VMware Unified Access Gateway – Renew LetsEncrypt Certificate

Release date: March 24th 2023

Welcome to my VMware Unified Access Gateway series. This post shows how to renew the TLS certificate. As I've shown earlier, I use an HAProxy load balancer in front of my UAGs with a Let's Encrypt certificate. Let's Encrypt certificates are only valid for 90 days, so this certificate has to be renewed regularly. In this session I walk through the procedure. Before I start, I verify the expiration date of the certificate. As we can see, this certificate expires on April 7th 2023.

I apologize for the Norwegian language settings in the dialog box above 🙂

To renew this certificate, I first log in to the HAProxy server with PuTTY. The following command shows the status of the certificate (covered names, expiry date and the paths to the key and chain files):

sudo certbot certificates -d desktop.frelab.net

Next, I start the renewal by running the command below. `certonly` obtains the certificate without installing it anywhere, and `--manual` together with the DNS-01 challenge means certbot asks me to create a TXT record instead of needing port 80 on this host. Because the challenge is manual, certbot cannot renew this certificate on its own, which is why the whole procedure is repeated by hand each time:

sudo certbot -d desktop.frelab.net --manual --preferred-challenges dns certonly

During renewal I have to create or update the `_acme-challenge.desktop.frelab.net` TXT record in my DNS zone with the value certbot supplies.

As I have a 5 minute TTL on this DNS record, I wait 5 minutes before I hit ENTER in the PuTTY window. A safer check than waiting out the TTL is to query the record from an external resolver and only continue once the new value comes back; if Let's Encrypt's validation servers do not see the new value yet, the challenge fails and the command has to be rerun. Once done, I get the Success message below.

I can now view the new certificate's details and file paths by running the same command again:

sudo certbot certificates -d desktop.frelab.net

Once renewal is done, I concatenate the full chain and the private key into the single PEM file that HAProxy's `crt` directive expects, by running the following command. Note that the resulting file contains the private key: `sudo tee` creates it with the default umask (typically world-readable), so restrict it to mode 600, owned by root, afterwards.

sudo cat /etc/letsencrypt/live/desktop.frelab.net/fullchain.pem \
  /etc/letsencrypt/live/desktop.frelab.net/privkey.pem \
| sudo tee /etc/ssl/desktop.frelab.net/desktop.frelab.net.pem

Next, I validate the HAProxy configuration and restart the HAProxy service. Validation needs root to read the key file, and a reload instead of a restart picks up the new certificate without dropping the sessions that are currently open.

sudo haproxy -c -f /etc/haproxy/haproxy.cfg   # must print "Configuration file is valid"
sudo service haproxy restart                   # or: sudo service haproxy reload

Then I create a tar file of the certificate directory. The `-h` flag matters here: the files in `live/` are symlinks into `archive/`, and without it the archive would only contain dangling links.

sudo tar -chvzf certs.tar.gz /etc/letsencrypt/live/desktop.frelab.net

I can now connect with WinSCP and transfer the tar file to my workstation. Once done, I extract the files. Keep in mind that the archive contains the private key: transfer it over SFTP only and delete both the archive and the extracted copies once the upload to the UAG is done.

Before I can use these with the UAG, I convert the private key from the PKCS#8 format certbot writes (`BEGIN PRIVATE KEY`) to the traditional RSA format the UAG expects (`BEGIN RSA PRIVATE KEY`) with the following OpenSSL command. Two caveats: the command only works for RSA keys (for an ECDSA key use `openssl ec` instead), and on Windows the `-out` option is preferable to `>` redirection, because Windows PowerShell writes redirected output as UTF-16, which produces a PEM file that neither OpenSSL nor the UAG can parse.

openssl rsa -in <path>\privkey.pem -out <path>\privkey-PEM.pem

Finally, I upload the converted private key and the certificate chain (fullchain.pem) to my VMware Unified Access Gateways through the admin UI's TLS Server Certificate Settings.

When I now verify the certificate status, I can see that the expiration date is updated and "way into the future", which confirms the new certificate is the one being served.
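The HAProxy-side steps above, collected into a set of shell helpers as an added example (this is not the post's own code, nor VMware's or certbot's): it polls DNS for the challenge record before you press ENTER, builds the HAProxy bundle with restrictive permissions, checks that the key really belongs to the certificate, does the PKCS#8-to-traditional key conversion on the Linux host with `-out` so the Windows step can be skipped, and reports the remaining validity. It assumes it runs as root (or via sudo), that the certbot paths from the post are used, that `dig` and `openssl` are installed, and that 1.1.1.1 is an acceptable resolver to query; the self-signed certificate the demo generates is constructed throwaway material, not the real one.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): helpers for the HAProxy-side
# part of the renewal. Paths and the resolver 1.1.1.1 are assumptions; the
# domain is the one used in the post.
set -e

DOMAIN="desktop.frelab.net"
LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"
HAPROXY_PEM="/etc/ssl/${DOMAIN}/${DOMAIN}.pem"

# Poll a public resolver until the _acme-challenge TXT record carries the
# value certbot printed. Run this in a second terminal before pressing ENTER
# in the certbot prompt, instead of guessing at the TTL.
wait_for_txt() {
  local domain="$1" value="$2" tries="${3:-30}"
  local name="_acme-challenge.${domain}"
  for _ in $(seq "$tries"); do
    if dig +short TXT "$name" @1.1.1.1 | tr -d '"' | grep -qx "$value"; then
      echo "TXT record for $name is visible"
      return 0
    fi
    sleep 10
  done
  echo "TXT record for $name not visible after $tries tries" >&2
  return 1
}

# Concatenate fullchain + private key into the single PEM HAProxy's crt
# directive wants. The bundle contains the private key, so create it with
# mode 600 instead of relying on 'sudo tee' and the default umask.
build_haproxy_bundle() {
  local live_dir="$1" out="$2"
  ( umask 077; cat "${live_dir}/fullchain.pem" "${live_dir}/privkey.pem" > "$out" )
  chmod 600 "$out"
}

# Confirm the key belongs to the certificate before reloading anything.
# Comparing the public keys works for RSA and ECDSA alike.
key_matches_cert() {
  local cert="$1" key="$2"
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# certbot writes privkey.pem as PKCS#8 ("BEGIN PRIVATE KEY"); the UAG wants the
# traditional form ("BEGIN RSA PRIVATE KEY" / "BEGIN EC PRIVATE KEY").
# OpenSSL 3 needs -traditional for that, OpenSSL 1.1 does not know the flag,
# and 'openssl rsa' fails on an ECDSA key, so fall through in that order.
export_traditional_key() {
  local in="$1" out="$2"
  ( umask 077
    openssl rsa -in "$in" -traditional -out "$out" 2>/dev/null \
      || openssl rsa -in "$in" -out "$out" 2>/dev/null \
      || openssl ec -in "$in" -out "$out" )
  chmod 600 "$out"
  grep -Eq 'BEGIN (RSA|EC) PRIVATE KEY' "$out"
}

# Exit 0 if the certificate is still valid for at least $2 days.
cert_valid_for_days() {
  local cert="$1" days="$2"
  openssl x509 -in "$cert" -noout -checkend $(( days * 86400 ))
}

# Validate the config before touching the running service, then reload
# (not restart) so established sessions are not dropped.
reload_haproxy() {
  sudo haproxy -c -f /etc/haproxy/haproxy.cfg
  sudo systemctl reload haproxy
}

# Package the live directory for transfer. -h follows the symlinks in live/
# (the real files are in archive/). The archive holds the private key:
# move it over SFTP only and delete it once the UAG upload is done.
package_for_uag() {
  local live_dir="$1" out="$2"
  ( umask 077; tar -chzf "$out" "$live_dir" 2>/dev/null )
}

# Constructed demo material (throwaway self-signed pair, 90 days like a
# Let's Encrypt certificate) so the helpers can run without /etc/letsencrypt.
make_demo_cert() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=${DOMAIN}" \
    -keyout "${dir}/privkey.pem" -out "${dir}/fullchain.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  demo=$(mktemp -d)
  make_demo_cert "$demo/live"
  build_haproxy_bundle "$demo/live" "$demo/bundle.pem"
  key_matches_cert "$demo/live/fullchain.pem" "$demo/live/privkey.pem" && echo "key matches cert"
  export_traditional_key "$demo/live/privkey.pem" "$demo/privkey-PEM.pem" && echo "key converted"
  cert_valid_for_days "$demo/live/fullchain.pem" 30 && echo "valid for 30+ days"
  rm -rf "$demo"
fi
```

Run it as `sudo bash renew-helpers.sh demo` to exercise the helpers against the throwaway pair; for a real renewal, call `wait_for_txt` with the value from the certbot prompt, then `build_haproxy_bundle "$LIVE_DIR" "$HAPROXY_PEM"`, `key_matches_cert`, `reload_haproxy`, and `export_traditional_key` before `package_for_uag`, so that the file transferred to the workstation is already in the format the UAG accepts.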


VMware Unified Access Gateway Documentation

VMware Unified Access Gateway

Disclaimer: Every tip/trick/posting I have published here is tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don't be afraid to steal with pride! Feel free to comment below as needed.
