voltron/NodeMgmt
1
1
Fork 0
Code Issues Pull Requests Releases 1 Activity

Update vCenter-SSL.ps1

Browse Source
This commit is contained in:
David Schroeder
2025-11-15 18:50:05 -06:00
parent d3bc931565
commit 13abb3b808
1 changed files with 183 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

249
inc/vCenter-SSL.ps1
View File

@@ -1,49 +1,106 @@
#!/usr/bin/env pwsh #!/usr/bin/env pwsh
# Integrated, Linux-safe vCenter + Posh-ACME script
# - Uses Accept-Encoding: identity to avoid GZipDecompressedContent disposal bugs
# - Safe Show-Failure that won't try to read disposed streams
# - Option A: vCenter session POST with NO body
# - Defensive file/content reads and clearer logging
. /opt/idssys/nodemgmt/conf/powerwall/settings.ps1 . /opt/idssys/nodemgmt/conf/powerwall/settings.ps1
# ---------------------------- # ----------------------------
# Error handler # Global variables for troubleshooting
# ----------------------------
$global:helpme = $null
$global:responseBody = $null
# ----------------------------
# Error handler (robust across platforms)
# ---------------------------- # ----------------------------
function Show-Failure { function Show-Failure {
param($ErrorRecord) param([System.Management.Automation.ErrorRecord]$ErrorRecord)
$global:responseBody = "<No response body available>"
try { try {
$response = $ErrorRecord.Exception.Response $ex = $ErrorRecord.Exception
if ($response -is [System.Net.Http.HttpResponseMessage]) {
$global:responseBody = $response.Content.ReadAsStringAsync().Result # If the exception contains an HttpResponseMessage (PowerShell Core)
if ($ex.Response -is [System.Net.Http.HttpResponseMessage]) {
$resp = $ex.Response
if ($resp -and $resp.Content) {
try {
# Safe synchronous read of async task
$global:responseBody = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
}
catch {
# If content was disposed or unreadable, capture the message
$global:responseBody = "<Failed to read HTTP content: $($_.Exception.Message)>"
}
}
else {
$global:responseBody = "<HTTP response had no content>"
}
} }
elseif ($response -is [System.Net.WebResponse]) { # Legacy WebResponse (rare with pwsh, but handle anyway)
$stream = $response.GetResponseStream() elseif ($ex.Response -is [System.Net.WebResponse]) {
$reader = New-Object System.IO.StreamReader($stream) try {
$global:responseBody = $reader.ReadToEnd() $stream = $ex.Response.GetResponseStream()
if ($stream) {
$reader = [System.IO.StreamReader]::new($stream)
$global:responseBody = $reader.ReadToEnd()
}
else {
$global:responseBody = "<WebResponse had no stream>"
}
}
catch {
$global:responseBody = "<Failed to read WebResponse: $($_.Exception.Message)>"
}
} }
else { else {
$global:responseBody = $ErrorRecord.Exception.Message # default to exception message if no response object present
$global:responseBody = $ex.Message
} }
} }
catch { catch {
$global:responseBody = $_.Exception.Message $global:responseBody = "<Error extracting failure detail: $($_.Exception.Message)>"
} }
Write-Host -BackgroundColor Black -ForegroundColor Red "Status: A system exception was caught." # Save for later inspection
Write-Host -BackgroundColor Black -ForegroundColor Red $global:responseBody $global:helpme = $global:responseBody
Write-Host -BackgroundColor Black -ForegroundColor Red "The request body has been saved to `$global:helpme"
break Write-Host "----------------------------------------" -ForegroundColor Red
Write-Host "Status: A system exception was caught." -ForegroundColor Red
Write-Host $global:responseBody -ForegroundColor Red
Write-Host "The request/response body has been saved to `$global:helpme" -ForegroundColor Red
Write-Host "----------------------------------------" -ForegroundColor Red
# Terminate script (consistent and explicit)
exit 1
} }
# ---------------------------- # ----------------------------
# Unified REST wrapper (TLS 1.2 + skip cert check) # Unified REST wrapper (TLS 1.2 + skip cert check + gzip-safe)
# ---------------------------- # ----------------------------
function Invoke-SafeRestMethod { function Invoke-SafeRestMethod {
param( param(
[string]$Uri, [Parameter(Mandatory=$true)][string]$Uri,
[string]$Method = 'Get', [string]$Method = 'Get',
[hashtable]$Headers, [hashtable]$Headers,
$Body, $Body,
[switch]$AsJson [switch]$AsJson,
[int]$TimeoutSec = 60
) )
try { try {
if (-not $Headers) { $Headers = @{} }
# Force identity encoding to avoid GZip decompression disposal bugs on pwsh
if (-not $Headers.ContainsKey('Accept-Encoding')) {
$Headers['Accept-Encoding'] = 'identity'
}
$params = @{ $params = @{
Uri = $Uri Uri = $Uri
Method = $Method Method = $Method
@@ -51,13 +108,16 @@ function Invoke-SafeRestMethod {
SslProtocol = 'Tls12' SslProtocol = 'Tls12'
SkipCertificateCheck = $true SkipCertificateCheck = $true
ErrorAction = 'Stop' ErrorAction = 'Stop'
TimeoutSec = $TimeoutSec
} }
if ($Body) { if ($PSBoundParameters.ContainsKey('Body') -and $Body -ne $null) {
if ($AsJson) { if ($AsJson) {
$params.Body = ($Body | ConvertTo-Json -Depth 10 -Compress) # Convert to JSON with reasonable depth for certificates etc.
