Install certbot on old SLE 11.2 system? (VMWare Vcenter Appliance)

Hi there, a newbie SUSE user here.

TL;DR I have an old SUSE 11.2 system that is running a VMWare VCenter appliance with expired SSL/CA certificates that I need to update/reinstall.

I was trying to get python2-certbot installed on this server, to get the certificates but am getting blocked by my lack of understanding of everything SUSE.

I’ve followed advice at tediosity.com (add-opensuse-repository-to-vmware-appliances) to add a repo

zypper addrepo -f http://download.opensuse.org/distribution/11.2/repo/oss/ opensuse
Adding repository 'opensuse' [done]
Repository 'opensuse' successfully added
Enabled: Yes
Autorefresh: Yes
GPG check: Yes
URI: http://download.opensuse.org/distribution/11.2/repo/oss/

But I don’t find the python2-certbot here (nor any package related to certbot), but maybe I’m not grasping how to search using zypper. And I now know that even if this is SUSE (not OpenSUSE), the add repo command worked fine.

And if I go to the page I’ve found for python2-certbot I find packages for SLE15-SP1 which I understand is release 15 (mine is 11.2)

If I list ‘unsupported distributions’ of this package:

I see official release, backports, etc with several different version? numbers (1.0.0, 1.4.0). Do these refer to the certbot package?

Finally when I get to ‘Expert download’ for any of these I have a menu where I have to select between ‘Step’ or ‘Standard’ (what are these?).

I cannot ‘add repo and install manually’ because zypper addrepo fails (reason likely the expired certificates that I need to update/reinstall).

zypper addrepo https://download.opensuse.org/repositories/openSUSE:Backports:SLE-15-SP3/step/openSUSE:Backports:SLE-15-SP3.repo
Download (curl) error for 'https://download.opensuse.org//repositories/openSUSE:Backports:SLE-15-SP3/step/openSUSE:Backports:SLE-15-SP3.repo':
Error code: Unrecognized error
Error message: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

And I don’t quite understand why the examples show zypper but then the ‘grab packages directly’ provide rpm files. Can I install rpm files with zypper?

Thanks in advance for any help or suggestion!


fernan

My box has:

cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2
zypper --version
zypper 1.6.178
python --version
Python 2.6.9
rpm --version
RPM version 4.4.2.3

@fernan Hi and welcome to the Forum :smile:
I think you will hit a dead end with this, but maybe @smflood has some clues…

Hmm @malcolmlewis I’m not sure about clues but I’ve got some thoughts …

Firstly @fernan which SSL/CA certificates need updating/reinstalling? My understanding of certbot is that it’s used with Let’s Encrypt certificates for HTTPS.

I’m a bit confused by the “VMware VCenter appliance” reference - is this a (really) old appliance from VMware? I think some were based on SLES11 although that’s long out of support. And if it is an appliance why is it hosting web sites?

As for adding the openSUSE repo that’s also not supported plus a really bad idea - it’s only with SLES15 that SLES and openSUSE Leap are compatible enough that you can migrate from one to the other. Definitely not with SLES11 so my first recommendation is to remove that repo and uninstall/downgrade any packages that came from it.

If you’ve found a python2-certbot package then I’d try installing it - you can use rpm or zypper although I’d use rpm to avoid zypper doing anything clever. Even if it fails it should indicate why.

Another approach is treat the RPM as an archive and extract the files from within using rpm2cpio and cpio then see if they work.

Failing all that, find a Python 2 version of certbot and see if that still works although it’s entirely possible certbot has moved on with Python 3 (and since Python 2) so old versions no longer work.

Ultimately plan to install a new machine with a supported OS to host the websites.

Thanks @smflood for the response. Yes this is a very old system, but still running and in production. It is the app that runs and orchestrates the vCenter Server where we manage VMs. It is both a web server app (meaning we can connect with a browser and manage VMs) and also a server that allows clients to connect (e.g. the windows client executable).

Never mind and thanks for the response. While waiting I’ve kept digging into this, and realized it has a complex chain of certificates for both the exposed web server but also for other intermediate (local, internal) services. All these chains of certificates have to be signed by a Certificate Authority (CA) and so that is why I initially thought about certbot / letsencrypt, but you’re right these are for HTTPS.

Thanks anyway, will keep trying, or will pronounce this dead and initiate a move to proxmox. Thank you all.

Best – fernan

I suspect things have changed, particularly after Broadcom bought VMware, but you used to be able to download later versions of the vCenter appliance. Perhaps that’s an option for you?

Hi @fernan, which version of the vCenter are you using?

Sounds like a super outdated setup, is there a reason not to upgrade to a newer version?

Orlix

Hi Orlix,

apologies for the delay. Version is 5.5. Reason not to upgrade to newer version: 1) run out of support, which would have helped us get some guidance; 2) I understand we can migrate to 6.5, but we haven’t done so while vmware was vmware, and now that vmware is broadcom, the support docs are nowhere to be found, or very difficult to get. 3) we did download the software to do the upgrade, but need some dedicated personnel to run the upgrade protocol with some care as this is a production system.

Any tips? These would be much appreciated.

Hi @fernan, as vCenter appliance 5.5 is super old, ~12 years old …, I would suggest the obvious: take action and plan the upgrade. We cannot provide you with tips on that unfortunately.
You cannot upgrade from 5.5 as the newer versions run on PhotonOS.

About the core issue: you are running SLES 11.2, which is even older than your vCenter appliance. (BTW certbot did not exist when SLES 11.2 was released :slight_smile:)
All in all, what you are trying to achieve is a bit hacky :slight_smile:

after a bit of search…
vcenter certs should be in:
/etc/vmware-vpx/ssl/
web here: /opt/vmware/etc/lighttpd/server.pem

that looks highly related!

I strongly suggest you plan an upgrade and migrate to a newer SW stack.
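
Added example, not part of the thread and not VMware's or SUSE's tooling: a POSIX shell check that reports which PEM certificates under the two locations named in the post above are expired or close to expiry, using only `openssl x509`. The function names and the 30-day warning window are assumptions; a file that combines a private key and a certificate is read for its first certificate block only, and key-only files are skipped.

```shell
#!/bin/sh
# Added example: expiry check for PEM certificates (not from the thread).
# The 30-day warning window and both function names are assumptions.

# cert_status FILE [SECONDS] -> prints expired | expiring | valid | unreadable
cert_status() {
    file=$1
    window=${2:-2592000}    # 30 days in seconds
    # Key-only files and other non-certificates are reported, not fatal.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$file" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# check_certs PATH... -> one line per certificate; returns 1 if any is
# expired or inside the warning window. PATH may be a file or a directory.
check_certs() {
    rc=0
    for path in "$@"; do
        for f in "$path" "$path"/*; do
            [ -f "$f" ] || continue
            status=$(cert_status "$f")
            [ "$status" = unreadable ] && continue
            end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
            printf '%-9s %s  %s\n' "$status" "$end" "$f"
            [ "$status" = valid ] || rc=1
        done
    done
    return $rc
}

# Locations named in the post above; on another host this prints nothing.
check_certs /etc/vmware-vpx/ssl /opt/vmware/etc/lighttpd/server.pem ||
    echo "at least one certificate is expired or close to expiry"
```
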

Thanks Orlix,

yes, we’re doing the hacky road and planning a move to proxmox. Thanks all for chiming in and trying to help! – fernan