Installing ACME (Let’s Encrypt) SSL Certificate on Proxmox VE

Automatic Let’s Encrypt SSL Certificate on Proxmox VE with Cloudflare (ACME Plugin)

Introduction

With Proxmox’s integrated ACME support, you can obtain automatic, free, and secure SSL certificates via the Cloudflare DNS API without manually adding TXT records or opening any ports.
This guide is up-to-date with real usage steps, error solutions, and practical tips.

1. Requirements and Preparation

• Proxmox VE (root access, recommended 8.x or 9.x)
• Your domain is managed via Cloudflare DNS
• You have permission to create a Cloudflare API Token
• Your FQDN has a DNS A record (e.g., pve.domain.com)

2. Creating a Cloudflare API Token

1. Log in to your Cloudflare account and go to API Tokens.
2. Click “Create Token” and select the Edit zone DNS template.
3. Give permission only for the relevant domain:
   Zone:DNS:Edit and Zone:Zone:Read
4. Generate the token and save it securely.
   Note: Your token should look like: DZUtOLWXjTVaQgL090asAdhnhbwPpUfdfXTit6dfsb0Gb7Uhw8v

3. Create the Token File on Proxmox Server

echo 'CF_Token="DZUtOLWXjTVaQgL090asAdhnhbwPpUfdfXTit6dfsb0Gb7Uhw8v"' > /root/cf-token-token.txt
chmod 600 /root/cf-token-token.txt

• The token file must be a single line in the format CF_Token="...".
• The chmod 600 command ensures only root can read it.

4. Add the Cloudflare ACME Plugin to Proxmox (CLI)

pvenode acme plugin add dns cftoken --api cf --data /root/cf-token-token.txt

• dns: plugin type (fixed)
• cftoken: your chosen plugin name
• –api cf: must be cf for Cloudflare (not cloudflare!)

5. Verify Plugin and Settings

pvenode acme plugin list

pvenode acme plugin config cftoken

You should see the cftoken name and your token data in the output.

6. Define the ACME Domain

pvenode config set -acmedomain0 pve.domain.com,plugin=cftoken

• For multiple domains, add -acmedomain1, -acmedomain2, etc.

7. Register the ACME Account

pvenode acme account register default em***@********in.com

• You will be prompted to select 0 (production) or 1 (test). Enter 0 for real certificates.
• Accept the Let’s Encrypt Subscriber Agreement by pressing y.

8. Request and Install Certificate

pvenode acme cert order --force

• The –force option clears any failed or stuck challenges.
• On success, you’ll see Task OK or “certificate installed” messages.
• In the background: A _acme-challenge TXT record is automatically added to Cloudflare DNS, validated by Let’s Encrypt, the certificate is installed, and the web GUI reloads.

9. Automatic Renewal

• Proxmox’s pve-daily-update.service will auto-renew certificates before they expire.
• No extra cron jobs or manual steps needed.

10. Common Errors and Solutions

11. Security and Best Practices

• Store your API token in a file readable only by root; never share it.
• Watch for typos in your DNS domain (avoid www. or missing TLD).
• Once successful, connect via https://pve.domain.com and verify the certificate in your browser.
• Enable two-factor authentication for both Proxmox and Cloudflare accounts.

12. Quick Command Summary

# 1. Create the token file
echo 'CF_Token="YOURTOKEN"' > /root/cf-token-token.txt
chmod 600 /root/cf-token-token.txt

# 2. Add the Cloudflare ACME plugin
pvenode acme plugin add dns cftoken --api cf --data /root/cf-token-token.txt

# 3. (Optional) Check plugin config
pvenode acme plugin config cftoken

# 4. Assign domain to node
pvenode config set -acmedomain0 pve.domain.com,plugin=cftoken

# 5. Register ACME account
pvenode acme account register default em***@********in.com

# 6. Order certificate
pvenode acme cert order --force

References

• Proxmox HTTPS Certificate Configuration
• Let’s Encrypt Subscriber Agreement v1.5 (2025)
• Cloudflare API Token Documentation
• Proxmox ACME Plugins Documentation

Conclusion

With this method, your Proxmox web interface will now be fully automatic, secure, and protected with a free SSL certificate! For any issues or extra support, feel free to reach out with your command output or error details.