voltron/NodeMgmt
1
1
Fork 0
Code Issues Pull Requests Releases 1 Activity

Update vCenter-SSL.ps1

Browse Source
This commit is contained in:
David Schroeder
2025-11-15 18:53:13 -06:00
parent 45b36941db
commit 11f3607cc2
1 changed files with 147 additions and 193 deletions
Download Patch File Download Diff File Expand all files Collapse all files

340
inc/vCenter-SSL.ps1
View File

@@ -1,134 +1,152 @@
#!/usr/bin/env pwsh #!/usr/bin/env pwsh
# -----------------------------------------------------------------------------------
# Linux-safe vCenter + Posh-ACME Script
# - Uses HttpClient with AutomaticDecompression disabled (Fix1)
# - Handles Posh-ACME + PowerDNS plugin
# - Uploads & applies certificates to vCenter
# -----------------------------------------------------------------------------------
. /opt/idssys/nodemgmt/conf/powerwall/settings.ps1 . /opt/idssys/nodemgmt/conf/powerwall/settings.ps1
# ---------------------------- # ----------------------------
# Safe Failure Handler (cross-platform) # Global variables for troubleshooting
# ----------------------------
$global:helpme = $null
$global:responseBody = $null
# ----------------------------
# Error handler (robust across platforms)
# ---------------------------- # ----------------------------
function Show-Failure { function Show-Failure {
param([System.Management.Automation.ErrorRecord]$ErrorRecord) param([System.Management.Automation.ErrorRecord]$ErrorRecord)
$global:helpme = "<No response body available>" $global:responseBody = "<No response body available>"
try { try {
$ex = $ErrorRecord.Exception $ex = $ErrorRecord.Exception
# HttpResponseMessage path (PowerShell Core)
if ($ex.Response -is [System.Net.Http.HttpResponseMessage]) { if ($ex.Response -is [System.Net.Http.HttpResponseMessage]) {
$resp = $ex.Response $resp = $ex.Response
try {
if ($resp -and $resp.Content) { $global:responseBody = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
try {
# Defensive read; won't deadlock and will catch disposed stream
$global:helpme = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
if ([string]::IsNullOrWhiteSpace($global:helpme)) {
$global:helpme = "<HTTP response had an empty body>"
}
}
catch {
$global:helpme = "<Failed to read HTTP content: $($_.Exception.Message)>"
}
} }
else { catch {
$global:helpme = "<HTTP response object had no Content>" $global:responseBody = "<Failed to read HTTP content: $($_.Exception.Message)>"
} }
} }
# Legacy WebResponse path
elseif ($ex.Response -is [System.Net.WebResponse]) { elseif ($ex.Response -is [System.Net.WebResponse]) {
try { try {
$stream = $ex.Response.GetResponseStream() $stream = $ex.Response.GetResponseStream()
if ($stream) { if ($stream) {
$reader = [System.IO.StreamReader]::new($stream) $reader = [System.IO.StreamReader]::new($stream)
$global:helpme = $reader.ReadToEnd() $global:responseBody = $reader.ReadToEnd()
if ([string]::IsNullOrWhiteSpace($global:helpme)) {
$global:helpme = "<WebResponse returned empty body>"
}
} }
else { else {
$global:helpme = "<WebResponse had no stream>" $global:responseBody = "<WebResponse had no stream>"
} }
} }
catch { catch {
$global:helpme = "<Failed to read WebResponse: $($_.Exception.Message)>" $global:responseBody = "<Failed to read WebResponse: $($_.Exception.Message)>"
} }
} }
# Fallback to exception message
else { else {
$global:helpme = $ex.Message $global:responseBody = $ex.Message
} }
} }
catch { catch {
