Learn how to automatically deploy SSL certificates to Proxmox using the ACME client on OPNsense. A step-by-step guide with automation tips for seamless certificate management. This guide assumes that you have already installed and set up the ACME plugin on OPNsense.
Follow the tutorial below if you have not yet installed and set up the ACME plugin on OPNsense
Step 1: Create an API User in Proxmox
To allow OPNsense to push certificates to Proxmox, we need to create an API user with limited permissions.
1.1 Create a Proxmox API User
- Log in to your Proxmox Web UI.
- Navigate to Datacenter → Permissions → Users.
- Click Add and enter:
  - User name: acme-api
  - Realm: Proxmox VE authentication server
  - Create and confirm the password
  - Expire: (Optional) Set an expiration date if needed.
1.2 Create the AcmeAPI-only Role
- Navigate to Datacenter → pve
- Open Shell
- Enter the following command:
pveum role add AcmeAPI-only --privs "Sys.Modify"
- Close Shell
1.3 Assign Sys.Modify Permission to the User
- Navigate to Datacenter → Permissions
- Click Add, select User Permission, and configure:
  - Path: /nodes/pve
  - User: acme-api@pve
  - Role: AcmeAPI-only (the role created in step 1.2)
  - Propagation: Checked
- Click Add to save.
1.4 Assign API Token to the User
- Go to Datacenter → Permissions → API Tokens.
- Click Add and select:
  - User: acme-api@pve
  - Token ID: acme-token
  - Privilege separation: Disabled (unchecked)
- Copy the generated API token secret, as you won’t be able to retrieve it again.
Step 2: Configure ACME Client on OPNsense
With the Proxmox API user created, we can configure the ACME plugin to automatically deploy certificates.
2.1 Add a Proxmox Automation Task
- Navigate to Services → ACME Client → Automations.
- Click Add and configure:
  - Name: Proxmox Certificate Deployment
  - Description: Automate certificate deployment to Proxmox
  - Run Command: Upload certificate to Proxmox VE
  - Proxmox VE user: acme-api
  - Proxmox VE server: pve.yourdomain.com
  - Proxmox VE server port: 8006 (default)
  - Proxmox VE node name: pve
  - Proxmox VE realm: pve
  - Proxmox VE token name: acme-token
  - Proxmox VE token key: copy and paste from step 1.4.
2.2 Set Automation to Run After Certificate Renewal
- Go to ACME Client → Certificates.
- Edit your Let’s Encrypt certificate.
- Under Automations, select the Proxmox Certificate Deployment automation.
- Save.
2.3 Run the Automation to Deploy Certificates to Proxmox
- Go to ACME Client → Certificates.
- Click the Run automation icon under the Command tab.
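Once the certificate is deployed, it is worth confirming that the token from step 1.4 holds only the privilege this guide grants. The script below is an added example, not part of the original guide or of the Proxmox or OPNsense projects. It assumes the Proxmox API endpoint GET /api2/json/access/permissions returns a map of path to privilege to propagate flag; the sample responses are constructed and PVE_TOKEN_SECRET is a name chosen for this example.

```python
import json
import ssl
import urllib.request

# The only grant this guide creates: Sys.Modify on /nodes/pve.
EXPECTED = {"/nodes/pve": {"Sys.Modify"}}

# Constructed sample responses (assumed shape: path -> privilege -> propagate flag).
SAMPLE_OK = {"/nodes/pve": {"Sys.Modify": 1}}
SAMPLE_BROAD = {"/": {"Sys.Audit": 1, "VM.Allocate": 1}, "/nodes/pve": {"Sys.Modify": 1}}


def fetch_permissions(host, token_id, secret, port=8006):
    """Ask Proxmox for the effective permissions of the calling API token."""
    ctx = ssl.create_default_context()  # verifies the newly deployed certificate
    req = urllib.request.Request(
        f"https://{host}:{port}/api2/json/access/permissions",
        headers={"Authorization": f"PVEAPIToken={token_id}={secret}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["data"]


def audit(permissions, expected=EXPECTED):
    """Return one finding per path that grants more or less than expected."""
    findings = []
    for path in sorted(set(permissions) | set(expected)):
        granted = set(permissions.get(path, {}))
        wanted = expected.get(path, set())
        if granted - wanted:
            findings.append(f"unexpected on {path}: {', '.join(sorted(granted - wanted))}")
        if wanted - granted:
            findings.append(f"missing on {path}: {', '.join(sorted(wanted - granted))}")
    return findings


if __name__ == "__main__":
    import os
    # Host and token ID follow the guide; the secret comes from the environment
    # (PVE_TOKEN_SECRET is a name chosen for this example).
    perms = fetch_permissions("pve.yourdomain.com", "acme-api@pve!acme-token",
                              os.environ["PVE_TOKEN_SECRET"])
    for line in audit(perms) or ["token holds exactly Sys.Modify on /nodes/pve"]:
        print(line)
```

Because privilege separation is disabled for this token, any role later added to acme-api@pve is inherited by the token, so rerunning the audit after permission changes catches that drift.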
Conclusion
Automating SSL certificate deployment to Proxmox using the ACME client on OPNsense simplifies security management, ensuring your hypervisor stays protected without manual intervention. By following this guide, you’ve successfully configured OPNsense to issue, renew, and push SSL certificates directly to Proxmox, reducing downtime and improving system security.