
Changing/Adding SSL certificates to Proxmox

I decided to add custom CA-signed certificates to my Proxmox cluster, but the last time I did that I managed to get my cluster thoroughly broken (I did exactly what I wasn't supposed to do!).

💡
The one rule: never replace the existing pve-ssl.pem certificate or pve-ssl.key key in /etc/pve/local/. Those are signed by the cluster's own CA (/etc/pve/pve-root-ca.pem) and are used for node-to-node API communication; your custom certificate goes into separate files.

In a nutshell, updating a host's certificate is easy. Create two new files in /etc/pve/local/ (a symlink to /etc/pve/nodes/<nodename>/): pveproxy-ssl.key for the private key and pveproxy-ssl.pem for the certificate. The .pem should contain the full chain (server certificate first, then any intermediates) and the key must be unencrypted. When both files exist, pveproxy uses them instead of pve-ssl.pem/pve-ssl.key.

You should immediately see the new files in the GUI under Host -> System -> Certificates. Note that pveproxy only loads its certificate at startup, so restart it (systemctl restart pveproxy) before expecting your browser to see the new one.

This can also be done in the GUI by clicking Upload Custom Certificate, but I prefer to do it in the CLI. Repeat this on every node: /etc/pve/local/ is per node, so each host needs its own pveproxy-ssl.key and pveproxy-ssl.pem.
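As an added example (my own script, not code from the original post or from Proxmox), here is a small POSIX shell script that does the CLI route above on one node and refuses the two mistakes that matter: it only ever writes pveproxy-ssl.pem/pveproxy-ssl.key, and it checks that the private key actually belongs to the certificate before installing anything. It assumes openssl and systemctl are on the path; the PVE_LOCAL and PVE_RESTART environment variables are my additions so it can be dry-run outside a cluster.

```shell
#!/bin/sh
# install_pveproxy_cert.sh: install a custom TLS certificate for pveproxy on
# one Proxmox node by writing pveproxy-ssl.pem and pveproxy-ssl.key into
# /etc/pve/local/ and restarting pveproxy. It never touches pve-ssl.pem or
# pve-ssl.key, the cluster-CA-signed files used for node-to-node traffic.
#
# Assumptions (not from the original post): the environment variable
# PVE_LOCAL overrides the target directory (default /etc/pve/local) and
# PVE_RESTART=0 skips the service restart, so the function can be dry-run
# on a machine that is not a Proxmox node.

# Print the subjectAltName entries of the leaf certificate in $1 on one
# line, e.g. "DNS:pve1.example.com, IP Address:10.0.0.11".
pveproxy_cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^[[:space:]]*//p'
}

# Usage: install_pveproxy_cert <fullchain.pem> <privkey.pem>
# Returns 0 on success; non-zero with a message on stderr otherwise.
install_pveproxy_cert() {
    cert="$1"
    key="$2"
    target="${PVE_LOCAL:-/etc/pve/local}"

    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "private key not readable: $key" >&2; return 1; }

    # pveproxy starts unattended, so the key must not be passphrase-protected.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "refusing: $key is encrypted" >&2
        return 1
    fi

    # The key must belong to the first (leaf) certificate in the chain file:
    # derive the public key from each side and compare them.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "refusing: $cert and $key do not match" >&2
        return 1
    fi

    echo "SANs: $(pveproxy_cert_sans "$cert")"

    # Write the two files pveproxy looks for. /etc/pve is a pmxcfs mount, so
    # ownership and mode are fixed by the filesystem; do not chmod them.
    cp "$cert" "$target/pveproxy-ssl.pem" || return 1
    cp "$key"  "$target/pveproxy-ssl.key" || return 1

    # pveproxy reads its certificate at startup; restart it to serve the new one.
    if [ "${PVE_RESTART:-1}" = 1 ]; then
        systemctl restart pveproxy || return 1
    fi
    echo "installed $cert into $target"
}

# Run as: ./install_pveproxy_cert.sh fullchain.pem privkey.pem
if [ "$#" -eq 2 ]; then
    install_pveproxy_cert "$1" "$2"
fi
```

Run it once per node with the node's (or the shared) chain and key. The public-key comparison is the check worth keeping even if you install by hand: a cert/key mismatch is the most common reason pveproxy fails to come back up after a restart.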

I created a single certificate that covers all of my hosts: every host name and every host IP address as subject alternative names, plus a DNS alias that resolves to all of them. This lets me use one certificate file and one key file on every node, and it also makes it easy to configure my IdP to authenticate against the cluster.

If you run into an error like Connection error 596: error:0A000086:SSL routines::certificate verify failed, that typically means one node's pveproxy can no longer verify another node's internal pve-ssl.pem against the cluster CA. Regenerate the internal certificates and restart pvedaemon and pveproxy:

pvecm updatecerts -F && systemctl restart pvedaemon pveproxy

If anything goes wrong (problems in cluster communication), you can recreate the cluster communication certificates with pvecm updatecerts --force; -F above is the short form of the same flag.

And that's it. If you run your own CA, the only thing left is to trust your root certificate on your client machines; after that you should be able to reach the Proxmox GUI without warnings.