Let's Encrypt SSL certificate in VMware with automatic renewal

How to install a Let's Encrypt SSL certificate on VMware ESXi with automatic renewal

Getting started

You need to enable SSH access to ESXi: official instructions.

Since ESXi has no git, you need to download ACME-tiny yourself. Copy acme_tiny.py to /opt/acme-tiny/acme_tiny.py.

Outgoing http/https connections must be allowed:

esxcli network firewall ruleset set -e true -r httpClient

Manual setup

First, generate the private key for the Let's Encrypt account:

[root@esxi-server:~] cd /etc/vmware/ssl/
[root@esxi-server:/etc/vmware/ssl] openssl genrsa 4096 > account.key
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
Generating RSA private key, 4096 bit long modulus
......................................++++
..................++++
e is 65537 (0x10001)

It complains, but the key is still created. To avoid further questions, create an openssl.cnf:

#
# OpenSSL example configuration file.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits = 4096
default_md = sha256
default_keyfile = letsencrypt.key
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA, emailCA, objCA

[req_distinguished_name ]
countryName = RU
countryName_default = RU
countryName_min = 2
countryName_max = 2

# write company name
organizationName = domain
organizationName_default = Company

# write department
#organizationalUnitName = department
#organizationalUnitName_default = department

# write domain name which you service
commonName = domain.com
commonName_default = lesstif’s Self Signed CA
commonName_max = 64

Generate the private key for the certificate:

[root@esxi-server:/etc/vmware/ssl] openssl genrsa 4096 > letsencrypt.key
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
Generating RSA private key, 4096 bit long modulus
.............................................................................................................................................++++
..................................................................................++++
e is 65537 (0x10001)

Generate the certificate signing request:

[root@esxi-server:/etc/vmware/ssl] openssl req -config /etc/vmware/ssl/openssl.cnf -new -sha256 -key letsencrypt.key -subj "/CN=domain.com" > letsencrypt.csr
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf

Create the directories that ACME-tiny needs:

[root@esxi-server:/etc/vmware/ssl] mkdir /usr/lib/vmware/hostd/docroot/.well-known/
[root@esxi-server:/etc/vmware/ssl] mkdir /usr/lib/vmware/hostd/docroot/.well-known/acme-challenge/

Obtain the signed certificate:

[root@esxi-server:/etc/vmware/ssl] /usr/bin/python /opt/acme-tiny/acme_tiny.py --account-key /etc/vmware/ssl/account.key --csr /etc/vmware/ssl/letsencrypt.csr --acme-dir /usr/lib/vmware/hostd/docroot/.well-known/acme-challenge > /etc/vmware/ssl/letsencrypt.crt
Parsing account key...
Parsing CSR...
Found domains: domain.com
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying domain.com...
vm.xratescanner.dev verified!
Signing certificate...
Certificate signed!

Install the certificate:

[root@esxi-server:/etc/vmware/ssl] cp -f /etc/vmware/ssl/rui.key /etc/vmware/ssl/orig.rui.key
[root@esxi-server:/etc/vmware/ssl] cp -f /etc/vmware/ssl/rui.crt /etc/vmware/ssl/orig.rui.crt
[root@esxi-server:/etc/vmware/ssl] cp -f /etc/vmware/ssl/letsencrypt.key /etc/vmware/ssl/rui.key
[root@esxi-server:/etc/vmware/ssl] cp -f /etc/vmware/ssl/letsencrypt.crt /etc/vmware/ssl/rui.crt

Restart the services:

[root@esxi-server:/etc/vmware/ssl] /etc/init.d/hostd restart
watchdog-hostd: Terminating watchdog process with PID 34255
hostd stopped.
Ramdisk 'hostd' with estimated size of 553MB already exists
hostd started.
[root@esxi-server:/etc/vmware/ssl] /etc/init.d/vpxa restart
watchdog-vpxa: Terminating watchdog process with PID 34853
vpxa stopped.
[root@esxi-server:/etc/vmware/ssl] /etc/init.d/vpxa start
vpxa is running

Setting up automatic renewal

Create the script letsencrypt_renewal.sh and place it in /etc/vmware/ssl/

#!/usr/bin/sh
# Request a new certificate; stdout is redirected to letsencrypt.crt
/usr/bin/python /opt/acme-tiny/acme_tiny.py --account-key /etc/vmware/ssl/account.key --csr /etc/vmware/ssl/letsencrypt.csr --acme-dir /usr/lib/vmware/hostd/docroot/.well-known/acme-challenge > /etc/vmware/ssl/letsencrypt.crt
# Back up the original ESXi key and certificate only if no backup exists yet
if [ ! -s "/etc/vmware/ssl/orig.rui.key" ]; then
    cp -f /etc/vmware/ssl/rui.key /etc/vmware/ssl/orig.rui.key
    cp -f /etc/vmware/ssl/rui.crt /etc/vmware/ssl/orig.rui.crt
fi
# Install the new certificate only if the file is not empty
if [ -s "/etc/vmware/ssl/letsencrypt.crt" ]; then
    cp -f /etc/vmware/ssl/letsencrypt.key /etc/vmware/ssl/rui.key
    cp -f /etc/vmware/ssl/letsencrypt.crt /etc/vmware/ssl/rui.crt
    # Restart the management services so they pick up the new certificate
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
    /etc/init.d/vpxa start
else
    echo "File letsencrypt.crt is not correct"
fi
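
The renewal script above only checks that letsencrypt.crt is non-empty before it overwrites rui.crt. As an added example (not part of the original post or its GitHub files), the functions below also confirm that the certificate parses, is not about to expire, and belongs to the private key being installed; the names cert_ok and install_cert, the return codes and the one-day default threshold are assumptions of this example.

```shell
# Added example: validate a freshly issued certificate before installing it.

# cert_ok CERT KEY [MIN_SECONDS_LEFT]
# Returns 0 if usable, 1 if a file is missing or empty, 2 if the certificate
# cannot be parsed or expires within MIN_SECONDS_LEFT (default: one day,
# an assumed threshold), 3 if the certificate does not belong to KEY.
cert_ok() {
    cert=$1; key=$2; min_left=${3:-86400}
    [ -s "$cert" ] && [ -s "$key" ] || return 1
    # -checkend exits non-zero when the certificate expires within N seconds;
    # it also fails when the file is not a readable PEM certificate.
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null 2>&1 || return 2
    # Compare the public key inside the certificate with the one derived
    # from the private key. Both are printed as the same PEM structure.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3
    return 0
}

# install_cert NEW_CRT NEW_KEY DST_CRT DST_KEY
# Replaces DST_CRT/DST_KEY only when cert_ok passes. The files are copied
# next to the destination first and then renamed, so an interrupted copy
# never leaves a half-written certificate or key in place.
install_cert() {
    cert_ok "$1" "$2" || return $?
    cp -f "$2" "$4.new" && chmod 400 "$4.new" &&
    cp -f "$1" "$3.new" &&
    mv -f "$4.new" "$4" && mv -f "$3.new" "$3"
}
```

In the renewal script, the two cp commands in the second if block would become a single call such as install_cert /etc/vmware/ssl/letsencrypt.crt /etc/vmware/ssl/letsencrypt.key /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.key, with the service restarts run only when it returns 0.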

Add it to cron:

[root@esxi-server:/etc/vmware/ssl] echo '0 0 1 * * /etc/vmware/ssl/letsencrypt_renewal.sh >> /etc/vmware/ssl/letsencrypt.log 2>&1' >> /var/spool/cron/crontabs/root

Since ESXi wipes the crontab files on reboot, add these lines to /etc/rc.local.d/local.sh:

/bin/kill $(cat /var/run/crond.pid) # Gets the cron service pid and simply kills it.
/bin/echo '0 0 1 * * /etc/vmware/ssl/letsencrypt_renewal.sh >> /etc/vmware/ssl/letsencrypt.log 2>&1' >> /var/spool/cron/crontabs/root
/usr/lib/vmware/busybox/bin/busybox crond
exit 0

The files are on GitHub.


Based on:

mishulins hell