vCenter (VCSA) and using Let's Encrypt for SSL Certificates
If you are using the VCSA for your vCenter you might have searched around to figure out how to update the certificate from Let’s Encrypt. It seems that throughout my Googling I personally wasn’t able to find a tutorial so this is mine. If you have suggestions or ideas I’d love to hear them, reach out via twitter: @jjasghar.
Prerequisites
You need to set up certbot on your local machine. There are a few
ways to do that if you click that link please figure it out. Second, you
need the root login to your VCSA, with ssh turned on. You’ll be running
some commands at the shell of the VCSA and if you can’t get there you won’t
be able to update your certificate. And finally you’ll need some administrator privileges to your vCenter, defaulting to administrator@vsphere.local.
Requesting the cert from Let’s Encrypt
Whatever your domain name is, in order for Let’s Encrypt to say that you
own the domain you’ll need to add a TXT entry for the vCenter you are
getting the certificate for. For instance here is mine:
Ok, assuming you have your DNS provider up, let’s send the commands to Let’s Encrypt:
~ > sudo certbot certonly --manual --preferred-challenges=dns -d vcenter.tirefi.re
Notice the sudo you have to run this command with root privileges. This sends
the request and gives you a couple prompts, the most important being:
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.vcenter.tirefi.re with the following value:
tuS3NO-WAY-IMPUTTING34p2MY-ACTUAL32341KEY-HERE
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Press the Enter key when you are sure the TXT DNS entry has propagated and you should see something like:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vcenter.tirefi.re/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vcenter.tirefi.re/privkey.pem
Your cert will expire on 2018-02-12. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
Wonderful, now keep this terminal/window open you’ll need it in a bit.
Updating the SSL Certificate on your VCSA
Now that you have your files on your local machine, you’ll need to get them
on your VCSA. There are a couple ways to do this, the easiest way I found was
to cat out the certificates and open up vim on the VCSA paste them in and save the files. You
can get scp or others working, but I didn’t want to go through all that.
So here are my steps, first I ssh into my VCSA:
~ > ssh vcenter.tirefi.re -l root
VMware vCenter Server Appliance 6.5.0.10100
Type: vCenter Server with an embedded Platform Services Controller
root@vcenter.tirefi.re's password:
Last login: Tue Nov 14 20:55:38 2017 from 172.16.20.10
Connected to service
* List APIs: "help api list"
* List Plugins: "help pi list"
* Launch BASH: "shell"
Command> shell
Shell access is granted to root
root@vcenter [ ~ ]#
I create the three files I’ll need to update on the VCSA.
root@vcenter [ ~ ]# touch cert.pem
root@vcenter [ ~ ]# touch privkey.pem
root@vcenter [ ~ ]# touch fullchain.pem
Now I go to my other window and type:
~ > sudo ls -l /etc/letsencrypt/live/vcenter.tirefi.re/
total 40
-rw-r--r-- 1 root wheel 543 Nov 14 15:01 README
lrwxr-xr-x 1 root wheel 41 Nov 14 15:01 cert.pem -> ../../archive/vcenter.tirefi.re/cert1.pem
lrwxr-xr-x 1 root wheel 42 Nov 14 15:01 chain.pem -> ../../archive/vcenter.tirefi.re/chain1.pem
lrwxr-xr-x 1 root wheel 46 Nov 14 15:01 fullchain.pem -> ../../archive/vcenter.tirefi.re/fullchain1.pem
lrwxr-xr-x 1 root wheel 44 Nov 14 15:01 privkey.pem -> ../../archive/vcenter.tirefi.re/privkey1.pem
~ >
Notice the consistent naming convention here.
Now cat out each, like this:
~ > sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/cert.pem
~ > sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/privkey.pem
~ > sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/fullchain.pem
From your local machine, and copy everything in each file to the window that is your VCSA.
Now that have your three files on your VCSA lets get them inside your machine.
certificate-manager
Go ahead and run this next command:
root@vcenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
You should see something like the following:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.0 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]:
If you have an error or something doesn’t show up, you aren’t running 6.5 vCenter and you’ll need to debug what’s going on.
Luckily the rest of the commands to get the certificates updated isn’t too complicated:
First, select 1. Replace Machine SSL certificate with Custom Certificate
to update the certificate:
Option[1 to 8]: 1
It will prompt you for your administrator level privilege to update the
certificate, and the next option:
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Option [1 or 2]: 2
We want to import the custom certificate so select 2 as I did above.
Fill out the next with the suggestions we walked through at the beginning of this post:
Please provide valid custom certificate for Machine SSL.
File : /root/cert.pem
Please provide valid custom key for Machine SSL.
File : /root/privkey.pem
The next option is the one that was where the trick of this whole thing is,
vCenter asks for the signing certificate of the Machine SSL certificate
where if you google around you’ll only ever see references to vCenter and
not what it actually means. Luckily, Let’s Encrypt puts this in the
fullchain.pem so that’s all you have to add:
Please provide the signing certificate of the Machine SSL certificate
File : /root/fullchain.pem
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Command Output: /root/cert.pem: OK
Get site nameCompleted [Replacing Machine SSL Cert...]
default-site
Lookup all services
The final option is the confirmation you’ll like to replace the Machine
SSL cert, and select Y.
A ton of UUIDs and data will stream by and it may take up to 10-15 minutes, but when you see this:
Updated 29 service(s)
Status : 70% Completed [stopping services...]
Status : 100% Completed [All tasks completed successfully]
You have successfully updated your Certificate!
