Update vCenter-SSL.ps1
@@ -130,6 +130,7 @@ if ($paCert) {
$needNewCert = $true
$needNewCert = $true
} else {
} else {
Write-Log INFO "Skipping issuance — certificate valid >$RenewalWindow days."
Write-Log INFO "Skipping issuance — certificate valid >$RenewalWindow days."
$needNewCert = $false
}
}
} else {
} else {
Write-Log WARN "No existing cert found — issuance required."
Write-Log WARN "No existing cert found — issuance required."
@@ -200,93 +201,95 @@ foreach ($f in @($certPath,$keyPath,$chainPath)) {
}
}
}
}
# ----------------------------
if ($needNewCert) {
# Add CA chain to trusted store (remove duplicates)
# ----------------------------
try {
Write-Log INFO "Cleaning old CA trust entries..."
$issuer = ($paCert.Issuer)
$existingCA = Get-VITrustedCertificate | Where-Object { $_.Subject -eq $issuer }
foreach ($ca in $existingCA) {
Remove-VITrustedCertificate -Certificate $ca -Confirm:$false -ErrorAction SilentlyContinue
}
$pemChain = Get-Content $chainPath -Raw
Write-Log INFO "Adding CA chain to vCenter trust store..."
Add-VITrustedCertificate -PemCertificateOrChain $pemChain -VCenterOnly -Confirm:$false | Out-Null
} catch {
Write-Log WARN "Failed to manage CA trust entries: $($_.Exception.Message)"
}
# ----------------------------
# Compare current vCenter cert
# ----------------------------
$needPush = $true
try {
$vcCert = Get-VIMachineCertificate -VCenterOnly -ErrorAction Stop
Write-Log INFO ("Current vCenter cert: Subject={0} NotAfter={1}" -f $vcCert.Subject, $vcCert.NotValidAfter)
if ($vcCert.Thumbprint -eq $paCert.Thumbprint) {
Write-Log INFO "vCenter already using this certificate."
$needPush = $false
}
} catch {
Write-Log WARN "Unable to read vCenter cert, assuming update required."
}
# ----------------------------
# Apply new certificate
# ----------------------------
if ($needPush) {
Write-Log INFO "Applying new Machine SSL certificate..."
$leafPem = Get-Content $certPath -Raw
$keyPem = Get-Content $keyPath -Raw
try {
Set-VIMachineCertificate -PemCertificate $leafPem -PemKey $keyPem -Confirm:$false | Out-Null
Write-Host "==========================================================="
Write-Host "SUCCESS: vCenter Machine SSL certificate updated." -ForegroundColor Green
Write-Host "==========================================================="
Write-Log INFO "Certificate updated successfully."
# ----------------------------
# ----------------------------
# Restart vpxd service
# Add CA chain to trusted store (remove duplicates)
# ----------------------------
# ----------------------------
try {
try {
Write-Log INFO "Restarting vpxd via Restart-VIApplianceService..."
Write-Log INFO "Cleaning old CA trust entries..."
$svc = Get-VIApplianceService -Name 'vpxd' -ErrorAction Stop
$issuer = ($paCert.Issuer)
$null = $svc | Restart-VIApplianceService -Confirm:$false
$existingCA = Get-VITrustedCertificate | Where-Object { $_.Subject -eq $issuer }
Write-Log INFO "vpxd restarted successfully."
foreach ($ca in $existingCA) {
} catch {
Remove-VITrustedCertificate -Certificate $ca -Confirm:$false -ErrorAction SilentlyContinue
Write-Log WARN "vpxd restart failed: $($_.Exception.Message)"
}
# ----------------------------
# Trigger Veeam rescan
# ----------------------------
if ($VEEAMHOSTSSH) {
try {
Write-Log INFO "Triggering Veeam host rescan on $VEEAMHOSTSSH..."
$veeamCmd = "Rescan-VBREntity -AllHosts"
$sshCmd = "ssh -tq -o ConnectTimeout=3 -o ConnectionAttempts=1 $VEEAMHOSTSSH '$veeamCmd'"
$result = bash -c $sshCmd
Write-Log INFO "Veeam rescan result: $result"
} catch {
Write-Log WARN "Veeam rescan failed: $($_.Exception.Message)"
}
}
$pemChain = Get-Content $chainPath -Raw
Write-Log INFO "Adding CA chain to vCenter trust store..."
Add-VITrustedCertificate -PemCertificateOrChain $pemChain -VCenterOnly -Confirm:$false | Out-Null
} catch {
Write-Log WARN "Failed to manage CA trust entries: $($_.Exception.Message)"
}
}
} catch {
# ----------------------------
Show-Failure $_
# Compare current vCenter cert
}
# ----------------------------
$needPush = $true
try {
$vcCert = Get-VIMachineCertificate -VCenterOnly -ErrorAction Stop
Write-Log INFO ("Current vCenter cert: Subject={0} NotAfter={1}" -f $vcCert.Subject, $vcCert.NotValidAfter)
} else {
if ($vcCert.Thumbprint -eq $paCert.Thumbprint) {
Write-Log INFO "No certificate update needed. Skipping vpxd restart + Veeam rescan."
Write-Log INFO "vCenter already using this certificate."
$needPush = $false
}
} catch {
Write-Log WARN "Unable to read vCenter cert, assuming update required."
}
# ----------------------------
# Apply new certificate
# ----------------------------
if ($needPush) {
Write-Log INFO "Applying new Machine SSL certificate..."
$leafPem = Get-Content $certPath -Raw
$keyPem = Get-Content $keyPath -Raw
try {
Set-VIMachineCertificate -PemCertificate $leafPem -PemKey $keyPem -Confirm:$false | Out-Null
Write-Host "==========================================================="
Write-Host "SUCCESS: vCenter Machine SSL certificate updated." -ForegroundColor Green
Write-Host "==========================================================="
Write-Log INFO "Certificate updated successfully."
# ----------------------------
# Restart vpxd service
# ----------------------------
try {
Write-Log INFO "Restarting vpxd via Restart-VIApplianceService..."
$svc = Get-VIApplianceService -Name 'vpxd' -ErrorAction Stop
$null = $svc | Restart-VIApplianceService -Confirm:$false
Write-Log INFO "vpxd restarted successfully."
} catch {
Write-Log WARN "vpxd restart failed: $($_.Exception.Message)"
}
# ----------------------------
# Trigger Veeam rescan
# ----------------------------
if ($VEEAMHOSTSSH) {
try {
Write-Log INFO "Triggering Veeam host rescan on $VEEAMHOSTSSH..."
$veeamCmd = "Rescan-VBREntity -AllHosts"
$sshCmd = "ssh -tq -o ConnectTimeout=3 -o ConnectionAttempts=1 $VEEAMHOSTSSH '$veeamCmd'"
$result = bash -c $sshCmd
Write-Log INFO "Veeam rescan result: $result"
} catch {
Write-Log WARN "Veeam rescan failed: $($_.Exception.Message)"
}
}
} catch {
Show-Failure $_
}
} else {
Write-Log INFO "No certificate update needed. Skipping vpxd restart + Veeam rescan."
}
}
}
# ----------------------------
# ----------------------------
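Review bot: The `if ($needNewCert) {` guard this hunk appears to introduce around the trust-store update and the vCenter push (the hunk grows from 93 to 95 lines, consistent with that line and a closing brace) ties pushing to issuance, so a certificate that is still valid on disk but not yet installed on vCenter — exactly the case the `$vcCert.Thumbprint -eq $paCert.Thumbprint` comparison exists to detect — is now skipped until the next renewal window; consider gating only issuance on `$needNewCert` and letting the thumbprint comparison alone decide `$needPush`. Separately, `$sshCmd` is built by string interpolation and run through `bash -c`, so any shell metacharacters in `$VEEAMHOSTSSH` are interpreted by bash and a non-zero ssh exit status never reaches the `catch`; invoking ssh directly with separate arguments, `$result = & ssh -tq -o ConnectTimeout=3 -o ConnectionAttempts=1 $VEEAMHOSTSSH $veeamCmd`, followed by `if ($LASTEXITCODE -ne 0) { throw "ssh exited with $LASTEXITCODE" }`, removes both problems. The trust-store section also removes every `Get-VITrustedCertificate` entry whose Subject matches the issuer before the new chain is added, and a failure in `Add-VITrustedCertificate` is only warned about, which can leave vCenter without that CA; adding the chain first and then pruning stale entries would be the safer order.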