# In case the extraction itself fails $global:responseBody = "<Error extracting failure detail: $($_.Exception.Message)>"
$global:helpme = "<Error extracting failure detail: $($_.Exception.Message)>"
} }
Write-Host -ForegroundColor Red "Status: A system exception was caught." $global:helpme = $global:responseBody
Write-Host -ForegroundColor Red $global:helpme
Write-Host -ForegroundColor Red "The request body has been saved to `$global:helpme" Write-Host "----------------------------------------" -ForegroundColor Red
Write-Host "Status: A system exception was caught." -ForegroundColor Red
Write-Host $global:responseBody -ForegroundColor Red
Write-Host "The request/response body has been saved to `$global:helpme" -ForegroundColor Red
Write-Host "----------------------------------------" -ForegroundColor Red
exit 1 exit 1
} }
# ---------------------------- # ----------------------------
# Unified REST wrapper (TLS 1.2 + disable gzip + skip cert check) # HttpClient wrapper (TLS1.2, skip cert check, no decompression)
# ---------------------------- # ----------------------------
function Invoke-SafeRestMethod { function Invoke-SafeRestMethod {
param( param(
[Parameter(Mandatory=$true)][string]$Uri, [Parameter(Mandatory=$true)][string]$Uri,
[string]$Method = 'Get', [string]$Method = 'GET',
[hashtable]$Headers, [hashtable]$Headers = @{},
$Body, $Body = $null,
[switch]$AsJson, [switch]$AsJson,
[int]$TimeoutSeconds = 60 [int]$TimeoutSec = 60
) )
try { try {
# Ensure headers object # Handler: disable automatic decompression
if (-not $Headers) { $Headers = @{} } $handler = [System.Net.Http.HttpClientHandler]::new()
$handler.AutomaticDecompression = [System.Net.DecompressionMethods]::None
$handler.ServerCertificateCustomValidationCallback = { $true } # Skip cert check
# Avoid gzip → prevents GZipDecompressedContent disposal bugs $client = [System.Net.Http.HttpClient]::new($handler)
if (-not $Headers.ContainsKey("Accept-Encoding")) { $client.Timeout = [System.TimeSpan]::FromSeconds($TimeoutSec)
$Headers["Accept-Encoding"] = "identity"
# Add headers
foreach ($k in $Headers.Keys) {
$client.DefaultRequestHeaders.Remove($k) | Out-Null
$client.DefaultRequestHeaders.Add($k, $Headers[$k])
} }
# Ensure TLS1.2 (covers Windows & Pwsh where ServicePointManager is relevant) # Prepare content
try { if ($Body -ne $null) {
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
}
catch {
# If not applicable on this platform, ignore
}
$params = @{
Uri = $Uri
Method = $Method
Headers = $Headers
SkipCertificateCheck = $true
ErrorAction = 'Stop'
TimeoutSec = $TimeoutSeconds
}
if ($PSBoundParameters.ContainsKey('Body') -and $Body) {
if ($AsJson) { if ($AsJson) {
# ConvertTo-Json can produce arrays/objects -- use moderate depth $jsonBody = $Body | ConvertTo-Json -Depth 12 -Compress
$params.Body = $Body | ConvertTo-Json -Depth 12 -Compress $content = [System.Net.Http.StringContent]::new($jsonBody, [System.Text.Encoding]::UTF8, 'application/json')
$params.ContentType = 'application/json'
} }
else { else {
$params.Body = $Body $content = [System.Net.Http.StringContent]::new($Body)
} }
} }
else {
$content = $null
}
return Invoke-RestMethod @params # Send request
$method = [System.Net.Http.HttpMethod]::$Method
$request = [System.Net.Http.HttpRequestMessage]::new($method, $Uri)
if ($content) { $request.Content = $content }
$response = $client.SendAsync($request).GetAwaiter().GetResult()
$respBody = $null
if ($response.Content -ne $null) {
$respBody = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
}
if ($response.IsSuccessStatusCode) {
