Proxmox SSL Certificate with Let's Encrypt using Cloudflare

George
Sep 25, 2023

Secure your Proxmox instance quickly with an SSL certificate from Let's Encrypt when using Cloudflare.

Getting Started

Before you can continue, you will need the following:

  • A Domain Name (You can also register for a domain directly with Cloudflare)
  • Proxmox instance with admin permissions

Once we have those bits, let's get started!

Open Cloudflare for your Domain

First open Cloudflare and select your account and website/domain.

On the bottom right there should be a section called “API” which has “Zone ID” and “Account ID”. Make a note of your “Account ID”; you’ll need it later when you return to Proxmox.

Create a DNS A Record on Cloudflare

First create a DNS record with Cloudflare: navigate to your domain, then select “Records” under the “DNS” option.

From here, press Add a record.

Set your name (i.e. this-part.example.com) and the IP address you want to point it at. You’ll have the option to proxy it through Cloudflare. If you’ll be accessing the IP address (via the domain) using a non-standard port (such as 8006), uncheck the Proxy Status.

First part done! You should now be able to access your Proxmox instance via the A record you set, e.g. https://proxmox.example.com:8006. You’ll still have a certificate warning for now.

Creating the Cloudflare API token

Now that we have the domain set, let's get the necessary details from Cloudflare to tell Let's Encrypt to create the SSL certificate for us.

Click on the Get your API token link on the bottom right of the “Overview” Page and then click on Create Token. You can also access this by clicking the top right icon, selecting “My Profile” and then clicking on “API Tokens”.

After clicking on Create Token, you’ll be able to use the “Edit zone DNS” template. Use this template and select the appropriate values under Zone Resources. You can restrict this token further for security if you wish.

Once you have created your token, make sure you copy it as it will not be shown again.

This now completes the Cloudflare section. You should have an API token with “Edit Zone DNS” permissions at this point.

Configuring Proxmox

The part you’ve been waiting for. Return to Proxmox (using the new domain if you wish!) and navigate to the ACME section, which can be found under Datacenter and then ACME.

Here we’ll press Add under “Challenge Plugins”.

Populate CF_ACCOUNT_ID and CF_TOKEN with the values copied earlier and press Add.

Next press Add under Accounts and complete the registration.

You should receive an output as follows

Finally, go to your Node and click on Certificates under System. Create a domain by pressing Add under the ACME header.

Change the challenge type from HTTP to DNS, select the plugin you created when the dropdown appears, and finally set the domain created earlier.

After creating it, you can now press Order Certificates Now and that's it, you’re finished! You should now be able to access your Proxmox instance via the domain rather than an IP address. Note that if you have not changed the port configuration, you will still have to access it with the port appended, such as https://prox.example.com:8006.
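
A check for the result of the steps above, as an added example that is not part of the original post: it connects to the Proxmox web port with normal certificate verification and reports whether the served certificate was issued by Let's Encrypt, covers the hostname and is not close to expiry. The function names, the 14-day threshold and the sample certificate are assumptions made for this example.

```python
import socket
import ssl
import time

EXPECTED_ISSUER_ORG = "Let's Encrypt"  # assumption: certificate ordered as in this guide
# Constructed sample in ssl.getpeercert() format, for trying check_cert() offline.
SAMPLE = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "proxmox.example.com"),),
    "notAfter": "Dec 24 12:00:00 2023 GMT",
}


def san_matches(pattern, host):
    """Exact match, or a single-label wildcard such as *.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_cert(cert, host, now=None, min_days=14):
    """Return a list of problems for a dict in ssl.getpeercert() format."""
    now = time.time() if now is None else now
    problems = []
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != EXPECTED_ISSUER_ORG:
        problems.append("unexpected issuer: %r" % issuer.get("organizationName"))
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(s, host) for s in sans):
        problems.append("%s not in subjectAltName %r" % (host, sans))
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < min_days:
        problems.append("expires in %.0f days" % days_left)
    return problems


def check_host(host, port=8006, timeout=5):
    """Connect with default verification; a self-signed certificate fails here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return ["chain/hostname verification failed: %s" % exc.verify_message]
    except OSError as exc:
        return ["connection failed: %s" % exc]
```

Call check_host("proxmox.example.com") from a machine that can reach port 8006; an empty list means every check passed.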

Next Steps

With a proper certificate installed, you can now set up WebAuthn for your 2FA. Give it a go!
