Add LetsEncrypt to VMWare ESXi SSL certificate renewal

1. Let’s Encrypt certificate generation with DNS challenge in a Linux server machine.

The default Let’s Encrypt challenge is HTTP-01, which requires serving an acme-challenge file over HTTP.

That is not convenient for an ESXi host.

I switched to the DNS-01 challenge instead, which my DNS provider supports.

Use certbot tool from Let’s Encrypt.

You can install it with:

Ubuntu:

sudo apt install certbot python3-certbot-apache

RedHat:

sudo yum install epel-release

sudo yum install certbot python2-certbot-apache mod_ssl

The final command is certbot itself, requesting a DNS-01 challenge:

certbot certonly --manual --preferred-challenges dns -d YourDomain.com

With --manual, certbot prompts you to create the _acme-challenge TXT record; if your DNS provider has a certbot DNS plugin, you can use that instead of --manual.

2. Certificate format transform

The certificates are generated directly in PEM format, so no conversion is needed. You only have to rename the files (certbot writes them under /etc/letsencrypt/live/YourDomain.com/):

cp fullchain.pem rui.crt
cp privkey.pem rui.key

Be careful: use fullchain.pem, not cert.pem.

cert.pem holds only the leaf certificate without the intermediate chain, and ESXi does not accept it.

3. Renew certificate on VMWare ESXi

  • On the ESXi host, back up your old certificate:
cd /etc/vmware/ssl/
mv rui.crt rui.crt.`date +%Y%m%d-%H%M%S`.bak
mv rui.key rui.key.`date +%Y%m%d-%H%M%S`.bak
  • If you need to roll back and reset SSL, you can use /sbin/generate-certificates && reboot

Copy the new certificate from the Linux machine to the ESXi host:

scp rui.key rui.crt root@esxi-server-ip:/etc/vmware/ssl/
  • On the ESXi host, reboot so the new certificate is loaded.
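The three steps above wrapped into one helper, as an added example that is not part of the original post: it refuses to ship cert.pem instead of fullchain.pem, checks that the private key actually belongs to the certificate before overwriting the host's pair, and takes the timestamped backup over SSH. It assumes certbot's live directory as input, SSH enabled on the ESXi host, and openssl on the Linux side; the function names and the esxi-server-ip placeholder are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Stages Let's Encrypt output for
# ESXi and refuses to deploy a bad pair. Assumes: certbot live dir, SSH enabled
# on the ESXi host, openssl on the Linux side.
set -eu

# Count PEM certificate blocks in a file (0 if unreadable).
# fullchain.pem carries leaf + intermediate(s); cert.pem carries only the leaf.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds only when the file looks like a full chain (at least 2 certificates).
is_full_chain() {
    [ "$(pem_cert_count "$1")" -ge 2 ]
}

# Succeeds when key and certificate (first cert in the file) share a public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | sha256sum)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey \
              | openssl pkey -pubin -pubout -outform DER | sha256sum)
    [ "$key_pub" = "$crt_pub" ]
}

# Stage rui.crt/rui.key, back up the old pair on the host, copy the new pair.
# Usage: deploy_to_esxi /etc/letsencrypt/live/YourDomain.com esxi-server-ip
deploy_to_esxi() {
    live_dir=$1 esxi=$2
    is_full_chain "$live_dir/fullchain.pem" \
        || { echo "refusing: not a full chain (did you pick cert.pem?)" >&2; return 1; }
    key_matches_cert "$live_dir/privkey.pem" "$live_dir/fullchain.pem" \
        || { echo "refusing: private key does not match certificate" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    cp "$live_dir/fullchain.pem" rui.crt
    cp "$live_dir/privkey.pem" rui.key
    ssh "root@$esxi" "cd /etc/vmware/ssl && mv rui.crt rui.crt.$stamp.bak && mv rui.key rui.key.$stamp.bak"
    scp rui.key rui.crt "root@$esxi:/etc/vmware/ssl/"
    echo "deployed; reboot the ESXi host to load the new certificate"
}
```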