VMware ESXi + Let's Encrypt - SSL certificate renewal

3 main steps for setting this up.

1. Let's Encrypt certificate generation with DNS challenge.

The default Let's Encrypt challenge is HTTP-01, which requires serving an acme-challenge file over HTTP.
That is not convenient on an ESXi host.

I switched to the DNS-01 challenge, which my DNS provider supports.
I use the certbot tool.

You can install it with:

apt install python3-pip
pip install certbot

There is a dedicated certbot plugin that automates the DNS challenge for specific providers.
See the OVH-specific plugin and its complete tutorial.
For OVH, the plugin is installed with pip install certbot-dns-ovh


The final command is certbot itself:

certbot certonly -d mydomain.com

The OVH-specific version is:

certbot certonly -d mydomain.com --dns-ovh --dns-ovh-credentials ~/.ovh-api

You will have to create the .ovh-api credentials file by following these instructions.

Thanks to this, I quickly got a set of .pem files.

2. Certificate format transform

Certificates are generated directly in .pem format, so you do not need to convert them. You just have to rename the files:

cp fullchain.pem rui.crt
cp privkey.pem rui.key

Be careful: use fullchain.pem, not cert.pem.
cert.pem (the leaf certificate alone, without the intermediate) is not accepted by ESXi.

3. Renew certificate on VMware ESXi

  • On the ESXi host, back up your old certificate and key:

    cd /etc/vmware/ssl/
    mv rui.crt rui.crt.`date +%Y%m%d-%H%M%S`.bak
    mv rui.key rui.key.`date +%Y%m%d-%H%M%S`.bak
    

    You should also copy these two backup files to your workstation:
    scp myhost:/etc/vmware/ssl/*.bak ./
    If the SSL certificates do not meet the VMware Host Client requirements, the web UI will not start again, which is particularly tedious and stressful to fix.
    If you need to roll back and reset the SSL certificates, you can use the /sbin/generate-certificates && reboot command.

  • From your workstation, replace the certificate and key:
    scp rui.key rui.crt myhost:/etc/vmware/ssl/

  • On the ESXi host, reboot the host.
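The script below is an added example, not part of the original guide. It wraps steps 2 and 3 with the pre-flight checks that avoid the "web UI will not start again" situation: it refuses a chain file that holds only one certificate (cert.pem instead of fullchain.pem), refuses a key file that is not a PEM private key, and, when openssl is available and can parse both files, confirms that the private key matches the leaf certificate. Only then does it run the guide's backup, scp and reboot sequence. It assumes certbot's privkey.pem/fullchain.pem naming, the ESXi paths /etc/vmware/ssl/rui.crt and rui.key, and an ESXI_HOST variable naming a host you can reach with ssh/scp (all assumptions taken from the guide above). The sample files written by make_sample are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks before pushing
# certbot output to an ESXi host, followed by the guide's deployment steps.
# Assumes certbot's fullchain.pem/privkey.pem names, ESXi's /etc/vmware/ssl/rui.*
# paths, and ESXI_HOST set to a host reachable over ssh/scp.
set -u

# count_certs FILE: print the number of PEM certificate blocks in FILE (0 if missing).
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_material CHAIN KEY: structural checks. Returns 0 when CHAIN carries a
# leaf plus at least one intermediate (what fullchain.pem holds and cert.pem
# does not) and KEY holds a PEM private key; otherwise prints why and returns 1.
check_material() {
    n=$(count_certs "$1")
    if [ "$n" -lt 2 ]; then
        echo "refusing: $1 holds $n certificate(s); use fullchain.pem, not cert.pem" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$2" 2>/dev/null; then
        echo "refusing: $2 is not a PEM private key" >&2
        return 1
    fi
    return 0
}

# keys_match CHAIN KEY: 0 if the first certificate's public key equals the one
# derived from KEY, 1 if they differ, 2 if openssl is unavailable or cannot
# parse either file (the caller decides whether 2 is acceptable).
keys_match() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# deploy CHAIN KEY: the guide's step 3 with the checks above in front of it.
# Backs up the current pair on the host with a timestamped .bak suffix, pulls
# the backups to the workstation, uploads the new pair, then reboots the host.
deploy() {
    host=${ESXI_HOST:?set ESXI_HOST to the ESXi host name}
    check_material "$1" "$2" || return 1
    rc=0
    keys_match "$1" "$2" || rc=$?
    case $rc in
        1) echo "refusing: private key does not match the certificate" >&2; return 1 ;;
        2) echo "warning: openssl check skipped, structural checks only" >&2 ;;
    esac
    stamp=$(date +%Y%m%d-%H%M%S)
    ssh "$host" "cd /etc/vmware/ssl && mv rui.crt rui.crt.$stamp.bak && mv rui.key rui.key.$stamp.bak" || return 1
    scp "$host:/etc/vmware/ssl/*.bak" ./ || return 1
    scp "$2" "$host:/etc/vmware/ssl/rui.key" || return 1
    scp "$1" "$host:/etc/vmware/ssl/rui.crt" || return 1
    ssh "$host" reboot
}

# make_sample DIR: write constructed, non-functional PEM-shaped files that mimic
# certbot's layout so the checks can be exercised offline. The bodies are
# placeholders, not real keys or certificates, so openssl will not parse them.
make_sample() {
    mkdir -p "$1"
    leaf='-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----'
    inter='-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----'
    printf '%s\n' "$leaf" > "$1/cert.pem"
    printf '%s\n%s\n' "$leaf" "$inter" > "$1/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'CONSTRUCTED-KEY-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END PRIVATE KEY-----' > "$1/privkey.pem"
}

# Stand-alone demo on the constructed sample; nothing is deployed unless
# deploy is invoked explicitly with ESXI_HOST set.
demo_dir=${TMPDIR:-/tmp}/esxi-cert-demo.$$
make_sample "$demo_dir"
check_material "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem" && echo "fullchain.pem + privkey.pem: structure OK"
check_material "$demo_dir/cert.pem" "$demo_dir/privkey.pem" || echo "cert.pem rejected as expected"
rm -rf "$demo_dir"
```

To use it against real certbot output, source the script and call deploy with the live files, e.g. ESXI_HOST=myhost deploy /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem (that live path is certbot's default layout, not something the guide states). The .bak files it pulls back are the rollback material; if the Host Client still fails to come up, the /sbin/generate-certificates && reboot command from the guide resets the host to a self-signed pair.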