VMware Cloud Community
JohnyBeGood
Enthusiast

ESXi 6.5 - Wildcard SSL help needed

Hi all,

I have ISPconfig with a few personal websites and I got a Comodo Positive SSL Wildcard. Using ISPconfig I went through the process of generating a CSR for *.mydomain.com and sending it to the reseller I got the SSL from; I got it back and pasted it into ISPconfig, so far so good.

When I do the same for ESXi, which is on a different IP (esxi.mydomain.com), I have to use this guide and OpenSSL for Windows: https://www.comprofix.com/2017/03/02/using-letsencrypt-esxi-vps/

Since when I run the ESXi command I get:

[root@esxi:/vmfs/volumes/59c20232-9fad620f-8e7c-0cc47a0c8c1c/verticalbackup] openssl req -x509 -sha256 -newkey rsa:2048 -keyout rui.key -config openssl.cfg -out rui.crt -days 3650
error on line -1 of openssl.cfg
1022206424744:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('openssl.cfg','rb')
1022206424744:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
1022206424744:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:

So when I upload the CRT to the SSL reseller and get it back from Comodo, I get a STAR_mydomain_com.crt.crt file, and I replace rui.crt in /etc/vmware/ssl and do services.sh restart.

I can no longer access https://esxi.mydomain.com and I have to revert to the Let's Encrypt certs to log back in.

Any idea?

5 Replies
JohnyBeGood
Enthusiast

I solved this issue and wanted to post the solution in case someone runs into the same issue.

It was quite simple. Once I got STAR_mydomain_us.ca-bundle and STAR_mydomain_us.crt in the email from Comodo, I opened a new text file, entered the content of STAR_mydomain_us.crt first, and just below that added the content of STAR_mydomain_us.ca-bundle. I copied that content into /etc/vmware/ssl/rui.crt; inside /etc/vmware/ssl/rui.key I had my private key from OpenSSL (star_mydomain_us.key). Then I did services.sh restart on my ESXi server.

https://prnt.sc/h3qdyi

Now everywhere online I also get:

"Certificate Chain Complete

  All of the correct Intermediate CA Certificates are installed. Your SSL certificate is installed correctly and should be supported in all the major web browsers without problems."
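The two steps this thread turns on are the OpenSSL key/CSR generation from the first post (where the "fopen('openssl.cfg','rb'): No such file" errors mean openssl could not find the config file in the working directory) and the "server certificate first, then the CA bundle" assembly of rui.crt from the solution post. The script below is an added example, not code from the posts, from the linked guide or from VMware: it generates the key and CSR with an explicit -config path, uses a constructed throwaway root and intermediate in place of Comodo to produce star.crt and star.ca-bundle, builds rui.crt/rui.key the way the solution describes, and then checks the pair (key matches the first certificate, chain verifies to the root, wildcard covers the ESXi host name) before anything is copied into /etc/vmware/ssl. The domain mydomain.example and every file name under the temp directory are placeholders.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from VMware).
# The CA built here is a constructed stand-in for Comodo; mydomain.example is a placeholder.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN="mydomain.example"   # placeholder for the poster's domain
CFG="$WORK/openssl.cfg"

# Minimal config for the wildcard CSR. The first post's "fopen('openssl.cfg','rb')" error
# is openssl not finding this file in the current directory, so every command below passes
# its full path with -config. [ ca_ext ] is used only by the constructed CA, not the CSR.
cat > "$CFG" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = *.$DOMAIN
[ ext ]
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Step 1: private key plus CSR for *.mydomain.example, as submitted to the reseller.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
    -keyout "$WORK/star.key" -out "$WORK/star.csr" 2>/dev/null
}

# Step 2 (constructed): a root and an intermediate sign the CSR, producing the two files
# a real CA mails back: star.crt (the leaf) and star.ca-bundle (the intermediate chain).
fake_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$CFG" \
    -subj "/CN=Constructed Root" -extensions ca_ext \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
    -subj "/CN=Constructed Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$CFG" -extensions ca_ext \
    -out "$WORK/int.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/star.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$CFG" -extensions ext \
    -out "$WORK/star.crt" 2>/dev/null
  cp "$WORK/int.crt" "$WORK/star.ca-bundle"
}

# Step 3: the fix from the solution post. rui.crt is the leaf first, then the bundle;
# rui.key is the key from step 1. tr drops CR bytes left behind by editors on Windows.
build_rui() {
  cat "$WORK/star.crt" "$WORK/star.ca-bundle" | tr -d '\r' > "$WORK/rui.crt"
  cp "$WORK/star.key" "$WORK/rui.key"
}

# Step 4: checks to run before touching /etc/vmware/ssl. Returns 0 only if the key matches
# the FIRST certificate in rui.crt (catches a wrong key and a bundle-before-leaf order),
# the chain verifies up to the root, and the wildcard covers the name the ESXi UI uses.
check_rui() {
  crt="$1"; key="$2"
  crt_mod="$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null | openssl sha256)"
  key_mod="$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null | openssl sha256)"
  if [ "$crt_mod" != "$key_mod" ]; then
    echo "rui.key does not match the first certificate in rui.crt (wrong key or wrong order)"
    return 1
  fi
  if ! openssl verify -CAfile "$WORK/root.crt" -untrusted "$crt" \
        -verify_hostname "esxi.$DOMAIN" "$crt" >/dev/null 2>&1; then
    echo "chain does not verify for esxi.$DOMAIN (missing or wrong ca-bundle?)"
    return 1
  fi
  return 0
}

gen_csr; fake_ca; build_rui
check_rui "$WORK/rui.crt" "$WORK/rui.key" \
  && echo "rui.crt and rui.key are consistent; copy them to /etc/vmware/ssl/ and run services.sh restart"
```

With a real certificate, replace the constructed CA in step 2 with the files the CA returns and point -CAfile at the CA's root; the modulus comparison is what would have flagged the first post's broken login (a rui.crt that no longer matches rui.key, or a bundle pasted above the leaf) before the services were restarted.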

msripada
Virtuoso

Hello Johny,

Wildcard certificates are currently not supported, but even if they were, it is much more secure to have a proper certificate for each host.

https://kb.vmware.com/s/article/2113926?language=en_US

It is not recommended to have wildcard certificates as it may lead to different issues with ESXi hosts. Please go through the above KB article and replace the certs with proper certificates.

thanks,

MS

JohnyBeGood
Enthusiast

Thanks for the reply and link! So far I have not noticed any issues or differences.

GunterO
Contributor

Thanks, worked like a charm!

GarfsField
Contributor

Anyone got this to work with ESXi 8?
