A very cool solution for standalone ESXi hosts used in production or home labs that I want to report today. In fact, I received a quick email from Horst Fickel, one of our readers, letting me know that he and his friends have released a lightweight VIB package for VMware ESXi which is able to automatically renew a Let's Encrypt certificate. Let's Encrypt for VMware ESXi standalone hosts can be used in production or in your homelab.
Your ESXi host must be reachable over the internet and be configured with a hostname from your internal DNS (that's what most home labs do anyway), so you might have something like esxi1.lab.local within your DNS. Note that the default configuration, localhost.localdomain, will not work.
As you know, letsencrypt allows you to create and use free certificates for different kinds of servers, hosts and other devices. ESXi server, as part of its installation, includes a built-in web server. The web server is used post-installation as the management interface for configuring the server and creating virtual machines (VMs). So basically, the hostname must be resolvable (in both directions) in the DNS zone you're using.
Quote from Horst's email:
Our goal was to simplify letsencrypt installation and monthly renewal for everyone, e.g. for single vmware servers hosted at ovh, hetzner, etc., but also in general for homelabs and production servers.
Let's Encrypt for VMware ESXi – The Features
- Fully Configurable – Customizable parameters for renewal interval, Let's Encrypt (ACME) backend, etc
- Persistent – The certificate, private key and all settings are preserved over ESXi upgrades
- Fully-automated – Requesting and renewing certificates without user interaction
- Auto-renewal – A cronjob runs once a week to check if a certificate is due for renewal
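Before deploying a tool like this, it is worth checking the two prerequisites the post names (a real FQDN, not localhost.localdomain, that resolves in both directions) and understanding the weekly "is the certificate due?" decision the cronjob makes. The script below is an added example written for this article; it is not code from Horst's VIB. The DNS tables are constructed sample data (a real check would query your resolver), and the `notAfter=` line mimics what `openssl x509 -noout -enddate` prints for the host certificate.

```python
"""Added example (not part of the Let's Encrypt ESXi VIB project): pre-flight checks
for a standalone ESXi host and the renewal-due decision a weekly cron would make."""
from datetime import datetime, timedelta, timezone

# Constructed sample DNS data: forward zone (name -> IP) and reverse zone (IP -> name).
# esxi2's PTR record points at a different name, which is the kind of mismatch
# that makes "resolvable in both directions" fail.
SAMPLE_FORWARD = {"esxi1.lab.local": "192.0.2.10", "esxi2.lab.local": "192.0.2.11"}
SAMPLE_REVERSE = {"192.0.2.10": "esxi1.lab.local", "192.0.2.11": "esxi2.example.net"}


def hostname_is_eligible(hostname):
    """Reject the ESXi default name and anything that is not a syntactically valid FQDN."""
    hostname = hostname.strip().rstrip(".").lower()
    if hostname in ("localhost", "localhost.localdomain"):
        return False
    labels = hostname.split(".")
    if len(labels) < 2:  # a bare short name cannot be issued a public certificate
        return False
    for label in labels:
        if not label or len(label) > 63:
            return False
        if label.startswith("-") or label.endswith("-"):
            return False
        if not label.replace("-", "").isalnum():
            return False
    return True


def dns_resolves_both_ways(hostname, forward=SAMPLE_FORWARD, reverse=SAMPLE_REVERSE):
    """Forward lookup must give an address whose reverse record maps back to the same name."""
    ip = forward.get(hostname)
    if ip is None:
        return False
    return reverse.get(ip) == hostname


def parse_not_after(enddate_line):
    """Parse 'notAfter=Jun 10 12:00:00 2024 GMT' (openssl -enddate format) into an aware UTC datetime."""
    _, _, value = enddate_line.strip().partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left on the certificate; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def renewal_due(not_after, now=None, threshold_days=30):
    """The weekly cron decision: renew when fewer than threshold_days remain (or already expired).
    Checking weekly with a 30-day margin leaves several retries before a 90-day cert lapses."""
    return days_until_expiry(not_after, now) <= threshold_days


def preflight(hostname, enddate_line, now=None):
    """Summarise every check an operator would want green before enabling auto-renewal."""
    not_after = parse_not_after(enddate_line)
    return {
        "hostname_ok": hostname_is_eligible(hostname),
        "dns_ok": dns_resolves_both_ways(hostname),
        "days_left": days_until_expiry(not_after, now),
        "renew_now": renewal_due(not_after, now),
    }


if __name__ == "__main__":
    # Constructed sample run for a host whose certificate expires in mid-2024.
    print(preflight("esxi1.lab.local", "notAfter=Jun 10 12:00:00 2024 GMT"))
    print(preflight("localhost.localdomain", "notAfter=Jun 10 12:00:00 2024 GMT"))
```

Run it on the host's real values by replacing the sample tables with `socket.gethostbyname` / `socket.gethostbyaddr` lookups and feeding it the output of `openssl x509 -in /etc/vmware/ssl/rui.crt -noout -enddate`; the `hostname_ok` and `dns_ok` fields are exactly the two conditions the post says must hold before Let's Encrypt can validate the host.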
Why the VIB?
Many ESXi servers are accessible over the Internet and use self-signed X.509 certificates for TLS connections. This situation not only leads to annoying warnings in the browser when calling the Web UI, but can also be the reason for serious security problems. Despite the enormous popularity of Let's Encrypt, there is no convenient way to automatically request, renew or remove certificates in ESXi.
I think that it's a very convenient way of approaching the certificate problem on standalone ESXi hosts. It allows you to quickly deploy, configure and renew the ESXi certificate. I haven't personally tested it yet, so if you guys do, please provide feedback to Horst. Here is his GitHub page, where you can find how to download and use the VIB.