Update README.md with info on support for ESXi 8.0

ESXi 8.0 requires a SHA-256 hash of the gzipped payload to be provided in the manifest. The VIB author tool doesn't include this functionality for SHA-1 but not SHA-256. The build process has therefore been modified to take VIB author out of the game

.github/workflows/ci.yml

@@ -1,50 +1,50 @@
-name: w2c-letsencrypt-esxi
+name: w2c-letsencrypt-esxi
-
+
-on:
+on:
-  push:
+  push:
-    tags:
+    tags:
-      - '[0-9]+.[0-9]+.[0-9]+'
+      - '[0-9]+.[0-9]+.[0-9]+'
-
+
-  workflow_dispatch:
+  workflow_dispatch:
-
+
-jobs:
+jobs:
-  build:
+  build:
-    name: Build
+    name: Build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
-    steps:
+    steps:
-      - name: Checkout repository
+      - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v2
-
+
-      - name: Create VIB and offline bundle
+      - name: Create VIB
-        run: /bin/bash ./build/build.sh
+        run: /bin/bash ./build/build.sh
-
+
-      - name: Store VIB and offline bundle
+      - name: Store VIB
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v2
-        with:
+        with:
-          name: w2c-letsencrypt-esxi
+          name: w2c-letsencrypt-esxi
-          path: |
+          path: |
-            artifacts/w2c-letsencrypt-esxi.vib
+            artifacts/w2c-letsencrypt-esxi.vib
-            artifacts/w2c-letsencrypt-esxi-offline-bundle.zip
+            artifacts/w2c-letsencrypt-esxi-offline-bundle.zip
-          if-no-files-found: error
+          if-no-files-found: error
-          
+
-  release:
+  release:
-    name: Release
+    name: Release
-    if: startsWith(github.ref, 'refs/tags/')
+    if: startsWith(github.ref, 'refs/tags/')
-    needs: build
+    needs: build
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
-    steps:
+    steps:
-      - name: Retrieve build artifacts
+      - name: Retrieve build artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v2
-        with:
+        with:
-          name: w2c-letsencrypt-esxi
+          name: w2c-letsencrypt-esxi
-
+
-      - name: Create release
+      - name: Create release
-        id: create_release
+        id: create_release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v1
-        env:
+        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
+        with:
-          body: w2c-letsencrypt-esxi
+          body: w2c-letsencrypt-esxi
-          files: |
+          files: |
-            w2c-letsencrypt-esxi.vib
+            w2c-letsencrypt-esxi.vib
-            w2c-letsencrypt-esxi-offline-bundle.zip
+            w2c-letsencrypt-esxi-offline-bundle.zip

README.md

@@ -9,7 +9,7 @@ Features:
 - **Persistent**: The certificate, private key and all settings are preserved over ESXi upgrades
 - **Configurable**: Customizable parameters for renewal interval, Let's Encrypt (ACME) backend, etc
 
-_Successfully tested with all currently supported versions of ESXi (6.5, 6.7, 7.0)._
+_Successfully tested with ESXi 6.5, 6.7, 7.0, 8.0._
 
 ## Why?
 

build/create_vib.sh

@@ -35,7 +35,28 @@ mkdir -p ${TEMP_DIR}
 # Create VIB spec payload directory
 mkdir -p ${VIB_PAYLOAD_DIR}
 
