ESXi 6.x SSL

  1. Start certbot on the admin workstation (manual DNS challenge):
    sudo certbot certonly --manual --preferred-challenges dns -d pedge.syninf.net
  2. Complete the certbot DNS challenge (publish the TXT record it prints, then continue)
  3. Delete the TXT record
  4. Enable SSH on the ESXi host
  5. Copy the chain and private key into the working directory as rui.crt / rui.key:
    sudo cp /etc/letsencrypt/live/pedge.syninf.net/fullchain.pem rui.crt ;
    sudo cp /etc/letsencrypt/live/pedge.syninf.net/privkey.pem rui.key
  6. Back up the existing keys on the host (over SSH):
    cd /etc/vmware/ssl/ ;
    mv rui.crt rui.crt.`date +%Y%m%d-%H%M%S`.bak ;
    mv rui.key rui.key.`date +%Y%m%d-%H%M%S`.bak
  7. Copy the new keys to the host:
    scp rui.key rui.crt root@pedge:/etc/vmware/ssl/
  8. Restart the hostd service:
    /etc/init.d/hostd restart
  9. Exit SSH and disable it on the host again

If restarting hostd does not pick up the new certificate, restart the management agents through the DCUI:

  1. Open a console to the host via LOM to reach the DCUI
  2. Customize System → Troubleshooting Options → Restart Management Agents → Exit
  3. Verify the new certificate is being served; repeat the procedure when it nears expiry in 90 days.
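The steps above, wrapped in a script as an added example (not part of the original note), with the two checks worth doing around the swap: that rui.key actually belongs to rui.crt before anything is moved into /etc/vmware/ssl, and that the host is serving the installed certificate afterwards. The function names, the HOST/DOMAIN variables and the use of openssl and ssh on the workstation are assumptions; the file names, paths and restart command come from the note.

```sh
#!/bin/sh
# Added example, not the note's own code. Run as root (or via sudo) on the
# admin workstation with openssl and ssh available and SSH enabled on the host.
# Checks added beyond the note: key/cert pairing before install, and the
# served fingerprint after the restart. HOST/DOMAIN are placeholders.
set -eu

DOMAIN="${DOMAIN:-pedge.syninf.net}"
HOST="${HOST:-pedge}"
LIVE="/etc/letsencrypt/live/$DOMAIN"

# Backup name in the note's scheme; the timestamp is a parameter so the
# function can be tested without depending on the clock.
backup_name() {
    printf '%s.%s.bak\n' "$1" "$2"     # $1 = file, $2 = YYYYmmdd-HHMMSS
}

# Succeeds only if the public key inside the certificate equals the public
# key derived from the private key (a mismatch leaves hostd without TLS).
keypair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# Compares the SHA-256 fingerprint of the local leaf certificate with the one
# the host presents on 443; run after hostd (or the management agents) restart.
served_matches_local() {
    local_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    served_fp=$(openssl s_client -connect "$HOST:443" -servername "$DOMAIN" \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    [ "$local_fp" = "$served_fp" ]
}

install_cert() {
    cp "$LIVE/fullchain.pem" rui.crt
    cp "$LIVE/privkey.pem" rui.key
    keypair_matches rui.crt rui.key || { echo "rui.key does not match rui.crt" >&2; return 1; }
    ts=$(date +%Y%m%d-%H%M%S)
    ssh "root@$HOST" "cd /etc/vmware/ssl && mv rui.crt $(backup_name rui.crt "$ts") \
        && mv rui.key $(backup_name rui.key "$ts")"
    scp rui.key rui.crt "root@$HOST:/etc/vmware/ssl/"
    ssh "root@$HOST" /etc/init.d/hostd restart
}

case "${1:-}" in
    install) install_cert ;;
    verify)  served_matches_local rui.crt || { echo "host is not serving rui.crt" >&2; exit 1; } ;;
esac
```

Run `./esxi-cert.sh install`, then `./esxi-cert.sh verify`; if verify fails, fall back to the DCUI agent restart described above and verify again.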