Proxmox VE ACME/Certbot Hooks

Let's Encrypt certificates are an easy way to help secure your Proxmox VE installation. However, sometimes you want to use them for more. In my case, I had a local service that I also wanted to use the certificate for, but when the certificate renewed the service would not restart. acme.sh has built-in hook functionality to solve this exact need, but unfortunately it's not easily accessed if you also want all the features of the Proxmox GUI and certificate management, since Proxmox handles all the calls to ACME and doesn't provide a method to hook.

Of course it would be possible to use ACME independently and then restart the needed PVE services, but I like to tinker and I wanted to find a way to go the other way: how can I keep the PVE certificate management and also restart my local service after renewal?

After a ton of Googling, I finally managed to find a solution. Proxmox VE calls the /usr/bin/pveupdate script to update certificates. This is just a Perl script, and if you scroll down you’ll find a $renew subroutine, with the lines:

print "Restarting pveproxy after renewing certificate\n";
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'pveproxy']);

So I took those and added:

print "Restarting myservice after renewing certificate\n";
PVE::Tools::run_command(['systemctl', 'reload-or-restart', 'myservice']);

A certificate renewal via the GUI now restarts my service. This functionality could be used to hook any type of action you need. The only downside is that the script needs to be edited again each time Proxmox is updated. Not the most elegant solution, but it works.
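
To take some of the pain out of that downside, here is a small check-and-reapply script. It is an added example, not part of the original post or of Proxmox; the function name ensure_hook, the .orig backup file and the --apply switch are my own assumptions. It only edits the file if the pveproxy restart line is still there to anchor on, and it rejects service names that are not plain unit names, because whatever is inserted ends up in a Perl script that runs as root.

```shell
#!/bin/sh
# Added example (not Proxmox code): re-apply the restart hook to pveupdate.
# ensure_hook FILE SERVICE
#   0 = hook present or inserted, 1 = anchor line missing or write failed,
#   2 = service name rejected
ensure_hook() {
    file=$1 svc=$2
    # The name is written into a Perl script that runs as root, so accept
    # only characters that are valid in a systemd unit name.
    case $svc in
        ''|*[!A-Za-z0-9_.@-]*) return 2 ;;
    esac
    anchor="'reload-or-restart', 'pveproxy'"
    hook="'reload-or-restart', '$svc'"

    # Idempotent: nothing to do if the hook survived the upgrade.
    grep -qF "$hook" "$file" && return 0
    # Leave the file alone if upstream changed the line we anchor on.
    grep -qF "$anchor" "$file" || return 1

    tmp=$(mktemp) || return 1
    # Copy every line; after the pveproxy restart, emit the two hook lines
    # with the same indentation as the anchor line.
    awk -v anchor="$anchor" -v svc="$svc" -v q="'" '
        { print }
        index($0, anchor) {
            match($0, /^[ \t]*/)
            ind = substr($0, 1, RLENGTH)
            printf "%sprint \"Restarting %s after renewing certificate\\n\";\n", ind, svc
            printf "%sPVE::Tools::run_command([%ssystemctl%s, %sreload-or-restart%s, %s%s%s]);\n", ind, q, q, q, q, q, svc, q
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Keep the packaged version for diffing, then overwrite in place so the
    # owner and mode of the original file are preserved.
    cp -p "$file" "$file.orig" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run as root after a Proxmox upgrade: sh ensure-hook.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_hook /usr/bin/pveupdate myservice
fi
```

A return code of 1 means the pveproxy line was not found, so look at the new pveupdate by hand before changing anything.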
