Lets Encrypt - 4 Server behind Nethserver

Hi,

Quite difficult to describe. This is neither a real request for support nor is it a bug or support. But let's describe it step by step:

I do have Nethserver running as a VM guest on Proxmox. My router’s open ports (80, 443 …) are all redirected to Nethserver. Nethserver has vhosts and reverse proxy installed to share the requests based on domain names, e.g. dms.mydomain.tld is redirected to 172.x.y.z:8080 (the respective IP of my DMS server). Other domain names (e.g. www.mydomain.tld, intranet.mydomain.tld, mail.mydomain.tld) are handled by Nethserver itself. I have an “all in one” LE certificate on Nethserver covering approx. 10 different names. This works perfectly.

Now I would like to integrate an LE certificate within Proxmox. Proxmox offers to call its own LE certificate. My initial idea was to generate a reverse proxy for proxmox.mydomain.tld and point it to the respective IP of the Proxmox server - all I get is an error during HTTP validation. Does anybody have an idea on how to set it up correctly?

I think the basic question is “how to forward LE requests and validation answers via Nethserver to an internal IP”.

Here is the respective proxy configuration on NS:

[screenshot of the proxy configuration]

Another idea would be to integrate proxmox.mydomain.tld in the LE Nethserver certificate - but how do I get the server transferred regularly upon renewal from NS to Proxmox?

TIA
Thorsten

@thorsten

Hi Thorsten

Note:

Exposing the Proxmox interface to the Web is NOT a good idea, even if you install Fail2ban, etc. on Proxmox.
For all my clients, and at home, it’s mandatory to have either VPN, or an internally accessible PC, eg via Anydesk or RDP, again ideally over VPN to access the Proxmox Interface.

You could use a so called “programming hook” on the LetsEncrypt script (at the end of the script) to copy the SSL certs over to whatever host you may need, eg your AD (on NethServer!).

This procedure does work, and has been described several times here, but almost only for OPNsense and AD (Using AD users in OPNsense for OpenVPN…).

My 2 cents
Andy

Hi @Andy,

thank you for your concern about security. But this is not my point.

  • I do not intend to forward port 8006, but I want a valid certificate. It is annoying to install the self-signed certificate, and especially in the Proxmox iOS app.
  • I activated 2FA within Proxmox. I do even use it internally for security purposes. So if I decide differently (and use the Proxmox web interface over the internet), I feel quite safe.

The other point seems to be quite interesting - I would like e.g. to apply this solution to my router. I would really like to use it within AD. Do you have any details on the “programming hook”?

TIA
Thorsten

@thorsten

You’d need to ask our forum user @Elleni - I gave him the initial idea, and Mrmarkuz also helped with details.

But he has it working so far… :slight_smile:

I am quite sure he’ll help with a few “pointers” to get you going in the right direction…

I intend on doing this too, but am waiting for newer hardware end of Sept…

Basics:

There is an internal script LetsEncrypt uses and calls when it’s time for renewal.
A programming hook is basically using an existing piece of code as trigger, to call your own script at the right moment.
And who or what knows better than LetsEncrypt on your NethServer, when it renews certificates?
If they’re copied over (eg scp/rsync) right after the renewal, you have almost zero interruption…

You still need an external DNS entry, eg for your Proxmox, pointing to your external IP (I call this gateway, eg gw.domainname.com). The 80 and 443 Ports are forwarded to your NethServer, which forwards (correct: reverse proxies) them to the right internal hosts.

My 2 cents
Andy

1 Like

Yes, to the best of my knowledge, Proxmox uses port 80 only and the server is open only during certificate request / renewal: at least during the initial request, the HTTP server on Proxmox is available just for 5 seconds. I tried http://proxmox.mydomain.tld during the check and it gave a 404 error outside the 5 second window. This makes me quite confident that the system seems to be relatively safe.

Best regards
Thorsten

AFAIK, Proxmox is as solid as Linux gets! :slight_smile:

I’d also add in fail2ban, screen, nano, htop and mc as tools, but I’m quite happy with Proxmox as it is.
As a monitoring freak, I always add in snmp and zabbix… :slight_smile:

If NethServer is handling your LetsEncrypt, no need for Proxmox to open up ports! (Don’t set LetsEncrypt on Proxmox, Proxmox doesn’t need to know LetsEncrypt is providing the certs, they are valid, that’s enough!)

My 2 cents
Andy

My solution to this basic problem is to use DNS validation, and usually acme.sh. If your DNS host has an API that acme.sh supports, well and good. If not, you can use acme-dns for this purpose–see https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

As to obtaining the cert itself, it looks like Proxmox has built-in support for DNS validation:
https://pve.proxmox.com/wiki/Certificate_Management#sysadmin_certs_acme_dns_challenge

Otherwise it’s simple enough to just add a systemctl restart pveproxy as your reload command once a new cert has been issued.

2 Likes

I really like the wildcard solution. I think I got the core, but it is a little beyond my Linux horizon. I do not dare to apply it manually on my productive system. I will need much more understanding of DNS record setup, ACME.SH and so on. I hope that wildcard LE certificates will be included in the server manager.

TY
Thorsten

Since they can only be issued with DNS validation, it seems unlikely–unless Neth begins to operate their own acme-dns instance, as I’ve long advocated. But barring that, they’re something that will have to be done at the CLI.

1 Like

I am not sure if I can be of any help here, but at least on the question of how to transfer a certificate from Nethserver to another server upon renewal, I got the hint from Giacomo, which works fine for me. :slight_smile:

3 Likes

I think the previous reply by @elleni is a good solution! :white_check_mark:

Credits go to @giacomo for his answer:

You can obtain the same behavior by adding a script inside the certificate-update event, which is fired every time the certificate changes.
Example: /etc/e-smith/events/certificate-update/S80push2router

#!/bin/bash
# Fired by the NethServer certificate-update event, i.e. whenever the certificate changes.
# <fqdn> is the Let's Encrypt lineage directory under /etc/letsencrypt/live,
# <your_file> the target directory on the router.

scp /etc/letsencrypt/live/<fqdn>/{fullchain.pem,privkey.pem} root@router:/etc/<your_file>/
3 Likes

I think so, too. But I think the command should be:

sshpass -p "foobar." scp /etc/letsencrypt/live/ebb-s01.ebbinghaus.world-0004/{fullchain.pem,privkey.pem} root@server:/etc/tfolder/

1 Like

Well, I added a key so I can do a passwordless ssh/scp :slight_smile:

2 Likes
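An added example, not from this thread nor from NethServer or Proxmox, that combines Giacomo's certificate-update hook with the key-based scp Elleni uses and the pveproxy restart mentioned earlier, and adds a sanity check on the files before pushing them. The hook name, the certificate name, the target host and the Proxmox destination file names are assumptions.

```shell
#!/bin/bash
# Hypothetical hook: /etc/e-smith/events/certificate-update/S80push2proxmox
# NethServer fires certificate-update whenever the certificate changes; this
# pushes the renewed pair to a Proxmox node over key-based scp (no sshpass)
# and restarts pveproxy so it serves the new certificate.
set -euo pipefail

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
CERT_NAME="${CERT_NAME:-proxmox.mydomain.tld}"   # assumed lineage dir name under live/
TARGET="${TARGET:-root@proxmox.mydomain.tld}"    # assumed; reachable with an SSH key
TARGET_DIR="${TARGET_DIR:-/etc/pve/local}"       # assumed Proxmox custom-cert location
SCP="${SCP:-scp}"; SSH="${SSH:-ssh}"             # overridable for dry runs
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes"  # never prompt from a hook

# check_cert_files DIR: both PEM files exist, are non-empty, and the private
# key is not world-readable (live/ entries are symlinks, hence stat -L).
check_cert_files() {
  local dir="$1" f
  for f in fullchain.pem privkey.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  case "$(stat -L -c '%a' "$dir/privkey.pem")" in
    *[1-7]) echo "privkey.pem is world-readable" >&2; return 1 ;;
  esac
  return 0
}

# push_cert DIR: copy the pair under the names pveproxy expects, then restart it.
push_cert() {
  local dir="$1"
  check_cert_files "$dir" || return 1
  $SCP $SSH_OPTS "$dir/fullchain.pem" "$TARGET:$TARGET_DIR/pveproxy-ssl.pem"
  $SCP $SSH_OPTS "$dir/privkey.pem"   "$TARGET:$TARGET_DIR/pveproxy-ssl.key"
  # pveproxy reads the files only at start-up, so restart it on the node
  $SSH $SSH_OPTS "$TARGET" 'systemctl restart pveproxy'
}

# When run as the event hook: push if the lineage exists, otherwise do nothing
# (and do not fail the event) so a missing cert name is visible in the log.
if [ -d "$LE_LIVE/$CERT_NAME" ]; then
  push_cert "$LE_LIVE/$CERT_NAME"
else
  echo "no certificate lineage at $LE_LIVE/$CERT_NAME, nothing pushed" >&2
fi
```

The hook must be executable and the NethServer root key must be authorized on the Proxmox node, otherwise BatchMode makes scp fail instead of hanging on a password prompt.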