infra:operations:proxmox-acme-dns

Differences

infra:operations:proxmox-acme-dns [2026/05/24 18:39] – created atluxity_idp.hackeriet.no
infra:operations:proxmox-acme-dns [2026/05/24 18:59] (current) atluxity_idp.hackeriet.no
Line 1: Line 1:
 ====== Proxmox ACME DNS automation ====== ====== Proxmox ACME DNS automation ======
  
-This page documents the certificate renewal problem for the Proxmox management hosts and the preferred automation directionIt is a design note and operational plannot an inventory source of truth.+I think we should have valid HTTPS also for internal servicesI think it makes life easier for everyone. My one usecase here is Proxmox and the klynge001but there is no reason for this to only be usable for those hosts.
  
 ===== Problem ===== ===== Problem =====
  
-The Proxmox web interfaces on host006 and host007 were observed serving expired Let's Encrypt certificates+The Proxmox web interfaces on host006 and host007 were observed serving expired Let's Encrypt certificates.
- +
-  * host006.hackeriet.no:8006 served a certificate that expired in 2025-05. +
-  * host007.hackeriet.no:8006 served a certificate that expired in 2025-04.+
  
 Both nodes have Proxmox ACME configuration, but renewal attempts failed with invalid ACME challenge status. Both nodes have Proxmox ACME configuration, but renewal attempts failed with invalid ACME challenge status.
  
-Current DNS for the node names resolves to internal management addresses+Current DNS for the node names resolves to internal management addresses.
- +
-  * host006.hackeriet.no -> 10.10.50.26 +
-  * host007.hackeriet.no -> 10.10.50.27+
  
 This means HTTP-01 validation is not a good fit. Let's Encrypt cannot validate an internal/VPN-only Proxmox management endpoint unless that endpoint is deliberately exposed or routed from the public internet. We do not want to expose Proxmox management publicly just to renew certificates. This means HTTP-01 validation is not a good fit. Let's Encrypt cannot validate an internal/VPN-only Proxmox management endpoint unless that endpoint is deliberately exposed or routed from the public internet. We do not want to expose Proxmox management publicly just to renew certificates.
  
-Expired browser-facing TLS on Proxmox can also interfere with browser-based Hacker-ID/OpenID login flows. The Hacker-ID OIDC metadata endpoint was reachable when checked, so the obvious first fix is Proxmox TLSnot changing Hacker-ID.+Expired browser-facing TLS on Proxmox can also interfere with browser-based Hacker-ID/OpenID login flows, I thinkNot confirmed thats the issuebut anyways 
  
 ===== Current DNS setup ===== ===== Current DNS setup =====
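Review bot: the rewritten first paragraph and the two deleted lists drop the evidence the rest of this section relies on: the observed expiry months for host006/host007 (2025-05, 2025-04) and the internal management addresses (10.10.50.26, 10.10.50.27) are removed, yet the unchanged paragraph that follows still concludes "This means HTTP-01 validation is not a good fit" from those addresses. If the addresses were taken out on purpose to keep internal addressing off the wiki, say so and keep at least the statement that the names resolve to private/VPN-only addresses; otherwise keep the two lines. The replacement Hacker-ID sentence also ends mid-thought ("but anyways") and discards the one verified observation in the old text (the OIDC metadata endpoint was reachable when checked), which is exactly the note that tells the next operator not to start by changing Hacker-ID; suggest finishing the sentence and keeping that check result, e.g. "Not confirmed that TLS is the cause; the Hacker-ID OIDC metadata endpoint was reachable when checked, so fix Proxmox TLS first." The dropped scope sentence ("a design note and operational plan, not an inventory source of truth") is worth keeping too, since it is what stops people treating the hostnames and addresses here as authoritative.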
Line 25: Line 19:
 Hackeriet hosts authoritative DNS for hackeriet.no on blade using NSD. Hackeriet hosts authoritative DNS for hackeriet.no on blade using NSD.
  
-Observed paths on blade: +The hackeriet.no zone is also transferred to external secondary, ns.hyp.net.
- +
-  * NSD config: /etc/nsd/nsd.conf.d/hackeriet.conf +
-  * Zone file: /etc/nsd/pz/hackeriet.no +
-  * Zone repository: /etc/nsd/pz +
-  * Git remote: git@github.com:hackeriet/ns +
- +
-The hackeriet.no zone is also transferred to external secondariesincluding ns.hyp.net.+
  
 Safe manual DNS changes should: Safe manual DNS changes should:
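Review bot: the "Observed paths on blade" list (NSD config, zone file, zone repository, Git remote) is removed while the "Safe manual DNS changes should:" procedure that follows it stays, so an operator following that procedure no longer knows which file to edit or which repository the zone is tracked in; either keep the list or replace it with a link to the blade host page where those paths are documented. The rewrite also narrows "external secondaries, including ns.hyp.net" to a single "external secondary, ns.hyp.net": that is a factual change rather than a wording fix, and it matters because the propagation checks for DNS-01 have to cover every secondary that Let's Encrypt may query, so confirm against the NSD notify/transfer configuration that ns.hyp.net is the only one before committing the singular.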
Line 81: Line 68:
 Use DNS-01 challenge delegation for Proxmox node certificates. Use DNS-01 challenge delegation for Proxmox node certificates.
  
-Add stable CNAME records in hackeriet.no for each Proxmox node that needs automated certificates. The CNAME targets should live in an automation-friendly validation zone or service such as acme-dns.+Add stable CNAME records in hackeriet.no for each Proxmox node that needs automated certificates. The CNAME targets should live in an automation-friendly validation zone or service such as acme-dns - [[https://github.com/acme-dns/acme-dns]] .
  
 Security properties: Security properties:
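Review bot: style point on the added link: " - [[https://github.com/acme-dns/acme-dns]] ." leaves a stray space before the period and renders the bare URL; the page's other links use the [[target|text]] form, so "such as [[https://github.com/acme-dns/acme-dns|acme-dns]]." reads better. On substance, it is worth a sentence under "Security properties:" that with delegation the acme-dns instance becomes the trust boundary for every delegated name (whoever can update its records can pass DNS-01 for those hosts), so its own access control, update credentials and host placement belong in this design note next to the per-host credentials, even though the delegation correctly keeps broad hackeriet.no write access off host006/host007.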
Line 92: Line 79:
  
 This should be preferred over exposing Proxmox management publicly or giving host006/host007 broad DNS write access. This should be preferred over exposing Proxmox management publicly or giving host006/host007 broad DNS write access.
- 
-===== Suggested rollout ===== 
- 
-  - Pick or deploy the validation backend. acme-dns is a common small service for this purpose. 
-  - Create per-host validation names and credentials. 
-  - Add CNAME records in hackeriet.no for host006 and host007 _acme-challenge names. 
-  - Bump SOA serial, check the zone, reload NSD, and verify secondaries. 
-  - Configure Proxmox ACME DNS validation for host006 first. 
-  - Issue or renew the host006 certificate. 
-  - Verify pveproxy serves the new certificate. 
-  - Test Hacker-ID login against host006 after TLS is fixed. 
-  - Repeat for host007. 
- 
-===== Verification commands ===== 
- 
-Check authoritative DNS: 
- 
-  * dig @ns0.hackeriet.no SOA hackeriet.no 
-  * dig @ns.hyp.net SOA hackeriet.no 
- 
-Check challenge delegation and TXT visibility: 
- 
-  * dig @ns0.hackeriet.no CNAME _acme-challenge.host006.hackeriet.no 
-  * dig @ns.hyp.net CNAME _acme-challenge.host006.hackeriet.no 
-  * dig @ns0.hackeriet.no TXT _acme-challenge.host006.hackeriet.no 
-  * dig @ns.hyp.net TXT _acme-challenge.host006.hackeriet.no 
- 
-Check the served Proxmox certificate: 
- 
-  * echo | openssl s_client -connect host006.hackeriet.no:8006 -servername host006.hackeriet.no 2>/dev/null | openssl x509 -noout -subject -issuer -dates -ext subjectAltName 
-  * echo | openssl s_client -connect host007.hackeriet.no:8006 -servername host007.hackeriet.no 2>/dev/null | openssl x509 -noout -subject -issuer -dates -ext subjectAltName 
- 
-===== Risks and constraints ===== 
- 
-  * Do not expose Proxmox port 8006 publicly just to make HTTP-01 work. 
-  * Do not put broad hackeriet.no DNS credentials on Proxmox hosts. 
-  * Do not change Hacker-ID/OpenID configuration until TLS is fixed and retested. 
-  * Do not document ACME account keys, DNS update credentials, or client secrets in the wiki. 
-  * Remember that blade hosts DNS and is itself a VM on host007. Keep local notes before maintaining host007. 
- 
-===== References ===== 
- 
-  * [[infra:operations:proxmox-maintenance|Proxmox maintenance]] 
-  * [[infra:clusters:klynge001|klynge001]] 
-  * [[infra:hosts:blade|blade]] 
-  * [[infra:services:hacker-id|Hacker-ID]] 
- 
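Review bot: this hunk deletes the Suggested rollout, Verification commands, Risks and constraints and References sections outright and adds nothing in their place, which turns the page from an operational plan back into a bare problem statement; if the content moved elsewhere, replace it with a link, otherwise keep it. Two items in particular should survive: the risk line "blade hosts DNS and is itself a VM on host007" (the DNS-01 dependency runs through the very host being maintained, which is why the rollout does host006 first and host007 last, with local notes), and the rule not to record ACME account keys, DNS update credentials or client secrets in the wiki. The verification commands are also the only place the page states how to prove the _acme-challenge CNAME and TXT records are visible from ns.hyp.net before a renewal is attempted, and the References were the only links to blade and klynge001, which the new introduction now mentions by name.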
/srv/hackeriet-wiki/dokuwiki/data/attic/infra/operations/proxmox-acme-dns.1779647951.txt.gz · Last modified: by atluxity_idp.hackeriet.no