SSL Certificates for Proxmox Backup Server through Cloudflare

SSL Certificates for Proxmox Backup Server through Cloudflare

When accessing the Proxmox Backup Server web interface, by default you'll get a warning about the SSL certificate not being valid. If you have a domain in Cloudflare then you can use their API with the help of Lets Encrypt to generate a valid certificate. Note once you've done this you also won't be required to enter a fingerprint on your Proxmox VE hosts for backing up as you'll be using a valid SSL certificate.

Cloudflare

To get started, login to the Cloudflare Dashboard to generate an API token.

Login and go to My Profile by clicking on your profile picture in the top-right corner then choosing My Profile.

Choose API Tokens on the left hand side then choose Create Token.

Under API token templates, choose 'Edit zone DNS' - this will give Certbot permission to make a temporary DNS record to validate your domain ownership.

In the next window titled Create Token, you can choose to give your token a name and specify the domain that you want to generate a certificate for. If you have a static public IP where your Proxmox server resides then you can put this into the Client IP Address Filtering box. If you're not sure then just leave this as the default which is nothing.

Once all filled in, it should look similar to this...

Now choose Continue to Summary, then Create Token.

Your new API token should then be shown on screen, keep this somewhere safe for later.

Proxmox Backup Server

Login to your Proxmox Backup Server web GUI and down the left hand side go to Configuration -> Certificates -> ACME Accounts

Then under the Accounts section, click Add.

Fill out the Register Account prompt by entering an account name, email address and accepting the terms of service as below. Click on Register once done.

Next, click on Add under Challenge Plugins, then fill this out similar to the below.

Replace yourtokenhere with the token you generated earlier in Cloudflare.

Once done click Add then go back to the Certificates tab at the top.

Under ACME, click Add, then fill this out similar to the below.

Click Create once you're finished.

Now click Order Certificates Now.

Once this process has been completed you will see TASK OK in the log.

Now you can create a local DNS record that points what you put in the Domain box previously to the IP address of your Proxmox Backup Server. For example I would create a record that points PBS.jdbnet.co.uk to 192.168.1.2

If you don't have a local DNS server, you could create this in the hosts file on your computer instead.

That's it, you should now have a valid SSL certificate in Proxmox Backup Server.

Proxmox VE

Finally, to backup your Proxmox VMs to this Proxmox Backup Server without having to change a fingerprint every time your certificate renews, follow these instructions.

Login to your Proxmox VE web GUI.

At the Datacenter level, go to Storage -> Add -> Proxmox Backup Server

Fill out the window a little something like this making sure to enter the correct URL for PBS, and username and password for your PBS server.

Make sure to leave the fingerprint blank.

Click Add, if you get an error then it's likely that you either don't have local DNS or it isn't working correctly.

If you don't have local DNS then come out of this and go to Your Node -> Hosts

Create a new line for your PBS such as... 192.168.1.2 PBS.jdbnet.co.uk

Then retry the previous step of adding the Proxmox Backup Server.