Let's Encrypt SSL certificate in VMware with automatic renewal
Posted on Feb. 9, 2020
How to install a Let's Encrypt SSL certificate in VMware ESXi with automatic renewal.

Getting started. First, SSH access to ESXi has to be enabled: see the official instructions.

Since ESXi has no git, download ACME-tiny and copy acme_tiny.py to /opt/acme-tiny/acme_tiny.py.
Outgoing http/https connections must be allowed:

```
esxcli network firewall ruleset set -e true -r httpClient
```
Manual setup

First, generate the private key for the Let's Encrypt account:

```
[root@esxi-server:~] cd /etc/vmware/ssl/
[root@esxi-server:/etc/vmware/ssl] openssl genrsa 4096 > account.key
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
Generating RSA private key, 4096 bit long modulus
......................................++++
..................++++
e is 65537 (0x10001)
```
It complains, but it still creates the key. To avoid further questions, create /etc/vmware/ssl/openssl.cnf:

```
#
# OpenSSL example configuration file.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

####################################################################
[ req ]
default_bits = 4096
default_md = sha256
default_keyfile = letsencrypt.key
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
##authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA, emailCA, objCA

[ req_distinguished_name ]
countryName = RU
countryName_default = RU
countryName_min = 2
countryName_max = 2

# write company name
organizationName = domain
organizationName_default = Company

# write department
#organizationalUnitName = department
#organizationalUnitName_default = department

# write domain name which you service
commonName = domain.com
commonName_default = lesstif's Self Signed CA
commonName_max = 64
```
Generate the private key for the certificate:

```
[root@esxi-server:/etc/vmware/ssl] openssl genrsa 4096 > letsencrypt.key
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
Generating RSA private key, 4096 bit long modulus
.............................................................................................................................................++++
..................................................................................++++
e is 65537 (0x10001)
```
Generate the certificate signing request:

```
[root@esxi-server:/etc/vmware/ssl] openssl req -config /etc/vmware/ssl/openssl.cnf -new -sha256 -key letsencrypt.key -subj "/CN=domain.com" > letsencrypt.csr
WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
```
Create the directories ACME-tiny needs:

```
[root@esxi-server:/etc/vmware/ssl] mkdir /usr/lib/vmware/hostd/docroot/.well-known/
[root@esxi-server:/etc/vmware/ssl] mkdir /usr/lib/vmware/hostd/docroot/.well-known/acme-challenge/
```
Obtain the signed certificate:

```
[root@esxi-server:/etc/vmware/ssl] /usr/bin/python /opt/acme-tiny/acme_tiny.py --account-key /etc/vmware/ssl/account.key --csr /etc/vmware/ssl/letsencrypt.csr --acme-dir /usr/lib/vmware/hostd/docroot/.well-known/acme-challenge > /etc/vmware/ssl/letsencrypt.crt
Parsing account key...
Parsing CSR...
Found domains: domain.com
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying domain.com...
vm.xratescanner.dev verified!
Signing certificate...
Certificate signed!
```
Install the certificate (keeping a copy of the original ESXi key and certificate):

```
[root@esxi-server:/etc/vmware/ssl] cp -f /etc/vmware/ssl/rui.key /etc/vmware/ssl/orig.rui.key
[root@esxi-server:/etc/vmware/ssl] cp -f /etc/vmware/ssl/rui.crt /etc/vmware/ssl/orig.rui.crt
[root@esxi-server:/etc/vmware/ssl] cp -f /etc/vmware/ssl/letsencrypt.key /etc/vmware/ssl/rui.key
[root@esxi-server:/etc/vmware/ssl] cp -f /etc/vmware/ssl/letsencrypt.crt /etc/vmware/ssl/rui.crt
```
Restart the services:

```
[root@esxi-server:/etc/vmware/ssl] /etc/init.d/hostd restart
watchdog-hostd: Terminating watchdog process with PID 34255
hostd stopped.
Ramdisk 'hostd' with estimated size of 553MB already exists
hostd started.
[root@esxi-server:/etc/vmware/ssl] /etc/init.d/vpxa restart
watchdog-vpxa: Terminating watchdog process with PID 34853
vpxa stopped.
[root@esxi-server:/etc/vmware/ssl] /etc/init.d/vpxa start
vpxa is running
```
Setting up automatic renewal

Create the script letsencrypt_renewal.sh and place it in /etc/vmware/ssl/:

```sh
#!/usr/bin/sh
/usr/bin/python /opt/acme-tiny/acme_tiny.py --account-key /etc/vmware/ssl/account.key --csr /etc/vmware/ssl/letsencrypt.csr --acme-dir /usr/lib/vmware/hostd/docroot/.well-known/acme-challenge > /etc/vmware/ssl/letsencrypt.crt

# Keep a copy of the original ESXi key and certificate the first time the script runs
if [ ! -s "/etc/vmware/ssl/orig.rui.key" ]; then
    cp -f /etc/vmware/ssl/rui.key /etc/vmware/ssl/orig.rui.key
    cp -f /etc/vmware/ssl/rui.crt /etc/vmware/ssl/orig.rui.crt
fi

# A failed acme_tiny run leaves an empty letsencrypt.crt, so install only a non-empty one
if [ -s "/etc/vmware/ssl/letsencrypt.crt" ]; then
    cp -f /etc/vmware/ssl/letsencrypt.key /etc/vmware/ssl/rui.key
    cp -f /etc/vmware/ssl/letsencrypt.crt /etc/vmware/ssl/rui.crt
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
    /etc/init.d/vpxa start
else
    echo "File letsencrypt.crt is not correct"
fi
```
Add it to cron:

```
[root@esxi-server:/etc/vmware/ssl] echo '0 0 1 * * /etc/vmware/ssl/letsencrypt_renewal.sh >> /etc/vmware/ssl/letsencrypt.log 2>&1' >> /var/spool/cron/crontabs/root
```
Since ESXi overwrites the crontab files on reboot, add the following lines to /etc/rc.local.d/local.sh:

```sh
/bin/kill $(cat /var/run/crond.pid)
/bin/echo '0 0 1 * * /etc/vmware/ssl/letsencrypt_renewal.sh >> /etc/vmware/ssl/letsencrypt.log 2>&1' >> /var/spool/cron/crontabs/root
/usr/lib/vmware/busybox/bin/busybox crond
exit 0
```
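As an added example (not the post's own script and not from the linked GitHub repo), here is a stricter variant of the renewal step for the ESXi busybox shell: it renews only when rui.crt is within 30 days of expiry, writes the ACME output to a temporary file so a failed run never truncates the last good certificate, and installs the new certificate only after confirming that its public key matches letsencrypt.key. It assumes the same paths as the post and that the host's openssl supports x509 -checkend and pkey (an assumption on my part).

```shell
#!/bin/sh
# Added example, not the post's script. Paths mirror the post; overridable via the environment.
SSL_DIR="${SSL_DIR:-/etc/vmware/ssl}"
ACME_DIR="${ACME_DIR:-/usr/lib/vmware/hostd/docroot/.well-known/acme-challenge}"
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"

# Returns 0 when the certificate at $1 is missing, unreadable, or expires within
# RENEW_BEFORE_DAYS; returns 1 when it is still valid beyond that window.
cert_needs_renewal() {
    [ -s "$1" ] || return 0
    if openssl x509 -noout -checkend $((RENEW_BEFORE_DAYS * 86400)) -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 when the public key inside certificate $1 equals the public half of
# private key $2 (compared as PEM SubjectPublicKeyInfo), 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

renew_and_install() {
    if ! cert_needs_renewal "$SSL_DIR/rui.crt"; then
        echo "rui.crt is valid for more than $RENEW_BEFORE_DAYS days, nothing to do"
        return 0
    fi
    new_crt="$SSL_DIR/letsencrypt.crt.new"
    # Write to a temporary file: a failed ACME run must not clobber the last good cert.
    if ! /usr/bin/python /opt/acme-tiny/acme_tiny.py --account-key "$SSL_DIR/account.key" \
            --csr "$SSL_DIR/letsencrypt.csr" --acme-dir "$ACME_DIR" > "$new_crt"; then
        rm -f "$new_crt"; echo "acme_tiny failed, keeping current certificate"; return 1
    fi
    if ! cert_matches_key "$new_crt" "$SSL_DIR/letsencrypt.key"; then
        rm -f "$new_crt"; echo "new certificate does not match letsencrypt.key"; return 1
    fi
    # Preserve the factory ESXi key/cert the first time they are replaced.
    if [ ! -s "$SSL_DIR/orig.rui.key" ]; then
        cp -f "$SSL_DIR/rui.key" "$SSL_DIR/orig.rui.key"
        cp -f "$SSL_DIR/rui.crt" "$SSL_DIR/orig.rui.crt"
    fi
    mv -f "$new_crt" "$SSL_DIR/letsencrypt.crt"
    cp -f "$SSL_DIR/letsencrypt.key" "$SSL_DIR/rui.key"
    cp -f "$SSL_DIR/letsencrypt.crt" "$SSL_DIR/rui.crt"
    /etc/init.d/hostd restart
    /etc/init.d/vpxa restart
}
# Run the renewal only when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then renew_and_install; fi
```

Point the cron entry from the post at this script with the argument run; the key-match check is what stops a stray or partial ACME response from being installed next to a key it does not belong to.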
The files are on GitHub.

Based on reading: