If you are using the VCSA for your vCenter you might have searched around to figure out how to update its certificate with one from Let's Encrypt. Throughout my Googling I wasn't able to find a tutorial, so this is mine. If you have suggestions or ideas I'd love to hear them; reach out via Twitter: @jjasghar.
First, you need to set up certbot on your local machine. There are a few ways to do that; follow the certbot instructions for your platform. Second, you need root login to your VCSA with SSH turned on. You'll be running some commands at the shell of the VCSA, and if you can't get there you won't be able to update your certificate. And finally you'll need administrator privileges on your vCenter (the certificate-manager tool prompts for Administrator@vsphere.local by default).
Requesting the cert from Let’s Encrypt
Whatever your domain name is, in order for Let's Encrypt to accept that you own the domain you'll need to add a DNS TXT record for the vCenter hostname you are getting the certificate for; this is the DNS-01 challenge, which is what --preferred-challenges=dns asks for below. For instance here is mine:
Ok, assuming you have your DNS provider's console up, let's send the request to Let's Encrypt:
~ > sudo certbot certonly --manual --preferred-challenges=dns -d vcenter.tirefi.re
Notice the sudo: you have to run this command with root privileges, because certbot writes the certificate and key under /etc/letsencrypt. This sends the request and gives you a couple of prompts, the most important being:
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.vcenter.tirefi.re with the following value:

tuS3NO-WAY-IMPUTTING34p2MY-ACTUAL32341KEY-HERE

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Press the Enter key only once you are sure the TXT record has propagated; if Let's Encrypt's validators query your zone before your DNS provider is serving the record, the challenge fails and you have to run certbot again for a new value. When it succeeds you should see something like:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/vcenter.tirefi.re/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/vcenter.tirefi.re/privkey.pem
   Your cert will expire on 2018-02-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
Wonderful, now keep this terminal/window open; you'll need it in a bit. Note the expiry date: Let's Encrypt certificates are only valid for 90 days, and because this one was issued with --manual, certbot renew can't complete the DNS challenge on its own, so you'll be repeating this procedure (or automating the DNS step with certbot's --manual-auth-hook) before that date.
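The "verify the record is deployed" step above is the one that usually bites: Let's Encrypt resolves the name from its own vantage points, so what your local resolver shows is not the signal you need. The script below is an added example, not part of the original post or of certbot, that polls several public resolvers for the _acme-challenge TXT record and only reports success when all of them return the value certbot printed. It assumes dig is installed locally; the resolver addresses, the hostname vcenter.tirefi.re (taken from the post) and all function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the _acme-challenge TXT
# record is visible from several resolvers before pressing Enter in certbot.
# Assumes dig is installed. The resolver list is an assumption; override it
# with ACME_RESOLVERS="ns1.example ns2.example" to ask your authoritative
# servers directly.

ACME_RESOLVERS="${ACME_RESOLVERS:-8.8.8.8 1.1.1.1 9.9.9.9}"

# The record name certbot asks for is _acme-challenge prefixed to the host.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# dig +short prints TXT data quoted, and long values as several quoted
# chunks ("abc" "def"); this joins the chunks and strips the quotes.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# All TXT values for NAME as seen by RESOLVER, one per line.
txt_values() {
    name=$1; resolver=$2
    dig +short @"$resolver" TXT "$name" | normalize_txt
}

# 0 if RESOLVER returns EXPECTED as one of the TXT values for NAME.
resolver_has_txt() {
    name=$1; expected=$2; resolver=$3
    txt_values "$name" "$resolver" | grep -Fxq -- "$expected"
}

# 0 only when every resolver agrees; lists the stragglers otherwise.
all_resolvers_have_txt() {
    name=$1; expected=$2
    missing=""
    for r in $ACME_RESOLVERS; do
        resolver_has_txt "$name" "$expected" "$r" || missing="$missing $r"
    done
    [ -z "$missing" ] || { echo "not yet visible at:$missing" >&2; return 1; }
}

# Poll until the record is everywhere or TIMEOUT seconds have passed.
wait_for_txt() {
    host=$1; expected=$2; timeout=${3:-600}; interval=${4:-15}
    name=$(acme_txt_name "$host")
    elapsed=0
    while ! all_resolvers_have_txt "$name" "$expected"; do
        elapsed=$((elapsed + interval))
        [ "$elapsed" -lt "$timeout" ] || { echo "gave up after ${timeout}s" >&2; return 1; }
        sleep "$interval"
    done
    echo "$name is serving the expected value on all resolvers; press Enter in certbot"
}

# Usage: sh acme-txt-check.sh vcenter.tirefi.re 'value-certbot-printed'
if [ $# -ge 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

Run it in a second terminal while certbot is waiting at "Press Enter to Continue", with the hostname and the exact value certbot printed; the default resolvers are recursive caches, so pointing ACME_RESOLVERS at your zone's authoritative nameservers gives the earliest and most reliable signal.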
Updating the SSL Certificate on your VCSA
Now that you have your files on your local machine, you'll need to get them onto your VCSA. There are a couple of ways to do this; the easiest way I found was to cat out the certificates, open up vim on the VCSA, paste them in and save the files. You could get scp or others working, but I didn't want to go through all that. Bear in mind that whatever you cat and paste, the private key included, passes through your terminal's scrollback and any session logging you have enabled. So here are my steps. First I ssh into my VCSA:
~ > ssh vcenter.tirefi.re -l root
VMware vCenter Server Appliance 184.108.40.20600
Type: vCenter Server with an embedded Platform Services Controller
firstname.lastname@example.org's password:
Last login: Tue Nov 14 20:55:38 2017 from 172.16.20.10
Connected to service
* List APIs: "help api list"
* List Plugins: "help pi list"
* Launch BASH: "shell"
Command> shell
Shell access is granted to root
root@vcenter [ ~ ]#
I create the three files I’ll need to update on the VCSA.
root@vcenter [ ~ ]# touch cert.pem
root@vcenter [ ~ ]# touch privkey.pem
root@vcenter [ ~ ]# touch fullchain.pem
Now I go to my other window and type:
~ > sudo ls -l /etc/letsencrypt/live/vcenter.tirefi.re/
total 40
-rw-r--r--  1 root  wheel  543 Nov 14 15:01 README
lrwxr-xr-x  1 root  wheel   41 Nov 14 15:01 cert.pem -> ../../archive/vcenter.tirefi.re/cert1.pem
lrwxr-xr-x  1 root  wheel   42 Nov 14 15:01 chain.pem -> ../../archive/vcenter.tirefi.re/chain1.pem
lrwxr-xr-x  1 root  wheel   46 Nov 14 15:01 fullchain.pem -> ../../archive/vcenter.tirefi.re/fullchain1.pem
lrwxr-xr-x  1 root  wheel   44 Nov 14 15:01 privkey.pem -> ../../archive/vcenter.tirefi.re/privkey1.pem
~ >
Notice the consistent naming convention here: the entries under live/ are symlinks to the current versions in archive/, so always read the live/ paths and the names line up with the files you just created on the VCSA.
Now cat out each, like this:
~ > sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/cert.pem
~ > sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/privkey.pem
~ > sudo cat /etc/letsencrypt/live/vcenter.tirefi.re/fullchain.pem
from your local machine, and copy the contents of each into the matching file in your VCSA window.
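Before feeding the three files to certificate-manager it is worth proving they belong together: a key that doesn't match the certificate, a chain in the wrong order, or a certificate without the vCenter hostname in its SANs all surface only after the tool has started stopping services. The script below is an added example, not the post's own method and not part of certbot or VMware's tooling: it checks the files under the post's /etc/letsencrypt/live/vcenter.tirefi.re path, then copies them to the appliance with scp and locks down the key, as an alternative to the cat-and-vim route. It assumes openssl and scp on your local machine; the function names are this example's own. One caveat for the scp step: on the VCSA root's login shell is the appliance shell by default, so scp only works after switching it to bash on the appliance (chsh -s /bin/bash root), which is the hassle the post avoided.

```shell
#!/bin/sh
# Added example, not from the original post: check the three Let's Encrypt
# files before they go anywhere near certificate-manager, then copy them to
# the VCSA with scp instead of pasting through vim. The paths and hostname
# are the ones the post uses; the function names are this example's own.
# Assumes openssl and scp locally, and that root's login shell on the
# appliance is bash (scp does not work through the appliance shell).

LIVE=${LIVE:-/etc/letsencrypt/live/vcenter.tirefi.re}
VCSA=${VCSA:-vcenter.tirefi.re}

# Print only the PEM blocks from the given files (drops blank lines and any
# other noise) so bundles can be compared line for line.
pem_only() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{p=0}' "$@"
}

# How many certificates a PEM bundle holds.
pem_cert_count() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1"
}

# The Nth (1-based) certificate of a bundle, e.g. 2 = the intermediate.
pem_nth_cert() {
    awk -v n="$2" '
        /^-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /^-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# certbot writes fullchain.pem as cert.pem followed by chain.pem; that is why
# the post can answer the "signing certificate" prompt with fullchain.pem.
fullchain_is_cert_plus_chain() {
    [ "$(pem_only "$1/cert.pem" "$1/chain.pem")" = "$(pem_only "$1/fullchain.pem")" ]
}

# The private key must belong to the leaf: compare the public keys.
key_matches_cert() {
    a=$(openssl x509 -in "$1/cert.pem" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# The leaf must chain (via the intermediate) to a root the local trust store
# already has; certificate-manager runs a similar check and prints "OK".
cert_chain_ok() {
    openssl verify -untrusted "$1/chain.pem" "$1/cert.pem" >/dev/null
}

# The leaf must carry the vCenter hostname as a DNS SAN, or browsers and
# API clients will still complain after the swap.
cert_names_host() {
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1/cert.pem" -noout -text | grep -Eq -- "DNS:${host_re}(,|\$|[[:space:]])"
}

# Let's Encrypt certificates live 90 days; refuse to install one that is
# already close to expiry (default: must be good for at least 30 more days).
cert_good_for_days() {
    openssl x509 -in "$1/cert.pem" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

preflight() {
    dir=$1; host=$2
    [ "$(pem_cert_count "$dir/fullchain.pem")" -ge 2 ] || { echo "fullchain.pem should hold leaf + intermediate" >&2; return 1; }
    fullchain_is_cert_plus_chain "$dir" || { echo "fullchain.pem is not cert.pem + chain.pem" >&2; return 1; }
    key_matches_cert "$dir"            || { echo "privkey.pem does not match cert.pem" >&2; return 1; }
    cert_chain_ok "$dir"               || { echo "cert.pem does not verify via chain.pem" >&2; return 1; }
    cert_names_host "$dir" "$host"     || { echo "cert.pem has no DNS SAN for $host" >&2; return 1; }
    cert_good_for_days "$dir" 30       || { echo "cert.pem expires within 30 days" >&2; return 1; }
    echo "preflight OK"
}

# scp follows the live/ symlinks, so the appliance gets real files. The key
# is locked down immediately; the post's touch/vim route leaves it at the umask.
push_to_vcsa() {
    dir=$1; host=$2
    scp "$dir/cert.pem" "$dir/privkey.pem" "$dir/fullchain.pem" "root@$host:/root/" &&
    ssh "root@$host" 'chmod 600 /root/privkey.pem && ls -l /root/cert.pem /root/privkey.pem /root/fullchain.pem'
}

# After certificate-manager finishes: what is vCenter actually serving?
served_cert_summary() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Usage: sudo sh vcsa-cert-preflight.sh run   (sudo because live/ is root-only)
if [ "${1:-}" = "run" ]; then
    preflight "$LIVE" "$VCSA" && push_to_vcsa "$LIVE" "$VCSA"
fi
```

The preflight mirrors what certificate-manager will do with the files (the "/root/cert.pem: OK" line later in the post is its own openssl verify), but it fails fast on your workstation instead of partway through a service restart. served_cert_summary is for the very end: run it against the vCenter hostname once the tool reports 100% and the issuer should now be Let's Encrypt rather than the VMCA.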
Now that you have your three files on your VCSA, let's get them installed. Go ahead and run this next command:
root@vcenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
You should see something like the following:
 *** Welcome to the vSphere 6.0 Certificate Manager ***

 -- Select Operation --

 1. Replace Machine SSL certificate with Custom Certificate
 2. Replace VMCA Root certificate with Custom Signing
    Certificate and replace all Certificates
 3. Replace Machine SSL certificate with VMCA Certificate
 4. Regenerate a new VMCA Root Certificate and
    replace all certificates
 5. Replace Solution user certificates with
    Custom Certificate
 6. Replace Solution user certificates with VMCA certificates
 7. Revert last performed operation by re-publishing old
    certificates
 8. Reset all Certificates

Note : Use Ctrl-D to exit.
Option[1 to 8]:
If you get an error or the menu doesn't show up, you probably aren't running vCenter 6.5 (which is what this was written against) and you'll need to debug what's going on.
Luckily the rest of the steps to get the certificate updated aren't too complicated. Pick option 1, "Replace Machine SSL certificate with Custom Certificate", to update the certificate:
Option[1 to 8]: 1
It will prompt you for administrator-level credentials to authorize the certificate change, and then for the next option:
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Option [1 or 2]: 2
We want to import the custom certificate, so select 2 as I did above. Fill in the next prompts with the files we walked through at the beginning of this post:
Please provide valid custom certificate for Machine SSL.
File : /root/cert.pem
Please provide valid custom key for Machine SSL.
File : /root/privkey.pem
The next prompt is where the trick of this whole thing is: vCenter asks for the "signing certificate of the Machine SSL certificate", and if you google around you'll only ever see references to vCenter's own CA and not what it actually means. It wants the CA chain that issued your certificate. Luckily Let's Encrypt puts exactly that in fullchain.pem (your certificate followed by the Let's Encrypt intermediate, i.e. cert.pem plus chain.pem), so that's all you have to add:
Please provide the signing certificate of the Machine SSL certificate
File : /root/fullchain.pem
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Command Output: /root/cert.pem: OK
Get site nameCompleted [Replacing Machine SSL Cert...]
default-site
Lookup all services
The final prompt is the confirmation that you'd like to replace the Machine SSL cert; select Y as shown above. A ton of UUIDs and data will stream by and it may take 10-15 minutes, since every vCenter service is stopped and restarted with the new certificate (so expect the web client to be unavailable during that window), but when you see this:
Updated 29 service(s)
Status : 70% Completed [stopping services...]
Status : 100% Completed [All tasks completed successfully]
You have successfully updated your certificate! Confirm it by loading the vSphere web client in a browser, or with openssl s_client against port 443, and set yourself a reminder ahead of the expiry date certbot printed, because you'll be doing this again.