letsencrypt-esxi's People

Contributors

churro

letsencrypt-esxi's Issues

Error in generating certificate

Hello,

I am getting this error. I have removed the domain but already verified that I can reach the ESXi console from Internet using the domain I used to generate the new certificate

[root@...:/tmp] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert issued for localhost.localdomain but current domain name is ....... Requesting a new one!
Serving HTTP on :: port 8120 (http://[::]:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: .....
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/1046503447
Creating new order...
Order created!
Verifying .........
Traceback (most recent call last):
File "./acme_tiny.py", line 145, in get_crt
assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
File "./acme_tiny.py", line 46, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error:
Url: http://....../.well-known/acme-challenge/1vNofoe2lO8zUwuJkOgzg3fnLC9iuBgamSauCy4rlf4
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "./acme_tiny.py", line 199, in <module>
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 147, in get_crt
raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /opt/w2c-letsencrypt/.well-known/acme-challenge/1vNofoe2lO8zUwuJkOgzg3fnLC9iuBgamSauCy4rlf4, but couldn't download http://..../.well-known/acme-challenge/1vNofoe2lO8zUwuJkOgzg3fnLC9iuBgamSauCy4rlf4: Error:
Url: http://..../.well-known/acme-challenge/1vNofoe2lO8zUwuJkOgzg3fnLC9iuBgamSauCy4rlf4
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
Certificate will not expire
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION

+ '[' '!' -d /opt/dell/fist ]
+ basename /etc/init.d/dell_fist
+ echo 'Usage: dell_fist {start,stop}'
+ exit 1
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
hostd signalled.
watchdog-lsud[1053680]: Terminating watchdog process with PID 1053288
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[1053765]: args ('')
sfcbd-init[1053765]: Getting Exclusive access, please wait...
sfcbd-init[1053765]: Exclusive access granted.
sfcbd-init[1053776]: args ('ssl_reset')
sfcbd-init[1053776]: Getting Exclusive access, please wait...
sfcbd-init[1053776]: Exclusive access granted.
sfcbd-init[1053776]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 1053888
vvold is not running.

IPv4 / IPv6 only

On my host system, the renew.sh unfortunately only creates an IPv6 HTTP server

Serving HTTP on :: port 8120 (http://[::]:8120/)

Unfortunately, only v6 link locals exist on the system. Incoming request attempts therefore seem to come to nothing.

However, the whole thing could easily be made reachable via the parameter "--bind=127.0.0.1" in the script, for example. Any chance of making the IPv4/IPv6 addition settable via a config value here?

How to install on ESXI 8 U2 last version ?

I tried to install it and got this error:

[root@localhost:~] esxcli software vib install -v /vmfs/volumes/Data01/w2c-letsencrypt-esxi.vib -f
[InstallationError]
Can not open /var/vmware/lifecycle/stageliveimage/data/payload1.t00 to write payload payload1: [Errno 2] No such file or directory: '/var/vmware/lifecycle/stageliveimage/data/payload1.t00'
cause = Can not open /var/vmware/lifecycle/stageliveimage/data/payload1.t00 to write payload payload1: [Errno 2] No such file or directory: '/var/vmware/lifecycle/stageliveimage/data/payload1.t00'
vibs = ['web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.1.0-0.0.0']
Please refer to the log file for more details.

Self signed Cert After Installation at esxi 8

Hi, I'm getting this error after running the script.

[root@dedi-01-tr:~] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for dedi-01-tr.xxx.com not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on :: port 8120 (http://[::]:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: dedi-01-tr.xxx.com
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/1111111
Creating new order...
Order created!
Already verified: dedi-01-tr.xxx.com, skipping...
Signing certificate...
Certificate signed!
Success: Obtained and installed a certificate from Let's Encrypt.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
hostd signalled.
watchdog-lsud[2107812]: Terminating watchdog process with PID 2107391
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[2107897]: args ('')
sfcbd-init[2107897]: Getting Exclusive access, please wait...
sfcbd-init[2107897]: Exclusive access granted.
sfcbd-init[2107908]: args ('ssl_reset')
sfcbd-init[2107908]: Getting Exclusive access, please wait...
sfcbd-init[2107908]: Exclusive access granted.
sfcbd-init[2107908]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 2108023
vvold is not running.

Message: Host is not changed.

Although I have my FQDN set, vib installation doesn't recognize it and fails with error "Message: Host is not changed." Should there be a server reboot required?

Search for config files as well in /etc/w2c-letsencrypt, as /opt doesn't persist easily

So I've been playing with this for the last couple of days with a LabCA instance I set up on my local network. (Highly recommended, by the way, this tool is AWESOME!) This works out wonderfully! I can finally have a trusted cert that I can keep track of via my own ACME-style CA! It's quite literally fire and forget! I've only got one public IP on my network to play with, so this is the next best thing for me in lieu of LetsEncrypt.

My only issue with this thus far is I have to adjust the configuration in order for this to work on my net, and putting my config file and root/intermediate cert chain in /opt/w2c-letsencrypt obviously doesn't stick around past a reboot.

Would you be inclined to include searching in a directory that does persist, say, /etc/w2c-letsencrypt, for config files as well? I know it could be easy to just do this off a datastore, but I'm already redlining mine as it is, and it shouldn't be too much of a challenge to put this into a place able to be saved to the state file, just in case something happens.

I'd be happy to submit a pull request! Shouldn't take more than a few minutes at last glance to include this functionality.

unable to add to vcenter

vcenter removed the esx server from the cluster and I am unable to add it back.

I keep getting:
Authenticity of the host's SSL certificate is not verified.

I tested DNS lookups and reverse lookups from the vcenter and that just works fine.
I changed the certificate mode to custom and tried thumbprint as well, neither works.
I added the certificate chain for Let's Encrypt to the certificate manager, which didn't help either.

I had to remove the app and revert to self signed from the vmware ca.

Does this sound familiar? I read the wiki troubleshooting and searched issues and discussions but couldn't find anything related.

The error I receive is plenty to be found all over the net, but the solutions don't seem to work.

If we can't solve this, you might want to add a big fat warning somewhere, because once a server is removed, all its settings are removed as well (think monitoring, alerts; basically all host-specific settings are gone).

Cannot uninstall on ESXi 8u1

Hi,

I had it installed on ESXi 8u1 and not only did it not work with the challenge, but now I cannot uninstall it.

Basically I am stuck with it permanently failing, restoring self-signed certificates instead of my custom valid ones...

Any idea please ?

esxcli software vib remove --maintenance-mode -n w2c-letsencrypt-esxi
[Exception]
Busy
Please refer to the log file for more details.

Multi domain cert

Hello,

Are there any settings that I can use to configure multiple domains for the cert that will be generated?

Best regards

tried to install on esxi 5.5 - and now can't uninstall it

Hi

getting this error

~ # esxcli software vib remove -n w2c-letsencrypt-esxi
[InstallationError]
Error in running rm /tardisks/payload1.v00:
Return code: 1
Output: rm: can't remove '/tardisks/payload1.v00': Device or resource busy

It is not safe to continue. Please reboot the host immediately to discard the unfinished update.
Please refer to the log file for more details.
~ #

Error getting validation data: 400 invalid

Hi,

Thanks for this. Sadly not working for me.

Running on ESXi ESXi-6.7.0-20220704001-standard.

/etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
***************************************************************************************************************************************************************************               ***************************************************************************************************************************************************************************               ***************************************************************************************************************************************************************************               ****************************************************************++++
****************++++
e is 65537 (0x10001)
Serving HTTP on 0.0.0.0 port 8120 ...
Parsing account key...
Parsing CSR...
Found domains: esxi.myDomain.com
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/700469847
Creating new order...
Order created!
Verifying esxi.myDomain.com...
127.0.0.1 - - [25/Aug/2022 17:41:28] "GET /.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk HTTP/1.1" 200 -
Traceback (most recent call last):
  File "./acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "./acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "./acme_tiny.py", line 153, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for esxi.myDomain.com: {'identifier': {'type': 'dns', 'value': 'esxi.myDomain.com'}, 'expires': '2022-09-01T17:41:27Z', 'challenges': [{'token': 'Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk', 'validationRecord': [{'addressesResolved': ['myPublicIP'], 'url': 'http://esxi.myDomain.com/.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk', 'port': '80', 'addressUsed': 'myPublicIP', 'hostname': 'esxi.myDomain.com'}], 'validated': '2022-08-25T17:41:28Z', 'status': 'invalid', 'type': 'http-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/146077121297/FH4vAg', 'error': {'detail': 'myPublicIP: Fetching http://esxi.myDomain.com/.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk: Error getting validation data', 'type': 'urn:ietf:params:acme:error:connection', 'status': 400}}], 'status': 'invalid'}
Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
hostd signalled.
rabbitmqproxy is not running
VMware HTTP reverse proxy signalled.
sfcbd-init: Getting Exclusive access, please wait...
sfcbd-init: Exclusive access granted.
sfcbd-init: sfcbd is not running.
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 2104005
vvold is not running.
cat /var/log/syslog.log | grep w2c
2022-08-25T16:59:18Z jumpstart[2098915]: executing start plugin: w2c-letsencrypt
2022-08-25T16:59:18Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T16:59:18Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T16:59:18Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:00:02Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
2022-08-25T17:37:23Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T17:37:23Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T17:37:23Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:37:40Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
2022-08-25T17:41:23Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T17:41:23Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T17:41:23Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:41:29Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.

Edit Update: I just realized I had an /etc/hosts entry pointing the domain to a local IP to make it easier on me, so I got rid of that and tried again. Now it just gets stuck on verifying domain.com, and the log stops there as well.

And https://websistent.com/tools/open-port-check-tool/ confirms port 80 is open as expected.

Edit 2: Trying on ESXi-7.0U3f-20036589-standard

First thing I noticed:

 esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Remote end closed connection without response
[will@esxi2:~] esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Installation Result
   Message: Host is not changed.
   Reboot Required: false
   VIBs Installed:
   VIBs Removed:
   VIBs Skipped: web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0

So it did work despite the first error.

Sadly same problem.

For privacy, I switched out my real public IP with myPublicIP and my domain with myDomain.

Using Cloudflare to set my A record.

Thanks for the help,

Will

No cert obtained from Let's Encrypt

Hi,

I have a problem; here is my log:

[root@localhost:~] cat /var/log/syslog.log | grep w2c
2023-05-13T09:37:16Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2023-05-13T09:37:17Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2023-05-13T09:37:17Z /opt/w2c-letsencrypt/renew.sh: Existing cert issued for sv2.softigest.com but current domain name is localhost.localdomain. Requesting a new one!
2023-05-13T09:37:27Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
2023-05-13T09:37:28Z /etc/init.d/w2c-letsencrypt: Running 'install' action
2023-05-13T10:00:16Z /etc/init.d/w2c-letsencrypt: Running 'stop' action
2023-05-13T10:00:16Z /etc/init.d/w2c-letsencrypt: Running 'remove' action
2023-05-13T10:01:34Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2023-05-13T10:01:34Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2023-05-13T10:01:34Z /opt/w2c-letsencrypt/renew.sh: Existing cert for localhost.localdomain not issued by Let's Encrypt. Requesting a new one!
2023-05-13T10:01:40Z /opt/w2c-letsencrypt/renew.sh: Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
2023-05-13T10:01:41Z /etc/init.d/w2c-letsencrypt: Running 'install' action

Can you help me, please?

Thanks

DNS-01 challenge

Hello, what about a DNS challenge, for Cloudflare for example? It would be much easier and safer than opening ports 80 and 443 in my firewall and redirecting them to ESXi for issuing a certificate. I found a few solutions, but they are too complicated for a renewal every three months. Your VIB with a DNS challenge would be the best option.

Only renews once

Works for the initial certificate request and then never renews. Reinstalled several times and always the same result after expiration.

ESXI 7.0 Update 3

esxi 7.0 local ip

DNS name k2-esxi.domain.org A record is registered to a local ip address.

At startup, it outputs:

/etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert issued for localhost.localdomain but current domain name is k2-esxi.domain.org. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
**********************************************************************************************************++++
***************************************************************************************************************************************************************************************************************************************************************************************************************************************++++
e is 65537 (0x10001)
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: k2-esxi.domain.org
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/866296867
Creating new order...
Order created!
Verifying k2-esxi.domain.org...
127.0.0.1 - - [11/Dec/2022 12:12:20] "GET /.well-known/acme-challenge/15Ig8QtCSjDqqtkmHsawlr5z1uBmPOccXTkqCcLQRYw HTTP/1.1" 200 -
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in <module>
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 153, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for k2-esxi.domain.org: {'identifier': {'type': 'dns', 'value': 'k2-esxi.domain.org'}, 'status': 'invalid', 'expires': '2022-12-18T12:12:21Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': 'no valid A records found for k2-esxi.domain.org; no valid AAAA records found for k2-esxi.domain.org', 'status': 400}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/186152580607/5zMdvw', 'token': '15Ig8QtCSjDqqtkmHsawlr5z1uBmPOccXTkqCcLQRYw', 'validated': '2022-12-11T12:12:24Z'}]}
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
hostd signalled.
watchdog-lsud[529842]: Terminating watchdog process with PID 529113
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[529924]: args ('')
sfcbd-init[529924]: Getting Exclusive access, please wait...
sfcbd-init[529924]: Exclusive access granted.
sfcbd-init[529935]: args ('ssl_reset')
sfcbd-init[529935]: Getting Exclusive access, please wait...
sfcbd-init[529935]: Exclusive access granted.
sfcbd-init[529935]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 530041
vvold is not running.
[root@k2-esxi:] /etc/init.d/hostd restart
watchdog-hostd[530098]: Terminating watchdog process with PID 526363 525564
hostd stopped.
hostd started.
[root@k2-esxi:] /etc/init.d/vpxa restart
watchdog-vpxa[530315]: Terminating watchdog process with PID 527026
vpxa stopped.
vpxa started.

AssertionError

I run the command: /etc/init.d/w2c-letsencrypt start

and I receive the following:
Running 'start' action
Starting certificate renewal.
Existing cert issued for redirect.ovh.net but current domain name is ip-158-69-26.net. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
...++++
....................................................................++++
e is 65537 (0x10001)
Serving HTTP on 0.0.0.0 port 8120 ...
Parsing account key...
Parsing CSR...
Found domains: ip-158-69-26.net
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/817945307
Creating new order...
Order created!
Verifying ip-158-69-26.net...
Traceback (most recent call last):
File "./acme_tiny.py", line 145, in get_crt
assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
AssertionError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "./acme_tiny.py", line 199, in <module>
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 147, in get_crt
raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /opt/w2c-letsencrypt/.well-known/acme-challenge/SXykn4btnmIQbv-5OX-cS_fuIiMjUvuLlI0Yb92veKE, but couldn't download http://ip-158-69-26.net/.well-known/acme-challenge/SXykn4btnmIQbv-5OX-cS_fuIiMjUvuLlI0Yb92veKE:
Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
hostd signalled.
rabbitmqproxy is not running
VMware HTTP reverse proxy signalled.
sfcbd-init: backgrounding ssl_reset on sfcbd-watchdog
vpxa signalled.
ssl_reset: vsanperfsvc is not running
/etc/init.d/vvold ssl_reset, PID 14994659
vvold is not running.

I believe the A record etc. is correct. Any ideas? Thank you.
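Both tracebacks on this page that stop at acme_tiny.py line 145 (this issue and "Error in generating certificate") fail in acme_tiny's own pre-check, which fetches the challenge URL over plain HTTP before the CA does. The Python below is an added example, not letsencrypt-esxi code: it reproduces that check against a constructed local responder and separates the outcomes a host owner needs to tell apart (matching file, wrong file, 404, redirect to https), the last being the only way an http:// URL can end in CERTIFICATE_VERIFY_FAILED. The token, thumbprint and the '/redirected/' path are constructed stand-ins.

```python
"""ACME http-01 self-check, modelled on acme_tiny's pre-validation step.
Added example; not letsencrypt-esxi code.  It fetches the challenge URL over
plain HTTP without following redirects and compares the body with the key
authorization (<token>.<thumbprint>).  A redirect to https:// is reported
separately: it is the only way an http:// URL can end in the
CERTIFICATE_VERIFY_FAILED error seen in the first issue.
"""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_http01(url, keyauthorization, timeout=5.0):
    """Return {'ok': bool, 'reason': str} for one challenge URL."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect)
    try:
        body = opener.open(url, timeout=timeout).read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        if e.code in (301, 302, 303, 307, 308):
            return {"ok": False, "reason": "redirect to %s" % e.headers.get("Location")}
        return {"ok": False, "reason": "http-%d" % e.code}
    except (urllib.error.URLError, OSError) as e:  # DNS, refused, timeout, TLS ...
        return {"ok": False, "reason": str(e)}
    if body.strip() == keyauthorization:
        return {"ok": True, "reason": "match"}
    return {"ok": False, "reason": "mismatch: got %r" % body.strip()[:80]}


def write_challenge(webroot, token, keyauthorization):
    # webroot/.well-known/acme-challenge/<token> must contain exactly the key authorization
    acme_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(acme_dir, exist_ok=True)
    with open(os.path.join(acme_dir, token), "w") as f:
        f.write(keyauthorization)


class _Responder(http.server.SimpleHTTPRequestHandler):
    """Serves webroot; the constructed '/redirected/' prefix answers 302 to https://."""
    def do_GET(self):
        if self.path.startswith("/redirected/"):  # imitates a proxy forcing HTTPS
            self.send_response(302)
            self.send_header("Location", "https://localhost" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        super().do_GET()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_responder(webroot):
    """Serve webroot on 127.0.0.1 and an ephemeral port; returns (server, port)."""
    handler = functools.partial(_Responder, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the four outcomes against a constructed local responder."""
    token = "constructed-token-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  # constructed
    keyauth = token + ".constructed-account-thumbprint"                 # constructed
    webroot = tempfile.mkdtemp()
    write_challenge(webroot, token, keyauth)
    srv, port = start_responder(webroot)
    base = "http://127.0.0.1:%d" % port
    good = base + "/.well-known/acme-challenge/" + token
    try:
        return {
            "match": check_http01(good, keyauth),                         # served file is right
            "mismatch": check_http01(good, token + ".other-thumbprint"),  # stale or wrong file
            "missing": check_http01(base + "/.well-known/acme-challenge/other", keyauth),
            "redirect": check_http01(base + "/redirected/" + token, keyauth),
        }
    finally:
        srv.shutdown()
        srv.server_close()
```

Call demo() to see the four outcomes; against a real host, check_http01() needs only the challenge URL and the expected key authorization.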

Update to use DNS Challenge

Exposing an ESXi server to the public internet really isn't a good idea.

LetsEncrypt permits the use of a DNS Challenge.

Could you update this to enable the use of that instead?

thanks!

Support for ESXi 8.0

Installing VIB on ESXi 8.0 doesn't work, how feasible is repacking the vib with the community tool to support sha-256 gunzip encryption?

esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f

[ProfileValidationError]
In ImageProfile (Updated) ESXi-8.0.0-20513097-standard, the payload(s) in VIB web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0 does not have sha-256 gunzip checksum. This will prevent VIB security verification and secure boot from functioning properly. Please remove this VIB or please check with your vendor for a replacement of this VIB

Issues with Firewall

Hey there,

I've got both "vSphere Web Access" and "vSphere Web Client" limited to my own IPs, which makes it impossible to pass the challenge automatically, so I've got to disable the firewall in ESXi first, then execute the script manually, and then enable the firewall again.

Is there some way you can automate this, so your script checks if the firewall for both services is active and disables it before it proceeds to order the certificate? It should also activate the firewall again when the certificate is installed successfully.

best regards

VMware ESXi 7.0 Update 3i - Keeping Self Signed Cert

I upgraded to VMware ESXi 7.0 Update 3i from VMware ESXi 7.0 Update 3g, but it is now keeping Self Signed Cert.

VMware ESXi 7.0 Update 3i uses Client version: 2.1.1.

VMware ESXi 7.0 Update 3g Client version: 1.43.8.

Despite log showing success:

[will@esxi:~] cat /var/log/syslog.log | grep w2c
2022-12-15T23:41:28.191Z jumpstart[2098126]: executing start plugin: w2c-letsencrypt
2022-12-15T23:41:28.194Z .etc.init.d.w2c-letsencrypt[2100127]: Running 'start' action
2022-12-15T23:41:28.212Z .opt.w2c-letsencrypt.renew.sh[2100141]: Starting certificate renewal.
2022-12-15T23:41:28.280Z .opt.w2c-letsencrypt.renew.sh[2100167]: Existing cert for esxi.mydomain.com not issued by Let's Encrypt. Requesting a new one!
2022-12-15T23:41:40.059Z jumpstart[2098126]: w2c-letsencrypt started.
2022-12-15T23:41:44.512Z .opt.w2c-letsencrypt.renew.sh[2100734]: Success: Obtained and installed a certificate from Let's Encrypt.

FYI, not sure why, but I have to use wget --no-check-certificate to grab the file:

[will@esxi:~] wget -O /tmp/w2c-letsencrypt-esxi.vib https://github.com/w2c/letsencrypt-esxi/releases/latest/download/w2c-letsencrypt-esxi.vib
Connecting to github.com (140.82.114.3:443)
wget: error getting response

[will@esxi:~] wget --no-check-certificate -O /tmp/w2c-letsencrypt-esxi.vib https://github.com/w2c/letsencrypt-esxi/releases/latest/download/w2c-letsencrypt-esxi.vib
Connecting to github.com (140.82.114.4:443)
Connecting to github.com (140.82.114.4:443)
Connecting to objects.githubusercontent.com (185.199.109.133:443)
saving to '/tmp/w2c-letsencrypt-esxi.vib'
w2c-letsencrypt-esxi 100% |*********************************************************************************************************************************************************************| 29770  0:00:00 ETA
'/tmp/w2c-letsencrypt-esxi.vib' saved

Upgrade of the script looks good:

[will@esxi:~] esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.1.0-0.0.0
   VIBs Removed: web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0
   VIBs Skipped:
[will@esxi:~] esxcli software vib list | grep w2c
w2c-letsencrypt-esxi           1.0.0-0.0.0                            web-wack-creations  CommunitySupported  2022-09-27
reboot
w2c-letsencrypt-esxi           1.1.0-0.0.0                            web-wack-creations  CommunitySupported  2022-12-15

Well, it looks like the Let's Encrypt cert is there (Host > Manage > Security & users > Certificates), but the web UI needs to be restarted for it to take effect.

Indeed, I just ran /sbin/services.sh restart and now the web ui is using the certificate.

So it looks like this command needs to be run at the end of the cert install.
