From time to time I got annoyed by the untrusted certificate on my demo VMware vCenter Server. Since I have been using Let’s Encrypt (LE) for years for my blog and other sites, I thought about also using this nice service for my vCenter Server.
After playing around a bit with the vSphere 6.7 Certificate Manager, I found a nice (but dirty) solution:
The following is a very quick & dirty solution, and I will not explain what the Certificate Manager does exactly. If you are interested in all of its features, please read the documentation first 🙂
Let’s start. First of all, there are two requirements: you cannot run the LE tooling on your vCenter Server Appliance, so you need a Linux host for this. And because LE will be talking to a different IP than your vCenter Server, an HTTP-based challenge cannot work, so you need a DNS record of type TXT for verification. Let’s start on our Linux host:
linux:/root # certbot certonly --manual --preferred-challenges=dns -d vcenter.ich-halt.net
While the wizard is running, you need to create the TXT DNS record it asks for; you can check that it is visible, for example, with:
linux:/root # dig TXT _acme-challenge.vcenter.ich-halt.net +short
After the LE wizard has run successfully, you have the three files needed for your vCenter Server:
linux:/etc/letsencrypt/live/vcenter.ich-halt.net # ls
(...) cert.pem fullchain.pem privkey.pem
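Before copying the files over, it pays to check them on the Linux host: the Certificate Manager only reports a generic service-start error and rolls back, so a wrong key or hostname is much cheaper to catch here. This is an added example, not code from the original post; it assumes openssl 1.1.1 or newer, the function names are hypothetical, and the demo material is a constructed self-signed certificate, not real LE output.

```shell
#!/bin/sh
# Pre-flight checks for the LE files before handing them to certificate-manager.
# Added example, not part of the original post; assumes openssl 1.1.1+ on the Linux host.

# 0 if the public key inside CERT belongs to the private key in KEY.
cert_matches_key() {
    cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# 0 if CERT names HOST (CN or subjectAltName), which is what vSphere clients verify.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# 0 if CERT stays valid for at least DAYS more days (LE certificates last 90 days).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all checks for CERT KEY HOST; exit status 0 means "safe to import".
preflight() {
    cert_matches_key "$1" "$2" || { echo "cert and key do not match" >&2; return 1; }
    cert_covers_host "$1" "$3" || { echo "cert does not cover $3" >&2; return 1; }
    cert_valid_for_days "$1" 30 || { echo "cert expires within 30 days, renew first" >&2; return 1; }
    echo "ok: $1 matches $2 and covers $3"
}

# Constructed demo material (not real LE output): a self-signed 90-day certificate
# for HOST plus its private key, written to a temp dir whose path is printed.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir"
}
```

For the real files, call preflight /etc/letsencrypt/live/vcenter.ich-halt.net/cert.pem with the matching privkey.pem and your vCenter FQDN.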
Just copy these files to your vCenter Server Appliance, switch to its shell (log in via SSH) and run the Certificate Manager:
root@vcenter [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
1. Replace Machine SSL certificate with Custom Certificate
Option[1 to 8]: 1
2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate
Option [1 or 2]: 2
Please provide valid custom certificate for Machine SSL.
File : /root/cert.pem
Please provide valid custom key for Machine SSL.
File : /root/privkey.pem
Please provide the signing certificate of the Machine SSL certificate
File : /root/fullchain.pem
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : y
For vCenter Server Appliance 6.5 this works fine. But (in my setup) with version 6.7 it doesn’t: you get some errors and the Certificate Manager performs a rollback of your changes:
Updated 0 service(s)
Status : 85% Completed [starting services...]
Error while starting services, please see service-control log for more details
Status : 0% Completed [Operation failed, performing automatic rollback]
Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
Performing rollback of Machine SSL Cert...
To prevent this rollback, you need to press CTRL + C immediately after the “Updated 0 service(s)” line appears and reboot your VCSA with “reboot”.
Get service 86b7419e-7b41-4aa1-9bc6-5eb01cb860ad
Don't update service 86b7419e-7b41-4aa1-9bc6-5eb01cb860ad
Updated 0 service(s)
After coming up again, all my services started correctly and are using the LE certificate:
Next step will be the challenge to automate the LE certificate renewal 🙂
Appendix: maybe it isn’t a general vSphere 6.7 problem – I have now found a VCSA 6.7 which worked like 6.5 without problems …