Last year I wrote the follow guide Install Free Let’s Encrypt SSL Certificate for your vCenter 6.7 Lab. The certificate was issued by Let’s Encrypt via a project called ZeroSSL. Recently ZeroSSL stopped using Let’s Encrypt, and started issuing the certificates themselves, therefore the process to generate the certificate outlined in that guide is no longer valid. In this post, I’ll provide the updated steps to generate a certificate, still using ZeroSSL, and the good news is, the process is much simpler now!
Note: Be sure to check out my latest post https://virtuallywired.io/2021/05/15/automate-free-ssl-certificate-replacement-for-vcenter-7/
Step 1
Head over to ZeroSLL and sign up for a free account and login. The free plan allows you to generate and manage up to three 90-Day certificates.
Step 2
After you have signed in, press the “New Certificate” Button and follow the steps to generate an After you have signed in, press the “New Certificate” button and follow the steps to generate an SSL certificate for your domain. I let ZeroSSL auto-generate the CSR, you will also be required to validate ownership of the domain, I did this using DNS verification, but it can also be done via email or HTTP file upload. Once the domain is verified, you will have the option to download a zip file containing the certificates.
Step 3
You will now need to create the chain of trusted root certificates, to this you will need to download the Root Authority Certificate “SHA-2 Root : USERTrust RSA Certification Authority” which can be found here. You will need to chain the CA_Bundle certificate contained in the zip you download from ZeroSSL in the previous step, followed by the Root Certificate.
For your convenience you can copy the ZeroSSL chain of trusted root certificates below.
-----BEGIN CERTIFICATE-----
MIIG1TCCBL2gAwIBAgIQbFWr29AHksedBwzYEZ7WvzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMjAw
MTMwMDAwMDAwWhcNMzAwMTI5MjM1OTU5WjBLMQswCQYDVQQGEwJBVDEQMA4GA1UE
ChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBSU0EgRG9tYWluIFNlY3VyZSBT
aXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAhmlzfqO1Mdgj
4W3dpBPTVBX1AuvcAyG1fl0dUnw/MeueCWzRWTheZ35LVo91kLI3DDVaZKW+TBAs
JBjEbYmMwcWSTWYCg5334SF0+ctDAsFxsX+rTDh9kSrG/4mp6OShubLaEIUJiZo4
t873TuSd0Wj5DWt3DtpAG8T35l/v+xrN8ub8PSSoX5Vkgw+jWf4KQtNvUFLDq8mF
WhUnPL6jHAADXpvs4lTNYwOtx9yQtbpxwSt7QJY1+ICrmRJB6BuKRt/jfDJF9Jsc
RQVlHIxQdKAJl7oaVnXgDkqtk2qddd3kCDXd74gv813G91z7CjsGyJ93oJIlNS3U
gFbD6V54JMgZ3rSmotYbz98oZxX7MKbtCm1aJ/q+hTv2YK1yMxrnfcieKmOYBbFD
hnW5O6RMA703dBK92j6XRN2EttLkQuujZgy+jXRKtaWMIlkNkWJmOiHmErQngHvt
iNkIcjJumq1ddFX4iaTI40a6zgvIBtxFeDs2RfcaH73er7ctNUUqgQT5rFgJhMmF
x76rQgB5OZUkodb5k2ex7P+Gu4J86bS15094UuYcV09hVeknmTh5Ex9CBKipLS2W
2wKBakf+aVYnNCU6S0nASqt2xrZpGC1v7v6DhuepyyJtn3qSV2PoBiU5Sql+aARp
wUibQMGm44gjyNDqDlVp+ShLQlUH9x8CAwEAAaOCAXUwggFxMB8GA1UdIwQYMBaA
FFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQWBBTI2XhootkZaNU9ct5fCj7c
tYaGpjAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwIgYDVR0gBBswGTANBgsrBgEEAbIxAQIC
TjAIBgZngQwBAgEwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1
c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYG
CCsGAQUFBwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3Qu
Y29tL1VTRVJUcnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRw
Oi8vb2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQAVDwoIzQDV
ercT0eYqZjBNJ8VNWwVFlQOtZERqn5iWnEVaLZZdzxlbvz2Fx0ExUNuUEgYkIVM4
YocKkCQ7hO5noicoq/DrEYH5IuNcuW1I8JJZ9DLuB1fYvIHlZ2JG46iNbVKA3ygA
Ez86RvDQlt2C494qqPVItRjrz9YlJEGT0DrttyApq0YLFDzf+Z1pkMhh7c+7fXeJ
qmIhfJpduKc8HEQkYQQShen426S3H0JrIAbKcBCiyYFuOhfyvuwVCFDfFvrjADjd
4jX1uQXd161IyFRbm89s2Oj5oU1wDYz5sx+hoCuh6lSs+/uPuWomIq3y1GDFNafW
+LsHBU16lQo5Q2yh25laQsKRgyPmMpHJ98edm6y2sHUabASmRHxvGiuwwE25aDU0
2SAeepyImJ2CzB80YG7WxlynHqNhpE7xfC7PzQlLgmfEHdU+tHFeQazRQnrFkW2W
kqRGIq7cKRnyypvjPMkjeiV9lRdAM9fSJvsB3svUuu1coIG1xxI1yegoGM4r5QP4
RGIVvYaiI76C0djoSbQ/dkIUUXQuB8AL5jyH34g3BZaaXyvpmnV4ilppMXVAnAYG
ON51WhJ6W0xNdNJwzYASZYH+tmCWI+N60Gv2NNMGHwMZ7e9bXgzUCZH5FaBFDGR5
S9VWqHB73Q+OyIVvIbKYcSc2w/aSuFKGSA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----Step 4
Login to the vCenter server, under Menu > Administration, Select Certificate Management.
