Resource: proxmox_acme_certificate

Manages ACME SSL certificates for Proxmox VE nodes.

This resource orders and renews certificates from an ACME Certificate Authority (like Let's Encrypt) for a specific node. Before using this resource, ensure that:

  • An ACME account is configured (using proxmox_acme_account)
  • DNS plugins are configured if using DNS-01 challenge (using proxmox_acme_dns_plugin)

Example Usage

# Example: Basic ACME certificate with HTTP-01 challenge (standalone)
resource "proxmox_acme_account" "example" {
  name      = "production"
  contact   = "admin@example.com"
  directory = "https://acme-v02.api.letsencrypt.org/directory"
  tos       = "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf"
}

resource "proxmox_acme_certificate" "http_example" {
  node_name = "pve-node-01"
  account   = proxmox_acme_account.example.name

  domains = [
    {
      domain = "pve.example.com"
      # No plugin specified = HTTP-01 challenge
    }
  ]
}

# Example: ACME certificate with DNS-01 challenge using Cloudflare
resource "proxmox_acme_dns_plugin" "cloudflare" {
  plugin = "cloudflare"
  api    = "cf"

  # Wait 2 minutes for DNS propagation
  validation_delay = 120

  data = {
    CF_Account_ID = "your-cloudflare-account-id"
    CF_Token      = "your-cloudflare-api-token"
    CF_Zone_ID    = "your-cloudflare-zone-id"
  }
}

resource "proxmox_acme_certificate" "dns_example" {
  node_name = "pve-node-01"
  account   = proxmox_acme_account.example.name

  domains = [
    {
      domain = "pve.example.com"
      plugin = proxmox_acme_dns_plugin.cloudflare.plugin
    }
  ]

  depends_on = [
    proxmox_acme_account.example,
    proxmox_acme_dns_plugin.cloudflare
  ]
}

# Example: Force certificate renewal
resource "proxmox_acme_certificate" "force_renew" {
  node_name = "pve-node-01"
  account   = proxmox_acme_account.example.name
  force     = true

  domains = [
    {
      domain = "pve.example.com"
      plugin = proxmox_acme_dns_plugin.cloudflare.plugin
    }
  ]

  depends_on = [
    proxmox_acme_account.example,
    proxmox_acme_dns_plugin.cloudflare
  ]
}
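
A variant of the DNS-01 example with the Cloudflare credentials supplied through input variables instead of literals in the configuration, and the certificate's read-only attributes exported so monitoring can compare them with what the node actually serves. This is an added example, not part of the provider's own documentation; the variable names, output names and the resource label "pve" are assumptions.

```hcl
# Added example: variable, output and resource label names are hypothetical.
variable "cf_account_id" { type = string }
variable "cf_zone_id" { type = string }

variable "cf_token" {
  type      = string
  sensitive = true # redacted in plan/apply output
}

resource "proxmox_acme_account" "example" {
  name      = "production"
  contact   = "admin@example.com"
  directory = "https://acme-v02.api.letsencrypt.org/directory"
  tos       = "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf"
}

resource "proxmox_acme_dns_plugin" "cloudflare" {
  plugin           = "cloudflare"
  api              = "cf"
  validation_delay = 120

  data = {
    CF_Account_ID = var.cf_account_id
    CF_Token      = var.cf_token # no secret literal in the .tf files
    CF_Zone_ID    = var.cf_zone_id
  }
}

resource "proxmox_acme_certificate" "pve" {
  node_name = "pve-node-01"
  account   = proxmox_acme_account.example.name
  # force is left unset: force = true orders a new certificate on every apply.

  domains = [
    {
      domain = "pve.example.com"
      plugin = proxmox_acme_dns_plugin.cloudflare.plugin
    }
  ]
}

# Read-only attributes exported for expiry and fingerprint monitoring.
output "pve_cert_fingerprint" {
  value = proxmox_acme_certificate.pve.fingerprint
}

output "pve_cert_not_after" {
  value = proxmox_acme_certificate.pve.not_after
}
```

The token can be supplied out of band, for example through the TF_VAR_cf_token environment variable. Marking the variable sensitive only redacts CLI output; the value is still written to the Terraform state, so the state backend needs its own access control.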

Schema

Required

  • account (String) The ACME account name to use for ordering the certificate.
  • domains (Attributes List) The list of domains to include in the certificate. At least one domain is required. (see below for nested schema)
  • node_name (String) The name of the Proxmox VE node for which to order/manage the ACME certificate.

Optional

  • force (Boolean) Force certificate renewal even if the certificate is not due for renewal yet. Setting this to true will trigger a new certificate order on every apply.

Read-Only

  • certificate (String) The PEM-encoded certificate data.
  • fingerprint (String) The certificate fingerprint.
  • id (String) The unique identifier of this resource.
  • issuer (String) The certificate issuer.
  • not_after (String) The certificate expiration timestamp.
  • not_before (String) The certificate start timestamp.
  • subject (String) The certificate subject.
  • subject_alternative_names (List of String) The certificate subject alternative names (SANs).

Nested Schema for domains

Required:

  • domain (String) The domain name to include in the certificate.

Optional:

  • alias (String) An optional alias domain for DNS validation. This allows you to validate the domain using a different domain's DNS records.
  • plugin (String) The DNS plugin to use for DNS-01 challenge validation. If not specified, the standalone HTTP-01 challenge will be used.

Import

Import is supported using the following syntax:

#!/usr/bin/env sh
# ACME certificates can be imported using the node name, e.g.:
terraform import proxmox_acme_certificate.example pve-node-01