SSL for the Proxmox VE web UI: Configuring an ACME DNS challenge with the Hetzner Cloud plugin
Proxmox VE has a great interface to configure SSL certificates for the web UI. From the CLI, not everything is as obvious. Here are some notes so that my future self avoids some of the traps we stepped into today.
Useful resources
- Marcus (Blogger-IT) has a comprehensive tutorial on the Hetzner-specific setup.
- A shorter version is offered by Spickzettel.
- Have you read the fascinating manual? I should have done so.
- In retrospect, pvenode help acme would have granted some insights.
- Having @kaleso as a second pair of eyes helps as well.
There is no “Datacenter → ACME”!?
Every single blog post kept telling me to go to “Datacenter → ACME”, yet I could not find it. If you are in the same situation, you might simply not be logged in as root. In our case, an Authentik-based authentication setup made us see almost everything we needed – just not the ACME config. Eventually, gfngfn256’s hint over at the Proxmox forum pointed at the issue.
Configuring the Hetzner Cloud plugin
Since we have spent some time without GUI access to the plugin config, we did most of the stuff by hand. Here is what we learned about some of the files involved:
- /etc/pve/priv/acme/plugins.cfg: The plugin config, including the stored variables encoded as base64.
- /etc/pve/priv/acme/default: The Let’s Encrypt profile. You may want to have one for staging and one for production.
- /etc/pve/local/config: The list of domains to obtain certificates for. Also, this stores which Let’s Encrypt account to use.
Some issues to avoid
- Make sure to use the correct plugin (hetznercloud) instead of the hetzner one and to obtain the corresponding API token.
- The hetznercloud API token variable is all-uppercase: HETZNER_TOKEN – and not HETZNER_Token which was in use for the hetzner plugin.
- Do not treat the Let’s Encrypt profile just like any NGINX site. Deactivating is not reversible (although it is cheap to create a new profile).
--data is not what it seems
One last note: Did you figure out how to add the API token to the plugin from the CLI? There is the --data option, but it is somewhat different from what I expected. You do not pass it the key-value combination directly. Instead, specify a file with one key-value pair per line. I eventually also found it in the docs:
me@server:~> pvenode help acme
# …
USAGE: pvenode acme plugin set <id> [OPTIONS]
Update ACME plugin configuration.
<id> <string>
ACME Plugin ID name
--api <1984hosting | … | hetzner | hetznercloud | …>
API plugin name
--data File with one key-value pair per line, will be base64url
encode for storage in plugin config.
DNS plugin data. (base64 encoded)
# …
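As an added example (not part of the original notes and not Proxmox tooling): a small shell helper that writes the --data file with mode 0600, reads the token from stdin so it stays out of argv and shell history, and rejects the HETZNER_Token spelling before anything is stored. The function names, the file path and the plugin ID are assumptions; the KEY=VALUE line format is the one the Proxmox documentation uses.

```shell
#!/bin/sh
# Added example, not from the original post or from Proxmox.
# Assumptions: KEY=VALUE lines as in the Proxmox docs; plugin ID and paths are yours.

# write_acme_data FILE KEY  (value is read from stdin, so the token never shows
# up in argv or shell history). Creates FILE with mode 0600.
write_acme_data() {
    file=$1
    key=$2
    case $key in
        ''|*[![:upper:][:digit:]_]*)
            echo "refusing key '$key': must be all-uppercase, e.g. HETZNER_TOKEN" >&2
            return 1 ;;
    esac
    IFS= read -r value || true
    [ -n "$value" ] || { echo "no value on stdin" >&2; return 1; }
    ( umask 077 && printf '%s=%s\n' "$key" "$value" > "$file" ) && chmod 600 "$file"
}

# Print key names only, so the file can be reviewed without exposing values.
acme_data_keys() {
    sed -n 's/^\([^=]*\)=.*/\1/p' "$1"
}

# apply_acme_data PLUGIN_ID FILE  (run as root on the node).
# Passes FILE to the command shown above, then removes the plaintext copy.
apply_acme_data() {
    plugin_id=$1
    file=$2
    command -v pvenode >/dev/null 2>&1 || { echo "pvenode not found" >&2; return 127; }
    rc=0
    pvenode acme plugin set "$plugin_id" --api hetznercloud --data "$file" || rc=$?
    rm -f -- "$file"
    return "$rc"
}

# Typical use (token typed or pasted on stdin, then Enter):
#   write_acme_data /root/hetzner.data HETZNER_TOKEN
#   acme_data_keys  /root/hetzner.data      # expect: HETZNER_TOKEN
#   apply_acme_data <plugin-id> /root/hetzner.data
```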
These instructions were last checked on 4 June 2026 using Proxmox Virtual Environment 9.1.9.