
Proxmox management certificate with gcloud

Built-in Let’s Encrypt-signed certificates are very nice, but setting them up was a bit of a pain. Here’s a guide on how to do it with gcloud (based on this excellent forum post) and some generic Proxmox certificate guides.

Begin by creating a service account in your Google Cloud console. Give it the minimum permissions needed to manage record sets in the Cloud DNS zone that holds your Proxmox hostname (a DNS-01 challenge only needs to create and delete TXT records, so don’t hand it a project-wide editor role), and download the service account key as a JSON file.

Then open a root shell on the Proxmox host and run these commands, replacing the service account name and key file name with those of your service account:

# Add the Cloud SDK distribution URI as a package source
# (plain tee rather than tee -a: re-running the guide must not duplicate the entry)
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee /etc/apt/sources.list.d/google-cloud-sdk.list

# Import the Google Cloud Platform public key into the keyring named above
# (apt-key is deprecated; gpg --dearmor writes the binary keyring directly)
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg

# Update the package list and install the Cloud SDK
apt-get update && apt-get install -y google-cloud-sdk

# Stage the service account key where the unprivileged "nobody" user can read it,
# and nobody else can: this key grants write access to your DNS zone.
mkdir -p /home/nobody/.config
cp dns-google-creds-mine.json /home/nobody/
chown -R nobody:nogroup /home/nobody/
chmod 700 /home/nobody /home/nobody/.config
chmod 600 /home/nobody/dns-google-creds-mine.json

# Activate the service account as "nobody". --reset-env takes HOME from the passwd
# entry (/nonexistent for nobody on Debian), so set HOME explicitly: the gcloud
# config must land in /home/nobody/.config, the HOME the ACME plugin is given below.
setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- env HOME=/home/nobody /usr/bin/gcloud auth activate-service-account proxmox@my-project.iam.gserviceaccount.com --key-file=/home/nobody/dns-google-creds-mine.json

Once the activation has succeeded you should see this output:

Activated service account credentials for: [proxmox@my-project.iam.gserviceaccount.com]

Then go to your Proxmox web interface and click on Datacenter at the top left. Scroll down the settings list until you find the option called ACME.

Under Challenge Plugins, click Add. Give the plugin an ID of your choosing, pick gcloud as the DNS API, and paste these lines into the API Data field (replace my-project with your gcloud project ID, and the key path if you used a different one; the HOME line is what makes gcloud find the account you activated above):

HOME=/home/nobody
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/home/nobody/dns-google-creds-mine.json
CLOUDSDK_CORE_PROJECT=my-project

Then go to your node in the web UI and open the Certificates setting. Click Add under ACME, pick DNS as the Challenge Type, pick your plugin from the list, enter the FQDN of your Proxmox server and click Create.

Finally, click Order Certificates Now and wait for Let’s Encrypt to confirm the answer to its DNS-01 challenge: the plugin publishes a TXT record at _acme-challenge.<your fqdn> through gcloud, Let’s Encrypt looks it up, and the record is removed again afterwards. If validation fails, the task log shows what the plugin ran, and `dig TXT _acme-challenge.<your fqdn>` tells you whether the record was ever published; a service account that can read but not write the zone is the usual cause.
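The same setup from the Proxmox host shell with pvenode, as an added example that is not part of the original post. It writes the plugin data block from the GUI step to a 0600 file, checks that the staged key is not readable by other users, runs gcloud as nobody exactly the way the activation step did to confirm the service account can actually see the zone, then registers the plugin, binds the node’s FQDN to it and orders the certificate. The zone name example-zone, the plugin ID gcloud-dns, the hostname pve.example.com and the 60-second validation delay are assumptions; it also assumes an ACME account is already registered under Datacenter → ACME, and that dnsutils is installed for the final dig check.

```shell
#!/bin/sh
# Added example, not the post's own commands. pvenode equivalents of the GUI steps,
# plus a preflight that the GUI does not give you.
set -eu

KEY_FILE=/home/nobody/dns-google-creds-mine.json   # staged as in the post
GCLOUD_HOME=/home/nobody                           # HOME the plugin hands to gcloud
PROJECT=my-project                                 # hypothetical project ID
ZONE=example-zone                                  # hypothetical Cloud DNS managed zone
PLUGIN_ID=gcloud-dns                               # hypothetical plugin ID
FQDN=pve.example.com                               # hypothetical node name

# Write the three lines the GUI asks you to paste, as a file pvenode --data can
# read. Created with umask 077 in a subshell: it names the key file and project.
write_plugin_data() {
    out=$1; home=$2; key=$3; project=$4
    (
        umask 077
        printf 'HOME=%s\nCLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=%s\nCLOUDSDK_CORE_PROJECT=%s\n' \
            "$home" "$key" "$project" > "$out"
    )
}

# DNS-01 publishes the token in a TXT record at this name.
challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# True only if the file is readable by its owner alone (mode 600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Preflight: refuse a world-readable key, then list one record set of the zone as
# nobody. Needs network and the activated account, so it is not run by default.
preflight() {
    key_is_private "$KEY_FILE" || { echo "$KEY_FILE is readable by others" >&2; return 1; }
    setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- \
        env HOME="$GCLOUD_HOME" CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="$KEY_FILE" \
        gcloud dns record-sets list --project "$PROJECT" --zone "$ZONE" --limit 1 >/dev/null
}

# CLI equivalent of Datacenter -> ACME -> Challenge Plugins -> Add, then
# Node -> Certificates -> Add (DNS), then Order Certificates Now.
register_and_order() {
    data=$(mktemp)
    write_plugin_data "$data" "$GCLOUD_HOME" "$KEY_FILE" "$PROJECT"
    # validation-delay: extra seconds to wait before asking Let's Encrypt to check,
    # for zones whose TXT records take a while to become visible.
    pvenode acme plugin add dns "$PLUGIN_ID" --api gcloud --data "$data" --validation-delay 60
    rm -f "$data"
    pvenode config set --acmedomain0 "domain=$FQDN,plugin=$PLUGIN_ID"
    pvenode acme cert order
    # After a successful order the challenge record should be gone again.
    dig +short TXT "$(challenge_name "$FQDN")"
}

case "${1:-}" in
    preflight) preflight ;;
    order)     register_and_order ;;
esac
```

Run it as `sh setup.sh preflight` first; only if that succeeds run `sh setup.sh order`. The preflight lists record sets rather than writing one, so a read-only service account passes it yet still fails the real order: if you want a stronger check, create and delete a throwaway TXT record with `gcloud dns record-sets transaction` against the same zone.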

Good luck!
