[pve-devel] [PATCH manager] Allow non-self-signed override certificate for API
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Mar  8 15:55:33 CET 2016
If the files pveproxy-ssl.pem and pveproxy-ssl.key are
available for a node (i.e., in /etc/pve/<node>/), they will
be used as TLS certificate and private key for the web
interface and API of this node.
Note: the Spice and non-websocket VNC connections are still
using the self-signed certificate and key in pve-ssl.pem
and pve-ssl.key.
---
This would allow us to support commercial and Let's Encrypt
certificate setups with far less complications, but installations
using the old PVE 3 setup from the wiki will need to manually
migrate their certificates to benefit from this.
If applied, I will update the wiki and other documentation.
Tested using a two-node cluster:
- Shell (noVNC and Spice)
- proxied Shell (noVNC and Spice)
- Console (LXC and Qemu, noVNC and Spice)
- proxied Console (LXC and Qemu, noVNC and Spice)
- online migration (Qemu)
 PVE/Service/pveproxy.pm | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index a4080a0..0bc2f5a 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -131,6 +131,12 @@ sub init {
     } else {
 	$self->{server_config}->{ssl}->{dh} = 'skip2048';
     }
+
+    if (-f '/etc/pve/local/pveproxy-ssl.pem' && -f '/etc/pve/local/pveproxy-ssl.key') {
+	$self->{server_config}->{ssl}->{cert_file} = '/etc/pve/local/pveproxy-ssl.pem';
+	$self->{server_config}->{ssl}->{key_file} = '/etc/pve/local/pveproxy-ssl.key';
+	syslog('info', 'Using \'/etc/pve/local/pveproxy-ssl.pem\' as certificate for the web interface.');
+    }
 }
 
 sub run {
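Review bot: the two `-f` tests in the new block only establish that the files exist, so when exactly one of the pair is present (an operator copies in the `.pem` but forgets the `.key`, or vice versa) the override is skipped silently and pveproxy keeps serving the self-signed pve-ssl.pem; consider an `elsif` branch that logs a warning for that case so the fallback is visible in syslog rather than only noticed in the browser. A second, smaller point: the commit message describes the location as `/etc/pve/<node>/` while the code reads `/etc/pve/local/`; stating in the message that `local` is the node's own directory would save readers a trip to the cluster filesystem docs.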
-- 
2.1.4
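The patch picks the override pair purely on file existence, so a certificate that does not belong to the key beside it would only surface as a failed pveproxy start. The following is an added example, not part of the patch or of Proxmox's own tooling: a POSIX shell function that mirrors the patch's existence test and additionally checks that the certificate's public key matches the private key and that the certificate has not expired, which is the check an operator would want to run before dropping a commercial or Let's Encrypt pair into /etc/pve/local/. It assumes an `openssl` binary on PATH; the file paths are parameters rather than the fixed ones in the patch.

```shell
#!/bin/sh
# Added example (not from the patch): validate a candidate
# pveproxy-ssl.pem / pveproxy-ssl.key pair before installing it.
# Assumes the openssl CLI is available.

# check_pair CERT KEY
#   returns 0 when both files exist, the certificate's public key
#   matches the private key, and the certificate is not expired;
#   returns a distinct non-zero code for each failure mode.
check_pair() {
    cert="$1"
    key="$2"

    # Same condition the patch uses: both files must exist, otherwise
    # pveproxy would silently keep the self-signed pve-ssl.pem.
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "missing file: pveproxy would fall back to pve-ssl.pem" >&2
        return 2
    fi

    # Extract the public key from the certificate and derive the public
    # key from the private key; a matching pair yields identical PEM.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "unreadable certificate: $cert" >&2
        return 3
    }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "unreadable private key: $key" >&2
        return 4
    }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 5
    fi

    # Refuse a certificate that is already past notAfter.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate is expired" >&2
        return 6
    fi
    return 0
}

# Usage: check_pair /path/to/pveproxy-ssl.pem /path/to/pveproxy-ssl.key
```

Run it against the files before copying them into place; a zero exit means the pair would be picked up by the patched pveproxy and actually serve, while each non-zero code names the reason it would not.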