I have (somewhat) rebuilt my Proxmox cluster and learned a couple things while doing so: an approach to migrating VMs/containers to a new cluster and renaming storage pools.
Tag Archives: Proxmox
Running a reverse proxy to serve services on the Internet
I have the occasional need to make a local/self-hosted service be reachable on the world wide web. However, I do not want to host them on my cloud VMs for reasons such as:
- RAM: I am currently using the lowest-priced tier of VMs, which means that I get only 1 GB of RAM
- Storage: For a similar reason as RAM, my disk is only 25 GB
- CPU: Having access to more than 1 core would be nice
Although the easy answer is to provision a bigger VM, I have a small Proxmox cluster that is more than capable of running VMs and (LXC) containers with access to more compute, RAM, and storage. Running them in separate instances is also great for separation.
While services like Tailscale Funnel or Cloudflare Tunnel exist, I wanted to roll my own as a learning exercise.
Proxmox VE and Let’s Encrypt with DNS-01 Validation
One of the appealing reasons for using Proxmox VE as your hypervisor is that it can be configured to obtain a TLS certificate for HTTPS from Let’s Encrypt and renew it on a regular basis.
The Environment
At the time of writing, I am running Proxmox VE version 7.2-4. The name of the node for this article will be pve.
I have a dynamic DNS zone (i.e. acme.example.net) running BIND for the purposes of enabling ACME clients (acme.sh) to update the dynamic zone with the appropriate TXT record. A CNAME will be created in the “top-level” zone (example.net) such that querying _acme-challenge.pve.example.net will be answered by _acme-challenge.pve.acme.example.net.
Configuration
In PVE, go to Datacenter > ACME and then click Add under Accounts to register an ACME account.
The next step is to add a Challenge Plugin. On the same screen click Add under Challenge Plugins.
Plugin ID: nsupdate
Validation Delay: 30 (default)
DNS API: nsupdate (RFC 2136)
NSUPDATE_KEY=/var/lib/pve/nsupdate.key
NSUPDATE_SERVER=acme.ns.example.net
Since I am using nsupdate as the DNS API, I generate a key locally:
$ ddns-confgen -a hmac-sha256 -k pve.example.net. -q > pve.key
Transfer the key to PVE to the location specified in NSUPDATE_KEY. Below are the user/group and permissions for reference.
# ls -l /var/lib/pve/nsupdate.key
-rw-r--r-- 1 root root 128 Jun 21 19:43 /var/lib/pve/nsupdate.key
Now go to the node itself under Datacenter. Go to System > Certificates. Under ACME, click Add.
Select DNS as the Challenge Type, select nsupdate as the plugin, and enter the PVE host’s domain.
Since we have delegated the actual records to another DNS zone, we need to make one small change to the (PVE) node’s configuration. Under the DNS Validation through CNAME Alias section of the documentation:
set the alias property in the Proxmox VE node configuration file (https://pve.proxmox.com/wiki/Certificate_Management#sysadmin_certs_acme_dns_challenge)
To do that, I SSH-ed into the node (as root), opened /etc/pve/local/config in nano, and added alias=pve.acme.example.net to the end of the line that has the domain (in my case, it was the line that started with acmedomain0).
# cat /etc/pve/local/config
acme: account=default
acmedomain0: pve.example.net,plugin=nsupdate,alias=pve.acme.example.net
Save (CTRL+O) and Exit (CTRL+X)
Back in the web interface, in the Certificates screen (Datacenter > Your node (pve) > System > Certificates) you should be able to select the domain and click Order Certificates Now.
At this point PVE should be able to create a TXT _acme-challenge record in the (delegated) dynamic DNS zone, Let’s Encrypt should be able to validate it, and we should be able to get a TLS certificate for HTTPS.
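A pre-flight check for the setup described above, as an added shell example that is not part of the original post: it verifies the CNAME delegation and the TSIG key file, and shows the nsupdate transaction that ends up being sent on your behalf. The key file contents, the secret and the challenge token are constructed placeholders; the delegation check assumes dig is installed and has network access.

```sh
#!/bin/sh
# Names follow the article: public name pve.example.net, dynamic zone
# acme.example.net, key file /var/lib/pve/nsupdate.key (constructed here).

# The TXT record must land under the CNAME target (the alias), because the
# dynamic zone is the only one the TSIG key is allowed to update. This is
# the transaction the nsupdate DNS API plugin issues for a challenge.
build_nsupdate_batch() {
    # $1 = NSUPDATE_SERVER, $2 = alias (CNAME target), $3 = challenge token
    printf 'server %s\nupdate add _acme-challenge.%s. 60 TXT "%s"\nsend\n' \
        "$1" "$2" "$3"
}

# Confirm _acme-challenge.<domain> really points at _acme-challenge.<alias>;
# if this is wrong, Let's Encrypt looks up the public name and never finds
# the record PVE created. Needs dig and network access.
check_delegation() {
    # $1 = PVE domain, $2 = alias
    target=$(dig +short CNAME "_acme-challenge.$1")
    [ "$target" = "_acme-challenge.$2." ]
}

# Pull the key name out of a ddns-confgen style key file so it can be
# compared with the name granted in BIND's update-policy.
key_name() {
    sed -n 's/^key "\([^"]*\)".*/\1/p' "$1"
}

# The TSIG secret is a credential for rewriting the zone: require root:root
# and mode 0600. The 0644 listing in the article would be readable by any
# local user on the node. (GNU stat syntax, i.e. Linux.)
check_key_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    owner=$(stat -c '%U:%G' "$1") || return 1
    [ "$mode" = "600" ] && [ "$owner" = "root:root" ]
}

# Constructed sample key file in the ddns-confgen -q output format.
write_sample_key() {
    printf 'key "pve.example.net." {\n\talgorithm hmac-sha256;\n\tsecret "PLACEHOLDER_NOT_A_REAL_SECRET==";\n};\n' > "$1"
}

demo() {
    f=$(mktemp) && write_sample_key "$f" && chmod 644 "$f"
    echo "key name: $(key_name "$f")"
    check_key_perms "$f" && echo "key perms ok" || echo "key perms too open"
    build_nsupdate_batch acme.ns.example.net pve.acme.example.net TOKEN
    rm -f "$f"
}
```

Run `demo` to see the checks against the constructed key; point `check_key_perms` and `key_name` at /var/lib/pve/nsupdate.key on the node to check the real file.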