Proxmox Virtual Environment
In my company, we decided to use Proxmox VE as virtualization System. Proxmox is an open source virtualization platform which uses KVM and LXC container.
Proxmox is very easy to setup and maintain not least cause a very good and up-to-date wiki which is maintained by the developers. Also the forums are well maintained and have an active community which is very important to an open source product I think.
After approximate one year of productive use we´re still very happy with our decision to use Promox. Currently we are setting up a second productiv cluster, which is used for another type of our servers.
TLS Certs for PVE with Let´s Encrypt and dehydrated
If you have a Proxmox cluster it does not matter to which host you connect, you can administrate the whole cluster from every node (web gui). The Promox web gui is always encrypted with https, so you have to accept an unvalidated certificate (or import the CA) or you can use your own validated certificates for proxmox, for example from the Let´s Encrypt.
In our case i don´t want to connect to only one node (what if this node is rebooting?) so i set up a dns address which has round robin to all our proxmox nodes.
But now we need the same certificate on all nodes and cause we´re using LE they are changing about every 30 days.
The last problem is that our cluster is of course only reachable from our protected local network, which means the standard challenge of LE will not work.
For the last problem the solution is the small but very nice project dehydrated. With dehydrated we can use the DNS challenge from LE. There is a hook for our DNS provider so we only need to do some little config to get a certificate. Dehydrated can also run as a cronjob so we aren´t needed to interact here.
The other problem is how to spread the certificate to all proxmox nodes, cause very node has their own certificate directory. For that i wrote a little script:
The script is executed every day via a cronjob. First, the script runs dehydrated to check if the certificates need to renew. If that’s the case this will also be done by dehydrated. Then it checks if the certificates has changed, if not, nothing will happen, else it will copy the new certificate into each node certificate directory. At least it will restart the service which delivers the web gui on each node to use the new certificate.