1. Let’s Encrypt Certificate Generation with DNS Challenge on a Linux Server
By default, Let’s Encrypt uses the HTTP-01 challenge, which requires serving a token file under /.well-known/acme-challenge/ on the host being validated. That is not convenient for an ESXi host, so you can switch instead to the DNS-01 challenge, which proves control of the domain through a TXT record published at your DNS provider. Here’s how to achieve this using the certbot tool from Let’s Encrypt:
- Install certbot on your Linux server.
  For Ubuntu:
  sudo apt install certbot python3-certbot-apache
  For RedHat:
  sudo yum install epel-release
  sudo yum install certbot python2-certbot-apache mod_ssl
- Generate the Let’s Encrypt certificate using the certbot command, selecting the DNS-01 challenge with the manual plugin (certbot prints the _acme-challenge TXT record you must publish at your DNS provider before it validates):
  certbot certonly --manual --preferred-challenges dns -d YourDomain.com
  A certificate obtained this way cannot be renewed non-interactively unless you also supply a --manual-auth-hook script that publishes the TXT record for you.
2. Certificate Format Transformation
Let’s Encrypt generates certificates in the .pem format, so there is no need to change the format. You simply need to rename the files accordingly:
cp fullchain.pem rui.crt
cp privkey.pem rui.key
Please note that it’s important to use fullchain.pem and not cert.pem: fullchain.pem contains the server (leaf) certificate followed by the intermediate chain, whereas cert.pem holds only the leaf, which is not accepted by ESXi.
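As an added example that is not part of the original article, the following POSIX shell pre-flight script checks the files before they are renamed and copied to ESXi: it confirms that fullchain.pem carries more than one certificate (so cert.pem was not used by mistake) and that privkey.pem matches the leaf certificate, and only then stages rui.crt and rui.key with a restrictive mode on the key. It assumes openssl is installed and that the source directory (for certbot, typically /etc/letsencrypt/live/YourDomain.com) and the staging directory are passed as arguments.

```shell
#!/bin/sh
# Pre-flight check of Let's Encrypt output before staging it for ESXi.
# Usage: check_and_stage /etc/letsencrypt/live/YourDomain.com ./staged
# Assumes openssl is on PATH; paths are examples, not fixed values.

count_certs() {
    # Number of PEM certificate blocks in the file (0 if none or missing).
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

key_matches_cert() {
    # $1 = certificate file (only the first cert is read), $2 = private key.
    # Compare the SPKI public key from the leaf with the one derived from the key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

check_and_stage() {
    # $1 = directory holding fullchain.pem and privkey.pem, $2 = output directory.
    src=$1
    out=$2
    n=$(count_certs "$src/fullchain.pem")
    if [ "$n" -lt 2 ]; then
        # A single certificate means the leaf only, i.e. cert.pem behaviour.
        echo "fullchain.pem holds $n certificate(s); expected leaf + chain" >&2
        return 1
    fi
    if ! key_matches_cert "$src/fullchain.pem" "$src/privkey.pem"; then
        echo "privkey.pem does not match the leaf in fullchain.pem" >&2
        return 1
    fi
    mkdir -p "$out" || return 1
    cp "$src/fullchain.pem" "$out/rui.crt" || return 1
    cp "$src/privkey.pem" "$out/rui.key" || return 1
    chmod 600 "$out/rui.key"   # private key must not be world-readable
    echo "staged $out/rui.crt and $out/rui.key"
}
```

Run the function against the live directory before the scp step; a non-zero exit means the files should not be copied to the host.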
3. Renewing the Certificate on VMware ESXi
To renew the certificate on your VMware ESXi host, follow these steps:
- Back up your old certificate on the ESXi host:
  cd /etc/vmware/ssl/
  mv rui.crt rui.crt.`date +%Y%m%d-%H%M%S`.bak
  mv rui.key rui.key.`date +%Y%m%d-%H%M%S`.bak
  If you need to roll back and reset the SSL certificate to the ESXi default, you can use the command:
  /sbin/generate-certificates && reboot
- Replace the existing certificate on the ESXi server with the one generated on the Linux server:
  scp rui.key rui.crt root@esxi-server-ip:/etc/vmware/ssl/
- Restart the ESXi host to apply the new certificate:
  reboot
By following these steps, you can generate Let’s Encrypt certificates using the DNS challenge on your Linux server and then transfer and apply them to your VMware ESXi host.