PVE SSL Access Enable

1. Apply for a VIP IP

  • 1.1 Apply to the network for a VIP IP, and map it to all node IPs

If A10 VIP support is not available, HA software can be used instead.

  • (Optional) 1.2 Set up software HA

Please refer to Software L4 Config to configure software HA.

2. Enable FQDN

  • 2.0 Prepare the FQDN URL, and register it with DNS
  • 2.1 Create the SSL certificate (on any node in the cluster)

🔗 Please refer to SSL Cert Request to apply for an SSL certificate

  • 2.2 Configure port forwarding

Install iptables

apt update && apt install iptables iptables-persistent -y

Redirect incoming TCP port 443 to port 8006

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8006

Save the rules so they persist across reboots

netfilter-persistent save

Check the iptables config

cat /etc/iptables/rules.v4
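
The check in step 2.2 can be scripted. The following is an added example, not part of the original guide: it counts the 443 -> 8006 REDIRECT rules in the nat table of a rules.v4-style file and flags a missing or duplicated rule (iptables -A appends another copy each time it is run). The function names and the sample file contents are constructed for illustration.

```shell
# Added example: count 443 -> 8006 REDIRECT rules in the *nat table of an
# iptables-save style file such as /etc/iptables/rules.v4.

# count_redirect_rules FILE -> prints the number of matching PREROUTING rules
count_redirect_rules() {
    awk '
        /^\*/     { table = substr($1, 2) }      # "*nat", "*filter", ...
        /^COMMIT/ { table = "" }
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
            dport = ""; target = ""; toport = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                # iptables-save writes --to-ports; accept --to-port as typed
                if ($i == "--to-ports" || $i == "--to-port") toport = $(i + 1)
            }
            if (dport == "443" && target == "REDIRECT" && toport == "8006") n++
        }
        END { print n + 0 }
    ' "$1"
}

# check_redirect FILE -> prints ok / missing / duplicate, non-zero unless ok
check_redirect() {
    n=$(count_redirect_rules "$1")
    case "$n" in
        1) echo "ok" ;;
        0) echo "missing"; return 1 ;;
        *) echo "duplicate"; return 2 ;;
    esac
}

# Constructed sample: rules.v4 after the -A command was run and saved twice
make_sample() {
    cat <<'EOF'
*filter
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
COMMIT
EOF
}

sample=$(mktemp); make_sample > "$sample"
echo "sample rules.v4: $(check_redirect "$sample" || true)"
rm -f "$sample"
```

On a live node, iptables -t nat -C PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8006 tests whether the rule already exists before it is appended again.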

3. Enable SSL

Log in to PVE using the FQDN (https://wzsitpve-tb5.wistron.com)

  • 3.1 Select the node, then click System -> Certificates -> Upload Custom Certificate

  • 3.2 Enter the SSL key (private key & certificate)

Copy the private key and paste it under Private Key (Optional)

cd ~/ssl_key/
cat tls.key

Copy the certificate and paste it under Certificate Chain

cat wzsitpve-tb5.wistron.com.cer

  • 3.3 Repeat steps 3.1~3.2 to upload the certificate to the other nodes