Hosting:Proxmox:ProxmoxSSLCert

Prerequisites

   A Proxmox VE server (I tested on version 8.3.4)
   Basic understanding of networking concepts
   Administrator access to your local network
   A Windows PC for certificate management (similar steps apply for Mac/Linux)
   Command line comfort for running basic Linux commands

Initial Setup

   Proxmox VE server: Running at 192.168.x.61
   AdGuard Home: LXC container at 192.168.x.100
   NGINX Proxy Manager: LXC container at 192.168.x.103
   Domain: Custom local domain (homelab.local)
   Network Diagram: Clients → AdGuard Home DNS (192.168.x.100) → NPM (192.168.x.103) → Services (Proxmox/AdGuard)

Common Mistakes I Made

Before diving into the solution, let me share the pitfalls I encountered so you can avoid them:

1. Incorrect Proxy Host Configuration:

   Including protocols and ports in domain name fields
   Using the domain name as the forward hostname instead of the IP
   Configuring the wrong scheme (HTTP vs HTTPS)

2. Certificate Management Issues:

   Not properly importing the CA certificate to Windows
   Not creating certificates with proper Subject Alternative Names (SAN)
   DNS entries pointing to service IPs instead of the proxy

3. Networking Configuration:

   Missing proper DNS entries
   Connection refused errors due to misconfigured proxy settings

Step-by-Step Solution

Step 1: Install NGINX Proxy Manager

First, let’s set up NGINX Proxy Manager in a Proxmox LXC container. The community scripts make this incredibly simple:

# On Proxmox host
bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/nginxproxymanager.sh)"

Follow the on-screen prompts; accepting the defaults works well for most users. This script creates a new LXC container and installs NPM with all dependencies.

Step 2: Create a Local Certificate Authority

Now we’ll create our own Certificate Authority that our browsers will trust:

# Create directory structure
mkdir -p ~/local-ca/certs ~/local-ca/private

# Generate CA private key
openssl genrsa -out ~/local-ca/private/ca.key 4096

This creates a strong 4096-bit private key. Next, let’s create the CA certificate that’s valid for 10 years:

# Generate CA certificate (valid for 10 years)
openssl req -x509 -new -nodes -key ~/local-ca/private/ca.key -sha256 -days 3650 \
 -out ~/local-ca/certs/ca.crt \
 -subj "/C=US/ST=State/L=City/O=HomeLab/OU=IT/CN=Local Root CA"

The CA certificate acts as your trusted root. Any certificate signed by this CA will be trusted by your devices once you import the CA certificate.

Step 3: Generate Wildcard Certificate for Your Local Domain

With our CA ready, let’s create a wildcard certificate for all services under *.homelab.local:

# Create private key
openssl genrsa -out wildcard-homelab.key 2048

Next, create a Certificate Signing Request (CSR):

# Create CSR with wildcard domain
openssl req -new -key wildcard-homelab.key -out wildcard-homelab.csr \
 -subj "/C=US/ST=State/L=City/O=HomeLab/OU=IT/CN=*.homelab.local"

Create an extension file to specify Subject Alternative Names (SANs):

# Create config file for SAN
cat > wildcard-homelab.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.homelab.local
DNS.2 = homelab.local
EOF

Finally, sign the certificate with your CA:

# Sign the certificate with your CA
openssl x509 -req -in wildcard-homelab.csr -CA ~/local-ca/certs/ca.crt \
 -CAkey ~/local-ca/private/ca.key -CAcreateserial \
 -out wildcard-homelab.crt -days 730 -sha256 -extfile wildcard-homelab.ext

This creates a certificate valid for 2 years (730 days) that will work for any subdomain under homelab.local.

Step 4: Update Proxmox Certificate (For Direct Access)
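Before the certificate is copied anywhere, it can be checked against the mistakes listed earlier: that it chains to the local CA, that the key belongs to it, and that its SANs cover the hostnames clients will request. The script below is an added example, not part of the original article; the function names are illustrative, and it runs on a throwaway CA built in a temporary directory with the Step 2 and Step 3 commands. It also shows that the wildcard covers a single label only, so a.b.homelab.local is not matched.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the wildcard certificate.
# Function names are illustrative; file names follow the article.

chains_to_ca() {      # $1 = CA certificate, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert() {  # $1 = private key, $2 = certificate
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

covers_host() {       # $1 = certificate, $2 = hostname a client will request
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Constructed fixture: throwaway CA and wildcard certificate made with the
# Step 2 and Step 3 commands (short lifetimes, 2048-bit keys, trimmed subject).
make_demo_pki() {     # $1 = empty working directory
  ( cd "$1" &&
    openssl genrsa -out ca.key 2048 &&
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 30 \
      -out ca.crt -subj "/O=HomeLab/CN=Demo Root CA" &&
    openssl genrsa -out wildcard-homelab.key 2048 &&
    openssl req -new -key wildcard-homelab.key -out wildcard-homelab.csr \
      -subj "/CN=*.homelab.local" &&
    printf '%s\n' 'basicConstraints=CA:FALSE' 'subjectAltName = @alt_names' \
      '[alt_names]' 'DNS.1 = *.homelab.local' 'DNS.2 = homelab.local' \
      > wildcard-homelab.ext &&
    openssl x509 -req -in wildcard-homelab.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out wildcard-homelab.crt -days 30 -sha256 \
      -extfile wildcard-homelab.ext
  ) >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
crt="$demo/wildcard-homelab.crt"
chains_to_ca "$demo/ca.crt" "$crt" && echo "chain to CA: OK"
key_matches_cert "$demo/wildcard-homelab.key" "$crt" && echo "key matches: OK"
for h in proxmox.homelab.local homelab.local a.b.homelab.local; do
  if covers_host "$crt" "$h"; then echo "covered:     $h"
  else echo "NOT covered: $h"; fi
done
rm -rf "$demo"
```

To check the real files, call the three functions with ~/local-ca/certs/ca.crt, wildcard-homelab.crt and wildcard-homelab.key.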

To make Proxmox directly accessible via HTTPS without warnings:

# Copy certificates to Proxmox
cp wildcard-homelab.crt /etc/pve/nodes/$(hostname)/pveproxy-ssl.pem
cp wildcard-homelab.key /etc/pve/nodes/$(hostname)/pveproxy-ssl.key
systemctl restart pveproxy

This allows secure direct access to your Proxmox interface using its domain name.

Step 5: Configure NGINX Proxy Manager

1. Access NPM at http://192.168.x.103:81

   Default login: admin@example.com / changeme

2. Add SSL Certificate:

   Go to “SSL Certificates” → “Add SSL Certificate”
   Select “Custom”
   Name: `Wildcard homelab.local`
   Certificate file: Upload `wildcard-homelab.crt`
   Key file: Upload `wildcard-homelab.key`
   Save

3. Create Proxy Host for Proxmox:

   Go to “Hosts” → “Proxy Hosts” → “Add Proxy Host”
   Domain Name: `proxmox.homelab.local` (just the domain, no protocol or port)
   Scheme: `https`
   Forward Hostname/IP: `192.168.x.61`
   Forward Port: `8006`
   SSL: Enable and select your wildcard certificate
   Save

4. Create Proxy Host for AdGuard Home:

   Domain Name: `adguardhome.homelab.local` (just the domain, no protocol or port)
   Scheme: `http`
   Forward Hostname/IP: `192.168.x.100`
   Forward Port: `80`
   SSL: Enable and select your wildcard certificate
   Save