Let's Encrypt SSL for ESXi
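#!/bin/bash
# Let's Encrypt SSL for ESXi
#
# Requests a Let's Encrypt certificate on this client (standalone validation
# through a temporary UPnP forward of TCP/443) and installs it on an ESXi
# host over SSH.
#
# registrar dns must have cname entry pointing host to @ for your public IP.
# gateway must be upnp capable and device subnet running this script must be
# able to create upnp mappings
# tested using ubuntu server 16.04 client and esxi 6.5 target
set -euo pipefail

# Print a green "...message..." status banner (same layout as the original
# echo -e banners: leading blank line, banner, trailing blank line).
info() {
  printf '\n...\e[32m%s\e[m...\n\n' "$*"
}

# Print an error to stderr and stop.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# prompt VARNAME QUESTION: ask QUESTION in green and read a required,
# non-empty answer into the variable named VARNAME.
prompt() {
  local var=$1 question=$2
  printf '\n\e[32m%s\e[m: ' "$question"
  read -r "$var" || die "no input for $var"
  [[ -n "${!var}" ]] || die "a value for $var is required"
}

# remote CMD: run CMD on the ESXi target as $ESXiUser; stdin is passed through.
remote() {
  ssh "$ESXiUser@$ESXiHost" "$@"
}

# push_file LOCAL REMOTE: stream a root-only local file to REMOTE on the ESXi
# target through the $ESXiUser SSH session.  The original used 'sudo scp',
# which runs as root and therefore looks for root's SSH identity rather than
# the key this script installs for the invoking user.
push_file() {
  local src=$1 dst=$2
  sudo cat -- "$src" | remote "cat > '$dst'"
}

main() {
  info "Importing Variables"
  prompt DomainName "Enter the domain name for the certificate in host.domain.tld format"
  prompt Email "Enter the email for confirmation & renew notifications"
  prompt ESXiUser "Enter ESXi admin username"
  prompt ESXiHost "Enter host or IP for the ESXi target"

  info "Updating system and installing miniupnpc and letsencrypt"
  # update, upgrade, and install requirements
  sudo apt update && sudo apt upgrade -y
  sudo apt install miniupnpc letsencrypt -y

  # prompt user to enable SSH on ESXi target.  The original wrote this prompt
  # in plain single quotes, so the colour escapes and $DomainName were printed
  # literally; printf expands both.
  printf '\n\e[32mConfirm that SSH access is enabled on %s. Press any key to continue.\e[m' "$DomainName"
  read -n 1 -s -r || true

  info "SSH key transfer from client to $ESXiHost"
  # check if rsa keypair exists. if not, create a 4096 bit rsa key with no
  # passphrase.  Either way the public key is then appended to the ESXi
  # per-user authorized_keys and SSH restarted.
  if [[ -e ~/.ssh/id_rsa ]]; then
    info "Client RSA key exists. Copying to $ESXiHost and restarting SSH"
  else
    info "Client RSA key not found. Generating 4096 bit key"
    ssh-keygen -b 4096 -t rsa -f ~/.ssh/id_rsa -q -N ""
    info "Copying client RSA key to $ESXiHost and restarting SSH"
  fi
  # The ssh session's stdin carries the key, so no local 'cat |' is needed.
  remote "mkdir -p '/etc/ssh/keys-$ESXiUser/' && cat >> '/etc/ssh/keys-$ESXiUser/authorized_keys' && /etc/init.d/SSH restart" \
    < ~/.ssh/id_rsa.pub

  info "Enabling https port forwarding to client for letsencrypt verification"
  # Enable UPnP https port forward for requesting device
  upnpc -e "Let's Encrypt Temp SSL" -r 443 tcp
  # Remove the forward on every exit path, so a failed certificate request
  # does not leave TCP/443 forwarded to this client.
  trap 'upnpc -d 443 tcp' EXIT

  info "Requesting 4096 bit certificate for $ESXiHost"
  # pull let's encrypt cert.  Abort here on failure: the original went on to
  # move the ESXi certificates aside even when no new certificate existed.
  sudo letsencrypt certonly --standalone --agree-tos -m "$Email" -d "$DomainName" --rsa-key-size 4096 \
    || die "certificate request failed; ESXi certificates left untouched"
  local live="/etc/letsencrypt/live/$DomainName"
  local f
  # /etc/letsencrypt/live is root-only, so the existence check needs sudo.
  for f in fullchain.pem cert.pem privkey.pem; do
    sudo test -e "$live/$f" || die "missing $live/$f"
  done

  info "Backing up existing certificates on $ESXiHost"
  # backup existing SSL components on ESXi target (only those that exist)
  remote 'for f in castore.pem rui.crt rui.key; do [ -e "/etc/vmware/ssl/$f" ] && mv "/etc/vmware/ssl/$f" "/etc/vmware/ssl/$f.back"; done; true'

  info "Copying letsencrypt certificates to $ESXiHost"
  # copy Let's Encrypt SSL components to ESXi target
  push_file "$live/fullchain.pem" /etc/vmware/ssl/castore.pem
  push_file "$live/cert.pem" /etc/vmware/ssl/rui.crt
  push_file "$live/privkey.pem" /etc/vmware/ssl/rui.key

  info "Restarting services on $ESXiHost"
  # restart services on ESXi target
  remote "services.sh restart"

  info "Removing https port forwarding"
  # Disable UPnP https port forward.  The EXIT trap would do this as well;
  # clear it so the mapping is not removed twice.
  trap - EXIT
  upnpc -d 443 tcp
}

main "$@"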