# Try to convert JSON if response body exists
if ($respBody -and $respBody.Trim().Length -gt 0) {
try { return $respBody | ConvertFrom-Json }
catch { return $respBody }
}
else {
return $respBody
}
}
else {
throw [System.Net.Http.HttpRequestException]::new("HTTP $($response.StatusCode): $($response.ReasonPhrase)", $null, $response)
}
} }
catch { catch {
Show-Failure -ErrorRecord $_ Show-Failure -ErrorRecord $_
# Show-Failure calls exit 1, so code here shouldn't run, but keep for safety }
throw finally {
$client.Dispose()
$handler.Dispose()
} }
} }
# ---------------------------- # ----------------------------
# Variables (from settings.ps1) # Variables
# ---------------------------- # ----------------------------
$vCenterURL = $VCENTERHOST $vCenterURL = $VCENTERHOST
$CommonName = $VCENTERHOST $CommonName = $VCENTERHOST
@@ -136,7 +154,6 @@ $EmailContact = $ACMEEMAIL
[PSCredential]$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $VCENTERUSER, (ConvertTo-SecureString $VCENTERPASS -AsPlainText -Force) [PSCredential]$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $VCENTERUSER, (ConvertTo-SecureString $VCENTERPASS -AsPlainText -Force)
# Posh-ACME / PowerDNS plugin args (PowerDNSApiKey as plain string)
$pArgs = @{ $pArgs = @{
PowerDNSApiHost = $WDNSHOST PowerDNSApiHost = $WDNSHOST
PowerDNSApiKey = $PDNSAPI PowerDNSApiKey = $PDNSAPI
@@ -149,167 +166,104 @@ $pArgs = @{
# Ensure Posh-ACME Module # Ensure Posh-ACME Module
# ---------------------------- # ----------------------------
Write-Host "Checking for Required Module Posh-ACME" -ForegroundColor Green Write-Host "Checking for Required Module Posh-ACME" -ForegroundColor Green
if (Get-Module -ListAvailable -Name Posh-ACME) { if (-not (Get-Module -ListAvailable -Name Posh-ACME)) {
Write-Host "Posh-ACME Module Already Installed" -ForegroundColor Green
}
else {
Write-Host "Posh-ACME Module Not Found, Installing..." -ForegroundColor Yellow Write-Host "Posh-ACME Module Not Found, Installing..." -ForegroundColor Yellow
Install-Module -Name Posh-ACME -Force -Confirm:$false Install-Module -Name Posh-ACME -Force -Confirm:$false -Scope AllUsers
Write-Host "Please restart this script after module install." -ForegroundColor Yellow
exit 0
}
# Try to import the module (force) and wait until available
Import-Module -Name Posh-ACME -Force -ErrorAction Stop
$maxWaitSec = 30
$waited = 0
Do {
$PoshACME = Get-Module -Name Posh-ACME -ListAvailable
if (-not $PoshACME) {
Write-Host "Waiting for Posh-ACME Module to load..." -ForegroundColor Cyan
Start-Sleep -Seconds 2
$waited += 2
} else {
break
}
}
While ($waited -lt $maxWaitSec)
if (-not $PoshACME) {
Write-Host "Posh-ACME failed to load within $maxWaitSec seconds." -ForegroundColor Red
exit 1
} }
Import-Module Posh-ACME -ErrorAction Stop
Write-Host "Posh-ACME module loaded." -ForegroundColor Green
# ---------------------------- # ----------------------------
# vCenter API Session (Option A: POST with NO body) # vCenter API Session (Option A)
# ---------------------------- # ----------------------------
$loginUri = "https://$vCenterURL/rest/com/vmware/cis/session" $loginUri = "https://$vCenterURL/rest/com/vmware/cis/session"
Write-Host "Connecting to vCenter at $vCenterURL ..." -ForegroundColor Cyan
try { $sessionResponse = Invoke-SafeRestMethod -Uri $loginUri -Method Post -Headers @{}
$session = Invoke-SafeRestMethod -Uri $loginUri -Method Post -Headers @{ } # <-- no body (Option A) if ($sessionResponse -is [string] -or -not $sessionResponse) {
# Session might be in header
$sessionToken = $null
