w2c / letsencrypt-esxi
Let's Encrypt for VMware ESXi with easy installation using pre-built VIB or offline bundle. Auto-renewal of certificates.
License: GNU General Public License v3.0
So I've been playing with this for the last couple of days with a LabCA instance I set up on my local network. (Highly recommended, by the way, this tool is AWESOME!) This works out wonderfully! I can finally have a trusted cert that I can keep track of via my own ACME-style CA! It's quite literally fire and forget! I've only got one public IP on my network to play with, so this is the next best thing for me in lieu of LetsEncrypt.
My only issue with this thus far is I have to adjust the configuration in order for this to work on my net, and putting my config file and root/intermediate cert chain in /opt/w2c-letsencrypt obviously doesn't stick around past a reboot.
Would you be inclined to include searching in a directory that does persist, say, /etc/w2c-letsencrypt, for config files as well? I know it could be easy to just do this off a datastore, but I'm already redlining mine as it is, and it shouldn't be too much of a challenge to put this into a place able to be saved to the state file, just in case something happens.
I'd be happy to submit a pull request! Shouldn't take more than a few minutes at last glance to include this functionality.
Hello,
I am getting this error. I have removed the domain, but I already verified that I can reach the ESXi console from the Internet using the domain I used to generate the new certificate.
[root@...:/tmp] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert issued for localhost.localdomain but current domain name is ....... Requesting a new one!
Serving HTTP on :: port 8120 (http://[::]:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: .....
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/1046503447
Creating new order...
Order created!
Verifying .........
Traceback (most recent call last):
File "./acme_tiny.py", line 145, in get_crt
assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
File "./acme_tiny.py", line 46, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error:
Url: http://....../.well-known/acme-challenge/1vNofoe2lO8zUwuJkOgzg3fnLC9iuBgamSauCy4rlf4
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in <module>
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 147, in get_crt
raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /opt/w2c-letsencrypt/.well-known/acme-challenge/1vNofoe2lO8zUwuJkOgzg3fnLC9iuBgamSauCy4rlf4, but couldn't download http://..../.well-known/acme-challenge/1vNofoe2lO8zUwuJkOgzg3fnLC9iuBgamSauCy4rlf4: Error:
Url: http://..../.well-known/acme-challenge/1vNofoe2lO8zUwuJkOgzg3fnLC9iuBgamSauCy4rlf4
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
Certificate will not expire
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
Hello,
Are there any settings that I can use to configure multiple domains for the cert that will be generated?
Best regards
I run the command: /etc/init.d/w2c-letsencrypt start
and I receive the following:
Running 'start' action
Starting certificate renewal.
Existing cert issued for redirect.ovh.net but current domain name is ip-158-69-26.net. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
...++++
....................................................................++++
e is 65537 (0x10001)
Serving HTTP on 0.0.0.0 port 8120 ...
Parsing account key...
Parsing CSR...
Found domains: ip-158-69-26.net
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/817945307
Creating new order...
Order created!
Verifying ip-158-69-26.net...
Traceback (most recent call last):
File "./acme_tiny.py", line 145, in get_crt
assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
AssertionError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in <module>
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 147, in get_crt
raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /opt/w2c-letsencrypt/.well-known/acme-challenge/SXykn4btnmIQbv-5OX-cS_fuIiMjUvuLlI0Yb92veKE, but couldn't download http://ip-158-69-26.net/.well-known/acme-challenge/SXykn4btnmIQbv-5OX-cS_fuIiMjUvuLlI0Yb92veKE:
Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
hostd signalled.
rabbitmqproxy is not running
VMware HTTP reverse proxy signalled.
sfcbd-init: backgrounding ssl_reset on sfcbd-watchdog
vpxa signalled.
ssl_reset: vsanperfsvc is not running
/etc/init.d/vvold ssl_reset, PID 14994659
vvold is not running.
I believe the A record etc. is correct. Any ideas? Thank you.
Hi
Tried to install on ESXi 5.5, and now I can't uninstall it.
I'm getting this error:
~ # esxcli software vib remove -n w2c-letsencrypt-esxi
[InstallationError]
Error in running rm /tardisks/payload1.v00:
Return code: 1
Output: rm: can't remove '/tardisks/payload1.v00': Device or resource busy
It is not safe to continue. Please reboot the host immediately to discard the unfinished update.
Please refer to the log file for more details.
~ #
I upgraded to VMware ESXi 7.0 Update 3i from VMware ESXi 7.0 Update 3g, but it is now keeping the self-signed cert.
VMware ESXi 7.0 Update 3i uses Client version: 2.1.1.
VMware ESXi 7.0 Update 3g Client version: 1.43.8.
Despite log showing success:
[will@esxi:~] cat /var/log/syslog.log | grep w2c
2022-12-15T23:41:28.191Z jumpstart[2098126]: executing start plugin: w2c-letsencrypt
2022-12-15T23:41:28.194Z .etc.init.d.w2c-letsencrypt[2100127]: Running 'start' action
2022-12-15T23:41:28.212Z .opt.w2c-letsencrypt.renew.sh[2100141]: Starting certificate renewal.
2022-12-15T23:41:28.280Z .opt.w2c-letsencrypt.renew.sh[2100167]: Existing cert for esxi.mydomain.com not issued by Let's Encrypt. Requesting a new one!
2022-12-15T23:41:40.059Z jumpstart[2098126]: w2c-letsencrypt started.
2022-12-15T23:41:44.512Z .opt.w2c-letsencrypt.renew.sh[2100734]: Success: Obtained and installed a certificate from Let's Encrypt.
FYI, not sure why, but I have to use wget --no-check-certificate to grab the file:
[will@esxi:~] wget -O /tmp/w2c-letsencrypt-esxi.vib https://github.com/w2c/letsencrypt-esxi/releases/latest/download/w2c-letsencrypt-esxi.vib
Connecting to github.com (140.82.114.3:443)
wget: error getting response
[will@esxi:~] wget --no-check-certificate -O /tmp/w2c-letsencrypt-esxi.vib https://github.com/w2c/letsencrypt-esxi/releases/latest/download/w2c-letsencrypt-esxi.vib
Connecting to github.com (140.82.114.4:443)
Connecting to github.com (140.82.114.4:443)
Connecting to objects.githubusercontent.com (185.199.109.133:443)
saving to '/tmp/w2c-letsencrypt-esxi.vib'
w2c-letsencrypt-esxi 100% |*********************************************************************************************************************************************************************| 29770 0:00:00 ETA
'/tmp/w2c-letsencrypt-esxi.vib' saved
Upgrade of the script looks good:
[will@esxi:~] esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Installation Result
Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
Reboot Required: true
VIBs Installed: web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.1.0-0.0.0
VIBs Removed: web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0
VIBs Skipped:
[will@esxi:~] esxcli software vib list | grep w2c
w2c-letsencrypt-esxi 1.0.0-0.0.0 web-wack-creations CommunitySupported 2022-09-27
reboot
w2c-letsencrypt-esxi 1.1.0-0.0.0 web-wack-creations CommunitySupported 2022-12-15
Well, it looks like the Let's Encrypt cert is there (Host > Manage > Security & users > Certificates), but the web UI needs to be restarted for it to take effect.
Indeed, I just ran /sbin/services.sh restart and now the web UI is using the certificate.
So it looks like this command needs to be run at the end of the cert install.
Exposing an ESXi server to the public internet really isn't a good idea.
LetsEncrypt permits the use of a DNS Challenge.
Could you update this to enable the use of that instead?
thanks!
Hello, what about a DNS challenge, for Cloudflare for example? It would be much easier and safer than opening ports 80 and 443 in my firewall and redirecting them to ESXi for issuing a certificate. I found a few solutions, but they are too complicated for a renewal every three months. Your VIB with a DNS challenge would be the best option.
Hi,
I have a problem; here is my log:
[root@localhost:~] cat /var/log/syslog.log | grep w2c
2023-05-13T09:37:16Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2023-05-13T09:37:17Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2023-05-13T09:37:17Z /opt/w2c-letsencrypt/renew.sh: Existing cert issued for sv2.softigest.com but current domain name is localhost.localdomain. Requesting a new one!
2023-05-13T09:37:27Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
2023-05-13T09:37:28Z /etc/init.d/w2c-letsencrypt: Running 'install' action
2023-05-13T10:00:16Z /etc/init.d/w2c-letsencrypt: Running 'stop' action
2023-05-13T10:00:16Z /etc/init.d/w2c-letsencrypt: Running 'remove' action
2023-05-13T10:01:34Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2023-05-13T10:01:34Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2023-05-13T10:01:34Z /opt/w2c-letsencrypt/renew.sh: Existing cert for localhost.localdomain not issued by Let's Encrypt. Requesting a new one!
2023-05-13T10:01:40Z /opt/w2c-letsencrypt/renew.sh: Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
2023-05-13T10:01:41Z /etc/init.d/w2c-letsencrypt: Running 'install' action
Can you help me, please?
Thanks
Installing VIB on ESXi 8.0 doesn't work, how feasible is repacking the vib with the community tool to support sha-256 gunzip encryption?
[ProfileValidationError]
In ImageProfile (Updated) ESXi-8.0.0-20513097-standard, the payload(s) in VIB web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0 does not have sha-256 gunzip checksum. This will prevent VIB security verification and secure boot from functioning properly. Please remove this VIB or please check with your vendor for a replacement of this VIB
Hi, I'm getting this error. Any comments?
[root@hostingdunyam:~] /etc/init.d/w2c-letsencrypt start
Running 'start' action
/opt/w2c-letsencrypt/renew.sh: /opt/w2c-letsencrypt/renew.cfg: line 1: equest: not found
Starting certificate renewal.
Existing cert for hostingdunyam.srp.services not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on :: port 8120 (http://[::]:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: hostingdunyam.srp.services
Getting directory...
Directory found!
Registering account...
Registered! Account ID: https://acme-staging-v02.api.letsencrypt.org/acme/acct/159542293
Creating new order...
Order created!
Verifying hostingdunyam.srp.services...
::ffff:127.0.0.1 - - [15/Aug/2024 16:29:27] "GET /.well-known/acme-challenge/Bvs5hnd4IXwI7nz07qKKz2ettzI_jCV47TUElp5k52c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [15/Aug/2024 16:29:29] "GET /.well-known/acme-challenge/Bvs5hnd4IXwI7nz07qKKz2ettzI_jCV47TUElp5k52c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [15/Aug/2024 16:29:30] "GET /.well-known/acme-challenge/Bvs5hnd4IXwI7nz07qKKz2ettzI_jCV47TUElp5k52c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [15/Aug/2024 16:29:30] "GET /.well-known/acme-challenge/Bvs5hnd4IXwI7nz07qKKz2ettzI_jCV47TUElp5k52c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [15/Aug/2024 16:29:31] "GET /.well-known/acme-challenge/Bvs5hnd4IXwI7nz07qKKz2ettzI_jCV47TUElp5k52c HTTP/1.1" 200 -
::ffff:127.0.0.1 - - [15/Aug/2024 16:29:31] "GET /.well-known/acme-challenge/Bvs5hnd4IXwI7nz07qKKz2ettzI_jCV47TUElp5k52c HTTP/1.1" 200 -
hostingdunyam.srp.services verified!
Signing certificate...
Certificate signed!
Success: Obtained and installed a certificate from Let's Encrypt.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
usage: hbrsrv [-h] ACTION
hbrsrv: error: the following arguments are required: ACTION
hostd signalled.
usage: infravisor [-h] ACTION
infravisor: error: the following arguments are required: ACTION
VMware HTTP reverse proxy signalled.
sfcbd-init[2100694]: args ('')
sfcbd-init[2100694]: Getting Exclusive access, please wait...
sfcbd-init[2100694]: Exclusive access granted.
sfcbd-init[2100705]: args ('ssl_reset')
sfcbd-init[2100705]: Getting Exclusive access, please wait...
sfcbd-init[2100705]: Exclusive access granted.
sfcbd-init[2100705]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 2100819
vvold is not running.
How do I install on ESXi 8 U2 (latest version)?
I tried to install and got this error:
[root@localhost:~] esxcli software vib install -v /vmfs/volumes/Data01/w2c-letsencrypt-esxi.vib -f
[InstallationError]
Can not open /var/vmware/lifecycle/stageliveimage/data/payload1.t00 to write payload payload1: [Errno 2] No such file or directory: '/var/vmware/lifecycle/stageliveimage/data/payload1.t00'
cause = Can not open /var/vmware/lifecycle/stageliveimage/data/payload1.t00 to write payload payload1: [Errno 2] No such file or directory: '/var/vmware/lifecycle/stageliveimage/data/payload1.t00'
vibs = ['web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.1.0-0.0.0']
Please refer to the log file for more details.
Hi,
I had it installed on ESXi 8u1 and not only did it not work with the challenge, but now I cannot uninstall it.
Basically I am stuck with it permanently failing, restoring self-signed certificates instead of my custom valid ones...
Any ideas, please?
esxcli software vib remove --maintenance-mode -n w2c-letsencrypt-esxi
[Exception]
Busy
Please refer to the log file for more details.
On my host system, renew.sh unfortunately only creates an IPv6 HTTP server:
Serving HTTP on :: port 8120 (http://[::]:8120/)
Unfortunately, only v6 link-locals exist on the system. Incoming request attempts therefore seem to come to nothing.
However, the whole thing could easily be reached via the parameter "--bind=127.0.0.1" in the script, for example. Any chance of making the IPv4/IPv6 bind address settable via a config value here?
vcenter removed the esx server from the cluster and I am unable to add it back.
I keep getting:
Authenticity of the host's SSL certificate is not verified.
I tested DNS lookups and reverse lookups from the vcenter and that just works fine.
I changed the certificate mode to custom and tried thumbprint as well, neither works.
I added the certificate chain for Let's Encrypt to the certificate manager; that didn't help either.
I had to remove the app and revert to self signed from the vmware ca.
Does this sound familiar? I read the wiki troubleshooting and searched issues and discussions but couldn't find anything related.
The error I receive is plenty to be found all over the net, but the solutions don't seem to work.
If we can't solve this, you might want to add a big fat warning somewhere, because once a server is removed, all its settings are removed as well (think monitoring, alerts; basically all host-specific settings are gone).
Do you think it would be possible to use the DNS challenge instead of HTTP? Then not public facing servers would also work.
I found this project that could be of help: https://github.com/Trim/acme-dns-tiny/
Although I have my FQDN set, vib installation doesn't recognize it and fails with error "Message: Host is not changed." Should there be a server reboot required?
Hi,
Thanks for this. Sadly not working for me.
Running on ESXi ESXi-6.7.0-20220704001-standard.
/etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
*************************************************************************************************************************************************************************** *************************************************************************************************************************************************************************** *************************************************************************************************************************************************************************** ****************************************************************++++
****************++++
e is 65537 (0x10001)
Serving HTTP on 0.0.0.0 port 8120 ...
Parsing account key...
Parsing CSR...
Found domains: esxi.myDomain.com
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/700469847
Creating new order...
Order created!
Verifying esxi.myDomain.com...
127.0.0.1 - - [25/Aug/2022 17:41:28] "GET /.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk HTTP/1.1" 200 -
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in <module>
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 153, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for esxi.myDomain.com: {'identifier': {'type': 'dns', 'value': 'esxi.myDomain.com'}, 'expires': '2022-09-01T17:41:27Z', 'challenges': [{'token': 'Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk', 'validationRecord': [{'addressesResolved': ['myPublicIP'], 'url': 'http://esxi.myDomain.com/.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk', 'port': '80', 'addressUsed': 'myPublicIP', 'hostname': 'esxi.myDomain.com'}], 'validated': '2022-08-25T17:41:28Z', 'status': 'invalid', 'type': 'http-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/146077121297/FH4vAg', 'error': {'detail': 'myPublicIP: Fetching http://esxi.myDomain.com/.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk: Error getting validation data', 'type': 'urn:ietf:params:acme:error:connection', 'status': 400}}], 'status': 'invalid'}
Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
hostd signalled.
rabbitmqproxy is not running
VMware HTTP reverse proxy signalled.
sfcbd-init: Getting Exclusive access, please wait...
sfcbd-init: Exclusive access granted.
sfcbd-init: sfcbd is not running.
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 2104005
vvold is not running.
cat /var/log/syslog.log | grep w2c
2022-08-25T16:59:18Z jumpstart[2098915]: executing start plugin: w2c-letsencrypt
2022-08-25T16:59:18Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T16:59:18Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T16:59:18Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:00:02Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
2022-08-25T17:37:23Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T17:37:23Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T17:37:23Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:37:40Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
2022-08-25T17:41:23Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T17:41:23Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T17:41:23Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:41:29Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
Edit Update: Just realized I had a setting in /etc/hosts pointing the domain to a local IP to make it easier on me, so I got rid of that and tried again. Now it just gets stuck on verifying domain.com, and the log stops there as well.
And https://websistent.com/tools/open-port-check-tool/ confirms port 80 is open as expected.
Edit 2: Trying on ESXi-7.0U3f-20036589-standard
First thing I noticed:
esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Remote end closed connection without response
[will@esxi2:~] esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Installation Result
Message: Host is not changed.
Reboot Required: false
VIBs Installed:
VIBs Removed:
VIBs Skipped: web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0
So it did work despite the first error.
Sadly same problem.
For privacy, I switched out my real public IP with myPublicIP and my domain with myDomain.
Using Cloudflare to set my A record.
Thanks for the help,
Will
Hey there,
I've got both "vSphere Web Access" and "vSphere Web Client" limited to my own IPs, which makes it impossible to pass the challenge automatically, so I've got to disable the firewall in ESXi first, then execute the script manually, and then enable the firewall again.
Is there some way you can automate this, so your script checks if the firewall for both services is active and disables it before it proceeds to order the certificate? Also, it should activate the firewall again when the certificate is installed successfully.
best regards
Hi
It's during install
Hi, I'm getting this error after running the script.
[root@dedi-01-tr:~] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for dedi-01-tr.xxx.com not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on :: port 8120 (http://[::]:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: dedi-01-tr.xxx.com
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/1111111
Creating new order...
Order created!
Already verified: dedi-01-tr.xxx.com, skipping...
Signing certificate...
Certificate signed!
Success: Obtained and installed a certificate from Let's Encrypt.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
hostd signalled.
watchdog-lsud[2107812]: Terminating watchdog process with PID 2107391
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[2107897]: args ('')
sfcbd-init[2107897]: Getting Exclusive access, please wait...
sfcbd-init[2107897]: Exclusive access granted.
sfcbd-init[2107908]: args ('ssl_reset')
sfcbd-init[2107908]: Getting Exclusive access, please wait...
sfcbd-init[2107908]: Exclusive access granted.
sfcbd-init[2107908]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 2108023
vvold is not running.
DNS name k2-esxi.domain.org A record is registered to a local ip address.
At startup, it outputs:
/etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert issued for localhost.localdomain but current domain name is k2-esxi.domain.org. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
**********************************************************************************************************++++
***************************************************************************************************************************************************************************************************************************************************************************************************************************************++++
e is 65537 (0x10001)
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: k2-esxi.domain.org
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/866296867
Creating new order...
Order created!
Verifying k2-esxi.domain.org...
127.0.0.1 - - [11/Dec/2022 12:12:20] "GET /.well-known/acme-challenge/15Ig8QtCSjDqqtkmHsawlr5z1uBmPOccXTkqCcLQRYw HTTP/1.1" 200 -
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in <module>
main(sys.argv[1:])
File "./acme_tiny.py", line 195, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
File "./acme_tiny.py", line 153, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for k2-esxi.domain.org: {'identifier': {'type': 'dns', 'value': 'k2-esxi.domain.org'}, 'status': 'invalid', 'expires': '2022-12-18T12:12:21Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': 'no valid A records found for k2-esxi.domain.org; no valid AAAA records found for k2-esxi.domain.org', 'status': 400}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/186152580607/5zMdvw', 'token': '15Ig8QtCSjDqqtkmHsawlr5z1uBmPOccXTkqCcLQRYw', 'validated': '2022-12-11T12:12:24Z'}]}
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
hostd signalled.
watchdog-lsud[529842]: Terminating watchdog process with PID 529113
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[529924]: args ('')
sfcbd-init[529924]: Getting Exclusive access, please wait...
sfcbd-init[529924]: Exclusive access granted.
sfcbd-init[529935]: args ('ssl_reset')
sfcbd-init[529935]: Getting Exclusive access, please wait...
sfcbd-init[529935]: Exclusive access granted.
sfcbd-init[529935]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 530041
vvold is not running.
[root@k2-esxi:] /etc/init.d/hostd restart
watchdog-hostd[530098]: Terminating watchdog process with PID 526363 525564
hostd stopped.
hostd started.
[root@k2-esxi:] /etc/init.d/vpxa restart
watchdog-vpxa[530315]: Terminating watchdog process with PID 527026
vpxa stopped.
vpxa started.
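Several reports on this page share one pattern: renew.sh's local fetch of the challenge token succeeds (the 200 from 127.0.0.1 or ::ffff:127.0.0.1), yet the CA reports a connection or DNS error, because the name resolves to a private address or a hosts-file override (the k2-esxi and /etc/hosts reports), or because the helper HTTP server is bound only to :: (the IPv6-only report). The pre-flight check below is an added example, not code from letsencrypt-esxi or acme_tiny; it computes the RFC 8555 key authorization, serves it on a chosen bind address, fetches it back the way acme_tiny's self-test does, and lists resolved addresses a public CA could never reach. Function names, the `self_check` wrapper and the sample JWK are assumptions of this example.

```python
"""Pre-flight check for an ACME http-01 challenge (constructed example)."""
import base64
import hashlib
import http.server
import ipaddress
import json
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

# RFC 7638: only the required members of each key type enter the thumbprint.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"),
                       "EC": ("crv", "kty", "x", "y"),
                       "oct": ("k", "kty")}


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: <token>.<base64url(SHA-256(canonical JWK))>.
    This is the exact body the CA expects at /.well-known/acme-challenge/<token>."""
    members = {k: jwk[k] for k in _THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    thumb = base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=")
    return f"{token}.{thumb.decode()}"


def unreachable_addresses(domain: str) -> list:
    """Resolved addresses a public CA can never reach (loopback, link-local,
    RFC 1918).  A private A record or an /etc/hosts override shows up here,
    which is why the local fetch passes while the CA fails the challenge."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return ["<unresolvable>"]
    bad = set()
    for info in infos:
        addr = ipaddress.ip_address(info[4][0])
        if addr.is_loopback or addr.is_link_local or addr.is_private:
            bad.add(str(addr))
    return sorted(bad)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the check silent
        pass


def write_challenge(acme_dir: str, token: str, keyauth: str) -> str:
    """Place the key authorization where the web root expects it."""
    path = os.path.join(acme_dir, ".well-known", "acme-challenge")
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(keyauth)
    return os.path.join(path, token)


def serve_and_fetch(acme_dir: str, token: str, expected: str,
                    bind: str = "127.0.0.1", port: int = 0) -> bool:
    """Serve acme_dir on `bind` (an IPv4 or IPv6 literal), fetch the token back
    over plain HTTP and report whether the body equals `expected`.  A server
    bound only to '::' on a host with nothing but IPv6 link-locals is unreachable
    for IPv4 clients; an explicit IPv4 bind is the fix the report above asks for."""
    family = socket.AF_INET6 if ":" in bind else socket.AF_INET

    class _Server(http.server.ThreadingHTTPServer):
        address_family = family

    srv = _Server((bind, port), partial(_QuietHandler, directory=acme_dir))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host = f"[{bind}]" if ":" in bind else bind
    url = f"http://{host}:{srv.server_address[1]}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode().strip() == expected
    except (urllib.error.URLError, OSError):
        return False  # 404, refused or no route: the CA would fail the same way
    finally:
        srv.shutdown()
        srv.server_close()


def self_check(domain: str, token: str, jwk: dict, bind: str = "127.0.0.1"):
    """Whole pre-flight: returns (local_fetch_ok, unreachable_addresses, acme_dir)."""
    acme_dir = tempfile.mkdtemp(prefix="acme-check-")
    keyauth = key_authorization(token, jwk)
    write_challenge(acme_dir, token, keyauth)
    return serve_and_fetch(acme_dir, token, keyauth, bind), unreachable_addresses(domain), acme_dir
```

A local fetch that passes together with a non-empty unreachable list reproduces the "no valid A records" and "Error getting validation data" outcomes seen in the logs above before any order is placed.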
Works for the initial certificate request and then never renews. Reinstalled several times and always the same result after expiration.
ESXI 7.0 Update 3