################
Internal SSL/TLS
################

HTTP connections to the outside are encrypted by default in caddy. For maximum security, we should also encrypt connections internally. To do so, certificates issued by the host's own private CA (rather than a public one) are used. The certificates are signed with the root CA of the host server (certificate: ``/etc/pve/pve-root-ca.pem``, private key: ``/etc/pve/priv/pve-root-ca.key``). The CA is trusted in the reverse proxy, so every certificate it signs is accepted there.

Create new certificates
=======================

New certificates are created using ``openssl``. To do so, first create a config file, e.g. ``san.cnf`` (this is needed to use IPs as subject alternative names; fill in the IP and hostnames of the guest):

.. code-block:: ini

   [ req ]
   distinguished_name = req_distinguished_name
   req_extensions = req_ext
   x509_extensions = v3_req

   [ req_distinguished_name ]
   commonName =

   [v3_req]
   subjectAltName = @alt_names

   [ req_ext ]
   subjectAltName = @alt_names

   [alt_names]
   IP.1 =
   DNS.1 =
   DNS.2 = .fritz.box
   DNS.3 = .falken-niedersachsen.local

Then, create a private key and certificate (this needs to be done on the host, because only the host holds the CA private key):

.. code-block:: console

   # Generate a private key (make sure that there is enough entropy to do this properly)
   [root@pve: /tmp] $ openssl ecparam -out example_server.key -name prime256v1 -genkey

   # Create a CSR with the config file. When prompted, enter the guest hostname
   [root@pve: /tmp] $ openssl req -new -key example_server.key -config san.cnf -out example_server.csr

   # Create and sign a TLS certificate with 10 years lifetime
   [root@pve: /tmp] $ openssl x509 -req -in example_server.csr -CA /etc/pve/pve-root-ca.pem -CAkey /etc/pve/priv/pve-root-ca.key -CAcreateserial -out example_server.pem -days 3650 -sha256 -extfile san.cnf -extensions v3_req

Now you can copy the generated certificate (``example_server.pem``) together with its key (``example_server.key``) to the webserver of the guest and it will be trusted by the reverse proxy.

.. warning::

   **Never** copy the root CA private key from the server (or anywhere else). Only perform the signing in the trusted environment!

Trust the host CA
=================

TODO
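The following script is an added example and not part of the original page. It dry-runs the issuance steps from the previous section offline and then performs the checks a client that trusts the host CA (such as the reverse proxy) makes when it validates the guest's certificate: chain validation against the CA, a hostname match against the SAN entries, and an IP match. A throwaway CA created in a temporary directory stands in for ``pve-root-ca.pem`` / ``pve-root-ca.key`` (an assumption, so the real CA key never has to leave the host); the ``san.cnf`` is written with the same sections as above, with ``prompt = no`` added so the CSR step is non-interactive. All hostnames and IP addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original page: offline dry run of the
# issuance steps plus the checks a CA-trusting client performs. A throwaway
# CA in a temporary directory stands in for pve-root-ca.pem / pve-root-ca.key
# (assumption). Hostnames and IPs below are constructed sample values.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_cert HOST IP: create the stand-in CA, a san.cnf with the page's
# sections, a server key, a CSR and the signed certificate in $WORK.
issue_cert() {
    host="$1"; ip="$2"

    # Stand-in root CA (same role as /etc/pve/pve-root-ca.pem on the host).
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = ca_dn
x509_extensions = ca_ext
prompt = no
[ ca_dn ]
commonName = Example Internal Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key" || return 1
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
        -days 1 -sha256 -out "$WORK/ca.pem" || return 1

    # san.cnf as on the page, placeholders filled in. "prompt = no" makes the
    # CSR step non-interactive (the page's version asks for the common name).
    cat > "$WORK/san.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[ req_distinguished_name ]
commonName = $host
[ v3_req ]
subjectAltName = @alt_names
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $ip
DNS.1 = $host
DNS.2 = $host.fritz.box
EOF
    # The same three steps as on the page: key, CSR, CA-signed certificate.
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key" || return 1
    openssl req -new -key "$WORK/server.key" -config "$WORK/san.cnf" \
        -out "$WORK/server.csr" || return 1
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/server.pem" -days 1 -sha256 \
        -extfile "$WORK/san.cnf" -extensions v3_req >/dev/null 2>&1
}

# cert_chains_to_ca: does server.pem validate against the stand-in CA?
cert_chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# cert_matches_host NAME: chain check plus hostname match. Because the
# certificate carries a SAN, OpenSSL matches NAME against the DNS entries
# only; the CN is not consulted.
cert_matches_host() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# cert_matches_ip ADDR: same check for a client that connects by IP address,
# which is why the IP.1 entry in san.cnf matters.
cert_matches_ip() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Stand-alone run: issue a certificate for a constructed guest and check it.
if issue_cert webapp 10.0.0.5 && cert_chains_to_ca \
   && cert_matches_host webapp.fritz.box && cert_matches_ip 10.0.0.5; then
    echo "certificate for webapp verified"
    openssl x509 -in "$WORK/server.pem" -noout -ext subjectAltName
fi
```

The last check is the one that fails most often in practice: a certificate that chains correctly but was issued without the guest's IP in ``alt_names`` is rejected by any client that connects to the guest by address rather than by name, so run ``openssl x509 -noout -ext subjectAltName`` on the issued file before copying it to the guest.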