Differences

This shows you the differences between two versions of the page.

--- infra:operations:proxmox-acme-dns [2026/05/24 18:47] – atluxity_idp.hackeriet.no
+++ infra:operations:proxmox-acme-dns [2026/05/24 18:59] (current) – atluxity_idp.hackeriet.no
@@ Line 68: / Line 68: @@
 Use DNS-01 challenge delegation for Proxmox node certificates.
-Add stable CNAME records in hackeriet.no for each Proxmox node that needs automated certificates. The CNAME targets should live in an automation-friendly validation zone or service such as acme-dns.
+Add stable CNAME records in hackeriet.no for each Proxmox node that needs automated certificates. The CNAME targets should live in an automation-friendly validation zone or service such as acme-dns - [[https://github.com/acme-dns/acme-dns]] .
 Security properties:
@@ Line 79: / Line 79: @@
 This should be preferred over exposing Proxmox management publicly or giving host006/host007 broad DNS write access.
-===== Suggested rollout =====
-  - Pick or deploy the validation backend. acme-dns is a common small service for this purpose.
-  - Create per-host validation names and credentials.
-  - Add CNAME records in hackeriet.no for host006 and host007 _acme-challenge names.
-  - Bump SOA serial, check the zone, reload NSD, and verify secondaries.
-  - Configure Proxmox ACME DNS validation for host006 first.
-  - Issue or renew the host006 certificate.
-  - Verify pveproxy serves the new certificate.
-  - Test Hacker-ID login against host006 after TLS is fixed.
-  - Repeat for host007.
-===== Risks and constraints =====
-  * Do not expose Proxmox port 8006 publicly just to make HTTP-01 work.
-  * Do not put broad hackeriet.no DNS credentials on Proxmox hosts.
-===== References =====
-  * [[infra:operations:proxmox-maintenance|Proxmox maintenance]]
-  * [[infra:clusters:klynge001|klynge001]]
-  * [[infra:hosts:blade|blade]]
-  * [[infra:services:hacker-id|Hacker-ID]]