xcp-ng / xcp-ng-org

XCP-ng org website

Update TLS cert for XCP-ng guide to use host-server-certificate-install command #191

Closed. adrsham closed this pull request 2 years ago.

adrsham commented 2 years ago

For my XCP-ng host (v 8.2.1), I am using xe host-server-certificate-install to load certificates from Let's Encrypt.

Updating the guide here to reflect this option.

Signed-off-by: adrsham <7330099+adrsham@users.noreply.github.com>

Before submitting the pull request, you must agree with the following statements by checking both boxes with a 'x'.

  • [x] "I accept that my contribution is placed under the CC BY-SA 2.0 license [1]."
  • [x] "My contribution complies with the Developer Certificate of Origin [2]."

[1] https://creativecommons.org/licenses/by-sa/2.0/
[2] https://xcp-ng.org/docs/contributing.html#developer-certificate-of-origin-dco

stormi commented 2 years ago

Thanks for this contribution. I'm not an expert in the certificate management in XCP-ng, but if this is the recommended way to install certificates, we should probably put this method first, and only provide the older method for older (unsupported) versions of XCP-ng.

By the way, are you sure this was added in 8.2? If it was added earlier, then we should probably remove the old method completely from the docs.

Last comment: why mention only Let's Encrypt? Doesn't this work for any kind of certificates? And since Let's Encrypt requires a frequent renewal of the certs, must you re-do the command each time it's updated?

adrsham commented 2 years ago

https://docs.citrix.com/en-us/citrix-hypervisor/hosts-pools.html#install-a-tls-certificate-on-your-server I am referring to this one, which looks like the recommended approach. At least better than overwriting /etc/xensource/xapi-ssl.pem and restarting xapi.

I know this works for my host running 8.2.1, but I have not tried the same command for earlier versions, like 8.1.

That is a fair point, my intent was to suggest to the reader that they can use Let's Encrypt to get a free/valid cert. However, yes, it should work for self-signed certs or any other certificate.

As for the frequent renewal, yes, you would have to renew the certs every < 3 months and redo the command. Personally I have a cron job that uploads the certificate to my xcpng host automatically from a VM that only does Let's Encrypt certs, but maybe I am just a crazy person :D

I have a cron entry: /usr/bin/certbot certonly -d <hostname> --deploy-hook deploy.sh

#!/bin/bash
# deploy.sh: certbot --deploy-hook that copies the renewed lineage to the
# XCP-ng host and installs it with xe host-server-certificate-install.
set -eu
# live/<domain>/*.pem are symlinks into archive/, so both trees are copied
# (rsync -l keeps the links). Paths below are relative to certbot's config
# directory, assumed here to be the default /etc/letsencrypt.
cd /etc/letsencrypt

ssh <ssh-user>@<xcpng-host> 'mkdir -p /home/<ssh-user>/ssl/live/<domain>'
ssh <ssh-user>@<xcpng-host> 'mkdir -p /home/<ssh-user>/ssl/archive/<domain>'
rsync -zrlv live/<domain>/ <ssh-user>@<xcpng-host>:/home/<ssh-user>/ssl/live/<domain>
rsync -zrlv archive/<domain>/ <ssh-user>@<xcpng-host>:/home/<ssh-user>/ssl/archive/<domain>
ssh <ssh-user>@<xcpng-host> 'sudo xe host-server-certificate-install certificate=/home/<ssh-user>/ssl/live/<domain>/cert.pem private-key=/home/<ssh-user>/ssl/live/<domain>/privkey.pem certificate-chain=/home/<ssh-user>/ssl/live/<domain>/chain.pem'

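A pre-flight check that a hook like the one above can run before calling xe, added here as an example that is not from the PR or the XCP-ng project. It assumes certbot's lineage layout (cert.pem, privkey.pem and chain.pem as symlinks into archive/) and checks that each file holds what xe expects for that argument and that the key is not readable by other users.

```shell
#!/bin/bash
# Pre-flight check for a certbot lineage directory before it is handed to
# `xe host-server-certificate-install`. Constructed example; not from the PR.
set -eu

# count_pem_blocks FILE LABEL -> number of "-----BEGIN LABEL-----" blocks in FILE
count_pem_blocks() {
  grep -c -- "^-----BEGIN $2-----" "$1" || true   # grep -c exits 1 on zero matches
}

# check_lineage DIR
# xe takes the leaf certificate, the private key and the CA chain as three
# separate files, so verify that cert.pem / privkey.pem / chain.pem in DIR hold
# what each name promises (a common slip is passing fullchain.pem as cert.pem)
# and that the key is not readable by other users. Returns 0 if all checks pass.
check_lineage() {
  local dir=$1 f
  for f in cert.pem privkey.pem chain.pem; do
    [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; return 1; }
  done
  [ "$(count_pem_blocks "$dir/cert.pem" CERTIFICATE)" -eq 1 ] ||
    { echo "cert.pem must hold exactly one certificate (fullchain.pem?)" >&2; return 1; }
  [ "$(count_pem_blocks "$dir/chain.pem" CERTIFICATE)" -ge 1 ] ||
    { echo "chain.pem must hold at least one CA certificate" >&2; return 1; }
  grep -q -- "^-----BEGIN .*PRIVATE KEY-----" "$dir/privkey.pem" ||
    { echo "privkey.pem holds no PEM private key" >&2; return 1; }
  [ "$(count_pem_blocks "$dir/privkey.pem" CERTIFICATE)" -eq 0 ] ||
    { echo "privkey.pem must not contain a certificate" >&2; return 1; }
  # ls -L follows certbot's live/ -> archive/ symlinks; columns 5-10 are the
  # group and other permission bits, which must all be off for the key file.
  local perm; perm=$(ls -lL "$dir/privkey.pem" | cut -c5-10)
  [ "$perm" = "------" ] ||
    { echo "privkey.pem is group/world accessible (ls shows $perm)" >&2; return 1; }
}

# xe_install_cmd DIR -> the command to run on the XCP-ng host for that directory
xe_install_cmd() {
  printf 'xe host-server-certificate-install certificate=%s/cert.pem private-key=%s/privkey.pem certificate-chain=%s/chain.pem\n' "$1" "$1" "$1"
}

# When run as a certbot deploy hook, RENEWED_LINEAGE points at live/<domain>.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  check_lineage "$RENEWED_LINEAGE" && xe_install_cmd "$RENEWED_LINEAGE"
fi
```

The checks are textual only; they catch mixed-up files and loose key permissions, not a key that does not match the certificate, which xe itself rejects at install time.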
stormi commented 2 years ago

Why close the PR request? It's not merged yet because it raises questions and I have been busy, but it seems pertinent to mention this (probably) better way of installing certificates in the documentation.

adrsham commented 2 years ago

Thanks for commenting, I thought there wasn't interest in the PR so closed it early :) Moved some things around based on your previous comment.