try {
$httpclient = [System.Net.Http.HttpClient]::new()
$req = [System.Net.Http.HttpRequestMessage]::new([System.Net.Http.HttpMethod]::Post, $loginUri)
$resp = $httpclient.SendAsync($req).GetAwaiter().GetResult()
if ($resp.Headers.Contains("vmware-api-session-id")) {
$sessionToken = $resp.Headers.GetValues("vmware-api-session-id") | Select-Object -First 1
}
$httpclient.Dispose()
}
catch {
Show-Failure -ErrorRecord $_
}
} }
catch { else {
# Invoke-SafeRestMethod will call Show-Failure and exit on error $sessionToken = $sessionResponse.value
exit 1
}
# Extract session token
$sessionToken = $null
if ($session -and $session.value) {
$sessionToken = $session.value
} }
if (-not $sessionToken) { if (-not $sessionToken) {
Write-Error "Unable to get Session Token, Terminating Script" Show-Failure -ErrorRecord ([pscustomobject]@{ Exception = [System.Exception] "Unable to get vCenter session token" })
exit 1
} }
Write-Host "Connected to vCenter API. Session established." -ForegroundColor Green Write-Host "Connected to vCenter API. Session established." -ForegroundColor Green
# ---------------------------- # ----------------------------
# Example: Retrieve VMs # Retrieve VM list
# ---------------------------- # ----------------------------
$headers = @{ 'vmware-api-session-id' = $sessionToken } $headers = @{ 'vmware-api-session-id' = $sessionToken }
$vmList = Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/vm" -Method Get -Headers $headers $vmList = Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/vm" -Headers $headers
Write-Host "Retrieved VM list from vCenter:" -ForegroundColor Cyan if ($vmList.value) {
if ($vmList -and $vmList.value) { Write-Host "Retrieved VM list from vCenter:" -ForegroundColor Cyan
$vmList.value | ForEach-Object { Write-Host " - $($_.name)" } $vmList.value | ForEach-Object { Write-Host " - $($_.name)" }
} }
else {
Write-Host "No VMs returned (empty result)" -ForegroundColor Yellow
}
# ---------------------------- # ----------------------------
# PowerDNS Integration (via Posh-ACME plugin args) # PowerDNS / Posh-ACME certificate
# ----------------------------
Write-Host "Configuring PowerDNS with Posh-ACME" -ForegroundColor Green
# Ensure plugin args are plain strings where required
$pArgs = @{
PowerDNSApiHost = $WDNSHOST
PowerDNSApiKey = $PDNSAPI
PowerDNSUseTLS = $true
PowerDNSPort = 443
PowerDNSServerName = 'localhost'
}
# ----------------------------
# Example ACME order with DNS plugin
# ---------------------------- # ----------------------------
$certName = "vcenter-cert" $certName = "vcenter-cert"
try { try {
Write-Host "Requesting certificate for $CommonName via Posh-ACME (PowerDNS plugin)" -ForegroundColor Cyan New-PACertificate -Domain $CommonName -DnsPlugin PowerDNS -PluginArgs $pArgs -Contact $EmailContact -AcceptTOS -Verbose -Force
# This will create the order, perform DNS challenge via plugin args, and fetch certs Write-Host "ACME certificate request completed." -ForegroundColor Green
New-PACertificate -Domain $CommonName -DnsPlugin PowerDNS -PluginArgs $pArgs -Contact $EmailContact -AcceptTOS -Verbose
} }
catch { catch {
Show-Failure -ErrorRecord $_ Show-Failure -ErrorRecord $_
exit 1
} }
# ---------------------------- # ----------------------------
# Push certificate back to vCenter # Collect certificate paths
# ---------------------------- # ----------------------------
try { $paAccount = Get-PAAccount
$paAccount = Get-PAAccount -ErrorAction Stop $certFolder = $paAccount.CertFolder
