-
-
Save n8felton/faa84d5ce4b1214b32d7ca43d002d1ad to your computer and use it in GitHub Desktop.
Let's Encrypt SSL for ESXi
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
## -----------------------------=[ WARNING ]=-------------------------------- ## | |
# | |
# This script is now woefully out of date due to which accounts ESXi allows to | |
# ssh into the box as well as sticky folders/file flags. | |
# I've since ported the whole thing to python with a lot of bells and whistles | |
# and if i get around to making it public, i'll put a link here. | |
# | |
## -------------------------------=[ Info ]=--------------------------------- ## | |
# | |
# Generate letsencrypt cert on local server and scp to esxi target. | |
# Designed and tested on Ubuntu 16.04LTS. | |
# Assumes you have upnp control over local network. Tested with Ubiquiti USG. | |
# | |
# Dependencies: | |
# miniupnpc (sudo apt install miniupnpc) | |
# certbot (sudo apt install certbot) | |
# | |
## -=[ Author ]=------------------------------------------------------------- ## | |
# | |
# shr00mie | |
# 9.21.2018 | |
# v0.5 | |
# | |
## -=[ Use Case ]=----------------------------------------------------------- ## | |
# | |
# Allows for the generation of certificates on a separate host which can then | |
# be securely copied to target esxi host. | |
# | |
## -=[ Breakdown ]=---------------------------------------------------------- ## | |
# | |
# 1. Prompt for esxi target FQDN, reminder email, and esxi admin username | |
# 2. Check if ssh keys exist for target. | |
# - If keys exist, continue. | |
# - If keys don't exist: | |
# - Silently generate 4096 RSA key, no passphrase, user@target as comment. | |
# - Add key to ssh-agent | |
# - Create target folder/file structure for scp automation | |
# - Restart SSH service on target. | |
# 3. Enable port forwarding. | |
# 4. Generate 4096 bit letsencrypt cert | |
# 5. Backup existing cert with datetime suffix | |
# 6. Copy cert to target | |
# 7. Restart target services | |
# 8. Remove port forwarding | |
# | |
## -=[ To-Do ]=-------------------------------------------------------------- ## | |
# | |
# change: PermitRootLogin yes -> PermitRootLogin no | |
# add: ChallengeResponseAuthentication no | |
# add: PasswordAuthentication no | |
# | |
## -=[ Functions ]=---------------------------------------------------------- ## | |
# Usage: status "Status Text" | |
function status() { | |
GREEN='\033[00;32m' | |
RESTORE='\033[0m' | |
echo -e "\n...${GREEN}$1${RESTORE}...\n" | |
} | |
# Usage: input "Prompt Text" "Variable Name" | |
function input() { | |
GREEN='\033[00;32m' | |
RESTORE='\033[0m' | |
echo -en "\n...${GREEN}$1${RESTORE}: " | |
read $2 | |
echo -e "" | |
} | |
function pressanykey(){ | |
GREEN='\033[00;32m' | |
RESTORE='\033[0m' | |
echo -en "\n...${GREEN}$1. Press any key to continue.${RESTORE}..." | |
read -r -p "" -n 1 | |
} | |
## ---------------------------=[ Script Start ]=----------------------------- ## | |
# Importing Variables | |
status "Importing Variables" | |
# Read ESXiHost | |
input "Enter the FQDN for the certificate/host in host.domain.tld format" "ESXiHost" | |
# Read Email | |
input "Enter the email for confirmation & renewal notifications" "Email" | |
# Read ESXiUser | |
input "Enter ESXi target admin username" "ESXiUser" | |
# Prompt user to confirm/enable SSH on ESXi target | |
pressanykey "Confirm/Enable SSH access on $ESXiHost." | |
# Check for existing ssh keys for esxi host | |
status "Checking for existing ssh keys for $ESXiHost" | |
if [[ -e ~/.ssh/$ESXiHost'_rsa' ]] | |
then | |
status "Keys for $ESXiHost exist. Continuing" | |
else | |
status "Keys for $ESXiHost not found. Generating 4096 bit keys" | |
# Generate 4096 bit key for user@target | |
ssh-keygen -b 4096 -t rsa -f ~/.ssh/$ESXiHost'_rsa' -q -N "" -C "$ESXiUser@$HOSTNAME LetsEncrypt" | |
status "Adding new key to ssh-agent" | |
# Add key to agent | |
eval `ssh-agent` && ssh-add ~/.ssh/$ESXiHost'_rsa' | |
status "Configuring $ESXiHost for ssh access" | |
# Store key as variable | |
pubkey=`cat ~/.ssh/$ESXiHost'_rsa.pub'` | |
# Create directory for authorized user, copy key to target, set permissions, | |
# and restart ssh service on target. | |
ssh $ESXiUser@$ESXiHost "mkdir -p /etc/ssh/keys-$ESXiUser && | |
echo $pubkey > /etc/ssh/keys-$ESXiUser/authorized_keys && | |
chmod 700 -R /etc/ssh/keys-$ESXiUser && | |
chmod 600 /etc/ssh/keys-$ESXiUser/authorized_keys && | |
chown -R $ESXiUser /etc/ssh/keys-$ESXiUser && | |
/etc/init.d/SSH restart" | |
fi | |
# Enable UPnP http(s) port forward for requesting device | |
status "Enabling http(s) port forwarding to client for letsencrypt verification" | |
upnpc -e "letsencrypt http" -r 80 tcp | |
upnpc -e "letsencrypt https" -r 443 tcp | |
# Acquire letsencrypt cert | |
status "Requesting 4096 bit certificate for $ESXiHost" | |
sudo certbot certonly --standalone --preferred-challenges tls-sni --agree-tos -m $Email -d $ESXiHost --rsa-key-size 4096 | |
# Backup existing SSL components on ESXi target | |
status "Backing up existing certificates on $ESXiHost" | |
time=$(date +%Y.%m.%d_%H:%M:%S) | |
ssh $ESXiUser@$ESXiHost "cp /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.back.$time" | |
ssh $ESXiUser@$ESXiHost "cp /etc/vmware/ssl/rui.crt /etc/vmware/ssl/rui.crt.back.$time" | |
ssh $ESXiUser@$ESXiHost "cp /etc/vmware/ssl/rui.key /etc/vmware/ssl/rui.key.back.$time" | |
# Copy letsencrypt cert to ESXi target | |
status "Coping letsencrypt cert to $ESXiHost" | |
sudo scp /etc/letsencrypt/live/$ESXiHost/fullchain.pem $ESXiUser@$ESXiHost:/etc/vmware/ssl/castore.pem | |
sudo scp /etc/letsencrypt/live/$ESXiHost/cert.pem $ESXiUser@$ESXiHost:/etc/vmware/ssl/rui.crt | |
sudo scp /etc/letsencrypt/live/$ESXiHost/privkey.pem $ESXiUser@$ESXiHost:/etc/vmware/ssl/rui.key | |
# Restart services on ESXi target | |
status "Restarting services on $ESXiHost" | |
ssh $ESXiUser@$ESXiHost "services.sh restart" | |
# Disable UPnP http(s) port forward | |
status "Removing http(s) port forwarding" | |
upnpc -d 80 tcp | |
upnpc -d 443 tcp | |
# Prompt user to confirm/disable SSH on ESXi target | |
pressanykey "Remember to disable SSH service on $ESXiHost" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment