VMWare ESXi + LetsEncrypt – SSL certificate renewal


With VMware ESXi (I'm running ESXi 6.7), I regularly run into an SSL issue. Chrome and Firefox do not allow the self-signed certificate provided by the internal VMware system.

In my case, the only way to access the VMware vSphere Web Client is to use Safari (on macOS) and manually allow the certificate as a trusted certificate.

SSL error in chrome

The point is to declare a signed certificate.
As the vSphere Client is only for administrator use, I'd rather not pay ~100$ a year for a third-party signed certificate.

Until a few months ago, I used ZeroSSL, which is not totally free anymore (blocked after 3 renewals). I was following these instructions.

Is there a way to use the Let's Encrypt process to get a valid signed certificate and push it to my VMware server?

Best Answer

3 main steps for setting this up.

1. Let's Encrypt certificate generation with DNS challenge.

The default challenge process with Let's Encrypt is HTTP-01 / acme-challenge file generation.
It's not convenient for ESXi use.

I switched to the DNS-01 challenge, which works with my DNS provider.
I use the certbot tool.

You can install it with:

apt install python3-pip
pip install certbot

I found a dedicated certbot plugin for challenge automation.
See the OVH-specific extension and the complete tutorial.
The specific tool is installed with: pip install certbot-dns-ovh


The final command is certbot itself:

certbot certonly -d mydomain.com

The OVH-specific version is: certbot certonly -d mydomain.com --dns-ovh --dns-ovh-credentials ~/.ovh-api
You'll have to create the .ovh-api file with these instructions.

Thanks to this, I quickly got a list of .pem files.

2. Certificate format transform

Certificates are directly generated in .pem format, so you do not need to change the format. You just have to rename the files:

cp fullchain.pem rui.crt
cp privkey.pem rui.key

Be careful: do not use cert.pem but fullchain.pem.
cert.pem is not compliant with ESXi.

3. Renew the certificate on the VMware ESXi host

  • On the ESXi host, back up your old certificate:

    cd /etc/vmware/ssl/
    mv rui.crt rui.crt.`date +%Y%m%d-%H%M%S`.bak
    mv rui.key rui.key.`date +%Y%m%d-%H%M%S`.bak

    Actually, you should back up these 2 files on your workstation:
    scp myhost:/etc/vmware/ssl/*.bak ./
    If the SSL certificates do not meet the VMware Host Client requirements, the web UI will not start again... particularly boring and stressful to fix...
    If you need to roll back and reset SSL, you can use the /sbin/generate-certificates && reboot command.

  • From your workstation, replace your certificate:
    scp rui.key rui.crt myhost:/etc/vmware/ssl/

  • On the ESXi host, restart the host (reboot).
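A pre-flight check to run on the workstation before the scp step above, as an added example that is not from the original answer: it refuses a chain file with a single certificate block (the cert.pem mistake the answer warns about), checks that the key is a PEM private key, and, when openssl is available, verifies that the private key matches the leaf certificate before staging rui.crt and rui.key. The certbot live directory layout (/etc/letsencrypt/live/<domain>/) is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes certbot's live
# directory layout: SRC_DIR/fullchain.pem and SRC_DIR/privkey.pem.

# count_certs FILE -> prints the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# stage_esxi_cert SRC_DIR OUT_DIR
# Copies fullchain.pem -> OUT_DIR/rui.crt and privkey.pem -> OUT_DIR/rui.key
# only when the sanity checks pass; returns non-zero otherwise so a broken
# pair never reaches /etc/vmware/ssl/ and locks you out of the web UI.
stage_esxi_cert() {
    src="$1"; out="$2"
    chain="$src/fullchain.pem"; key="$src/privkey.pem"
    [ -r "$chain" ] || { echo "missing $chain" >&2; return 1; }
    [ -r "$key" ]   || { echo "missing $key" >&2; return 1; }
    # fullchain.pem carries the leaf plus intermediate(s); one block means
    # cert.pem was supplied instead, which ESXi does not accept.
    n=$(count_certs "$chain")
    [ "$n" -ge 2 ] || { echo "$chain has $n certificate(s): use fullchain.pem, not cert.pem" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "$key is not a PEM private key" >&2; return 1; }
    # Optional: confirm the key matches the leaf certificate by comparing
    # the public keys derived from each (skipped when openssl is absent).
    if command -v openssl >/dev/null 2>&1; then
        c=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
        k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        [ -n "$c" ] && [ "$c" = "$k" ] || { echo "private key does not match certificate" >&2; return 1; }
    fi
    mkdir -p "$out" || return 1
    cp "$chain" "$out/rui.crt" && cp "$key" "$out/rui.key" && chmod 600 "$out/rui.key"
}

# Usage: stage_esxi_cert /etc/letsencrypt/live/mydomain.com ./esxi-staging
# then: scp ./esxi-staging/rui.key ./esxi-staging/rui.crt myhost:/etc/vmware/ssl/
```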