Under __MACHINE_CERT select ACTIONS > Import and Replace Certificate.
Select the option > Replace with external CA certificate(requires private key)
Copy the text from the certificate files as described below, NOTE: I recommend you copy and paste the text instead of using the “Browse File” option as the file may contain invalid characters or carriage returns.
Ensure there are no invalid spaces or characters and press REPLACE
If successful the vCenter should automatically restart to load the new certificates.
Step 5
After the restart, log back in and you should see a valid SSL certificate issued by ZeroSSL.
I hope you found this guide useful, please comment below if you have any questions!
Hi – I just finished installing vSphere 7 at home lab. Will be installing SSL cert during the weekend. Just one question – after 90 days is the cert renewable or will it expire.
Hi Ram, the SSL is fully manageable via your ZeroSSL account, you should receive a notification on its near expiry. I haven’t tried to renew yet, but I believe you would be able to simply hit the renew option to generate an updated 90-day cert. You shouldn’t have to replace the other certificates, only the cert. I’ll test this out soon and post an update. Good Luck!
Thanks for responding. Look forward to your update.
Just finished installing VCSA. I want not aware vmware discontinued vcenter for windows in vSphere 7. It is ok – VCSA is working fine.
Hi Ram, So I will need to wait a little while before posting an update on renewals as I can only renew within 30 days of expiry. https://zerossl.com/help/renew-certificate/
Hi,
I cannot get ZeroSSL working. When, I press replace the certificate – getting this error “Error occurred while fetching tls: Exception found (Invalid input certificate : The Subject of the provided certificate does not contain the correct CN value)”
I checked the name of vcenter. It is all correct. Yet the cert replacement not working. Not sure what is the issue.
Ram
Strange, I used this process multiple times. Maybe troubleshoot the certificate using a decoder tool online. https://www.geocerts.com/certificate-decoder
Double check you are pasting the cert content correctly with no additional characters. If all fails reboot VC and try again.
Reach out to me via Twitter @virtuallywired
I am getting the same error, was there a resolution to this?
Hi ramg1967, not sure why you are getting the error, several people have successfully replaced the certificate following these steps. Are you following every single step exactly? Have you tested the steps on a new vCenter installation?
If this is the error, please check out this post https://virtuallywired.io/2020/10/24/invalid-vcenter-cert-using-macos-catalina-and-chrome/
Hi Lee!
Did you solved this issue? I’m hitting the same.
Thanks
Johny
How are you adding the Certs, are you copying and pasting the text or using the browse file option? And what text editor are you using?
Hey Ram, I removed the decoded cert from the comments for security reasons. Reach out to me via Twitter if you want @virtuallywired
I tried both (Copy and Paste + Browse). Still no luck. Restarting VC now.
OK will do.
Hi RAMG1967!
Were you able to solve this issue, please?
I’m getting the same error and out of ideas.
Thanks
Thanks for the guide!! it really helped me i just deployed a vcenter on a customer and wasn’t able to import the cert after tinkering with it for a week now.
You’re Welcome, Thank you for the feedback.
Hi , im using DDNS by No-IP, is it worked?
Using DDNS Should not affect it, the common name is the DNS name.
