Greetings friends, for many years, changing or adding an SSL certificate to our VMware vCenter has been a real pain, there are tens of KB, and hundreds of posts in the Community with errors of all kinds once you flirt with the steps. But from 6.7 onwards it seems that the process has been simplified a lot, so today I come to show you the steps to install your own SSL Certificate in VCSA, also free created with Let’s Encrypt.
NOTE: The Let’s Encrypt CA expired, you can get a workaround if you use the latest certbot, from snap on ubuntu, and you have you VCSA completely clean of old CA, and root certificates. Meaning, before you follow these steps, please clean your system – https://jorgedelacruz.uk/2021/11/23/vmware-fixing-annoying-error-cannot-connect-to-profile-driven-storage-service-related-to-ssl-certificates/
Installation of system requirements (certbot)
Let’s install certbot on a Linux machine outside the VCSA itself. As simple as launching the following:
sudo apt-add-repository -r ppa:certbot/certbot
This will allow us to update our packages and then install what is required:
sudo apt-get update sudo apt install python-certbot-apache
We have everything ready, let’s go to the next step.
Launch acme command to generate a Let’s Encrypt SSL Certificate
We have several validation options to request the SSL certificate and be granted it, in this case, I will use the simplest, but manual, which is using the manual DNS mode that will give us a TXT record that we have to put in our public DNS.
The command to be launched to request the SSL certificate is the following, be careful to change your FQDN of your vCenter, and your email to get the alerts when it expires. This command is also useful when you want to renew:
certbot --manual --preferred-challenges dns certonly -d vcsa.jorgedelacruz.es --staple-ocsp -m [email protected] --agree-tos --force-renewal
This will show us output similar to this, we will answer Yes so that our IP is stored and then have its statistics:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Obtaining a new certificate Performing the following challenges: dns-01 challenge for vcsa.jorgedelacruz.es - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: yes
Once we press yes, it will ask us to create the next TXT in our public DNS:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.vcsa.jorgedelacruz.es with the following value: kF8R0icb8zE3vgsJyOVWJqBbXdeU0AWJk0veEsh7eKg Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue
I go to my public DNS provider and create the entry as indicated by the console:
Now that I have everything, I go back to my console and press Enter, to see that everything works and I have my SSL certificate:
Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/vcsa.jorgedelacruz.es/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/vcsa.jorgedelacruz.es/privkey.pem Your cert will expire on 2021-04-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Locate SSL Certificate in our vCenter Appliance (VCSA)
If you have generated this in another Linux, as recommended, we will have to create three files within our VCSA: cert.pem, privkey.pem, and fullchain.pem.
As you can imagine, including the content of /etc/letsencrypt/live/vcsa.jorgedelacruz.es/cert.pem inside the new file /root/cert.pem inside VCSA.
The content of /etc/letsencrypt/live/vcsa.jorgedelacruz.es/privkey.pem inside /root/privkey.pem
If you are using vSphere 7.0U2 and above you do not need to do this, jump to the next step, which is Install Let’s Encrypt Certificate.
Create a new fullchain.pem valid for vCenter Server 7.0 U1 or below
For some time now, it seems that VMware has become a little more demanding with Intermediate CA’s, etc. So the fullchain.pem that automatically creates Let’s Encrypt is useless and will give us an error when deploying it, so that we do not have problems, we will have to create a new file, I have called it fullchain2021.pem
And inside I have combined the Intermediate Certificates Let’s Encrypt Authority X3 (IdenTrust cross-signed)
We will combine that previous file with the next DST Root CA X3that you can find here:
All together should be something like this:
-----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8 SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0 Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/ wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6 KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ -----END CERTIFICATE-----
Okay, we are very close to the end, we already have three files inside our VCSA 7, in the root folder:
[email protected] [ ~ ]# ls -la *.pem -rw-r--r-- 1 root root 1862 Jan 9 11:26 cert.pem -rw-r--r-- 1 root root 3448 Jan 9 11:27 fullchain2021.pem -rw-r--r-- 1 root root 1704 Jan 9 11:27 privkey.pem
Install Let’s Encrypt SSL Certificate in VCSA with certificate-manager via shell
As we are still inside our VCSA by shell, we can make use of the new certificate manager that is included in a few editions, to invoke it as simple as launching:
That will show us the following menu, we will press 1:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | | | *** Welcome to the vSphere 6.8 Certificate Manager *** | | | | -- Select Operation -- | | | | 1. Replace Machine SSL certificate with Custom Certificate | | | | 2. Replace VMCA Root certificate with Custom Signing | | Certificate and replace all Certificates | | | | 3. Replace Machine SSL certificate with VMCA Certificate | | | | 4. Regenerate a new VMCA Root Certificate and | | replace all certificates | | | | 5. Replace Solution user certificates with | | Custom Certificate | | NOTE: Solution user certs will be deprecated in a future | | release of vCenter. Refer to release notes for more details.| | | | 6. Replace Solution user certificates with VMCA certificates | | | | 7. Revert last performed operation by re-publishing old | | certificates | | | | 8. Reset all Certificates | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _| Note : Use Ctrl-D to exit. Option[1 to 8]: 1
This will ask us for credentials with permissions to operate the SSL Certificates within vsphere.local (or your SSO), in my case I will use administrator:
Please provide valid SSO and VC privileged user credential to perform certificate operations. Enter username [[email protected]]: Enter password:
Now we will select the second option to select our own SSL Certificate
1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate 2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate Option [1 or 2]: 2 Please provide valid custom certificate for Machine SSL. File : /root/cert.pem Please provide valid custom key for Machine SSL. File : /root/privkey.pem Please provide the signing certificate of the Machine SSL certificate File : /root/fullchain2.pem
And we will already select yes in this last question, the services will be restarted automatically:
You are going to replace Machine SSL cert using custom cert Continue operation : Option[Y/N] ? : y Command Output: /root/cert.pem: OK Get site nameCompleted [Replacing Machine SSL Cert...] default-site Lookup all services Get service default-site:c528e353-4680-4885-9e07-6d1d5b5b632d Don't update service default-site:c528e353-4680-4885-9e07-6d1d5b5b632d Get service default-site:612774a5-5093-4eaa-892c-d5735d3af0fe ... Get service 9ae1be99-aabd-47a5-bd9a-f97f74eaf78f_com.vmware.vcenter.wcp Don't update service 9ae1be99-aabd-47a5-bd9a-f97f74eaf78f_com.vmware.vcenter.wcp Updated 0 service(s) Status : 100% Completed [All tasks completed successfully]
Check that our VCSA already has the new valid SSL Certificate
The moment of truth has arrived, we will go to our vCenter, remember that the certificate is only valid for the FQDN, if you access by IP it will always come out that it is not secure, and if it is the FQDN we will see the so desired green lock: In addition, we can see when the SSL certificate expires, properties, etc:
- Looking for the Perfect Dashboard: InfluxDB, Telegraf, and Grafana – Part XX (Monitoring SSL Certificates x.509)
That’s all friends, I hope you like it and find it useful. A big greeting.