$certFolder = $paAccount.CertFolder $certPath = Join-Path -Path $certFolder -ChildPath "$certName\cert.pem"
$certPath = Join-Path -Path $certFolder -ChildPath "$certName\cert.pem" $keyPath = Join-Path -Path $certFolder -ChildPath "$certName\privkey.pem"
$keyPath = Join-Path -Path $certFolder -ChildPath "$certName\privkey.pem" $chainPath = Join-Path -Path $certFolder -ChildPath "$certName\chain.pem"
$chainPath = Join-Path -Path $certFolder -ChildPath "$certName\chain.pem" foreach ($f in @($certPath, $keyPath, $chainPath)) {
if (-not (Test-Path $f)) { Show-Failure -ErrorRecord ([pscustomobject]@{ Exception = [System.Exception] "Certificate file missing: $f" }) }
foreach ($p in @($certPath, $keyPath, $chainPath)) {
if (-not (Test-Path -Path $p)) {
Write-Host "Expected certificate file not found: $p" -ForegroundColor Red
throw "Certificate file missing: $p"
}
}
$body = @{
cert = (Get-Content -Path $certPath -Raw)
key = (Get-Content -Path $keyPath -Raw)
chain = (Get-Content -Path $chainPath -Raw)
}
$uploadUri = "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls"
$headers = @{ 'vmware-api-session-id' = $sessionToken }
Invoke-SafeRestMethod -Uri $uploadUri -Method Post -Headers $headers -Body $body -AsJson
Write-Host "New TLS certificate uploaded to vCenter" -ForegroundColor Green
}
catch {
Show-Failure -ErrorRecord $_
exit 1
} }
# ---------------------------- # ----------------------------
# Apply certificate to vCenter # Upload certificate to vCenter
# ---------------------------- # ----------------------------
try { $uploadUri = "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls"
$applyUri = "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls?action=apply" $body = @{
$headers = @{ 'vmware-api-session-id' = $sessionToken } cert = Get-Content -Path $certPath -Raw
key = Get-Content -Path $keyPath -Raw
Invoke-SafeRestMethod -Uri $applyUri -Method Post -Headers $headers chain = Get-Content -Path $chainPath -Raw
Write-Host "New TLS certificate applied to vCenter" -ForegroundColor Green
}
catch {
Show-Failure -ErrorRecord $_
exit 1
} }
Invoke-SafeRestMethod -Uri $uploadUri -Method Post -Headers $headers -Body $body -AsJson
Write-Host "Certificate uploaded to vCenter." -ForegroundColor Green
# ---------------------------- # ----------------------------
# Restart vCenter Services (optional) # Apply certificate
# ---------------------------- # ----------------------------
try { $applyUri = "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls?action=apply"
$restartUri = "https://$vCenterURL/rest/appliance/system/services/vpxd?action=restart" Invoke-SafeRestMethod -Uri $applyUri -Method Post -Headers $headers
$headers = @{ 'vmware-api-session-id' = $sessionToken } Write-Host "TLS certificate applied." -ForegroundColor Green
Invoke-SafeRestMethod -Uri $restartUri -Method Post -Headers $headers # ----------------------------
Write-Host "vCenter service restart initiated (vpxd)" -ForegroundColor Yellow # Restart vCenter vpxd service
Write-Host "Note: UI/API may briefly be unavailable while services restart." -ForegroundColor Yellow # ----------------------------
} $restartUri = "https://$vCenterURL/rest/appliance/system/services/vpxd?action=restart"
catch { Invoke-SafeRestMethod -Uri $restartUri -Method Post -Headers $headers
Show-Failure -ErrorRecord $_ Write-Host "vCenter vpxd service restart requested." -ForegroundColor Yellow
exit 1
}
Write-Host "Script completed." -ForegroundColor Green Write-Host "Script completed successfully." -ForegroundColor Green