```
apt update && apt install certbot
```
use STANDALONE validation on 80 port (should be open)

```
# lowercase
DOMAIN_NAME=xxx.com.br
EMAIL=meu-email@gmail.com

certbot certonly --expand --agree-tos --text --non-interactive \
  --standalone \
  --email $EMAIL \
  -d $DOMAIN_NAME
```

```
cat << EOF > /usr/local/bin/renew-pve-certs.sh
#!/bin/bash
# backup old certs
mv /etc/pve/local/pveproxy-ssl.pem /etc/pve/local/pve-ssl.pem.bak
mv /etc/pve/local/pveproxy-ssl.key /etc/pve/local/pveproxy-ssl.key.bak

cp /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem /etc/pve/local/pveproxy-ssl.key

systemctl restart pveproxy 
EOF
```
```
chmod +x /usr/local/bin/renew-pve-certs.sh
```
```
echo "30 6 1,15 * * root /usr/bin/certbot renew --quiet --post-hook /usr/local/bin/renew-pve-certs.sh" > /etc/cron.d/letsencrypt
```
```
/usr/local/bin/renew-pve-certs.sh
```