$params.Body = $Body | ConvertTo-Json -Depth 12 -Compress
$params.ContentType = 'application/json' $params.ContentType = 'application/json'
} else { }
else {
$params.Body = $Body $params.Body = $Body
} }
} }
@@ -65,13 +125,13 @@ function Invoke-SafeRestMethod {
return Invoke-RestMethod @params return Invoke-RestMethod @params
} }
catch { catch {
# Provide the full ErrorRecord to Show-Failure
Show-Failure -ErrorRecord $_ Show-Failure -ErrorRecord $_
exit 1
} }
} }
# ---------------------------- # ----------------------------
# Variables # Variables (pulled from settings.ps1)
# ---------------------------- # ----------------------------
$vCenterURL = $VCENTERHOST $vCenterURL = $VCENTERHOST
$CommonName = $VCENTERHOST $CommonName = $VCENTERHOST
@@ -81,45 +141,61 @@ $EmailContact = $ACMEEMAIL
$pArgs = @{ $pArgs = @{
PowerDNSApiHost = $WDNSHOST PowerDNSApiHost = $WDNSHOST
PowerDNSApiKey = $PDNSAPI | ConvertTo-SecureString -AsPlainText -Force PowerDNSApiKey = $PDNSAPI # keep as plain string for plugin
PowerDNSUseTLS = $true PowerDNSUseTLS = $true
PowerDNSPort = 443 PowerDNSPort = 443
PowerDNSServerName = 'localhost' PowerDNSServerName = 'localhost'
} }
# ---------------------------- # ----------------------------
# Ensure Posh-ACME Module # Ensure Posh-ACME Module (install if missing, then import)
# ---------------------------- # ----------------------------
Write-Host "Checking for Required Module Posh-ACME" -ForegroundColor Green Write-Host "Checking for Required Module Posh-ACME" -ForegroundColor Green
if (Get-Module -ListAvailable -Name Posh-ACME) { if (Get-Module -ListAvailable -Name Posh-ACME) {
Write-Host "Posh-ACME Module Already Installed" -ForegroundColor Green Write-Host "Posh-ACME Module Already Installed" -ForegroundColor Green
} } else {
else {
Write-Host "Posh-ACME Module Not Found, Installing..." -ForegroundColor Yellow Write-Host "Posh-ACME Module Not Found, Installing..." -ForegroundColor Yellow
Install-Module -Name Posh-ACME -Force -Confirm:$false Install-Module -Name Posh-ACME -Force -Confirm:$false -Scope AllUsers
Write-Host "Please restart this script after module install." -ForegroundColor Yellow Write-Host "Posh-ACME installed. Continuing..." -ForegroundColor Green
return
} }
Do { # Try to import module (loop until available)
Write-Host "Waiting for Posh-ACME Module to load..." -ForegroundColor Cyan $importAttempts = 0
$PoshACME = Get-Module -ListAvailable -Name Posh-ACME do {
Start-Sleep -Seconds 5 try {
} Import-Module Posh-ACME -ErrorAction Stop
While ($PoshACME -eq $null) }
catch {
$importAttempts++
if ($importAttempts -ge 6) {
Write-Host "Unable to import Posh-ACME after multiple attempts." -ForegroundColor Red
Show-Failure -ErrorRecord $_
}
Write-Host "Waiting for Posh-ACME module to become available..." -ForegroundColor Cyan
Start-Sleep -Seconds 5
}
} while (-not (Get-Module -Name Posh-ACME))
Write-Host "Posh-ACME module loaded." -ForegroundColor Green
# ---------------------------- # ----------------------------
# vCenter API Session # vCenter API Session (Option A: POST with NO body)
# ---------------------------- # ----------------------------
$loginUri = "https://$vCenterURL/rest/com/vmware/cis/session" $loginUri = "https://$vCenterURL/rest/com/vmware/cis/session"
$session = Invoke-SafeRestMethod -Uri $loginUri -Method Post -Headers @{ } -Body @{ } -AsJson
$sessionToken = $session.value
if (-not $sessionToken) { Write-Host "Connecting to vCenter at $vCenterURL ..." -ForegroundColor Cyan
$sessionResponse = Invoke-SafeRestMethod -Uri $loginUri -Method Post -Headers @{}
if (-not $sessionResponse) {
Write-Error "Unable to get Session Token, Terminating Script" Write-Error "Unable to get Session Token, Terminating Script"
