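#!/usr/bin/env bash
# Install a Let's Encrypt certificate on an ESXi host.
#
# Prerequisites (author's notes):
#   - registrar DNS must have a CNAME entry pointing host to @ for your public IP
#   - the gateway must be UPnP capable, and the device/subnet running this script
#     must be able to create UPnP mappings
#   - tested using an Ubuntu Server 16.04 client and an ESXi 6.5 target
#
# Flow: prompt for inputs, install miniupnpc + letsencrypt, push the client's SSH
# key to the ESXi host, open TCP/443 on the gateway via UPnP only for as long as
# the standalone ACME challenge needs it, copy the issued certificate into
# /etc/vmware/ssl on the host and restart its services. The EXIT trap closes the
# UPnP mapping if any step fails, so a failed run never leaves 443 forwarded.
set -euo pipefail

readonly ESXI_SSL_DIR=/etc/vmware/ssl
readonly HTTPS_PORT=443

# Print a green status banner in the "\n...<msg>...\n" layout used throughout.
msg() { printf '\n...\e[32m%s\e[m...\n\n' "$*"; }

# Print an error to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# 1 while the temporary UPnP mapping created by this run is open.
port_forward_open=0

# Remove the temporary https mapping on every exit path (success or failure).
cleanup() {
  if (( port_forward_open )); then
    msg "Removing https port forwarding"
    upnpc -d "$HTTPS_PORT" tcp
  fi
}
trap cleanup EXIT

#######################################
# Prompt for the certificate domain, contact email and ESXi user/host.
# Globals:   DomainName, Email, ESXiUser, ESXiHost (written)
# Returns:   exits via die() on empty or unsafe input
#######################################
prompt_inputs() {
  msg "Importing Variables"
  # -r keeps backslashes in the typed answers literal.
  read -r -p $'\n\e[32mEnter the domain name for the certificate in host.domain.tld format\e[m: ' DomainName
  read -r -p $'\n\e[32mEnter the email for confirmation & renew notifications\e[m: ' Email
  read -r -p $'\n\e[32mEnter ESXi admin username\e[m: ' ESXiUser
  read -r -p $'\n\e[32mEnter host or IP for the ESXi target\e[m: ' ESXiHost

  [[ -n "$DomainName" && -n "$Email" && -n "$ESXiUser" && -n "$ESXiHost" ]] \
    || die "all four values are required"
  # DomainName becomes a local path component and ESXiUser is interpolated into
  # a remote shell command line, so restrict both to characters that cannot
  # introduce path traversal or shell metacharacters.
  [[ "$DomainName" =~ ^[A-Za-z0-9.-]+$ && "$DomainName" != *..* ]] \
    || die "domain name contains unexpected characters: $DomainName"
  [[ "$ESXiUser" =~ ^[A-Za-z0-9._-]+$ ]] \
    || die "ESXi username contains unexpected characters: $ESXiUser"
}

#######################################
# Update the client and install the tools the rest of the script needs.
# Returns:   non-zero (script exits) if any apt step fails
#######################################
install_deps() {
  msg "Updating system and installing miniupnpc and letsencrypt"
  # Separate statements so a failed update aborts under set -e (a failure inside
  # an && list would not).
  sudo apt update
  sudo apt upgrade -y
  sudo apt install miniupnpc letsencrypt -y
}

#######################################
# Ensure the client has an RSA keypair and append its public key to the ESXi
# user's authorized_keys (ESXi keeps them under /etc/ssh/keys-<user>/), then
# restart the host's SSH service so the key is picked up.
# Globals:   DomainName, ESXiUser, ESXiHost (read)
#######################################
push_ssh_key() {
  # $'...' does not expand variables, so the domain is spliced in unquoted-free.
  read -n 1 -s -r -p $'\n\e[32mConfirm that SSH access is enabled on '"$DomainName"$'. Press any key to continue.\e[m'
  msg "SSH key transfer from client to $ESXiHost"
  if [[ -e ~/.ssh/id_rsa ]]; then
    msg "Client RSA key exists. Copying to $ESXiHost and restarting SSH"
  else
    msg "Client RSA key not found. Generating 4096 bit key"
    # Passphrase-less key, as in the original: it must work non-interactively
    # for the ssh steps below.
    ssh-keygen -b 4096 -t rsa -f ~/.ssh/id_rsa -q -N ""
    msg "Copying client RSA key to $ESXiHost and restarting SSH"
  fi
  # The public key is fed on stdin; ESXiUser is validated in prompt_inputs, so
  # it is safe inside the remote command string.
  ssh "$ESXiUser@$ESXiHost" \
    "mkdir -p /etc/ssh/keys-$ESXiUser/ && cat >> /etc/ssh/keys-$ESXiUser/authorized_keys && /etc/init.d/SSH restart" \
    < ~/.ssh/id_rsa.pub
}

#######################################
# Open TCP/443 on the gateway, run the standalone ACME challenge, then close the
# mapping again immediately so the client is not exposed longer than needed.
# Globals:   DomainName, Email, ESXiHost (read); port_forward_open (written)
# Returns:   exits via die() if no private key was issued
#######################################
request_cert() {
  msg "Enabling https port forwarding to client for letsencrypt verification"
  upnpc -e "Let's Encrypt Temp SSL" -r "$HTTPS_PORT" tcp
  port_forward_open=1
  msg "Requesting 4096 bit certificate for $ESXiHost"
  sudo letsencrypt certonly --standalone --agree-tos -m "$Email" -d "$DomainName" --rsa-key-size 4096
  msg "Removing https port forwarding"
  upnpc -d "$HTTPS_PORT" tcp
  port_forward_open=0
  # live/ is root-only, so the existence check needs sudo. Stop here rather than
  # move the host's current certificate aside when there is nothing to replace it.
  sudo test -e "/etc/letsencrypt/live/$DomainName/privkey.pem" \
    || die "certificate for $DomainName was not issued; leaving $ESXiHost untouched"
}

#######################################
# Copy one root-readable local file to a path on the ESXi host.
# Uses the invoking user's ssh identity (the key pushed by push_ssh_key) rather
# than running scp under sudo, which would use root's ~/.ssh instead.
# Arguments: $1 - local source path (read via sudo)
#            $2 - remote destination path
#######################################
copy_to_host() {
  local src=$1 dst=$2
  sudo cat -- "$src" | ssh "$ESXiUser@$ESXiHost" "cat > $dst"
}

#######################################
# Back up the host's current SSL files, install the new ones, restart services.
# Globals:   DomainName, ESXiUser, ESXiHost, ESXI_SSL_DIR (read)
#######################################
install_cert() {
  local live="/etc/letsencrypt/live/$DomainName"
  local target="$ESXiUser@$ESXiHost"
  msg "Backing up existing certificates on $ESXiHost"
  # One remote invocation joined with && so a failed rename stops the script
  # before new files are written over a partially backed-up set.
  ssh "$target" "mv $ESXI_SSL_DIR/castore.pem $ESXI_SSL_DIR/castore.pem.back && mv $ESXI_SSL_DIR/rui.crt $ESXI_SSL_DIR/rui.crt.back && mv $ESXI_SSL_DIR/rui.key $ESXI_SSL_DIR/rui.key.back"
  msg "Copying letsencrypt certificates to $ESXiHost"
  copy_to_host "$live/fullchain.pem" "$ESXI_SSL_DIR/castore.pem"
  copy_to_host "$live/cert.pem" "$ESXI_SSL_DIR/rui.crt"
  copy_to_host "$live/privkey.pem" "$ESXI_SSL_DIR/rui.key"
  msg "Restarting services on $ESXiHost"
  ssh "$target" "services.sh restart"
}

main() {
  prompt_inputs
  install_deps
  push_ssh_key
  request_cert
  install_cert
}
main "$@"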
Sources