How to Use Cloudflare API Token for Lets Encrypt SSL on Proxmox

Written By John Ruhlin


Setting up TLS certificates is a task most administrators run into sooner or later, and it is easy to get wrong.

It’s essential if you’re running Proxmox Virtual Environment (PVE) with a web interface reachable over the internet, and worth doing on an internal network too: a certificate browsers trust means nobody has to get used to clicking through certificate warnings, which is exactly the habit a man-in-the-middle with a forged certificate relies on. Even with a valid certificate, exposing the management interface directly to the internet is a risk; where you can, keep it behind a VPN or a firewall rule as well.

Let’s Encrypt provides free certificates, but the process can be tedious if you’re unfamiliar with the steps.

Using Cloudflare as your DNS provider simplifies things: certbot can prove control of the domain through Cloudflare’s DNS API and renew the certificate later without any manual DNS edits. In this article, I’ll guide you through how to use a Cloudflare API token to obtain and renew a Let’s Encrypt SSL certificate on Proxmox.

Why Use Let’s Encrypt SSL and Cloudflare on Proxmox?

Before diving into the technicalities, let’s quickly review why you would use Let’s Encrypt SSL with Cloudflare for your Proxmox server.

  1. Cost-Effective: Let’s Encrypt provides SSL certificates for free, eliminating the need to pay for premium SSL certificates.
  2. Automatic Renewal: With the right setup, Let’s Encrypt certificates can renew automatically, making security maintenance hands-free.
  3. Cloudflare Integration: If you’re using Cloudflare as your DNS provider, it becomes easier to update DNS records, allowing for automated SSL issuance with minimal manual intervention.
  4. Enhanced Security: Cloudflare offers additional security layers, such as DDoS protection and a web application firewall (WAF). Note that these apply only to traffic proxied through Cloudflare; the Proxmox web interface on port 8006 is served by your own server directly, so in this setup Cloudflare’s role is DNS hosting and the API used for domain validation.

Now that we understand why it’s beneficial, let’s jump into how to set up Let’s Encrypt SSL on Proxmox using a Cloudflare API token.

Step 1: Preparing Proxmox for SSL Configuration

The first thing you need to do is prepare your Proxmox environment to support SSL through Let’s Encrypt. Here’s how you can get started.

1. Ensure Proxmox is Up to Date

Before making any changes, ensure that your Proxmox server is running the latest version. Run the following commands to update your system:

"apt update && apt dist-upgrade"

After updating, reboot the server if a new kernel or Proxmox VE package was installed:

"reboot"

2. Install Required Packages

You’ll need Certbot (the EFF’s ACME client, the one Let’s Encrypt recommends) and its DNS plugin for Cloudflare. Both are in Debian’s repositories, so one command installs them:

"apt install certbot python3-certbot-dns-cloudflare"

These packages allow your Proxmox server to request and manage SSL certificates from Let’s Encrypt while using Cloudflare’s DNS API for domain validation.

Step 2: Setting Up a Cloudflare API Token

For Let’s Encrypt to manage SSL certificates via Cloudflare, you’ll need an API token from Cloudflare. This token allows Certbot to update your DNS records automatically.

1. Create an API Token on Cloudflare

  • Log in to the Cloudflare dashboard, open your profile and go to the “API Tokens” section.
  • Click “Create Token.”
  • Under “Template,” choose “Edit zone DNS.” This grants the single permission certbot needs: Zone → DNS → Edit.
  • Under “Zone Resources,” select Include → Specific zone → the domain you are working with, so the token cannot touch any other zone in the account. Optionally restrict it further under “Client IP Address Filtering” to the public IP of your Proxmox host.
  • Do not use the Global API Key for this. It grants full access to the whole account; a token can be scoped to one zone and revoked on its own if the host is ever compromised.

2. Generate and Copy the Token

Review the summary and click “Create Token.” The token value is shown only once; copy it to a secure location (a password manager, not a chat message or ticket), because you will need it in the next step and cannot retrieve it from the dashboard again.

3. Store the API Token on Your Proxmox Server

On your Proxmox server, create a Cloudflare credentials file in a location only root can read, for example in the /root directory:

"nano /root/.cloudflare.ini"

Inside the file, add the following line:

"dns_cloudflare_api_token = <Your Cloudflare API Token>"

Replace <Your Cloudflare API Token> with the actual token you copied earlier. The key name matters: the Cloudflare plugin looks for dns_cloudflare_api_token. The older dns_cloudflare_email / dns_cloudflare_api_key pair is for the Global API Key and should not be used here.

Change the permissions of the file so that only the root user can read it; certbot warns about credentials files that other users can read:

"chmod 600 /root/.cloudflare.ini"
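The following is an added example, written for this article and not part of certbot or Cloudflare: a small shell check to run against the credentials file before calling certbot. It confirms the file is readable by its owner only, that it carries a scoped API token rather than the account-wide Global API Key, and that the placeholder has been replaced. It assumes GNU or BusyBox coreutils (stat -c), as on Debian, and the path /root/.cloudflare.ini used above. The verify_cf_token function calls Cloudflare’s real token verification endpoint and needs network access, so it runs only when you invoke it by hand.

```shell
#!/bin/sh
# Added example for this article (not from certbot or Cloudflare): sanity-check
# the Cloudflare credentials file before handing it to certbot.
# Assumes GNU or BusyBox coreutils (stat -c), as found on Proxmox VE / Debian.
set -eu

# read_cf_token <file>  -> prints the value of dns_cloudflare_api_token (empty if absent)
read_cf_token() {
    sed -n 's/^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# check_cf_credentials <file>
# Returns 0 if the file is usable and safely scoped, 1 otherwise (reason on stderr).
check_cf_credentials() {
    file="$1"
    [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }

    # Only the owner (root) may read it; certbot warns about looser permissions.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "$file: mode $mode, expected 600" >&2; return 1 ;;
    esac

    # The legacy Global API Key (dns_cloudflare_email + dns_cloudflare_api_key)
    # grants full access to the entire account; only a scoped token belongs here.
    if grep -Eq '^[[:space:]]*dns_cloudflare_(api_key|email)[[:space:]]*=' "$file"; then
        echo "$file: uses the Global API Key; use a scoped API token instead" >&2
        return 1
    fi

    # The plugin reads exactly this key; it must be set and not still the placeholder.
    token=$(read_cf_token "$file")
    case "$token" in
        ""|*"<"*) echo "$file: dns_cloudflare_api_token missing or still a placeholder" >&2; return 1 ;;
    esac
    return 0
}

# verify_cf_token <file>
# Asks Cloudflare whether the token is active (GET /client/v4/user/tokens/verify).
# Needs network access, so it is never called automatically; run it by hand.
verify_cf_token() {
    curl -sS -H "Authorization: Bearer $(read_cf_token "$1")" \
        https://api.cloudflare.com/client/v4/user/tokens/verify
    echo
}

# Run the check when invoked as a script with CF_CREDENTIALS set, e.g.
#   CF_CREDENTIALS=/root/.cloudflare.ini sh check-cf-credentials.sh
if [ -n "${CF_CREDENTIALS:-}" ]; then
    check_cf_credentials "$CF_CREDENTIALS" && echo "$CF_CREDENTIALS: ok"
fi
```

A successful verify call returns JSON with "status": "active"; anything else means the token was mistyped, has expired, or was revoked, and certbot will fail the DNS challenge with it.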

Step 3: Requesting the Let’s Encrypt SSL Certificate

Now that your environment is prepared and your Cloudflare API token is set up, it’s time to request the SSL certificate from Let’s Encrypt.

1. Run Certbot with Cloudflare Plugin

Use Certbot with the Cloudflare DNS plugin to request an SSL certificate. In this case, you will specify the Cloudflare credentials and the domain you wish to secure. Here’s the command:

"certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /root/.cloudflare.ini \
-d yourdomain.com \
-d www.yourdomain.com"

Replace yourdomain.com with the names you will actually type into the browser; for a Proxmox node that is usually its fully qualified hostname (for example pve.yourdomain.com) rather than the bare domain and www. The command performs the DNS-01 challenge: certbot uses the token to create a TXT record at _acme-challenge.<name> in your Cloudflare zone, Let’s Encrypt looks that record up to verify your control of the name, and certbot deletes the record afterwards. No port on the Proxmox host has to be reachable from the internet for this. Certbot also records the plugin and credentials path in /etc/letsencrypt/renewal/yourdomain.com.conf, so later renewals reuse them without extra flags. On the first run it asks for a contact e-mail address and acceptance of the Let’s Encrypt terms.

2. Locate the Certificate Files

Once the request completes, Certbot prints where the certificate and private key are stored, normally /etc/letsencrypt/live/yourdomain.com/. The files there are symlinks to the current version in /etc/letsencrypt/archive/, which is why the paths stay stable across renewals. fullchain.pem holds the certificate plus the intermediate chain, and privkey.pem the private key, readable by root only.

You can manually check the certificate files by running:

"ls /etc/letsencrypt/live/yourdomain.com/"

Step 4: Configuring Proxmox to Use SSL

Now that you have the SSL certificate, the next step is configuring Proxmox to use it.

1. Understand Which Files Proxmox Uses

Proxmox keeps two certificate pairs per node in /etc/pve/local. pve-ssl.pem and pve-ssl.key are generated by Proxmox itself (pvecm updatecerts) and used for cluster-internal communication, so leave them alone. pveproxy-ssl.pem and pveproxy-ssl.key are an optional custom pair; when they exist, pveproxy serves the web interface with them instead. If you already have a custom pair in place, back it up outside the cluster filesystem before overwriting it:

"cp /etc/pve/local/pveproxy-ssl.pem /root/pveproxy-ssl.pem.bak
cp /etc/pve/local/pveproxy-ssl.key /root/pveproxy-ssl.key.bak"

2. Copy the Let’s Encrypt Certificate

Copy (do not symlink) the full chain and private key into Proxmox’s custom certificate slots. /etc/pve is the pmxcfs cluster filesystem, which does not support symbolic links, so an ln -s there fails:

"cp /etc/letsencrypt/live/yourdomain.com/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/yourdomain.com/privkey.pem /etc/pve/local/pveproxy-ssl.key"

Because these are copies, they have to be refreshed after every renewal; otherwise the web interface keeps serving the expired certificate while certbot’s own files are current.

3. Restart Proxmox Services

To apply the new SSL certificate, restart the Proxmox web service:

"systemctl restart pveproxy"

4. Access Proxmox Web Interface

After restarting, navigate to your Proxmox web interface (e.g., https://yourdomain.com:8006, or whichever name you put on the certificate). The browser should show a trusted connection with a certificate issued by Let’s Encrypt. The DNS record for this name must be DNS-only (grey cloud) in Cloudflare: Cloudflare’s proxy does not forward port 8006, and the certificate is presented by Proxmox itself, not by Cloudflare. Proxmox VE also has built-in ACME support (node → System → Certificates, with DNS plugins configured under Datacenter → ACME) that can do the same job; this guide uses certbot, which also lets you reuse the certificate for other services on the host.

Step 5: Automating SSL Renewal

Let’s Encrypt certificates are only valid for 90 days, but you can automate their renewal process using Certbot’s renewal system.

1. Test Automatic Renewal To test if the renewal process works without issues, run the following command:

"certbot renew --dry-run"

If no errors appear, you’re ready for automated renewals.

2. Enable Automatic Renewal

The Debian certbot package installs a systemd timer, certbot.timer, that runs “certbot renew” twice a day. The /etc/cron.d/certbot entry it also ships is a no-op on systemd hosts, so “crontab -l” shows nothing; check the timer instead:

"systemctl list-timers certbot.timer"

Renewal alone only refreshes the files under /etc/letsencrypt. Proxmox serves its own copy from /etc/pve/local, so after each renewal the new fullchain.pem and privkey.pem must be copied there again and pveproxy restarted. Certbot runs every executable it finds in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, with the environment variable RENEWED_LINEAGE set to the lineage directory (e.g. /etc/letsencrypt/live/yourdomain.com); a small script there does the copy and restart, so the whole chain from Cloudflare validation to the Proxmox web interface runs without intervention.
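Here is an added example of such a deploy hook, written for this article and not taken from certbot or Proxmox. It serves both Step 4 (installing the certificate by copying it into /etc/pve/local) and the renewal in Step 5: when certbot calls it with RENEWED_LINEAGE set, it checks that the private key matches the certificate, copies fullchain.pem and privkey.pem into pveproxy-ssl.pem and pveproxy-ssl.key, and restarts pveproxy. The file name pve-cert.sh and the use of openssl for the match check (skipped if openssl is absent) are choices made here. Note that “certbot renew --dry-run” does not execute deploy hooks by default, so run the hook once by hand to test it.

```shell
#!/bin/sh
# Added example for this article, not part of certbot or Proxmox VE.
# Deploy hook: after certbot renews the certificate, copy it into Proxmox's
# custom-certificate slots and restart pveproxy. Install as
#   /etc/letsencrypt/renewal-hooks/deploy/pve-cert.sh   (chmod 700)
# certbot runs each executable there once per renewed lineage and exports
# RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/yourdomain.com.
set -eu

# install_pve_cert <lineage_dir> <pve_dir>
# Copies fullchain.pem/privkey.pem to <pve_dir>/pveproxy-ssl.{pem,key}.
# Copies, not symlinks: /etc/pve is pmxcfs, which does not support symlinks,
# and pveproxy-ssl.* (not pve-ssl.*) is the slot Proxmox reserves for custom certificates.
install_pve_cert() {
    lineage="$1"; pve_dir="$2"
    cert="$lineage/fullchain.pem"; key="$lineage/privkey.pem"

    [ -s "$cert" ]    || { echo "missing $cert" >&2; return 1; }
    [ -s "$key" ]     || { echo "missing $key" >&2; return 1; }
    [ -d "$pve_dir" ] || { echo "missing directory $pve_dir" >&2; return 1; }

    # Refuse a key that does not belong to the certificate (e.g. a half-written
    # lineage); compares the SubjectPublicKeyInfo of both. Skipped without openssl.
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout)
        [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    fi

    cp "$cert" "$pve_dir/pveproxy-ssl.pem"
    cp "$key"  "$pve_dir/pveproxy-ssl.key"
    echo "installed $cert into $pve_dir"
}

# certbot sets RENEWED_LINEAGE; when run by hand without it, do nothing.
# Manual test after the first issuance:
#   RENEWED_LINEAGE=/etc/letsencrypt/live/yourdomain.com sh pve-cert.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_pve_cert "$RENEWED_LINEAGE" /etc/pve/local
    systemctl restart pveproxy
fi
```

On a cluster, run the hook on each node whose web interface is meant to present the certificate, since /etc/pve/local is per node; the check against a mismatched key is what keeps a failed or interrupted renewal from taking the interface down with a certificate pveproxy cannot load.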

Conclusion

Setting up Let’s Encrypt SSL on Proxmox with a Cloudflare API token might seem complex at first, but it comes down to a scoped token, one certbot command, and a copy into /etc/pve/local that is repeated at each renewal.

Not only does this give your Proxmox web interface a certificate browsers trust, it also saves you time and money: the certificate is free, and after the initial setup renewal needs no manual DNS changes.

Whether you’re a seasoned system administrator or just learning the ropes, this combination offers an efficient and secure solution for your Proxmox environment. Keep the API token scoped to a single zone and readable by root only, and revoke it in the Cloudflare dashboard if the host is ever compromised; the certificate itself can be revoked and reissued with certbot in minutes.