Installing certbot
certbot is packaged in Debian (the base Proxmox VE is built on), so you can install it with apt:
apt install certbot
If you run PVE 4.X (Debian Jessie) or run into any problems which are fixed by a newer version, you may enable the backports repository (http://backports.debian.org/Instructions/) and run:
apt -t stretch-backports install certbot
or, on PVE 4.X (Debian Jessie):
apt -t jessie-backports install certbot
Obtaining your certificate
Run the following command and follow the on-screen output to obtain your certificate:
certbot certonly
Getting your certificate into Proxmox
You need to copy the certificate from the LE directory to the PVE directory:
cp /etc/letsencrypt/live/<domain>/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/<domain>/privkey.pem /etc/pve/local/pveproxy-ssl.key
Then restart the PVE proxy:
systemctl restart pveproxy
Setting up renewal
Create a new bash script containing the commands from the previous step that copy the certificate and restart the proxy, and make it executable. Let's assume that you put it into /usr/local/bin/renew-pve-certs.sh
Then edit your /etc/crontab with the editor you like and add the following line:
30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh
This checks twice each month (on the 1st and the 15th) at 06:30 AM whether a new certificate needs to be issued. As certificates are valid for three months, this frequency should be high enough to ensure a certificate always gets renewed on time.
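One possible form of the renewal script described above, as an added example that is not Proxmox's own code: it refuses to install a certificate that has expired or does not belong to the private key, so a broken renewal never replaces a working pair. It assumes the openssl command line tool is installed and, unlike the crontab line above, takes the domain as its first argument; the function name install_pve_cert is made up for this example.

```shell
#!/bin/bash
# Added example, not Proxmox's own script: /usr/local/bin/renew-pve-certs.sh
# Usage (assumption): renew-pve-certs.sh <domain>
# The certbot --post-hook value then has to include the domain argument.
set -u

# Copy a certbot lineage into a pveproxy directory, but only if the
# certificate is still valid and matches the private key.
install_pve_cert() {
    local live_dir="$1" pve_dir="$2"
    local cert="$live_dir/fullchain.pem" key="$live_dir/privkey.pem"

    [ -s "$cert" ] && [ -s "$key" ] ||
        { echo "missing $cert or $key" >&2; return 1; }

    # Reject a certificate that has already expired (or cannot be parsed).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired or unreadable" >&2; return 1; }

    # The public key in the leaf certificate (first one in fullchain.pem)
    # must equal the public key derived from the private key file.
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 1; }

    cp "$cert" "$pve_dir/pveproxy-ssl.pem" || return 1
    cp "$key" "$pve_dir/pveproxy-ssl.key" || return 1
}

# Runs only when a domain is given; the paths are the ones used on this page.
# pveproxy is restarted only if the checks and both copies succeeded.
if [ $# -ge 1 ]; then
    install_pve_cert "/etc/letsencrypt/live/$1" /etc/pve/local &&
        systemctl restart pveproxy
fi
```

When a check fails the script exits non-zero and leaves the files in /etc/pve/local untouched, so pveproxy keeps serving the previous certificate.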
Let’s Encrypt using other Clients
It should also be possible to use other Let’s Encrypt clients, as long as care is taken that the issued as well as renewed certificates and the associated keys are copied to the correct locations, and the pveproxy service is restarted afterwards.