voltron/letsencrypt-esxi
1
0
Fork 0
mirror of https://github.com/w2c/letsencrypt-esxi.git synced 2026-01-15 14:58:31 -06:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: voltron:1.0.0
Branches Tags
voltron:master
voltron:1.1.0 voltron:1.0.0
...
compare: voltron:master
Branches Tags
voltron:master
voltron:1.1.0 voltron:1.0.0

7 Commits
1.0.0 ... master

Author SHA1 Message Date
Johannes Feichtner
27598a9070 Update README.md with info on support for ESXi 8.0 2022-12-10 14:52:18 +01:00
Johannes Feichtner
078e726fdd Bring back the offline bundle 2022-12-04 14:41:42 +01:00
Johannes Feichtner
e2e66c8475 Remove offline bundle also from Gitlab CI 2022-12-04 01:11:31 +01:00
Johannes Feichtner
9ec56ba0ff build: Adapt create_vib.sh for ESXi 8.0 compatible builds 
ESXi 8.0 requires a SHA-256 hash of the gzipped payload to be provided in the manifest. The VIB author tool doesn't include this functionality for SHA-1 but not SHA-256. The build process has therefore been modified to take VIB author out of the game
 2022-12-04 01:00:39 +01:00
Johannes Feichtner
6469b47185 Github Action: Ignore offline bundle from now on 2022-12-04 00:50:03 +01:00
Johannes Feichtner
9da2a81a7a Read FQDN from hostname command 
The previous command stopped working with ESXi 8
 2022-12-03 23:56:35 +01:00
Johannes Feichtner
a58778311d Keep existing cert while it is still valid 
Letsencrypt has some hiccups sometimes during renewals. Instead of instantly replacing a still valid cert with a self-signed, it should be kept, while it hasn't expired
 2022-12-03 23:53:11 +01:00
4 changed files with 86 additions and 66 deletions
Expand all files Collapse all files

4
.github/workflows/ci.yml vendored
View File

@@ -15,10 +15,10 @@ jobs:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Create VIB and offline bundle - name: Create VIB
run: /bin/bash ./build/build.sh run: /bin/bash ./build/build.sh
- name: Store VIB and offline bundle - name: Store VIB
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v2
with: with:
name: w2c-letsencrypt-esxi name: w2c-letsencrypt-esxi

2
README.md
View File

@@ -9,7 +9,7 @@ Features:
- **Persistent**: The certificate, private key and all settings are preserved over ESXi upgrades - **Persistent**: The certificate, private key and all settings are preserved over ESXi upgrades
- **Configurable**: Customizable parameters for renewal interval, Let's Encrypt (ACME) backend, etc - **Configurable**: Customizable parameters for renewal interval, Let's Encrypt (ACME) backend, etc
_Successfully tested with all currently supported versions of ESXi (6.5, 6.7, 7.0)._ _Successfully tested with ESXi 6.5, 6.7, 7.0, 8.0._
## Why? ## Why?

