ host creates by default its
|
encrypted through ``https``. Each `Proxmox Backup`_ host creates by default its
|
||||||
own (self-signed) certificate. This certificate is used for encrypted
|
own (self-signed) certificate. This certificate is used for encrypted
|
||||||
communication with the host’s ``proxmox-backup-proxy`` service, for any API call
|
communication with the host’s ``proxmox-backup-proxy`` service, for any API
|
||||||
between a user and the web-interface or between nodes in a cluster.
|
call between a user or backup-client and the web-interface.
|
||||||
|
|
||||||
Certificate verification in a `Proxmox Backup`_ cluster is done based
|
Certificate verification when sending backups to a `Proxmox Backup`_ server
|
||||||
on pinning the certificate fingerprints in the cluster configuration and
|
is either done based on pinning the certificate fingerprints in the storage/remote
|
||||||
verifying that they match on connection.
|
configuration, or by using certificates, signed by a trusted certificate authority.
|
||||||
|
|
||||||
.. _sysadmin_certs_api_gui:
|
.. _sysadmin_certs_api_gui:
|
||||||
|
|
||||||
Certificates for the API and SMTP
|
Certificates for the API and SMTP
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
`Proxmox Backup`_ uses two different certificates:
|
`Proxmox Backup`_ stores it certificate and key in:
|
||||||
|
|
||||||
- ``/etc/proxmox-backup/proxy.pem``: the required certificate used for Proxmox
|
- ``/etc/proxmox-backup/proxy.pem``
|
||||||
Mail Gateway API requests.
|
|
||||||
|
|
||||||
- ``/etc/pmg/pmg-tls.pem``: the optional certificate used for SMTP TLS
|
- ``/etc/proxmox-backup/proxy.key``
|
||||||
connections, see `mailproxy TLS
|
|
||||||
configuration <#proxmox-backup-manager_mailproxy_tls>`_
|
|
||||||
`??? <#proxmox-backup-manager_mailproxy_tls>`_ for details.
|
|
||||||
|
|
||||||
You have the following options for these certificates:
|
You have the following options for the certificate:
|
||||||
|
|
||||||
1. Keep using the default self-signed certificate in
|
1. Keep using the default self-signed certificate in
|
||||||
``/etc/proxmox-backup/proxy.pem``.
|
``/etc/proxmox-backup/proxy.pem``.
|
||||||
@ -37,8 +33,8 @@ You have the following options for these certificates:
|
|||||||
commercial Certificate Authority (CA)).
|
commercial Certificate Authority (CA)).
|
||||||
|
|
||||||
3. Use an ACME provider like Let’s Encrypt to get a trusted certificate
|
3. Use an ACME provider like Let’s Encrypt to get a trusted certificate
|
||||||
with automatic renewal; this is also integrated in the Proxmox Mail
|
with automatic renewal; this is also integrated in the `Proxmox Backup`_
|
||||||
Gateway API and web interface.
|
API and web interface.
|
||||||
|
|
||||||
Certificates are managed through the `Proxmox Backup`_
|
Certificates are managed through the `Proxmox Backup`_
|
||||||
web-interface/API or using the the ``proxmox-backup-manager`` CLI tool.
|
web-interface/API or using the the ``proxmox-backup-manager`` CLI tool.
|
||||||
@ -109,7 +105,7 @@ ACME Plugins
|
|||||||
^^^^^^^^^^^^
|
^^^^^^^^^^^^
|
||||||
|
|
||||||
The ACME plugin’s role is to provide automatic verification that you,
|
The ACME plugin’s role is to provide automatic verification that you,
|
||||||
and thus the `Proxmox Backup`_ cluster under your operation, are the
|
and thus the `Proxmox Backup`_ server under your operation, are the
|
||||||
real owner of a domain. This is the basic building block of automatic
|
real owner of a domain. This is the basic building block of automatic
|
||||||
certificate management.
|
certificate management.
|
||||||
|
|
||||||
@ -129,7 +125,6 @@ box, you can configure plugins either over the web interface under
|
|||||||
``proxmox-backup-manager acme plugin add`` command.
|
``proxmox-backup-manager acme plugin add`` command.
|
||||||
|
|
||||||
ACME Plugin configurations are stored in ``/etc/proxmox-backup/acme/plugins.cfg``.
|
ACME Plugin configurations are stored in ``/etc/proxmox-backup/acme/plugins.cfg``.
|
||||||
A plugin is available for all nodes in the cluster.
|
|
||||||
|
|
||||||
.. _domains:
|
.. _domains:
|
||||||
|
|
||||||
@ -146,10 +141,7 @@ desired ACME account is selected, you can order your new certificate
|
|||||||
over the web-interface. On success, the interface will reload after
|
over the web-interface. On success, the interface will reload after
|
||||||
roughly 10 seconds.
|
roughly 10 seconds.
