VMware: How-to Secure our vCenter Server 7 (VCSA) with a Let’s Encrypt SSL Certificate

Greetings friends, for many years changing or adding an SSL certificate to our VMware vCenter has been a real pain: there are tens of KB articles and hundreds of Community posts about errors of all kinds once you deviate from the documented steps. From 6.7 onwards, however, the process seems to have been simplified a lot, so today I will show you the steps to install your own SSL certificate in VCSA, created for free with Let’s Encrypt.

Installation of system requirements (ACME)

We could install these packages inside VCSA 7 itself, but I normally do not recommend installing anything inside an appliance like vCenter, so we follow these steps in a Linux VM or container we have around.
It is as simple as launching the following:

cd /root 
wget -O - https://get.acme.sh | sh

This will create the following directory with the following in it:

ls .acme.sh/ -lah
total 240K
drwx------ 8 root root 4.0K May 15 10:44 .
drwx------ 5 root root 4.0K May 15 12:32 ..
-rw-r--r-- 1 root root  345 May 15 12:33 account.conf
-rwxr-xr-x 1 root root 193K May 15 09:36 acme.sh
-rw-r--r-- 1 root root   78 May 15 09:36 acme.sh.env
drwxr-xr-x 3 root root 4.0K May 15 10:44 ca
drwxr-xr-x 2 root root 4.0K May 15 09:36 deploy
drwxr-xr-x 2 root root 4.0K May 15 09:36 dnsapi
-rw-r--r-- 1 root root  332 May 15 14:49 http.header
drwxr-xr-x 2 root root 4.0K May 15 09:36 notify

We have everything ready, let’s go to the next step.

Launch acme command to generate a Let’s Encrypt SSL Certificate

We have several validation options for requesting the SSL certificate and being granted it; in this case I will use the simplest, though manual, one: manual DNS mode, which gives us a TXT record that we have to publish in our public DNS.

The command to launch to request the SSL certificate is the following; be careful to change the FQDN of your vCenter and your e-mail address, which receives the alerts when the certificate is about to expire. The same command is also useful when you want to renew:

certbot --manual --preferred-challenges dns certonly -d vcsa.jorgedelacruz.es --staple-ocsp -m [email protected] --agree-tos --force-renewal

This shows output similar to the following; we answer Yes to accept that our IP is stored and publicly logged:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for vcsa.jorgedelacruz.es

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: yes

Once we answer yes, it asks us to create the following TXT record in our public DNS:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.vcsa.jorgedelacruz.es with the following value:

kF8R0icb8zE3vgsJyOVWJqBbXdeU0AWJk0veEsh7eKg

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

I go to my public DNS provider and create the entry exactly as indicated by the console.
Now that I have everything in place, I go back to the console and press Enter to see that everything works and that I have my SSL certificate:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/vcsa.jorgedelacruz.es/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/vcsa.jorgedelacruz.es/privkey.pem
Your cert will expire on 2021-04-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
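The step that most often fails in manual DNS mode is pressing Enter before the TXT record is actually resolvable, after which certbot reports the dns-01 challenge as failed and the whole command has to be re-run. The following added example, which is not part of the original post, polls the _acme-challenge record with dig until the expected value appears. The function names (normalise_txt, txt_matches, txt_deployed, wait_for_txt) and the optional nameserver argument are this example’s own.

```shell
#!/bin/sh
# Confirm the _acme-challenge TXT record is live before continuing in certbot.
# Names below are this example's own, not certbot options or acme.sh functions.

# dig +short prints each TXT record as one or more "quoted" chunks on a line.
# Strip the quotes and join the chunks so each line is one plain value.
normalise_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_matches EXPECTED  (reads dig output on stdin)
# Succeeds only if some record equals EXPECTED exactly (-x: whole line,
# -F: no regex), so a stale value that merely contains it does not pass.
txt_matches() {
  normalise_txt | grep -qxF -- "$1"
}

# txt_deployed FQDN EXPECTED [NAMESERVER]
# Query the challenge name. Passing the zone's authoritative nameserver as the
# third argument avoids a recursive resolver's cache returning an old answer.
txt_deployed() {
  name="_acme-challenge.$1"
  if [ -n "$3" ]; then
    out=$(dig +short TXT "$name" "@$3")
  else
    out=$(dig +short TXT "$name")
  fi
  printf '%s\n' "$out" | txt_matches "$2"
}

# wait_for_txt FQDN EXPECTED [NAMESERVER] [TIMEOUT_SECONDS]
# Poll until the value is visible or the deadline (default 300 s) passes.
wait_for_txt() {
  deadline=$(( $(date +%s) + ${4:-300} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if txt_deployed "$1" "$2" "$3"; then
      echo "TXT record for _acme-challenge.$1 is live, safe to press Enter"
      return 0
    fi
    sleep 10
  done
  echo "timed out waiting for _acme-challenge.$1" >&2
  return 1
}

# Stand-alone use: sh check_txt.sh vcsa.example.test <value-from-certbot> [ns]
if [ $# -ge 2 ]; then
  wait_for_txt "$@"
fi
```

Run it in a second terminal while certbot is waiting at "Press Enter to Continue"; once it reports the record as live, go back and press Enter. Let’s Encrypt validates against the zone’s authoritative servers, so checking against those (third argument) is a closer approximation than trusting your local resolver.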

Locate SSL Certificate in our vCenter Appliance (VCSA)

If you have acme inside VCSA, which I have advised against, the certificates are in the path that Let’s Encrypt reported. If, on the other hand, you generated them on another Linux machine, we will have to create three files inside our VCSA: cert.pem, privkey.pem, and fullchain.pem.

As you can imagine, put the content of /etc/letsencrypt/live/vcsa.jorgedelacruz.es/cert.pem into the new file /root/cert.pem inside VCSA.

The content of /etc/letsencrypt/live/vcsa.jorgedelacruz.es/privkey.pem goes into /root/privkey.pem.

To create a fullchain.pem that vCenter 7 accepts, follow the next steps.

Create a new fullchain.pem valid for vCenter Server 7
For some time now VMware has become more demanding about intermediate CAs, so the fullchain.pem that Let’s Encrypt creates automatically is of no use here and gives an error when deploying it. To avoid problems we have to create a new file, which I have called fullchain2021.pem:

vi fullchain2021.pem

Inside it I have combined the intermediate certificate Let’s Encrypt Authority X3 (IdenTrust cross-signed)

with the DST Root CA X3 root certificate, which you can find here:

All together it should look something like this:

-----BEGIN CERTIFICATE-----
(intermediate certificate body omitted)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate body omitted)
-----END CERTIFICATE-----

Okay, we are very close to the end; we now have the three files inside our VCSA 7, in the root folder:

[email protected] [ ~ ]# ls -la *.pem
-rw-r--r-- 1 root root 1862 Jan 9 11:26 cert.pem
-rw-r--r-- 1 root root 3448 Jan 9 11:27 fullchain2021.pem
-rw-r--r-- 1 root root 1704 Jan 9 11:27 privkey.pem
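Before handing these three files to certificate-manager it is worth checking them with openssl, because a wrong private key, a missing SAN, or a chain file that does not end in the root are the usual reasons the import fails. The following added example, which is not part of the original post, does exactly those checks; the last one is the same verification certificate-manager reports as "/root/cert.pem: OK". The function names (check_bundle, chain_has_root, make_demo_pki and friends) are this example’s own, and make_demo_pki builds a throwaway root/intermediate/leaf PKI so the checks can be exercised offline without any Let’s Encrypt material.

```shell
#!/bin/sh
# Pre-flight checks on the PEM files certificate-manager asks for: the Machine
# SSL certificate, its private key, and the "signing certificate" bundle
# (intermediate + root). Function names are this example's own, not part of
# VCSA, certbot or acme.sh. Requires the openssl CLI (1.1.1 or later).

# key_matches_cert CERT KEY
# Does the private key belong to the certificate? Compare the public keys
# extracted from each; a mismatch is the classic "wrong privkey.pem".
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san CERT FQDN
# Browsers ignore the CN, so the vCenter FQDN must be a DNS SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|$)"
}

# chain_has_root BUNDLE
# Does the bundle end in a self-signed root? This is the difference between
# certbot's fullchain.pem (leaf + intermediate) and the fullchain2021.pem built
# in the post (intermediate + root), which is what VCSA 7 accepts.
chain_has_root() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9) }
         /^issuer=/  { i = substr($0, 8) }
         END { exit !(s != "" && s == i) }'
}

# check_bundle CERT KEY BUNDLE FQDN  -> 0 when everything is consistent
check_bundle() {
  key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1" >&2; return 1; }
  cert_has_san "$1" "$4"     || { echo "FAIL: $1 has no SAN for $4" >&2; return 1; }
  chain_has_root "$3"        || { echo "FAIL: $3 does not end in a self-signed root" >&2; return 1; }
  # Same check certificate-manager prints as "/root/cert.pem: OK".
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 \
                             || { echo "FAIL: $1 does not chain to $3" >&2; return 1; }
  echo "OK: $1, $2 and $3 are consistent for $4"
}

# make_demo_pki DIR FQDN
# Throwaway root -> intermediate -> leaf PKI so the checks run offline.
# Constructed test material, not Let's Encrypt certificates.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$d/leaf.ext"
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -extfile "$d/leaf.ext" -out "$d/cert.pem" 2>/dev/null || return 1
  cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"       # what certbot writes
  cat "$d/int.pem" "$d/root.pem" > "$d/fullchain2021.pem"   # what VCSA 7 wants
}

# Stand-alone run: build the demo PKI, check it, then show the negative case
# the post warns about (certbot's fullchain.pem has no root at the end).
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" vcsa.example.test
check_bundle "$demo_dir/cert.pem" "$demo_dir/privkey.pem" "$demo_dir/fullchain2021.pem" vcsa.example.test
chain_has_root "$demo_dir/fullchain.pem" || echo "as expected: fullchain.pem ends in the intermediate, not a root"
```

Against the real files the call is check_bundle /root/cert.pem /root/privkey.pem /root/fullchain2021.pem vcsa.jorgedelacruz.es, run on the machine where certbot wrote them or inside VCSA once the three files are there; the demo at the bottom only exists so the script does something useful when run without real certificates.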

Install Let’s Encrypt SSL Certificate in VCSA with certificate-manager via shell

As we are still inside the VCSA shell, we can use the certificate manager that has been bundled for a few releases now; invoking it is as simple as launching:

/usr/lib/vmware-vmca/bin/certificate-manager

This shows the following menu, where we press 1:

                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
                |                                                                     |
                |      *** Welcome to the vSphere 6.8 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |         NOTE: Solution user certs will be deprecated in a future    |
                |         release of vCenter. Refer to release notes for more details.|
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1

It then asks for credentials with permission to operate on SSL certificates within vsphere.local (or your own SSO domain); in my case I use administrator:

Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [[email protected]]:
Enter password:

Now we select the second option to supply our own SSL certificate:

1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 2
Please provide valid custom certificate for Machine SSL.
File : /root/cert.pem
Please provide valid custom key for Machine SSL.
File : /root/privkey.pem
Please provide the signing certificate of the Machine SSL certificate
File : /root/fullchain2.pem

We answer yes to this last question and the services are restarted automatically:

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : y
Command Output: /root/cert.pem: OK

Get site nameCompleted [Replacing Machine SSL Cert...]
default-site
Lookup all services
Get service default-site:c528e353-4680-4885-9e07-6d1d5b5b632d
Don't update service default-site:c528e353-4680-4885-9e07-6d1d5b5b632d
Get service default-site:612774a5-5093-4eaa-892c-d5735d3af0fe
...
Get service 9ae1be99-aabd-47a5-bd9a-f97f74eaf78f_com.vmware.vcenter.wcp
Don't update service 9ae1be99-aabd-47a5-bd9a-f97f74eaf78f_com.vmware.vcenter.wcp
Updated 0 service(s)
Status : 100% Completed [All tasks completed successfully]

Check that our VCSA already has the new valid SSL Certificate

The moment of truth has arrived: we open our vCenter. Remember that the certificate is valid only for the FQDN; if you access by IP the browser will always report the site as not secure, whereas on the FQDN we see the much-desired green lock. We can also see when the SSL certificate expires, its properties, etc.:

If you want to monitor your SSL certificate and see when it expires so that you can renew it in time, I have a post for that:

That’s all friends, I hope you like it and find it useful. A big greeting.

Author: jorgeuk

Father, writing in https://www.jorgedelacruz.es and https://jorgedelacruz.uk Blogger, Systems Engineer @veeam - vExpert 2014/2020 & NTC 2018/19
