Comments on: VMware: How-to Secure our vCenter Server 7 (VCSA) with a Let’s Encrypt SSL Certificate

By: esxsi.com – How to Install vSphere 7.0 – vCenter Server Appliance – Unified Networking

Wed, 01 May 2024 00:25:02 +0000

[…] For information on applying an SSL certificate to the vCenter Server Appliance see How-to Secure vCenter Server 7 (VCSA) with a Let’s Encrypt SSL Certificate. […]

By: Billy

Billy — Wed, 14 Jun 2023 09:30:08 +0000

Yes, using this guide was able to get this working. The old cross signed certificates had expired so needed to add the new within the chain.pem:

—–BEGIN CERTIFICATE—–
MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu
VHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw
MTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw
JQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT
3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU
+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp
S0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1
bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi
T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL
vYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK
Vsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK
dHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT
c+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv
l7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N
iGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD
ggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH
6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt
LRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93
nAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3
+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK
W2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT
AwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq
l1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG
4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ
mUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A
7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
—–END CERTIFICATE—–

after doing so was able to import these into vcenter using the certificate manager in the shell.

By: Scott White

Scott White — Sun, 05 Mar 2023 11:43:32 +0000

I wanted to let you know it is possible to also do this with 8.0.0.10200 if you use /usr/lib/vmware-vmca/bin/certificate-manager and the method from virtuallywired to create the keys

docker-compose -f /root/certbot/docker-compose.yml run –rm certbot-renew #Or whatever method to use to get your keys
cat /etc/letsencrypt/lets-encrypt-r3.pem /etc/letsencrypt/isrgrootx1.pem > /tmp/chain.pem
cat /etc/letsencrypt/live/vc.mydomain.me/cert.pem /etc/letsencrypt/lets-encrypt-r3.pem /etc/letsencrypt/isrgrootx1.pem > /tmp/cert.pem
scp /tmp/cert.pem vc.mydomain.me:
scp /etc/letsencrypt/live/vc.mydomain.me/privkey.pem vc.mydomain.me:
scp /tmp/chain.pem vc.mydomain.me:

Then use /usr/lib/vmware-vmca/bin/certificate-manager to update.

Please provide valid custom certificate for Machine SSL.
File : /root/cert.pem

Please provide valid custom key for Machine SSL.
File : /root/privkey.pem

Please provide the signing certificate of the Machine SSL certificate
File : /root/chain.pem

My previous method of automating this with 7 sadly no longer works. I used to combine the certs as you describe and then run

ssh vc.mydomain.me service-control –stop –all
ssh vc.mydomain.me service-control –start vmafdd
ssh vc.mydomain.me service-control –start vmdird
ssh vc.mydomain.me service-control –start vmcad
ssh vc.mydomain.me /usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store MACHINE_SSL_CERT –alias __MACHINE_CERT -y
ssh vc.mydomain.me /usr/lib/vmware-vmafd/bin/vecs-cli entry create –store MACHINE_SSL_CERT –alias __MACHINE_CERT –cert /root/cert.pem –key /root/privkey.pem
ssh vc.mydomain.me service-control –start –all

This results in vmware-content-library failing to start and a 500 error on the URL. I suspect it has something to do with the following being added to the instructions

https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-authentication/GUID-DC693417-78CF-477F-9A4F-AFC9AA1D74E7.html

/usr/lib/vmware-lookupsvc/tools/ls_update_certs.py –url https:///lookupservice/sdk –certfile –user ‘administrator@vsphere.local’ –password ” –fingerprint

but I am probably going to need to dig through the logs for certificate-manager to be sure

By: jorgeuk

jorgeuk — Sun, 29 May 2022 11:36:02 +0000

In reply to Scott White. AMAZING! Will give it a try and update the steps, thanks for being stubborn with this, I almost gave up after a million of attempts. Appreciated it!

By: Scott White

Scott White — Sat, 28 May 2022 19:12:28 +0000

Gosh I have made it work on the latest VCSA 7.0.3.00600 following this guys instructions https://virtuallywired.io/2021/11/29/replace-default-vcenter-certificate-with-a-free-lets-encrypt-ssl/

Basically

curl -o /tmp/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
curl -o /tmp/isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt

scp /tmp/cert.pem /tmp/chain.pem /etc/letsencrypt/live/vc.whatever.me/privkey.pem root@vc.whatever.me:

Then go through the normal /usr/lib/vmware-vmca/bin/certificate-manager and it works

Now to see if I can adjust his automation here https://github.com/virtuallywired/Install-vCenterSSL/blob/main/Install-vCenterSSL.ps1

By: jorgeuk

jorgeuk — Tue, 23 Nov 2021 16:45:42 +0000

In reply to gigabrit.

Hello,
My advice will be, clean all your system, using this https://jorgedelacruz.uk/2021/11/23/vmware-fixing-annoying-error-cannot-connect-to-profile-driven-storage-service-related-to-ssl-certificates/ then use the latest lets encrypt from certbot, from snap not from repo, and try that way.
Or better, clean the system and run ZeroSSL – https://jorgedelacruz.uk/2021/10/18/vmware-how-to-secure-our-vcenter-server-7-vcsa-with-a-zerossl-certificate/
Let me know

By: gigabrit

gigabrit — Tue, 23 Nov 2021 16:36:51 +0000

Whenever I replace this certificate, the vcenter takes it, but I can no longer access the UI. All I see is a message that states “no healthy upstream”? Have you seen this before?

By: jorgeuk

jorgeuk — Tue, 23 Nov 2021 10:21:35 +0000

In reply to waxling.

Yes, it is has been a real pain. To the point, I’ve broken my VCSA and I could not access storage policies and others by trying to remove the trusted CA, and others. My solution? This very fresh article – https://jorgedelacruz.uk/2021/11/23/vmware-fixing-annoying-error-cannot-connect-to-profile-driven-storage-service-related-to-ssl-certificates/ After that, you will have all fresh, and you can try Let’s Encrypt again if you like, with the new CA, etc.

Although, I have transitioned to ZeroSSL for now, and all is working smoothly.

By: waxling

waxling — Tue, 23 Nov 2021 09:31:04 +0000

The issue is that the OpenSSL version (and likely many other libraries) will fail when the old/expired DST Root CA X3 is seen as an invalid cert in any path – in the case of any cert issued by LE this will mean that with these versions of OpenSSL and libraries the cert chain will fail.

The solution is to scalpel out the failed CA from the trusted CA store: https://www.frozenak.com/2020/11/02/vsphere-ssl-certificate-issues-trust-anchors/ as well as remove the expired trust achors https://www.frozenak.com/2020/11/02/vsphere-ssl-certificate-issues-trust-anchors/

This makes it start with an LE cert, however I’ve hit a problem with the SDK endpoint still not functioning correctly so I’m still confirming what that issue is and whether its related

By: jorgeuk

jorgeuk — Mon, 18 Oct 2021 08:13:15 +0000

In reply to jorgeuk.

I gave up for now, so I am using another service and it worked very well, the steps can be found here https://jorgedelacruz.uk/2021/10/18/vmware-how-to-secure-our-vcenter-server-7-vcsa-with-a-zerossl-certificate/ finally green lock again, jesuschrist!