VMWare ESXi + LetsEncrypt - SSL certificate renewal
3 main steps for setting up this.
1. Let's Encrypt certificate generation with DNS challenge.
Default challenge process with let's encrypt is HTTP-01 / acme-challenge file generation.
It's not convenient with ESXi use.
I switch to DNS-01 Challenge which is compliant with my DNS provider.
I use certbot
tool.
You can install it with
apt install python3-pip
pip install certbot
I found a dedicated python certbot tool extension for challenge automation.
See OVH specific extension and complete tutorial
Specific tool ispip install certbot-dns-ovh
The final command is certbot
itself :
certbot certonly -d mydomain.com
Specific version for OVH is
certbot certonly -d mydomain.com --dns-ovh --dns-ovh-credentials ~/.ovh-api
You'll have to create .ovh-api file with these instructions
Thanks to his, I've got quickly a list of .pem
files
2. Certificate format transform
Certificate are directly generated in .pem format so you do not need to change format. You just have to rename files
cp fullchain.pem rui.crt
cp privkey.pem rui.key
Be carefull, do not use
cert.pem
butfullchain.pem
.cert.pem
is not compliant with ESXi
3. Renew certificate on VMWare esxi
-
On ESXi host, backup your old certificate
cd /etc/vmware/ssl/ mv rui.crt rui.crt.`date +%Y%m%d-%H%M%S`.bak mv rui.key rui.key.`date +%Y%m%d-%H%M%S`.bak
Actually, you should backup these 2 files on your workstation.
scp myhost:/etc/vmware/ssl/*.bak ./
If ssl certificates are not compliant with vmware host client requirements, web ui will not start again... particulary boring and stressfull to fix ...
If you need to rollback and reset ssl, you can use/sbin/generate-certificates && reboot
command -
From your workstation:
Replace your certificatescp rui.key rui.crt myhost:/etc/vmware/ssl/
-
On ESXi host, restart the host
reboot