exit 1 exit 1
} }
$sessionToken = $sessionResponse.value
if (-not $sessionToken) {
Write-Error "Unable to get Session Token value, Terminating Script"
exit 1
}
Write-Host "Connected to vCenter API. Session established." -ForegroundColor Green Write-Host "Connected to vCenter API. Session established." -ForegroundColor Green
# ---------------------------- # ----------------------------
@@ -127,13 +203,17 @@ Write-Host "Connected to vCenter API. Session established." -ForegroundColor Gre
# ---------------------------- # ----------------------------
$headers = @{ 'vmware-api-session-id' = $sessionToken } $headers = @{ 'vmware-api-session-id' = $sessionToken }
$vmList = Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/vm" -Headers $headers $vmList = Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/vm" -Headers $headers
Write-Host "Retrieved VM list from vCenter:" -ForegroundColor Cyan if ($vmList -and $vmList.value) {
$vmList.value | ForEach-Object { Write-Host " - $($_.name)" } Write-Host "Retrieved VM list from vCenter:" -ForegroundColor Cyan
$vmList.value | ForEach-Object { Write-Host " - $($_.name)" }
} else {
Write-Host "No VMs returned or unable to retrieve VM list." -ForegroundColor Yellow
}
# ---------------------------- # ----------------------------
# PowerDNS Integration (via Posh-ACME plugin args) # PowerDNS Integration (via Posh-ACME plugin args)
# ---------------------------- # ----------------------------
Write-Host "Configuring PowerDNS with Posh-ACME" -ForegroundColor Green Write-Host "Configuring PowerDNS plugin args for Posh-ACME" -ForegroundColor Green
$pArgs = @{ $pArgs = @{
PowerDNSApiHost = $WDNSHOST PowerDNSApiHost = $WDNSHOST
PowerDNSApiKey = $PDNSAPI PowerDNSApiKey = $PDNSAPI
@@ -142,58 +222,95 @@ $pArgs = @{
PowerDNSServerName = 'localhost' PowerDNSServerName = 'localhost'
} }
# ----------------------------
# Example ACME order with DNS plugin # Example ACME order with DNS plugin
# ----------------------------
$certName = "vcenter-cert" $certName = "vcenter-cert"
New-PACertificate $CommonName -DnsPlugin PowerDNS -PluginArgs $pArgs -Contact $EmailContact -AcceptTOS -Verbose Write-Host "Requesting certificate for $CommonName using PowerDNS plugin..." -ForegroundColor Cyan
# ---------------------------- # Wrap in try/catch to present friendly errors
# Push certificate back to vCenter (example) try {
# ---------------------------- New-PACertificate -Domain $CommonName -DnsPlugin PowerDNS -PluginArgs $pArgs -Contact $EmailContact -AcceptTOS -Verbose -Force
$certPath = (Join-Path -Path (Get-PAAccount).CertFolder -ChildPath "$certName\cert.pem") Write-Host "ACME certificate request completed (or is present)." -ForegroundColor Green
$keyPath = (Join-Path -Path (Get-PAAccount).CertFolder -ChildPath "$certName\privkey.pem") }
$chainPath = (Join-Path -Path (Get-PAAccount).CertFolder -ChildPath "$certName\chain.pem") catch {
Show-Failure -ErrorRecord $_
# Upload cert (example REST call to vCenter CertMgmt API)
$uploadUri = "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls"
$headers = @{ 'vmware-api-session-id' = $sessionToken }
$body = @{
cert = Get-Content -Path $certPath -Raw
key = Get-Content -Path $keyPath -Raw
chain = Get-Content -Path $chainPath -Raw
} }
Invoke-SafeRestMethod -Uri $uploadUri -Method Post -Headers $headers -Body $body -AsJson # ----------------------------
Write-Host "New TLS certificate uploaded to vCenter" -ForegroundColor Green # Collect certificate paths from current Posh-ACME account
# ----------------------------
try {
$paAccount = Get-PAAccount
if (-not $paAccount) {
throw "Get-PAAccount returned no account information."
