A few months ago, I made a post on how to install a Let's Encrypt certificate on ESXi and automate the renewal with AutoHotkey. That post is now archived, but if you want to view it, you can do so here. It was complex, and while it worked and was able to renew automatically, there's a much simpler way: reverse proxy it!

I found a very helpful post on the VMware forums with a good base configuration. It was able to properly proxy the websockets and the remote console, but there was just one problem: it didn't proxy the login page. At the time, I thought this was just something I would have to live with, since the login page redirected directly to the vCenter's FQDN.

I spent a while looking at what the vCenter does right before the SSO redirection, and found that it might not be that hard to proxy after all. When you go to /ui/login, it performs a 302 redirection whose Location header points at your vCenter's FQDN (not the proxy's), with the SAML login URL. I found out that you can get nginx to intercept upstream error responses instead of passing them through (commonly used to serve a custom 404 page), and I could use this in my favor to make it handle any 302 at a certain URL itself. After a lot of trial and error, I finally got the configuration to properly proxy the login page and not let it 302 the browser away. At this point, the login page looked like this:

This isn't what I wanted the login page to look like...

Once again, I opened up the Chrome DevTools and found that the page was trying to load a lot of resources that were returning 404. I went back and added these paths to the proxy configuration, and now the login page looked a lot better:

Much, much better.

Why would I want to do this?

If you've used vCenter, you might have noticed that unless you trust the vCenter CA, you'll get a warning that it's "not secure" every time you open vCenter. You could install a Let's Encrypt certificate on the vCenter itself, but that is a lot more hassle than simply proxying it through nginx.

That's cool and all, but how do I install it?

I'm going to assume you already know how to use nginx and acme.sh, and how to add another nginx configuration file to sites-available and symlink it into sites-enabled. If you don't know how to do this, feel free to leave me a comment and I'll make a post going over it in more detail.

Getting this configuration to work is simple: set up acme.sh, install the certificate somewhere, download the vcenter and ssl-params configurations, modify the vcenter configuration with your vCenter's IP address and hostname, and modify ssl-params with the IP of your DNS resolver.
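To make the moving parts of that procedure concrete, here is an added illustration of the pieces such an nginx front end needs: TLS termination with the acme.sh-installed certificate, a resolver for the back-end name, websocket pass-through, and the 302 interception on /ui/login. This is example configuration written for this post, not the author's vcenter or ssl-params files; the hostnames vcenter.example.com (public), vcsa.lan (internal), the resolver 192.0.2.53 and all file paths are assumptions, and the server-side "follow the redirect" handling of /ui/login is one way to realise what the text describes, not a claim about how the author's file does it.

```nginx
# Added example, not the author's configuration. Assumed names:
#   vcenter.example.com  - public FQDN the Let's Encrypt certificate is issued for
#   vcsa.lan             - internal FQDN of the vCenter appliance
#   192.0.2.53           - DNS resolver that can resolve vcsa.lan
server {
    listen 443 ssl http2;
    server_name vcenter.example.com;

    # Certificate/key as installed by acme.sh (paths assumed).
    ssl_certificate     /etc/nginx/certs/vcenter.example.com/fullchain.cer;
    ssl_certificate_key /etc/nginx/certs/vcenter.example.com/key.pem;

    # Required whenever proxy_pass uses a variable (see @follow_login below),
    # which is why ssl-params needs a resolver that knows the vCenter's FQDN.
    resolver 192.0.2.53 valid=300s;

    # Verify the vCenter's own CA on the back-end leg so the proxy is not a
    # blind TLS hop: export the VMCA root and point to it here (path assumed).
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/certs/vcsa-ca.pem;
    proxy_ssl_server_name on;
    proxy_ssl_name vcsa.lan;

    proxy_set_header Host vcsa.lan;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Host $host;

    # Any Location header that names the internal FQDN is rewritten to the proxy.
    proxy_redirect https://vcsa.lan/ https://$host/;

    # The /ui/login 302 is not passed to the browser. nginx intercepts it and
    # fetches the SSO page itself, so the client never sees vcsa.lan.
    location = /ui/login {
        proxy_pass https://vcsa.lan;
        proxy_intercept_errors on;
        error_page 302 = @follow_login;
    }

    location @follow_login {
        # $upstream_http_location is the Location header vCenter just sent.
        set $login_target $upstream_http_location;
        proxy_pass $login_target;
    }

    # Websocket upgrade for the UI event stream and the remote console.
    location /ui/ {
        proxy_pass https://vcsa.lan;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 3600s;
    }

    # Catch-all for the SSO form, static assets and the other paths the post
    # found returning 404; anything not matched above is proxied as-is.
    location / {
        proxy_pass https://vcsa.lan;
    }
}
```

Two points worth keeping in mind with a setup like this. The `resolver` directive is mandatory as soon as `proxy_pass` takes a variable, which is exactly what the redirect-following location does, so the ssl-params step about the resolver is not optional. And because the Let's Encrypt certificate only secures the browser-to-proxy leg, `proxy_ssl_verify on` with the vCenter's CA is what keeps the proxy-to-vCenter leg from silently accepting any certificate; without it the "Secure" padlock in the browser says nothing about the back-end connection.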

Here's the vcenter configuration file:

Note: This is an updated configuration that will work with both the Flash and the HTML5 client. I had an older configuration that only worked with HTML5, available here.

And here's the ssl-params.conf (make sure you've changed the resolver to something that can resolve your vCenter's FQDN).

Once you do this and reload your configuration, you should be able to properly log in to your vCenter by going to the new FQDN. As long as you already have a proper Let's Encrypt certificate, it should now say "Secure" (or just a padlock if you're running Chrome 69).

As always, if you have any issues, feel free to leave me a comment and I'll try to help as soon as possible.

Credit: I found the base nginx reverse proxy for vCenter here and the technique for overriding the 302 redirection here.