Score:0

VMWare ESXi + LetsEncrypt - SSL certificate renewal

cn flag

With VMware ESXi (I'm running ESXi 6.7), I regularly run into an SSL issue. Chrome & Firefox do not allow the self-signed certificate provided by the internal VMware system.

In my case, the only way to access the VMware vSphere Web Client is to use Safari (on macOS) and manually allow the certificate as a trusted certificate.

(screenshot: SSL error in Chrome)

The point is to declare a signed certificate.
As the vSphere Client is only for administrator use, I'd rather not pay ~$100 a year for a third-party signed certificate.

Until a few months ago, I used ZeroSSL, which is not totally free anymore (blocked after 3 renewals). I was following these instructions.

Is there a way to use the Let's Encrypt process to get a valid signed certificate and push it to my VMware server?

joeqwerty avatar
cv flag
As an aside, you can get a one-year commercial SSL certificate for less than $4.00 USD.
cn flag
Previously, I had a bad experience with this: some SSL certificate discounters have "exotic" root CAs, and my websites ended up failing in Chrome.
cn flag
I have about 100 services behind SSL encryption; $4 each adds up ;-) And Let's Encrypt can be automated easily in most cases (web servers).
Score:3
cn flag

There are 3 main steps to set this up.

1. Let's Encrypt certificate generation with the DNS challenge.

The default Let's Encrypt challenge is HTTP-01 (acme-challenge file generation).
It's not convenient for ESXi.

I switched to the DNS-01 challenge, which my DNS provider supports.
I use the certbot tool.

You can install it with

apt install python3-pip
pip install certbot

I found a dedicated certbot Python plugin for challenge automation.
See the OVH-specific plugin and complete tutorial.
The specific tool is installed with pip install certbot-dns-ovh


The final command is certbot itself:

certbot certonly -d mydomain.com

The OVH-specific version is certbot certonly -d mydomain.com --dns-ovh --dns-ovh-credentials ~/.ovh-api
You'll have to create the .ovh-api file following these instructions.

Thanks to this, I quickly got a set of .pem files.

2. Certificate format transformation

Certificates are generated directly in .pem format, so you do not need to change the format. You just have to rename the files:

cp fullchain.pem rui.crt
cp privkey.pem rui.key

Be careful: do not use cert.pem but fullchain.pem.
cert.pem is not compliant with ESXi.

3. Renew the certificate on VMware ESXi

  • On the ESXi host, back up your old certificate

    cd /etc/vmware/ssl/
    mv rui.crt rui.crt.`date +%Y%m%d-%H%M%S`.bak
    mv rui.key rui.key.`date +%Y%m%d-%H%M%S`.bak
    

    Actually, you should back up these 2 files on your workstation.
    scp myhost:/etc/vmware/ssl/*.bak ./
    If the SSL certificates are not compliant with the VMware Host Client requirements, the web UI will not start again... particularly boring and stressful to fix...
    If you need to roll back and reset SSL, you can use the /sbin/generate-certificates && reboot command

  • From your workstation:
    Replace your certificate
    scp rui.key rui.crt myhost:/etc/vmware/ssl/

  • On the ESXi host, reboot the host

Michael Hampton avatar
cz flag
Is there really no less disruptive way to start using the new certificates than to reboot the host?
Michael Hampton avatar
cz flag
Aha, [here](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-A261E6D8-03E4-48ED-ADB6-473C2DAAB7AD.html) is the answer: "Alternatively, you can put the host into maintenance mode, install the new certificate, use the Direct Console User Interface (DCUI) to restart the management agents, and set the host to exit maintenance mode." Not quite as disruptive as a reboot, but still a real pain.
Score:-1
fi flag

Restarting the Management agents in ESXi (1003490): https://kb.vmware.com/s/article/1003490, using the DCUI or the SSH shell.
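Putting the three steps of the Score:3 answer together with the agent restart from KB 1003490 that the last answer points to, here is an added example (my script, not code from either answer) that stages the certbot output as rui.crt / rui.key and deploys it over SSH. It goes beyond the answer in one respect: before anything is copied to the host it checks that the file really carries the chain (more than one certificate, so fullchain.pem rather than cert.pem) and that privkey.pem matches the leaf certificate, because the answer warns that a non-compliant pair leaves the web UI down and is painful to recover. The hostname esxi.example.com, the certbot live directory /etc/letsencrypt/live/mydomain.com, and root SSH access to the host are assumptions; the restart commands are the hostd/vpxa init scripts documented in KB 1003490.

```shell
#!/bin/sh
# Added example, not part of the original answers. Stages a certbot DNS-01
# result for ESXi and deploys it. Assumed (hypothetical) values: the host
# esxi.example.com, the certbot live directory for mydomain.com, and root
# SSH access to the host.
set -eu

# Number of certificates in a PEM file. ESXi wants the whole chain in rui.crt,
# so a file with a single certificate is the bare cert.pem, not fullchain.pem.
chain_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# True when the private key in $1 belongs to the first (leaf) certificate in $2.
# Comparing the SubjectPublicKeyInfo rather than RSA moduli also covers the
# ECDSA keys that newer certbot releases issue by default.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Build rui.crt / rui.key from a certbot live directory ($1) into $2, refusing
# a pair that would leave the ESXi web UI down: an incomplete chain or a key
# that does not match the certificate. Prints the output directory on success.
stage_for_esxi() {
    live="$1"; out="$2"
    if [ "$(chain_count "$live/fullchain.pem")" -lt 2 ]; then
        echo "$live/fullchain.pem has fewer than 2 certificates (cert.pem instead of fullchain.pem?)" >&2
        return 1
    fi
    if ! key_matches_cert "$live/privkey.pem" "$live/fullchain.pem"; then
        echo "$live/privkey.pem does not match $live/fullchain.pem" >&2
        return 1
    fi
    mkdir -p "$out"
    cp "$live/fullchain.pem" "$out/rui.crt"
    cp "$live/privkey.pem" "$out/rui.key"
    chmod 0600 "$out/rui.key"
    echo "$out"
}

# Install the staged pair from $2 on host $1. Copies the live files aside as
# timestamped backups (and pulls the backups down to the workstation), pushes
# the new pair, then restarts the management agents (KB 1003490) so the new
# certificate is served without a reboot.
deploy_to_esxi() {
    host="$1"; out="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    ssh "root@$host" "cd /etc/vmware/ssl && cp rui.crt rui.crt.$stamp.bak && cp rui.key rui.key.$stamp.bak"
    scp "root@$host:/etc/vmware/ssl/rui.*.$stamp.bak" "$out/"
    scp "$out/rui.crt" "$out/rui.key" "root@$host:/etc/vmware/ssl/"
    ssh "root@$host" "/etc/init.d/hostd restart && /etc/init.d/vpxa restart"
}

# Usage (after certbot renew has refreshed the live directory):
#   sh esxi-cert.sh esxi.example.com /etc/letsencrypt/live/mydomain.com ./staged
if [ "$#" -eq 3 ]; then
    stage_for_esxi "$2" "$3" >/dev/null
    deploy_to_esxi "$1" "$3"
fi
```

The backups are taken with cp rather than the answer's mv so the host keeps serving the old pair until scp overwrites it. The staged directory holds the host's private key, so keep it on a permission-restricted path; wiring the script in as a certbot deploy hook is the natural way to run it only when a renewal actually happened.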
