In the past, I’ve posted some guides for replacing the default self-signed vCenter certificate with a free, trusted Let’s Encrypt 90 Day certificate. I recently started to look into generating the free SSL using an ACME client and stumbled across this PowerShell module Posh-ACME (Credit to Ryan Bolger – https://github.com/rmbolger for this module). I decided to develop this easy-to-use PowerShell script Install-vCenterSSL.ps1 which generates certificates and then formats and replaces the default certificate directly to a vCenter server with minimal effort.
Prerequisites
- Download my Install-vCenterSSL.ps1 Script, can be found on my Github page here.
- The script requires internet access to generate the certificate.
- Ability to create a DNS TXT record to validate domain ownership.
- vCenter account with administrator privileges.
- Highly recommended to take a snapshot or backup of your vCenter server.
Step 1 – Update Script Variables
Download the script but, before running it, update the parameters at the top of the script.
Step 2 – Entering vCenter Credentials
Enter vCenter credentials when prompted.
Step 3 – DNS Challenge Validation
This is really the only manual step that’s required. When prompted, you will need to create the following TXT record on DNS provider.
Alternatively, you can automate the DNS Challenge Validation to by using one of the many supported plugins found here on Ryan Bolger’s Github repository.
Step 4 – DNS Propagation Timer
Press any key to continue and the 2 minute sleep timer will start, waiting for DNS to propagate.
Step 5 – vCenter Certificate Validation
Once your domain ownership is confirmed, the certificates will be generated, converted and installed directly to your vCenter using the Rest API. After this operation completes, the services using the certificate will be restarted for the new certificate to take effect.
Optional Step – Use Previously Generated SSL
If you have previously generated an SSL that is valid, the script should detect it and provide the option to reuse it.
Thanks for reading, and, I hope you found this useful, feel free to comment below. If you found any bugs please raise an issue here.
Follow @nmangraviti
thanks. its GREAT !!!!
7 4ever.
the more i see of big brother/ the more i am glad i was an orphan…just one more shot/ ooppsdate.
Hi,
thanks for this great script. i get the bellow error when run the script:
_________________________________________________
Failed to Replace Certificate, Terminating Script
At line:1 char:1
+ .\Install-vCenterSSL.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-vCenterSSL.ps1
Status: A system exception was caught.
The request body has been saved to $global:helpme
________________________________________________
Hi Shab, what version of vCenter and Powershell are you using?
This is great!! Now just need it to be able to run as a scheduled task. 🙂 When the 90 days is up, do you have to update the txt record? Or does it stay static?
Hi!
The script worked fine on the installation of the certificate the first time.
Now the cert is expired and I wanted to replace it with a fresh and new one.
What I got is similar to the previous posting:
C:\Users\Administrator\Desktop\install.ps1 : Failed to Replace Certificate, Terminating Script
In Zeile:1 Zeichen:1
+ .\install.ps1
+ ~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,install.ps1
Status: A system exception was caught.
{“error_type”:”ERROR”,”messages”:[{“args”:[“create trusted root chain failed : AFD Native Error Occured: 11″],”default_message”:”Exception found (create trusted root chain failed : AFD Native Error Occured: 11)”,”id”:”com.vmware.certificatemanagement.error”}]}
The request body has been saved to $global:helpme
Any ideas how to fix it?
Addon to my last posting:
after using /usr/lib/vmware-vmca/bin/certificate-manager on vSphere and choosing option 3 I was able to use the script and create a new certificate with Letsencrypt and everything is running good and smooth again. Maybe this might help to examine the issue.
Cheers
Hello,
Thank you for sharing such a cool script
Happy Holidays !
Please excuse my noob question
but i can’t even connect to a vmWare PowerCli
i get an error when i try to connect to vcenter from MacOS : Connect-VIServer -Server IP
Permission to perform this operation was denied. Required privileges: ‘Folder-group-d1’ : ‘System.View’
do i need to create a user and set some privileges ?
thx
Yep that sounds like a vCenter permission, what user are you trying to connect with?
thank you for getting back so fast)
with root
what privileges shall a user have to complete the task?
No, you would want to connect with an sso account, perhaps administrator@vsphere.local
thx , worked like a charm)