I. Pre-requisites

First, you need a working vCenter Server installation. Second, the FQDN (PNID) must have been set correctly during installation; if it was not, you cannot install an ACME certificate on vCenter directly, and putting a reverse proxy in front of it is the only way to present a publicly trusted certificate.

II. Install acme.sh

acme.sh is used here as the certificate request tool. Log in to the vCenter Server host over SSH and install it following the official instructions:

curl https://get.acme.sh | sh -s email=my@example.com

III. Apply for a certificate

Because the vCenter Server sits on the intranet and is not reachable from the Internet, the HTTP-01 challenge cannot be used; the domain can only be validated through your DNS provider's API (the DNS-01 challenge).

# Replace with your own DNS provider's API credential and acme.sh DNS hook.
# acme.sh stores this key in ~/.acme.sh/account.conf for later renewals,
# so keep that file readable by root only.
export GANDI_LIVEDNS_KEY="###########################"
./acme.sh --issue -d xxxxx.com --dns dns_gandi_livedns

IV. Replacing the original certificate

vCenter Server ships with the certificate-manager utility for replacing certificates from the command line. Use it to replace the certificate manually first (option 1, then option 2 to import the files acme.sh produced):

root@vc [ ~/.acme.sh ]# /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 7.0 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |         NOTE: Solution user certs will be deprecated in a future    |
                |         release of vCenter. Refer to release notes for more details.|
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1

Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
         1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

         2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 2

Please provide valid custom certificate for Machine SSL.
File : /root/.acme.sh/xxxxx.com/xxxxx.com.cer

Please provide valid custom key for Machine SSL.
File : /root/.acme.sh/xxxxx.com/xxxxx.com.key

Please provide the signing certificate of the Machine SSL certificate
File : /root/.acme.sh/xxxxx.com/fullchain.cer

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Command Output: /root/.acme.sh/xxxxx.com/xxxxx.com.cer: OK

Status : 100% Completed [All tasks completed successfully]

V. Automation Scripts

Once you have confirmed that the manual replacement works, you can create an automation script to renew and replace the certificate automatically. Note, however, that if the FQDN (PNID) of vCenter Server was configured incorrectly during installation (the name did not resolve at the time), the PNID is set to the IP address instead, and the certificate replacement will certainly fail.

curl -sSL https://raw.githubusercontent.com/emryl/vcenter-letsencrypt-auto-updater/main/auto-updater.sh > ~/.acme.sh/auto-updater.sh
curl -sSL https://raw.githubusercontent.com/emryl/vcenter-letsencrypt-auto-updater/main/update.conf > ~/.acme.sh/update.conf

chmod +x ~/.acme.sh/auto-updater.sh

Then edit the account information in ~/.acme.sh/update.conf and run ~/.acme.sh/auto-updater.sh by hand to confirm the replacement works. Because update.conf holds vCenter credentials in clear text, restrict it to root (chmod 600 ~/.acme.sh/update.conf). Once the manual run succeeds, add a scheduled task. In the crontab below the first entry is vCenter's own, the second is the renewal job acme.sh installs for itself, and the third runs the updater weekly:
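Before the automated path calls certificate-manager, it is worth checking that the files acme.sh wrote (section III) actually fit this vCenter, in particular that the PNID is an FQDN covered by the certificate rather than an IP address, which is the failure mode described above. The following script is an added example and is not code from the original post or from the vcenter-letsencrypt-auto-updater project. It assumes the acme.sh file layout (<domain>.cer, <domain>.key and ca.cer under ~/.acme.sh/<domain>/), that vmafd-cli lives at /usr/lib/vmware-vmafd/bin/vmafd-cli on the appliance (falling back to hostname -f elsewhere), and it builds a throwaway self-signed certificate with openssl as constructed sample input so that it can run off the appliance; certificate-manager itself is never invoked.

```shell
#!/bin/sh
# Pre-flight checks before handing an acme.sh certificate to certificate-manager.
# Added example, not code from the original post or the auto-updater project.
# Assumptions: acme.sh layout under $ACME_HOME/<domain>/ (<domain>.cer,
# <domain>.key, ca.cer) and vmafd-cli at /usr/lib/vmware-vmafd/bin/vmafd-cli.

ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"

# PNID as vCenter sees it. Off the appliance fall back to the host's FQDN.
get_pnid() {
  if [ -x /usr/lib/vmware-vmafd/bin/vmafd-cli ]; then
    /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
  else
    hostname -f
  fi
}

# Succeeds when the PNID is an IPv4 address, i.e. the misconfiguration
# described in section V that makes the replacement fail.
pnid_is_ip() {
  printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Succeeds when the certificate's public key matches the private key.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when the PNID appears as a DNS entry in the subjectAltName.
cert_covers_pnid() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^[[:space:]]*//' |
    grep -Fxiq "DNS:$2"
}

# Succeeds when the leaf verifies against the issuer chain (acme.sh's ca.cer).
cert_chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run every check; report the first failure on stderr and return non-zero.
preflight() {
  cert=$1; key=$2; chain=$3; pnid=$4
  if pnid_is_ip "$pnid"; then
    echo "PNID is an IP address ($pnid); fix the PNID before replacing the certificate" >&2
    return 1
  fi
  cert_key_match "$cert" "$key"    || { echo "certificate and key do not match" >&2; return 1; }
  cert_covers_pnid "$cert" "$pnid" || { echo "certificate has no DNS SAN for $pnid" >&2; return 1; }
  cert_chain_ok "$cert" "$chain"   || { echo "certificate does not verify against $chain" >&2; return 1; }
  cert_valid_for_days "$cert" 7    || { echo "certificate expires within 7 days; renew first" >&2; return 1; }
  return 0
}

# Constructed sample input: a throwaway self-signed certificate standing in for
# the acme.sh output, so the checks can be exercised without a vCenter at hand.
make_demo_cert() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/$cn.key" -out "$dir/$cn.cer" \
    -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" >/dev/null 2>&1
  cp "$dir/$cn.cer" "$dir/ca.cer"   # self-signed, so the leaf is its own issuer
}

demo=$(mktemp -d)
make_demo_cert "$demo" vc.example.internal
if preflight "$demo/vc.example.internal.cer" "$demo/vc.example.internal.key" \
             "$demo/ca.cer" vc.example.internal; then
  echo "pre-flight OK: safe to run certificate-manager option 1"
fi
rm -rf "$demo"
```

On the appliance, replace the demo section with `d=xxxxx.com; preflight "$ACME_HOME/$d/$d.cer" "$ACME_HOME/$d/$d.key" "$ACME_HOME/$d/ca.cer" "$(get_pnid)"` and only run certificate-manager (or the auto-updater) when it returns 0; the PNID check fails fast on exactly the IP-address case that section V warns about, instead of letting the replacement fail half-way through.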

root@vc [ ~/.acme.sh ]# crontab -l
@reboot /usr/bin/python /usr/lib/applmgmt/security/scripts/hash_mode_update.py
13 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
30 5 * * sun "/root/.acme.sh/auto-updater.sh"

However, according to the comments under the original author's article, it may still be necessary to add a restart of the appliance web server to the end of the script so that the new certificate is actually served:

/etc/init.d/vami-lighttp restart

VI. Reference