So I just had to renew my Let's Encrypt certificate for my VCSA and ran into a few issues that I wanted to write down here. In this blog post I will go through creating the cert and adding it to your VCSA.
I will assume you have only certbot installed on your machine.
Let’s create our cert:
certbot certonly -d myservice.domain.com --manual --preferred-challenges dns --agree-tos -m mail@mail.com
Of course, change the above command as needed, then follow the instructions to add a TXT record at your DNS provider.
Now comes the tricky bit of assembling the certificate in a way that your VCSA will accept without choking; the below blog helped out quite a bit.
Download Chain of Trust
touch fullchain-vcsa.pem
Copy the contents of the intermediate .pem and then the root .pem into the above file; this will be your new fullchain pem file. Now under __MACHINE_CERT click ACTIONS > Replace vCenter Server Certificate.
Select like the above example
Now point to your cert1.pem file for the Machine SSL Certificate field. For the Chain of trusted root certificates field, point to the new fullchain-vcsa.pem file that we created. The last field is self-explanatory: either point to or copy in your private key. If you did everything correctly, you should get a message that services are being restarted, and once everything comes back up you should have your new cert.
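The script below is an added example, not part of the original procedure. It builds fullchain-vcsa.pem in the intermediate-then-root order described above, then checks that cert1.pem validates against it and that the private key matches, before anything is uploaded. The function names, the argument order and the key file name are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks for the three files the VCSA dialog asks
# for. All paths are placeholders; pass your own.

# build_vcsa_chain INTERMEDIATE ROOT OUT
# Writes intermediate then root to OUT, refusing files given in the wrong order.
build_vcsa_chain() {
    vc_rs=$(openssl x509 -in "$2" -noout -subject_hash) || return 1
    vc_ri=$(openssl x509 -in "$2" -noout -issuer_hash) || return 1
    vc_ii=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
    # A root is self-signed, so its subject and issuer names hash the same.
    [ "$vc_rs" = "$vc_ri" ] || { echo "not a self-signed root: $2" >&2; return 1; }
    # The intermediate must name that root as its issuer.
    [ "$vc_ii" = "$vc_rs" ] || { echo "$1 was not issued by $2" >&2; return 1; }
    # Re-encode through openssl so a missing trailing newline or stray text
    # in either download cannot corrupt the concatenated PEM.
    { openssl x509 -in "$1" && openssl x509 -in "$2"; } > "$3"
}

# verify_leaf CERT CHAIN
# The machine cert must validate using only the certificates in CHAIN.
verify_leaf() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# key_matches_cert CERT KEY
# Compares the public key in CERT with the one derived from the private KEY.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Run every check when called as: script CERT KEY INTERMEDIATE ROOT
if [ "$#" -eq 4 ]; then
    build_vcsa_chain "$3" "$4" fullchain-vcsa.pem &&
    verify_leaf "$1" fullchain-vcsa.pem &&
    key_matches_cert "$1" "$2" &&
    echo "fullchain-vcsa.pem is ready to upload with $1 and $2"
fi
```

If any check fails, the script prints nothing after the openssl error and exits non-zero.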