Hi, I have a VMWare 7 baremetal server in my home lab. I also have a domain controller w/ DNS configured for the server. My workstation browser does resolve the server’s FQDN — however, I get a cert error. Since I’m not running VCenter, is it possible to fix this? If so, how?
What is the cert error you are getting?
NET::ERR_CERT_AUTHORITY_INVALID. I exported the cert from the Edge browser, then imported it (using the import wizard). It didn’t fix the problem.
I don’t think it’s the same error, but have checked this post https://virtuallywired.io/2020/10/24/invalid-vcenter-cert-using-macos-catalina-and-chrome/
love it, thanks for the info just used this to replace my VCSA certificate in the lab.
Cheers vMan, glad it helped 🙂
Hi, i found that some one said, can perform automatic renewal, do have any idea how to perform that?
Technically you can automate it, but you will need to setup certbot or similar and use vSphere APIs, otherwise every 60 – 90 days you generate a new cert and replace it manually.
Hi!
Has anyone solve this issue, please? “The Subject of the provided certificate does not contain the correct CN value”
Cheers
How are you creating CSR?
I had the same problem on the web.
but it was done by cli and it worked without problems. /usr/lib/vmware-vmca/bin/certificate-manager
Same error here. Try to update from web or cli. No more chance. I never seen that in all my life :((
Hi Ced, I wrote a script to automate this, why don’t you try this > https://virtuallywired.io/2021/05/15/automate-free-ssl-certificate-replacement-for-vcenter-7/
Hi friend, Thank you so much for your help but I get an error with Get-PACertificate (Not known as applet)
you need to install the Powershell module > Install-Module -Name Posh-ACME -Scope CurrentUser
Posh-ACME seems not to install correctly I think
What error are you getting ?
I get also an error when I try to install posh-acme . It seems to install but then the feature is not found.
PackageManagement\Install-Package : Impossible de trouver une partie du chemin d’accès ‘C:\Users\CED\Documents\WindowsPowerShell\Modules\Posh-ACME\4.6.0’.
Au caractère C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1809 : 21
+ … $null = PackageManagement\Install-Package @PSBoundParameters
It cannot find the ACME folder location. Do I have to create it manually ?
No I don’t think so. What version of PowerShell version are you using?
It is 5.1.19041.1151 and now I have an issue with Admin privilege even my session is admin and powershell is launched as admin.
Maybe contact me via twitter and DM me, I can try to help you install the SSL
It seemes to work now but it remains an error like
Get-PAAccount : No ACME server configured. Run Set-PAServer first. What is this ?
Simple.. Just run this first time > Set-PAServer LE_PROD
Just a little question, how to make my TXT record ? What value willi I enter ? Thank you !!
Who is your dns hosted with?
OVH I know how to go to DNS zone but I guess I have to fill with the script code but how ?
Your dns provider will allow you create a TXT record.
When you run the script, you will be given the txt record to create, this is so let’s Encrypt validates you own the domain.
So this is the only value I will enter in my TXT record right ? I did that but acme does not find the record 🙁
What is the exact record syntax please ?
Well TXT challenge worked but at the end the vsphere certificate can’t be replaced !! :((
see error below the error is quite the same as the manual method. It is a nighmare this f…g vcenter.
C:\Users\CED\Desktop\Install-vCenterSSL-main\Install-vCenterSSL.ps1 : Failed to Replace Certificate, Terminating Script
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-vCenterSSL.ps1
Status: A system exception was caught.
{“error_type”:”ERROR”,”messages”:[{“args”:[“Invalid input certificate : The Subject of the provided certificate does not contain the correct CN value”],”default_message”:”Exception found (Inv
alid input certificate : The Subject of the provided certificate does not contain the correct CN value)”,”id”:”com.vmware.certificatemanagement.error”}]}
The request body has been saved to $global:helpme
A new fresh cert is issued but this sucking vCenter says “no valid” !! I can’t believe that :((
What CN is expected to work in vSphere ?
CN is the domain name of your vCenter which the certificate gets issued to. Have you read my blog?
Hi friend, Yes I read it but my advice is it is impossible to replace the certificate with a custom one. I tried the automated way >> noway CN error. I tried the manual way with another fresh certificate >> same result ! Of course I did that with a normal certificate ( not wildcard one). It does not matter because now I just read that it is impossible to get a remote connection to the console. Nevertheless it is the only time I failed to replace a SSL cert :/
I would be happy to help you further, just message me via Twitter.
Hi, I contacted you via @crog_ed but nos response 🙁
Yes I replied to you.