This is a step-by-step guide for configuring an [[Automatic Certificate Management Environment (ACME)|ACME]] SSL certificate for your [[Proxmox VE]] server without exposing or opening any ports for incoming traffic.

1. Optional: Create the A record for your server. If it is only an internal DNS record, you don't have to publish it on Cloudflare.
2. Create a Cloudflare API token.
    1. Scope the permissions down to only the domain that you will be using.
    2. Add only **DNS Read**, **DNS Edit**, and **Zone Read**.
    3. Document the Account ID and API key in your password manager.
    4. Note the Zone ID.
3. Open the ACME plugin in Proxmox (Proxmox VE → Datacenter → ACME).
4. Register a new account and accept the TOS.
    1. Account Name: not sure what best practice is here
5. Add a new challenge plugin.
    1. Plugin ID: domain-cf (e.g. `flwr.day-cf`)
    2. Validation Delay: empty
    3. DNS API: Cloudflare Managed DNS
    4. CF_Account_ID: generated with API key
    5. CF_Email: empty
    6. CF_Key: empty
    7. CF_Token: generated API key
    8. CF_Zone_ID: find in Cloudflare dash
6. Open the node in Proxmox (Proxmox VE → Node → System → Certificates).
7. Switch to the account you created in step 4.
8. Add a new domain.
    1. Challenge Type: DNS (you can do HTTP if this is a public-facing server)
    2. Plugin: the plugin you created in step 5.
    3. Domain: the A record you created in step 1.
9. Verify that you can access your Proxmox server and are served a valid HTTPS certificate.
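
One way to script the check in step 9, as an added example that is not part of the original guide: it performs a verified TLS handshake (which fails on a self-signed certificate or a name mismatch) and reports the issuer, SAN coverage and days until expiry. Assumptions: port 8006 is the default Proxmox VE web interface port, `pve.example.com` and the sample certificate are constructed placeholders, and the 30-day warning threshold is chosen for this example.

```python
import socket
import ssl
import sys
import time

def fetch_cert(host, port=8006, timeout=5.0):
    """TLS handshake with chain and hostname verification; returns the peer cert dict.
    Raises ssl.SSLCertVerificationError for a self-signed cert or a name mismatch."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def summarize_cert(cert, host, now=None, warn_days=30):
    """Reduce a getpeercert() dict to the fields worth checking after issuance."""
    now = time.time() if now is None else now
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "issuer": issuer.get("organizationName", issuer.get("commonName", "unknown")),
        "host_in_sans": any(name_matches(p, host) for p in sans),
        "days_left": days_left,
        "renew_soon": days_left < warn_days,  # warn_days is this example's threshold
    }

# Constructed sample in the shape ssl.getpeercert() returns (not real data).
SAMPLE_CERT = {
    "subject": ((("commonName", "pve.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example ACME CA"),)),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "pve.example.com"),),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: python check_cert.py pve.example.com
        print(summarize_cert(fetch_cert(sys.argv[1]), sys.argv[1]))
    else:                   # offline demo on the constructed sample
        print(summarize_cert(SAMPLE_CERT, "pve.example.com"))
```

Run it from a client that resolves the A record from step 1; a verification error at the handshake means the node is still serving its previous certificate or the name does not match.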