certs: further typo/lang fixes and residual s/pve/pmg/ cleaning

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2021-03-18 08:56:22 +01:00
parent ce64ae40cc
commit c7fd1dd851


@ -3,11 +3,14 @@ Certificate Management
---------------------- ----------------------
Access to the administration web-interface is always encrypted through `https`. Access to the administration web-interface is always encrypted through `https`.
Each {pmg} host creates by default its own (self-signed) certificate. This Each {pmg} host creates by default its own (self-signed) certificate.
certificate is used for encrypted communication with the host's `pmgproxy` This certificate is used for encrypted communication with the host's `pmgproxy`
service for any API call, between an user and the web-interface or between service for any API call, between an user and the web-interface or between
nodes in a cluster. Certificate verification in a {pmg} cluster is done based nodes in a cluster.
on pinning the certificate fingerprints in the cluster configuration.
Certificate verification in a {pmg} cluster is done based on pinning the
certificate fingerprints in the cluster configuration and verifying that they
match on connection.
[[sysadmin_certs_api_gui]] [[sysadmin_certs_api_gui]]
Certificates for the API and SMTP Certificates for the API and SMTP
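Review bot: the new side of "service for any API call, between an user and the web-interface or between" still reads "an user"; since this commit is a typo pass, change it to "a user". Splitting the fingerprint-pinning sentence into its own paragraph and adding "and verifying that they match on connection" makes the verification model clearer and reads well.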
@ -48,10 +51,11 @@ Trusted certificates via Let's Encrypt (ACME)
{PMG} includes an implementation of the **A**utomatic **C**ertificate {PMG} includes an implementation of the **A**utomatic **C**ertificate
**M**anagement **E**nvironment **ACME** protocol, allowing {pmg} admins to **M**anagement **E**nvironment **ACME** protocol, allowing {pmg} admins to
interface with Let's Encrypt for easy setup of trusted TLS certificates which use an ACME provider like Let's Encrypt for easy setup of trusted TLS
are accepted out of the box on most modern operating systems and browsers. certificates which are accepted and trusted from modern operating systems
and web browsers out of the box.
Currently the two ACME endpoints implemented are the Currently, the two ACME endpoints implemented are the
https://letsencrypt.org[Let's Encrypt (LE)] production and its staging https://letsencrypt.org[Let's Encrypt (LE)] production and its staging
environment. Our ACME client supports validation of `http-01` challenges using environment. Our ACME client supports validation of `http-01` challenges using
a built-in web server and validation of `dns-01` challenges using a DNS plugin a built-in web server and validation of `dns-01` challenges using a DNS plugin
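Review bot: "certificates which are accepted and trusted from modern operating systems and web browsers" should be "accepted and trusted by modern operating systems and web browsers". Also note that the rewritten first paragraph now says "use an ACME provider like Let's Encrypt", which suggests a choice of providers, while the following paragraph still states that the only two endpoints implemented are the Let's Encrypt production and staging environments; either keep the first wording narrower or adjust the second paragraph so the two agree.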
@ -87,20 +91,20 @@ the {pmg} cluster under your operation, are the real owner of a domain. This is
the basis building block for automatic certificate management. the basis building block for automatic certificate management.
The ACME protocol specifies different types of challenges, for example the The ACME protocol specifies different types of challenges, for example the
`http-01` where a webserver provides a file with a certain content to prove that `http-01` where a web server provides a file with a certain content to prove
it controls a domain. Sometimes this isn't possible, either because of that it controls a domain. Sometimes this isn't possible, either because of
technical limitations or if the address a domain points to is not reachable technical limitations or if the address of a domain points too is not reachable
from the public internet. The `dns-01` challenge can be used in these cases. from the public internet. The `dns-01` challenge can be used in these cases.
The challenge is fulfilled by creating a certain DNS record in the domain's The challenge is fulfilled by creating a certain DNS record in the domain's
zone. zone.
[thumbnail="pmg-gui-acme-create-challenge-plugin.png"] [thumbnail="pmg-gui-acme-create-challenge-plugin.png"]
{pve} supports both of those challenge types out of the box, you can configure {pmg} supports both of those challenge types out of the box, you can configure
plugins either over the web interface under `Datacenter -> ACME`, or using the plugins either over the web interface under `Certificates -> ACME Challenges`,
`pvenode acme plugin add` command. or using the `pmgconfig acme plugin add` command.
ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`. ACME Plugin configurations are stored in `/etc/pmg/acme/plugins.cfg`.
A plugin is available for all nodes in the cluster. A plugin is available for all nodes in the cluster.
Domains Domains
@ -150,10 +154,9 @@ records via an API.
Configuring ACME DNS APIs for validation Configuring ACME DNS APIs for validation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
{PVE} re-uses the DNS plugins developed for the `acme.sh` {pmg} re-uses the DNS plugins developed for the `acme.sh`
footnote:[acme.sh https://github.com/acmesh-official/acme.sh] footnote:[acme.sh https://github.com/acmesh-official/acme.sh] project, please
project, please refer to its documentation for details on configuration of refer to its documentation for details on configuration of specific APIs.
specific APIs.
The easiest way to configure a new plugin with the DNS API is using the web The easiest way to configure a new plugin with the DNS API is using the web
interface (`Certificates -> ACME Accounts/Challenges`). interface (`Certificates -> ACME Accounts/Challenges`).
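Review bot: "{pmg} re-uses the DNS plugins developed for the `acme.sh` ... project, please refer to its documentation" is a comma splice; a period or semicolon before "please refer" fixes it. The sentence also now begins with lowercase "{pmg}" while the earlier hunk begins a sentence with "{PMG} includes an implementation"; pick one sentence-initial form of the attribute and use it in both places.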
@ -169,10 +172,10 @@ wiki for more detailed information about getting API credentials for your
provider. Configuration values do not need to be quoted with single or double provider. Configuration values do not need to be quoted with single or double
quotes, for some plugins that is even an error. quotes, for some plugins that is even an error.
As there are many DNS providers and API endpoints {pmg} autogenerates the form As there are many DNS providers and API endpoints {pmg} automatically generates
for the credentials, but not all providers are annotated yet. For those you the form for the credentials, but not all providers are annotated yet. For
will see a bigger text area, simply copy all the credentials `KEY`=`VALUE` those you will see a bigger text area, simply copy all the credentials
pairs in there. `KEY`=`VALUE` pairs in there.
DNS Validation through CNAME Alias DNS Validation through CNAME Alias
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
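Review bot: "As there are many DNS providers and API endpoints {pmg} automatically generates the form for the credentials" needs a comma after "endpoints" to close the subordinate clause. The change from "autogenerates" to "automatically generates" and the reflow of the paragraph are fine.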