}
$certFolder = $paAccount.CertFolder
$certPath = Join-Path -Path $certFolder -ChildPath "$certName\cert.pem"
$keyPath = Join-Path -Path $certFolder -ChildPath "$certName\privkey.pem"
$chainPath = Join-Path -Path $certFolder -ChildPath "$certName\chain.pem"
foreach ($f in @($certPath, $keyPath, $chainPath)) {
if (-not (Test-Path $f)) {
throw "Required certificate file not found: $f"
}
}
}
catch {
Show-Failure -ErrorRecord $_
}
# ----------------------------
# Push certificate back to vCenter (REST API expects JSON)
# ----------------------------
Write-Host "Uploading certificate to vCenter..." -ForegroundColor Cyan
try {
$uploadUri = "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls"
$headers = @{ 'vmware-api-session-id' = $sessionToken }
$body = @{
cert = (Get-Content -Path $certPath -Raw)
key = (Get-Content -Path $keyPath -Raw)
chain = (Get-Content -Path $chainPath -Raw)
}
Invoke-SafeRestMethod -Uri $uploadUri -Method Post -Headers $headers -Body $body -AsJson
Write-Host "New TLS certificate uploaded to vCenter" -ForegroundColor Green
}
catch {
Show-Failure -ErrorRecord $_
}
# ---------------------------- # ----------------------------
# Apply certificate to vCenter # Apply certificate to vCenter
# ---------------------------- # ----------------------------
try { try {
Write-Host "Applying new TLS certificate to vCenter..." -ForegroundColor Cyan
$applyUri = "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls?action=apply" $applyUri = "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls?action=apply"
$headers = @{ 'vmware-api-session-id' = $sessionToken } $headers = @{ 'vmware-api-session-id' = $sessionToken }
Invoke-SafeRestMethod -Uri $applyUri -Method Post -Headers $headers Invoke-SafeRestMethod -Uri $applyUri -Method Post -Headers $headers
Write-Host "New TLS certificate applied to vCenter" -ForegroundColor Green Write-Host "New TLS certificate applied to vCenter (action requested)." -ForegroundColor Green
} }
catch { catch {
Show-Failure -ErrorRecord $_ Show-Failure -ErrorRecord $_
exit 1
} }
# ---------------------------- # ----------------------------
# Restart vCenter Services (optional) # Restart vCenter Services (optional)
# ---------------------------- # ----------------------------
try { try {
Write-Host "Restarting vCenter service (vpxd)..." -ForegroundColor Yellow
$restartUri = "https://$vCenterURL/rest/appliance/system/services/vpxd?action=restart" $restartUri = "https://$vCenterURL/rest/appliance/system/services/vpxd?action=restart"
$headers = @{ 'vmware-api-session-id' = $sessionToken } $headers = @{ 'vmware-api-session-id' = $sessionToken }
Invoke-SafeRestMethod -Uri $restartUri -Method Post -Headers $headers Invoke-SafeRestMethod -Uri $restartUri -Method Post -Headers $headers
Write-Host "vCenter service restart initiated (vpxd)" -ForegroundColor Yellow Write-Host "vCenter service restart initiated (vpxd)." -ForegroundColor Yellow
Write-Host "Note: UI/API may briefly be unavailable while services restart." -ForegroundColor Yellow Write-Host "Note: UI/API may briefly be unavailable while services restart." -ForegroundColor Yellow
} }
catch { catch {
Show-Failure -ErrorRecord $_ Show-Failure -ErrorRecord $_
exit 1
} }
Write-Host "Script completed." -ForegroundColor Green