|
||||||
|
|
||||||
Renewal will happen
|
Renewal will happen `automatically <#sysadmin-certs-acme-automatic-renewal>`_
|
||||||
`automatically <#sysadmin_certs_acme_automatic_renewal>`_ `Automatic
|
|
||||||
renewal of ACME
|
|
||||||
certificates <#sysadmin_certs_acme_automatic_renewal>`_.
|
|
||||||
|
|
||||||
.. _sysadmin_certs_acme_http_challenge:
|
.. _sysadmin_certs_acme_http_challenge:
|
||||||
|
|
||||||
@ -163,8 +155,7 @@ port 80.
|
|||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
The name ``standalone`` means that it can provide the validation on
|
The name ``standalone`` means that it can provide the validation on
|
||||||
its own, without any third party service. So this plugin also works
|
its own, without any third party service.
|
||||||
for cluster nodes.
|
|
||||||
|
|
||||||
There are a few prerequisites to use this for certificate management
|
There are a few prerequisites to use this for certificate management
|
||||||
with Let’s Encrypts ACME.
|
with Let’s Encrypts ACME.
|
||||||
@ -269,7 +260,7 @@ Automatic renewal of ACME certificates
|
|||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
If a node has been successfully configured with an ACME-provided
|
If a node has been successfully configured with an ACME-provided
|
||||||
certificate (either via proxmox-backup-manager or via the web-interface/API), the
|
certificate (either via ``proxmox-backup-manager`` or via the web-interface/API), the
|
||||||
certificate will be renewed automatically by the ``proxmox-backup-daily-update.service``.
|
certificate will be renewed automatically by the ``proxmox-backup-daily-update.service``.
|
||||||
Currently, renewal is triggered if the certificate either has already
|
Currently, renewal is triggered if the certificate either has already
|
||||||
expired or if it will expire in the next 30 days.
|
expired or if it will expire in the next 30 days.
|
||||||
@ -296,7 +287,7 @@ Follow the instructions on the screen, for example:
|
|||||||
State or Province Name (full name) [Some-State]:Vienna
|
State or Province Name (full name) [Some-State]:Vienna
|
||||||
Locality Name (eg, city) []:Vienna
|
Locality Name (eg, city) []:Vienna
|
||||||
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH
|
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH
|
||||||
Organizational Unit Name (eg, section) []:`Proxmox Backup`_
|
Organizational Unit Name (eg, section) []:Proxmox Backup
|
||||||
Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com
|
Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com
|
||||||
Email Address []:support@yourdomain.com
|
Email Address []:support@yourdomain.com
|
||||||
|
|
||||||
@ -309,12 +300,12 @@ file ``req.pem`` to your Certification Authority (CA). The CA will issue
|
|||||||
the certificate (BASE64 encoded), based on your request – save this file
|
the certificate (BASE64 encoded), based on your request – save this file
|
||||||
as ``cert.pem`` to your `Proxmox Backup`_.
|
as ``cert.pem`` to your `Proxmox Backup`_.
|
||||||
|
|
||||||
To activate the new certificate, do the following on your Proxmox Mail
|
To activate the new certificate, do the following on your `Proxmox Backup`_
|
||||||
Gateway:
|
|
||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
cat key.pem cert.pem >/etc/proxmox-backup/proxy.pem
|
cp key.pem /etc/proxmox-backup/proxy.key
|
||||||
|
cp cert.pem /etc/proxmox-backup/proxy.pem
|
||||||
|
|
||||||
Then restart the API servers:
|
Then restart the API servers:
|
||||||
|
|
||||||
@ -331,25 +322,6 @@ Test your new certificate, using your browser.
|
|||||||
command line tool. If your desktop PC runs windows, please use an scp
|
command line tool. If your desktop PC runs windows, please use an scp
|
||||||
client like WinSCP (see https://winscp.net/).
|
client like WinSCP (see https://winscp.net/).
|
||||||
|
|
||||||
.. _change_certificate_for_cluster_setups:
|
|
||||||
|
|
||||||
Change Certificate for Cluster Setups
|
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
If you change the API certificate of an active cluster node manually,
|
|
||||||
you also need to update the pinned fingerprint inside the cluster
|
|
||||||
configuration.
|
|
||||||
|
|
||||||
You can do that by executing the following command on the host where the
|
|
||||||
certificate changed:
|
|
||||||
|
|
||||||
::
|
|
||||||
|
|
||||||
pmgcm update-fingerprints
|
|
||||||
|
|
||||||
Note, this will be done automatically if using the integrated ACME (for
|
|
||||||
example, through Let’s Encrypt) feature.
|
|
||||||
|
|
||||||
.. [1]
|
.. [1]
|
||||||
acme.sh https://github.com/acmesh-official/acme.sh
|
acme.sh https://github.com/acmesh-official/acme.sh
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user