46
build/create_vib.sh
View File

@@ -35,7 +35,28 @@ mkdir -p ${TEMP_DIR}
# Create VIB spec payload directory # Create VIB spec payload directory
mkdir -p ${VIB_PAYLOAD_DIR} mkdir -p ${VIB_PAYLOAD_DIR}
# Create target directory
BIN_DIR=${VIB_PAYLOAD_DIR}/opt/w2c-letsencrypt
INIT_DIR=${VIB_PAYLOAD_DIR}/etc/init.d
mkdir -p ${BIN_DIR} ${INIT_DIR}
# Copy files to the corresponding locations
cp ../* ${BIN_DIR} 2>/dev/null
cp ../w2c-letsencrypt ${INIT_DIR}
# Ensure that shell scripts are executable
chmod +x ${INIT_DIR}/w2c-letsencrypt ${BIN_DIR}/renew.sh
# Create tgz with payload
tar czf ${TEMP_DIR}/payload1 -C ${VIB_PAYLOAD_DIR} etc opt
# Create letsencrypt-esxi VIB descriptor.xml # Create letsencrypt-esxi VIB descriptor.xml
PAYLOAD_FILES=$(tar tf ${TEMP_DIR}/payload1 | grep -v -E '/$' | sed -e 's/^/ <file>/' -e 's/$/<\/file>/')
PAYLOAD_SIZE=$(stat -c %s ${TEMP_DIR}/payload1)
PAYLOAD_SHA256=$(sha256sum ${TEMP_DIR}/payload1 | awk '{print $1}')
PAYLOAD_SHA256_ZCAT=$(zcat ${TEMP_DIR}/payload1 | sha256sum | awk '{print $1}')
PAYLOAD_SHA1_ZCAT=$(zcat ${TEMP_DIR}/payload1 | sha1sum | awk '{print $1}')
cat > ${VIB_DESC_FILE} << __W2C__ cat > ${VIB_DESC_FILE} << __W2C__
<vib version="5.0"> <vib version="5.0">
<type>bootbank</type> <type>bootbank</type>
@@ -60,6 +81,7 @@ cat > ${VIB_DESC_FILE} << __W2C__
<maintenance-mode>false</maintenance-mode> <maintenance-mode>false</maintenance-mode>
</system-requires> </system-requires>
<file-list> <file-list>
${PAYLOAD_FILES}
</file-list> </file-list>
<acceptance-level>community</acceptance-level> <acceptance-level>community</acceptance-level>
<live-install-allowed>true</live-install-allowed> <live-install-allowed>true</live-install-allowed>
@@ -68,25 +90,21 @@ cat > ${VIB_DESC_FILE} << __W2C__
<stateless-ready>true</stateless-ready> <stateless-ready>true</stateless-ready>
<overlay>false</overlay> <overlay>false</overlay>
<payloads> <payloads>
<payload name="payload1" type="vgz"></payload> <payload name="payload1" type="tgz" size="${PAYLOAD_SIZE}">
<checksum checksum-type="sha-256">${PAYLOAD_SHA256}</checksum>
<checksum checksum-type="sha-256" verify-process="gunzip">${PAYLOAD_SHA256_ZCAT}</checksum>
<checksum checksum-type="sha-1" verify-process="gunzip">${PAYLOAD_SHA1_ZCAT}</checksum>
</payload>
</payloads> </payloads>
</vib> </vib>
__W2C__ __W2C__
# Create target directory # Create letsencrypt-esxi VIB
BIN_DIR=${VIB_PAYLOAD_DIR}/opt/w2c-letsencrypt touch ${TEMP_DIR}/sig.pkcs7
INIT_DIR=${VIB_PAYLOAD_DIR}/etc/init.d ar r w2c-letsencrypt-esxi.vib ${TEMP_DIR}/descriptor.xml ${TEMP_DIR}/sig.pkcs7 ${TEMP_DIR}/payload1
mkdir -p ${BIN_DIR} ${INIT_DIR}
# Copy files to the corresponding locations # Create the offline bundle
cp ../* ${BIN_DIR} 2>/dev/null PYTHONPATH=/opt/vmware/vibtools-6.0.0-847598/bin python -c "import vibauthorImpl; vibauthorImpl.CreateOfflineBundle('w2c-letsencrypt-esxi.vib', 'w2c-letsencrypt-esxi-offline-bundle.zip', True)"
cp ../w2c-letsencrypt ${INIT_DIR}
# Ensure that shell scripts are executable
chmod +x ${INIT_DIR}/w2c-letsencrypt ${BIN_DIR}/renew.sh
# Create letsencrypt-esxi VIB + offline bundle
vibauthor -C -t ${TEMP_DIR} -v w2c-letsencrypt-esxi.vib -O w2c-letsencrypt-esxi-offline-bundle.zip -f
# Show some details about what we have just created # Show some details about what we have just created
vibauthor -i -v w2c-letsencrypt-esxi.vib vibauthor -i -v w2c-letsencrypt-esxi.vib

4
renew.sh
View File

@@ -3,7 +3,7 @@
# Copyright (c) Johannes Feichtner <johannes@web-wack.at> # Copyright (c) Johannes Feichtner <johannes@web-wack.at>
# Released under the GNU GPLv3 License. # Released under the GNU GPLv3 License.
DOMAIN=$(grep "adv/Misc/HostName" /etc/vmware/esx.conf | awk '{print $3}' | xargs) DOMAIN=$(hostname -f)
LOCALDIR=$(dirname "$(readlink -f "$0")") LOCALDIR=$(dirname "$(readlink -f "$0")")
LOCALSCRIPT=$(basename "$0") LOCALSCRIPT=$(basename "$0")
@@ -98,6 +98,8 @@ if [ -n "$CERT" ] ; then
cp -p "$LOCALDIR/$KEY" "$VMWARE_KEY" cp -p "$LOCALDIR/$KEY" "$VMWARE_KEY"
cp -p "$LOCALDIR/$CRT" "$VMWARE_CRT" cp -p "$LOCALDIR/$CRT" "$VMWARE_CRT"
log "Success: Obtained and installed a certificate from Let's Encrypt." log "Success: Obtained and installed a certificate from Let's Encrypt."
elif openssl x509 -checkend 86400 -noout -in "$VMWARE_CRT"; then
log "Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid."
else else
log "Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate." log "Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate."
/sbin/generate-certificates /sbin/generate-certificates