pbs_node_cert_upload
Upload a custom TLS certificate to a Proxmox Backup Server node with a dry-run plan by default. Execute with confirm=True to apply; keys are never logged.
Instructions
MUTATION (HIGH, no undo): upload a custom TLS certificate to a PBS node. A malformed cert/key can lock you out of the PBS web UI and API. Dry-run by default.
PRIVATE KEY REDACTION: key is UNCONDITIONALLY redacted — never appears in the plan, change,
detail, or ledger. Only {"key": "[redacted]"} is recorded. NOTE: PBS's own schema documents a
'restart' param on this endpoint as ignored ("UI compatibility parameter") — deliberately not
exposed here.
confirm=True executes (POST /nodes/{node}/certificates/custom) and returns {"status": "ok", "result": [...cert info dicts...]}. Revert with pbs_node_cert_delete. Needs PROXIMO_PBS_* config.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| key | No | PEM-encoded TLS private key matching the certificate; a secret, unconditionally redacted in all output. | |
| node | No | PBS node name (or 'localhost'). | localhost |
| force | No | If True, overwrite an existing custom certificate. | |
| confirm | No | False (default) returns a dry-run PLAN only; True executes the certificate upload. | |
| certificates | Yes | PEM-encoded certificate chain (public, may appear in plans/logs). | |
| proximo_target | No | Which configured Proxmox target to run this call against — a target name from your multi-target config (a specific PVE/PBS/PMG/PDM box). Omit to use the single/default target from the environment; the selection applies only to this call. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |