Better late than never, yea? Quick Saturday post: here is how to get your host up to date real quick via SSH, generate new certs, and change the root password. Better safe than sorry, friends.
Note: This is only for ESXi 5.5 Update 1! If you are not running 5.5u1, replace ESXi-5.5.0-20140404001-standard with ESXi-5.5.0-20140401020s-standard.
This is the quick way to do it. Your environment may not let you turn on the built-in httpClient within ESXi, but I am going to assume that will not be an issue, because I am currently doing these patches on my homelab, where I am the boss!
Enable SSH on your host(s) and remote in via terminal/PuTTY.
Enable the ESXi built-in httpClient:

    esxcli network firewall ruleset set -e true -r httpClient

Pull down and install the patch:

    esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-5.5.0-20140404001-standard

Backup your ‘old’ SSL keys:

    mv /etc/vmware/ssl/rui.crt /vmfs/volumes/your_datastore/orig.rui.crt
    mv /etc/vmware/ssl/rui.key /vmfs/volumes/your_datastore/orig.rui.key

Generate new keys and chmod them:

    /sbin/generate-certificates
    # full path, so chmod hits the new files whatever the current directory is
    chmod +t /etc/vmware/ssl/rui.*

Reboot the host:

    reboot

Once the host comes back up, SSH back in and change the root password:

    passwd root

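A check to run once the host is back up, as an added example that is not part of the original post: it confirms that rui.crt and rui.key were really replaced (not byte-identical to the orig.rui.* backups) and that the chmod +t step took effect. The function name `verify_regen`, its two directory arguments, and the availability of `sha256sum` and `test -k` in the host shell are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed arguments: $1 = live SSL directory (/etc/vmware/ssl on the host),
#                    $2 = directory holding the orig.rui.* backups.

# Content hash of one file (assumes sha256sum is available in the shell).
digest() { sha256sum "$1" | cut -d' ' -f1; }

verify_regen() {
    ssl_dir=$1
    backup_dir=$2
    rc=0
    for ext in crt key; do
        new="$ssl_dir/rui.$ext"
        old="$backup_dir/orig.rui.$ext"
        if [ ! -s "$new" ]; then
            echo "FAIL: $new is missing or empty"; rc=1; continue
        fi
        if [ ! -f "$old" ]; then
            echo "FAIL: backup $old not found, cannot compare"; rc=1; continue
        fi
        # The pre-patch key may have been exposed, so the live file must
        # not be byte-identical to the backup taken before regeneration.
        if [ "$(digest "$new")" = "$(digest "$old")" ]; then
            echo "FAIL: $new is identical to the pre-patch backup"; rc=1
        fi
        # The procedure sets the sticky bit with chmod +t; confirm it stuck.
        if [ ! -k "$new" ]; then
            echo "FAIL: sticky bit not set on $new"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: rui.crt and rui.key regenerated, sticky bit set"
    return "$rc"
}

# On the host, with the paths used in this post:
#   verify_regen /etc/vmware/ssl /vmfs/volumes/your_datastore
```

A non-zero return means at least one FAIL line was printed and the certificate steps should be repeated before the host goes back into service.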
That’s all there is to it. These types of security issues are no fun for anyone, but they come with the territory. Cheers!
VMware KB#2076665 – Resolving OpenSSL Heartbleed for ESXi 5.5