
How to Install SSL Certificates in Proxmox VE

Complete guide to installing SSL certificates in Proxmox VE using Let's Encrypt ACME, custom certificates, and pvenode commands with auto-renewal.


Why Replace the Default Certificate

Every Proxmox VE installation ships with a self-signed SSL certificate. While this provides encrypted communication, browsers display prominent security warnings because the certificate is not issued by a trusted certificate authority. This creates two problems: it trains users to click through security warnings (a dangerous habit), and it makes it impossible to distinguish between a legitimate Proxmox interface and a man-in-the-middle attack.

You have two options for replacing the default certificate:

  • Let's Encrypt (ACME) – free, automated certificates with built-in Proxmox support.
  • Custom certificates – certificates from a commercial CA or an internal PKI.

Option 1: Let's Encrypt with ACME

Proxmox has native ACME (Automated Certificate Management Environment) support. It can request, install, and automatically renew Let's Encrypt certificates without any external tools.

Step 1: Register an ACME Account

First, register an account with the Let's Encrypt CA. This only needs to be done once per cluster.

# Register a new ACME account
pvenode acme account register default mail@example.com

# List registered accounts
pvenode acme account list

# View account details
pvenode acme account info default

Step 2: Configure a Challenge Plugin

ACME requires proof that you control the domain. Proxmox supports two validation methods: the HTTP challenge, handled by the built-in standalone plugin, and the DNS challenge, handled by a DNS API plugin. The standalone plugin works out of the box if port 80 on the node is free and reachable from the internet; the DNS challenge is the option for nodes that are not.

# The standalone plugin is built in and needs no configuration.
# For DNS challenges, put the provider's acme.sh credentials in a file,
# one KEY=value per line, readable only by root. pvenode reads that file
# and stores its contents base64-encoded in the cluster-wide plugin config.
cat > /root/cloudflare.cred <<'EOF'
CF_Token=your-api-token-here
CF_Zone_ID=your-zone-id
EOF
chmod 600 /root/cloudflare.cred

pvenode acme plugin add dns cloudflare-plugin \
    --api cf \
    --data /root/cloudflare.cred

# List configured plugins
pvenode acme plugin list

Step 3: Configure the Domain on the Node

# Set the domain for the certificate using the standalone HTTP challenge
# ("default" is the ACME account name registered in Step 1)
pvenode config set --acme account=default,domains=proxmox.example.com

# Or validate the domain with a DNS plugin instead: list it as an
# acmedomain entry with the plugin name, not under --acme domains
pvenode config set \
    --acme account=default \
    --acmedomain0 domain=proxmox.example.com,plugin=cloudflare-plugin

Step 4: Order the Certificate

# Request and install the certificate
pvenode acme cert order

# The certificate is automatically installed and the web server restarts
# You should now be able to access the GUI without browser warnings

Auto-Renewal

Proxmox automatically sets up a systemd timer to renew ACME certificates before they expire. You can verify this is active:

# Check the renewal timer status
systemctl status pve-daily-update.timer

# View upcoming timer events
systemctl list-timers | grep pve

# Manually trigger a renewal check
pvenode acme cert renew

Let's Encrypt certificates are valid for 90 days. The automatic renewal process runs daily and renews certificates when they have fewer than 30 days remaining.

Option 2: Custom Certificates

If you use an internal certificate authority, a commercial CA, or need wildcard certificates, you can install custom certificates manually.

Step 1: Prepare Your Certificate Files

You need two files: the certificate (including the full chain) and the private key. The certificate file should contain your server certificate followed by any intermediate certificates.

# Typical file structure:
# /etc/pve/nodes/<nodename>/pveproxy-ssl.pem  (certificate + chain)
# /etc/pve/nodes/<nodename>/pveproxy-ssl.key  (private key)

# Verify your certificate chain is complete. Pass the file as -untrusted
# as well, so the intermediates it contains are used; a bare
# `openssl verify your-cert.pem` checks only the first certificate in the
# file against the system trust store and fails on any leaf whose
# intermediate is not already trusted.
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted your-cert.pem your-cert.pem

# Check that the certificate matches the key (RSA keys only; for ECDSA
# compare the public keys instead, as the modulus does not exist)
openssl x509 -noout -modulus -in your-cert.pem | openssl md5
openssl rsa -noout -modulus -in your-key.pem | openssl md5
# Both MD5 hashes should match
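The two checks above, as an added example that is not part of the original guide or of Proxmox VE: a small pre-flight script (hypothetical, not a Proxmox tool) that compares the public key in the certificate with the one derived from the private key, which works for RSA and ECDSA alike, and verifies the chain with the file's own intermediates supplied via -untrusted. It assumes openssl on PATH and Debian's CA bundle path, which is what a Proxmox VE node has.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide or from Proxmox VE: pre-flight
# checks for a custom certificate before `pvenode cert set`.
# Assumes openssl on PATH; CA_BUNDLE defaults to Debian's bundle.

CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# SHA-256 of the public key (SubjectPublicKeyInfo) inside the first
# certificate of a PEM file.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key (RSA or EC).
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Returns 0 if the certificate was issued for this private key, 1 otherwise.
cert_matches_key() {
    local c k
    c=$(cert_pubkey_hash "$1")
    k=$(key_pubkey_hash "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 if the chain file (leaf first, then intermediates) verifies to a
# root in the bundle. Passing the same file as -untrusted lets openssl use the
# embedded intermediates; a bare `openssl verify file.pem` checks only the
# first certificate.
chain_is_complete() {
    local chain=$1 bundle=${2:-$CA_BUNDLE}
    openssl verify -CAfile "$bundle" -untrusted "$chain" "$chain" >/dev/null 2>&1
}

# Runs both checks and reports. Usage: preflight cert.pem key.pem [ca-bundle]
preflight() {
    local rc=0
    if cert_matches_key "$1" "$2"; then
        echo "OK: private key matches certificate"
    else
        echo "FAIL: private key does not match certificate" >&2
        rc=1
    fi
    if chain_is_complete "$1" "${3:-$CA_BUNDLE}"; then
        echo "OK: chain verifies to a trusted root"
    else
        echo "FAIL: chain incomplete or untrusted (missing intermediate?)" >&2
        rc=1
    fi
    return $rc
}

if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Run it as `./preflight.sh your-cert.pem your-key.pem` on the node before `pvenode cert set`; a non-zero exit means the pair should not be installed. For an internal PKI, pass your own root bundle as the third argument instead of relying on the system store.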

Step 2: Install the Certificate

# Install using pvenode (recommended method)
pvenode cert set your-cert.pem your-key.pem --force --restart

# Or manually copy files and restart
cp your-cert.pem /etc/pve/nodes/$(hostname)/pveproxy-ssl.pem
cp your-key.pem /etc/pve/nodes/$(hostname)/pveproxy-ssl.key
systemctl restart pveproxy

Step 3: Verify the Installation

# Check the certificate currently in use
pvenode cert info

# Test the connection with openssl
openssl s_client -connect localhost:8006 -servername proxmox.example.com < /dev/null 2>/dev/null | openssl x509 -noout -subject -dates

# Check from a remote machine
curl -vI https://proxmox.example.com:8006 2>&1 | grep -E "subject|expire|issuer"

Certificates in a Cluster

In a Proxmox cluster, each node has its own certificate. You must configure and order certificates on every node individually. ACME accounts are shared across the cluster (stored in /etc/pve/priv/acme), but the domain configuration and certificate files are per-node.

# On each node in the cluster:
pvenode config set --acme domains=node1.example.com
pvenode acme cert order

# Repeat for node2, node3, etc. with their respective FQDNs

Troubleshooting Certificate Issues

ACME Challenge Failures

# Make sure nothing else is already listening on port 80: the standalone
# plugin binds it only for the duration of the challenge, so the port must
# be free on the node as well as reachable from the internet
ss -tlnp | grep ':80 '

# Check firewall rules
pve-firewall status

# Test that HTTP requests for the challenge path reach the node at all
curl -I http://proxmox.example.com/.well-known/acme-challenge/test

# View ACME logs for detailed error messages. A manual order runs as a
# task (its log is in the GUI task viewer or under /var/log/pve/tasks);
# scheduled renewals run from pve-daily-update
journalctl -u pve-daily-update.service --since "1 day ago"

Certificate Chain Issues

# Verify the full chain as presented by the server
openssl s_client -connect localhost:8006 -showcerts < /dev/null 2>/dev/null

# Check for missing intermediate certificates (pass the file as -untrusted
# so that any intermediates it already contains are used)
openssl verify -verbose -untrusted your-cert.pem your-cert.pem

# If the chain is incomplete, concatenate the certificates in order
# (server certificate first, then intermediates, no root needed):
cat server-cert.pem intermediate-cert.pem > full-chain.pem
pvenode cert set full-chain.pem server-key.pem --force --restart

Checking Certificate Status Remotely

Certificate expiration is one of those issues that causes outages precisely because nobody was watching. Beyond automated monitoring, having quick access to your node status while away from your desk can help catch problems early. ProxmoxR allows you to check on your Proxmox nodes from your phone, so you can verify services are running normally after a certificate renewal or spot connection issues before they become critical.

Best Practices

  • Use Let's Encrypt when possible. Automated renewal eliminates the risk of expired certificates causing downtime.
  • Use DNS challenges for nodes behind firewalls. If your Proxmox node is not reachable on port 80 from the internet, the DNS challenge method avoids the need to open ports.
  • Monitor certificate expiration. Even with auto-renewal, set up alerts for certificates approaching their expiration date. Renewal failures can go unnoticed.
  • Keep your certificate chain complete. Missing intermediate certificates cause trust errors in browsers and API clients.
  • Back up your private keys securely. If you use custom certificates, ensure the private key is backed up and protected. Losing it means you need to reissue the certificate.
  • Use separate certificates per node rather than sharing a single wildcard certificate, as this limits the blast radius if a key is compromised.
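The "monitor certificate expiration" practice above, as an added example that is not from the original guide or from Proxmox VE: a small check that fetches the certificate each node presents on port 8006 and exits non-zero when any of them expires within a threshold, so a silent renewal failure gets noticed well inside the 90-day Let's Encrypt lifetime. It assumes openssl and GNU date on the monitoring host; the WARN_DAYS default and the host names in the usage line are constructed values.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide or from Proxmox VE: expiry check
# for Proxmox node certificates, meant to run from cron on a monitoring host.
# Assumes openssl on PATH and GNU date (Debian). WARN_DAYS is a constructed
# default; pick a value that leaves time to fix a failed renewal.

WARN_DAYS=${WARN_DAYS:-21}

# Whole days until the first certificate in a PEM file expires
# (negative when it has already expired).
cert_days_left() {
    local end exp now
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    exp=$(date -d "$end" +%s)
    now=$(date +%s)
    echo $(( (exp - now) / 86400 ))
}

# Save the certificate a node presents on 8006 to a PEM file.
# SNI is set so the check matches what a browser would receive.
fetch_node_cert() {
    local host=$1 out=$2
    openssl s_client -connect "$host:8006" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out" 2>/dev/null
}

# Returns 0 when the certificate in $1 is valid for more than WARN_DAYS,
# 1 when it expires sooner (or already has). The decision uses openssl's
# own -checkend; the day count is only for the report. $2 is a label.
check_cert_file() {
    local file=$1 label=${2:-$1} days
    days=$(cert_days_left "$file")
    if openssl x509 -in "$file" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
        echo "OK: $label expires in $days days"
    else
        echo "WARNING: $label expires in $days days (threshold $WARN_DAYS)" >&2
        return 1
    fi
}

# Check every node given on the command line; non-zero exit if any needs
# attention or could not be reached (an unreachable node is not "fine").
check_nodes() {
    local rc=0 tmp host
    tmp=$(mktemp)
    for host in "$@"; do
        if fetch_node_cert "$host" "$tmp"; then
            check_cert_file "$tmp" "$host" || rc=1
        else
            echo "ERROR: could not fetch certificate from $host" >&2
            rc=1
        fi
    done
    rm -f "$tmp"
    return $rc
}

# Usage (constructed host names): ./cert-expiry.sh node1.example.com node2.example.com
if [ "$#" -gt 0 ]; then
    check_nodes "$@"
fi
```

Wire the exit status into whatever alerting you already have (a cron mail on non-zero exit is enough to start with). Because the check reads the certificate the node actually serves, it also catches the case where renewal succeeded but pveproxy was never restarted and is still presenting the old one.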

Summary

Replacing the default self-signed certificate in Proxmox VE is a straightforward but important security step. Let's Encrypt with ACME provides the easiest path with automatic issuance and renewal, while custom certificates give you flexibility for internal CAs and specific requirements. Whichever method you choose, verify the full certificate chain, confirm auto-renewal is working, and monitor expiration dates to avoid unexpected outages.
