Xen Orchestra from source with Let's Encrypt certificates
-
Ping @julien-f about XO, if we can have this documented and if it's the best way
Regarding XCP-ng, I'm aware about some related work from XAPI developers. Pinging @psafont
-
I think when I last asked @julien-f about this he said it work work (just as you described), but the issue is xo-server will not reload certs without restarting the process. So the next time your let's encrypt instance updates those certs, xo-server will have no idea and you'll need to schedule a restart of that service after certs are updated
-
@fohdeesha just realized that I forgot to mention two steps (key- based ssh authentification from pfsense to
xofor useracme@xo.myplaylab.netand makingacmemember of sudo onxowith limited sudo rights). The acme plugin configuration allows adding shell commands which are executed after the LE certification renewal (e.g.ssh acme@xo.myplaylab.net "sudo /bin/systemctl restart xo-server"to force xo-server to reload the certififcates).Wow, this now reads more complicated than it realy is
-
Did a complete rewrite with better structure and focus on the interaction between pfsense and Xen Orchestra. Skipped the part of setting up the acme plugin for Webroot FTP as well, because it is very specific to my setup.
-
@olivierlambert Regarding XCP-ng - just generated a Let's Encrypt certificate for one of my xcp-ng test hosts
xcp01.myplaylab.net(XCP-ng 8.2 beta fully patched), replaced the/etc/xensource/xapi-ssl.pemwith the LE certificatexcp01.myplaylab.net.all.pemwhile keeping the namexapi-ssl.pemand did axe-toolstack-restart. That seems to work, since I get a valid LE certificate and secure connection when accessinghttps://xcp01.myplaylab.net. Could it be that simple
? Do not have a pool and xo available right now, so just wondering...I was just too curious - the xcp-ng test host can be added to Xen Orchestra with the LE certificate - no need to accept unauthorized certificates anymore
-
Now you can even replace the cert via XO web UI (see https://xen-orchestra.com/blog/xen-orchestra-5-52/#xcpngxenserverhostscertificatesmanager)
-
Hi,
I'm testing using certbot to install SSL cert for XOCE using Lets Encrypt instructions but need to know what is the path for XOCE webroot?
Thx,
SW
-
@stevewest15 those instructions will not work as XOA is running on node and does not have a physical "web root" folder like you are thinking of. Also @gskger please be cautious about scheduling xo-server restarts, doing so interrupts and breaks any task xo-server is running at that time, like backups etc. I believe this is one of the main reasons we haven't implemented let's encrypt integration into XOA, it's not as simple as just firing off an xo-server restart everytime LE certs are updated - this would break a lot of important backups for the majority of our customers. We would need to add some type of sensing to see xo-server's current status, and schedule the restart for when there's no longer any tasks running
-
@fohdeesha good to know, thank you. Maybe setting some xo flag through cli telling xo-server to restart when convinient might be a way to automate the process of cert updates?
-
H hellst0rm referenced this topic on
-
@gskger Why don't you install acme.sh or something similar on XO host and deploy from there. No need to use pfSense.
-
@fohdeesha Does a HUP signal reload the config? Can it also check for updated certs?
It's not a restart it's just a config change check.
-
@kevdog Internal server can not be reached from the internet (no port forwarding so no HTTP challenge) and my hosting provider does not have an API for DNS challenges. Thats why I use pfSense "on the edge" at the moment. I admit that a cheap VPS runing acme.sh could do the trick, but my automation works and I am lazy
. -
The real solution will be to get XOA as a certification authority and then manage all XCP-ng's hosts certs
-
Having XO from source or XOA act as a certification authority for the XCP-ng hosts is for sure a good approach. Would be great if that could include the VMs running on the XCP-ng hosts, which is my main goal (apart from being able to HTTPS into XO from source of course).
