Using Let's Encrypt with XCP-ng and XO-CE

tl;dr - I want to set up Let’s Encrypt on an XCP-ng host and XO-CE.

Two things I want to solve:

#1 - To use a Let’s Encrypt Cert (DNS verified, not HTTPS verified) for accessing my Xen Orchestra Community Edition webpage.
https://xo-ce.sub.mydomain.net

#2 - Not to have to use “Unauthorized Certificates” here:
https://xcp-ng1.sub.mydomain.net [the host xcp-ng that XO-CE connects to]

I’ve registered a domain name, call it mydomain.net

I’ve DNS mapped homeassistant.sub.mydomain.net to my Home Assistant’s private IP.

I’ve set up HomeAssistant with an auto renewing certificate from Let’s Encrypt. It involved using their official Let’s Encrypt addon and generating an API key to allow the script to do automatic public DNS/domain verification. All worked perfectly.

I want to do this with both XCP-ng (the host) and XO-CE so I don’t have to use self-signed certificates. Bonus for the built-in XO-Lite https://xolite.sub.mydomain.net

I’ve seen many results online but they all point to HTTP verification which means having port 80 and 443 publicly open, which I don’t want to do.

Thanks.

My way of doing that is with NGINX Proxy Manager:

Hey Tom,

I remember seeing this video a while back, it’s really a great one. I will be using this for other general services but wanted direct access to the hypervisors (and my HomeAssistant) in the case that reverse proxy server goes down.
In my case, it’s likely that the reverse proxy server will be running on a hypervisor so if it’s down I can’t connect to the host easily, if that makes sense. It would be the same idea even if the reverse proxy would be running on an RPi, once down I’ve no access past it via those set URLs.

In that case you will have to learn how to do some coding to integrate that into XO.
