ESXi certificate using Let's Encrypt


#1

Thanks for your time and help!

I’m a technical trainer at a community college. As part of their training students install standalone ESXi 6.x servers (no vCenter) onto the Internet. They access the servers using HTTPS/SSL in a web browser. The servers have a self-signed certificate which generates a “site isn’t secure” browser error message. Each ESXi server has an Internet-resolvable FQDN (we host the DNS) and a public IP.

I’d like to learn myself, and teach the students, how to use “Let’s Encrypt” to install SSL certificates onto their ESXi servers. In reading and researching I am coming up short on what is the best way to do this.

Question:
What is the best way to configure an ESXi 6.x server to use Let’s Encrypt for generating and receiving an HTTPS/SSL certificate?

Again Thanks (and the students Thank You also!)
Randy Graves


#2

Hi,

Personally, I haven’t used any of the VMware products yet…

So, could you please answer a few questions?

  1. Can the server host a regular website? (to serve token files?)
  2. Does the server have shell access (after setup), or does it have a GUI to upload the certificate/key & install manually?

Thank you

P.S. I could find really minimal resources on the web for this server type, and I hope this link will help…
https://wiki.comprofix.com/index.php?title=Let's_Encrypt_ESXi_VPS


#3

Steven,

Thank you for your reply. I appreciate your time.

Answer to #1.
The ESXi server, as part of its installation, includes a built-in web server. The web server is used post-installation as the management interface for configuring the server and creating virtual machines. The ESXi server itself, as best I know, is limited to only using its built-in web server, which is integrated with the ESXi OS.

#2. Yes, I can SSH into the server and use PuTTY & WinSCP, navigate the file system, run scripts, etc. Within the ESXi file system the self-signed certificate is accessible and replaceable. I believe the ESXi OS has its roots in Linux.

Followed the web link you provided (Thank You). Upon first read it looks like this is specific to ESXi & VPS (not totally clear on what VPS is but I don’t think it applies to our situation.)

Again Thanks,
Randy Graves


#4

Hi,

Could the interface serve a token without requiring user login?

Let’s Encrypt’s HTTP validation requires the user to present a challenge token at the requested file path & Let’s Encrypt will try to validate it.

Or, you could use the DNS-01 validation… But it heavily depends on your (domain) DNS provider and whether an ACME client supports the DNS provider (via API) to automate the process.

If those machines are just for training and will not last more than 3 months (and the Let’s Encrypt certificate is just for dismissing the browser “security error”), it’s fine to use Let’s Encrypt… Else it might be painful to renew it manually…

Thank you


#5

Steve, Thanks for taking the time to dialog with me on this.

I’m not familiar with tokens in regards to certificate generation - I will check into this more.

We do host our own DNS for the domain. Currently this domain’s DNS is hosted on two Microsoft servers (we use both Windows and Linux DNS servers). I’m also not familiar with DNS-01 validation but will dig deeper and learn more.

Yes, these VMware ESXi servers are used only for training in 16 week courses. The students are comfortable working around the browser “security error”. My goal is to use this opportunity to teach them about certificates and give them some experience working with them.

Again Thanks!
Randy Graves
North Idaho College


#6

A little point off-topic, but I think important:

Let’s Encrypt has some rate limits: https://letsencrypt.org/docs/rate-limits/ that you may hit depending on the number of students and the number of errors they make (I think in particular about the “Duplicate Certificate limit” and the “Failed Validation” limit).

But there is a staging environment available: https://letsencrypt.org/docs/staging-environment/ that allows you to test your process. It has very high rate limits (but it generates certificates that are not considered trusted by browsers).

So the process for students could be:

  • Test with the staging environment
  • Once the student successfully generates and installs a “staging” certificate, replicate the process with the real environment.


#7

Without getting deep into unsupported territory, you’re not going to be able to host LE HTTP challenge tokens directly on an ESXi host. Even trying to install an ACME client directly onto ESXi (outside of a supported VIB which I don’t think exists) is probably frowned upon. Even though it’s a *NIX variant, it’s not really intended to be a general purpose OS.

So realistically, the cert generation is going to need to happen outside the ESXi host and use DNS based challenges. With a Windows DNS server hosting your zones, your client choices are pretty limited if you want to actually automate this. Posh-ACME (which I maintain) is one of them. But if you’re willing to have people manually create TXT records, there are a lot more options.

The cert generation workflow looks something like this but clients usually handle most of it:

  • Create an account on the ACME server
  • Create a new cert order for esxi1.example.com
  • Create TXT records to satisfy the dns-01 challenge
    • If manual, the client should tell you exactly what to create
    • If automated, the client should take care of this for you
  • Create the cert private key and CSR and submit them to the ACME server
  • Download the signed certificate

Once you’ve got the cert and private key, then it’s just a matter of using the standard VMware tools to get it imported to ESXi.
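The challenge values in the workflow above are not magic: both the http-01 token file (post #4) and the dns-01 TXT record (post #7) are derived from the ACME account key and the token the server hands out, as specified in RFC 8555. The following Python is an added teaching example, not code from this thread or from Posh-ACME; the account JWK and token are constructed sample values, not real keys, and it uses only the standard library.

```python
"""Derive ACME (RFC 8555) http-01 and dns-01 challenge responses.

Added example for teaching; the JWK and token below are constructed
sample values, not a real account key or a real challenge.
"""
from __future__ import annotations
import base64
import hashlib
import json

# Constructed public JWK of an ACME account key. "n" is a placeholder
# modulus, NOT a real RSA key; the derivation below is key-agnostic.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}
# Sample token in the form the ACME server returns in a challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 canonical form: required public members only,
    lexicographically sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint = base64url(SHA-256(canonical JSON))."""
    digest = hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest()
    return b64url(digest)


def key_authorization(token: str, jwk: dict) -> str:
    """http-01: this string is the body served at
    http://<fqdn>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(fqdn: str, token: str, jwk: dict) -> tuple[str, str]:
    """dns-01: (record name, TXT value). The value is
    base64url(SHA-256(key authorization)); a wildcard identifier
    uses the TXT record of its base name."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return "_acme-challenge." + base, b64url(digest)


def dns01_validation_passes(txt_records: list[str], fqdn: str, token: str, jwk: dict) -> bool:
    """What the CA checks: the expected value is among the TXT records it resolved."""
    return dns01_record(fqdn, token, jwk)[1] in txt_records
```

Students can compare the TXT value a client such as Posh-ACME asks them to create against the one this derivation produces for the same account key and token.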


#8

Thank you! Very Helpful.


#9

I appreciate this information and step-through. Thank you.

I’m thinking “Let’s Encrypt” with ESXi is probably not going to work out for us. Plan-B would be to purchase a wildcard cert and then teach the students how to install and use it.

With our Linux class however - I think we are good-to-go for: openSUSE + Apache + Let’s Encrypt!

Again Thanks,
Everyone has been Very Helpful,
With Appreciation,
Randy Graves
North Idaho College


#10

You could still use LE to get the wildcard cert for free in advance and use that the same way you’d use a purchased one. It just needs to be renewed every 90 days.


#11

Thank You! I didn’t realize this was an option. This sounds like a great way to go - gives me the option for students to learn how to generate certificates as well as install them. We just need to figure out how to do this outside of ESXi and then import the certificate.

You’ve been Very Helpful and I (and the students) appreciate your time. If I get stuck figuring this out I’ll check back with the forum.

Again Thanks,
Randy Graves