+# Create target directory
+BIN_DIR=${VIB_PAYLOAD_DIR}/opt/w2c-letsencrypt
+INIT_DIR=${VIB_PAYLOAD_DIR}/etc/init.d
+mkdir -p ${BIN_DIR} ${INIT_DIR}
+
+# Copy files to the corresponding locations
+cp ../* ${BIN_DIR} 2>/dev/null
+cp ../w2c-letsencrypt ${INIT_DIR}
+
+# Ensure that shell scripts are executable
+chmod +x ${INIT_DIR}/w2c-letsencrypt ${BIN_DIR}/renew.sh
+
+# Create tgz with payload
+tar czf ${TEMP_DIR}/payload1 -C ${VIB_PAYLOAD_DIR} etc opt
+
 # Create letsencrypt-esxi VIB descriptor.xml
+PAYLOAD_FILES=$(tar tf ${TEMP_DIR}/payload1 | grep -v -E '/$' | sed -e 's/^/    <file>/' -e 's/$/<\/file>/')
+PAYLOAD_SIZE=$(stat -c %s ${TEMP_DIR}/payload1)
+PAYLOAD_SHA256=$(sha256sum ${TEMP_DIR}/payload1 | awk '{print $1}')
+PAYLOAD_SHA256_ZCAT=$(zcat ${TEMP_DIR}/payload1 | sha256sum | awk '{print $1}')
+PAYLOAD_SHA1_ZCAT=$(zcat ${TEMP_DIR}/payload1 | sha1sum | awk '{print $1}')
+
 cat > ${VIB_DESC_FILE} << __W2C__
 <vib version="5.0">
   <type>bootbank</type>
@@ -60,6 +81,7 @@ cat > ${VIB_DESC_FILE} << __W2C__
     <maintenance-mode>false</maintenance-mode>
   </system-requires>
   <file-list>
+${PAYLOAD_FILES}
   </file-list>
   <acceptance-level>community</acceptance-level>
   <live-install-allowed>true</live-install-allowed>
@@ -68,25 +90,21 @@ cat > ${VIB_DESC_FILE} << __W2C__
   <stateless-ready>true</stateless-ready>
   <overlay>false</overlay>
   <payloads>
-    <payload name="payload1" type="vgz"></payload>
+    <payload name="payload1" type="tgz" size="${PAYLOAD_SIZE}">
+        <checksum checksum-type="sha-256">${PAYLOAD_SHA256}</checksum>
+        <checksum checksum-type="sha-256" verify-process="gunzip">${PAYLOAD_SHA256_ZCAT}</checksum>
+        <checksum checksum-type="sha-1" verify-process="gunzip">${PAYLOAD_SHA1_ZCAT}</checksum>
+    </payload>
   </payloads>
 </vib>
 __W2C__
 
-# Create target directory
+# Create letsencrypt-esxi VIB
-BIN_DIR=${VIB_PAYLOAD_DIR}/opt/w2c-letsencrypt
+touch ${TEMP_DIR}/sig.pkcs7
-INIT_DIR=${VIB_PAYLOAD_DIR}/etc/init.d
+ar r w2c-letsencrypt-esxi.vib ${TEMP_DIR}/descriptor.xml ${TEMP_DIR}/sig.pkcs7 ${TEMP_DIR}/payload1
-mkdir -p ${BIN_DIR} ${INIT_DIR}
 
-# Copy files to the corresponding locations
+# Create the offline bundle
-cp ../* ${BIN_DIR} 2>/dev/null
+PYTHONPATH=/opt/vmware/vibtools-6.0.0-847598/bin python -c "import vibauthorImpl; vibauthorImpl.CreateOfflineBundle('w2c-letsencrypt-esxi.vib', 'w2c-letsencrypt-esxi-offline-bundle.zip', True)"
-cp ../w2c-letsencrypt ${INIT_DIR}
-
-# Ensure that shell scripts are executable
-chmod +x ${INIT_DIR}/w2c-letsencrypt ${BIN_DIR}/renew.sh
-
-# Create letsencrypt-esxi VIB + offline bundle
-vibauthor -C -t ${TEMP_DIR} -v w2c-letsencrypt-esxi.vib -O w2c-letsencrypt-esxi-offline-bundle.zip -f
 
 # Show some details about what we have just created
 vibauthor -i -v w2c-letsencrypt-esxi.vib

renew.sh

@@ -3,7 +3,7 @@
 # Copyright (c) Johannes Feichtner <johannes@web-wack.at>
 # Released under the GNU GPLv3 License.
 
-DOMAIN=$(grep "adv/Misc/HostName" /etc/vmware/esx.conf | awk '{print $3}' | xargs)
+DOMAIN=$(hostname -f)
 LOCALDIR=$(dirname "$(readlink -f "$0")")
 LOCALSCRIPT=$(basename "$0")
 
@@ -98,6 +98,8 @@ if [ -n "$CERT" ] ; then
   cp -p "$LOCALDIR/$KEY" "$VMWARE_KEY"
   cp -p "$LOCALDIR/$CRT" "$VMWARE_CRT"
   log "Success: Obtained and installed a certificate from Let's Encrypt."
+elif openssl x509 -checkend 86400 -noout -in "$VMWARE_CRT"; then
+  log "Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid."
 else
   log "Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate."
   /sbin/generate-certificates