Update README.md with info on support for ESXi 8.0

ESXi 8.0 requires a SHA-256 hash of the gzipped payload to be provided in the manifest. The VIB author tool doesn't include this functionality for SHA-1 but not SHA-256. The build process has therefore been modified to take VIB author out of the game

.github/workflows/ci.yml

@@ -15,10 +15,10 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v2
 
-      - name: Create VIB and offline bundle
+      - name: Create VIB
         run: /bin/bash ./build/build.sh
 
-      - name: Store VIB and offline bundle
+      - name: Store VIB
         uses: actions/upload-artifact@v2
         with:
           name: w2c-letsencrypt-esxi

README.md

@@ -9,7 +9,7 @@ Features:
 - **Persistent**: The certificate, private key and all settings are preserved over ESXi upgrades
 - **Configurable**: Customizable parameters for renewal interval, Let's Encrypt (ACME) backend, etc
 
-_Successfully tested with all currently supported versions of ESXi (6.5, 6.7, 7.0)._
+_Successfully tested with ESXi 6.5, 6.7, 7.0, 8.0._
 
 ## Why?
 

build/create_vib.sh

@@ -35,7 +35,28 @@ mkdir -p ${TEMP_DIR}
 # Create VIB spec payload directory
 mkdir -p ${VIB_PAYLOAD_DIR}
 
+# Create target directory
+BIN_DIR=${VIB_PAYLOAD_DIR}/opt/w2c-letsencrypt
+INIT_DIR=${VIB_PAYLOAD_DIR}/etc/init.d
+mkdir -p ${BIN_DIR} ${INIT_DIR}
+
+# Copy files to the corresponding locations
+cp ../* ${BIN_DIR} 2>/dev/null
+cp ../w2c-letsencrypt ${INIT_DIR}
+
+# Ensure that shell scripts are executable
+chmod +x ${INIT_DIR}/w2c-letsencrypt ${BIN_DIR}/renew.sh
+
+# Create tgz with payload
+tar czf ${TEMP_DIR}/payload1 -C ${VIB_PAYLOAD_DIR} etc opt
+
 # Create letsencrypt-esxi VIB descriptor.xml
+PAYLOAD_FILES=$(tar tf ${TEMP_DIR}/payload1 | grep -v -E '/$' | sed -e 's/^/    <file>/' -e 's/$/<\/file>/')
+PAYLOAD_SIZE=$(stat -c %s ${TEMP_DIR}/payload1)
+PAYLOAD_SHA256=$(sha256sum ${TEMP_DIR}/payload1 | awk '{print $1}')
+PAYLOAD_SHA256_ZCAT=$(zcat ${TEMP_DIR}/payload1 | sha256sum | awk '{print $1}')
+PAYLOAD_SHA1_ZCAT=$(zcat ${TEMP_DIR}/payload1 | sha1sum | awk '{print $1}')
+
 cat > ${VIB_DESC_FILE} << __W2C__
 <vib version="5.0">
   <type>bootbank</type>
@@ -60,6 +81,7 @@ cat > ${VIB_DESC_FILE} << __W2C__
     <maintenance-mode>false</maintenance-mode>
   </system-requires>
   <file-list>
+${PAYLOAD_FILES}
   </file-list>
   <acceptance-level>community</acceptance-level>
   <live-install-allowed>true</live-install-allowed>
@@ -68,25 +90,21 @@ cat > ${VIB_DESC_FILE} << __W2C__
   <stateless-ready>true</stateless-ready>
   <overlay>false</overlay>
   <payloads>
-    <payload name="payload1" type="vgz"></payload>
+    <payload name="payload1" type="tgz" size="${PAYLOAD_SIZE}">
+        <checksum checksum-type="sha-256">${PAYLOAD_SHA256}</checksum>
+        <checksum checksum-type="sha-256" verify-process="gunzip">${PAYLOAD_SHA256_ZCAT}</checksum>
+        <checksum checksum-type="sha-1" verify-process="gunzip">${PAYLOAD_SHA1_ZCAT}</checksum>
+    </payload>
   </payloads>
 </vib>
 __W2C__
 
-# Create target directory
-BIN_DIR=${VIB_PAYLOAD_DIR}/opt/w2c-letsencrypt
-INIT_DIR=${VIB_PAYLOAD_DIR}/etc/init.d
-mkdir -p ${BIN_DIR} ${INIT_DIR}
+# Create letsencrypt-esxi VIB
+touch ${TEMP_DIR}/sig.pkcs7
+ar r w2c-letsencrypt-esxi.vib ${TEMP_DIR}/descriptor.xml ${TEMP_DIR}/sig.pkcs7 ${TEMP_DIR}/payload1
 
-# Copy files to the corresponding locations
-cp ../* ${BIN_DIR} 2>/dev/null
-cp ../w2c-letsencrypt ${INIT_DIR}
-
-# Ensure that shell scripts are executable
-chmod +x ${INIT_DIR}/w2c-letsencrypt ${BIN_DIR}/renew.sh
-
-# Create letsencrypt-esxi VIB + offline bundle
-vibauthor -C -t ${TEMP_DIR} -v w2c-letsencrypt-esxi.vib -O w2c-letsencrypt-esxi-offline-bundle.zip -f
+# Create the offline bundle
+PYTHONPATH=/opt/vmware/vibtools-6.0.0-847598/bin python -c "import vibauthorImpl; vibauthorImpl.CreateOfflineBundle('w2c-letsencrypt-esxi.vib', 'w2c-letsencrypt-esxi-offline-bundle.zip', True)"
 
 # Show some details about what we have just created
 vibauthor -i -v w2c-letsencrypt-esxi.vib

renew.sh

@@ -3,7 +3,7 @@
 # Copyright (c) Johannes Feichtner <johannes@web-wack.at>
 # Released under the GNU GPLv3 License.
 
-DOMAIN=$(grep "adv/Misc/HostName" /etc/vmware/esx.conf | awk '{print $3}' | xargs)
+DOMAIN=$(hostname -f)
 LOCALDIR=$(dirname "$(readlink -f "$0")")
 LOCALSCRIPT=$(basename "$0")
 
@@ -98,6 +98,8 @@ if [ -n "$CERT" ] ; then
   cp -p "$LOCALDIR/$KEY" "$VMWARE_KEY"
   cp -p "$LOCALDIR/$CRT" "$VMWARE_CRT"
   log "Success: Obtained and installed a certificate from Let's Encrypt."
+elif openssl x509 -checkend 86400 -noout -in "$VMWARE_CRT"; then
+  log "Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid."
 else
   log "Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate."
   /sbin/generate-certificates