From f51834c3b4627c2e3db4d254106bce90cee331de Mon Sep 17 00:00:00 2001 From: David Schroeder Date: Sat, 15 Nov 2025 23:36:55 -0600 Subject: [PATCH] Update vCenter-SSL.ps1 --- inc/vCenter-SSL.ps1 | 112 +++++++++++++++++++++++++++----------------- 1 file changed, 69 insertions(+), 43 deletions(-) diff --git a/inc/vCenter-SSL.ps1 b/inc/vCenter-SSL.ps1 index 647cd343..4e8d301a 100644 --- a/inc/vCenter-SSL.ps1 +++ b/inc/vCenter-SSL.ps1 @@ -1,11 +1,10 @@ #!/usr/bin/env pwsh # ----------------------------------------------------------------------------------- -# vCenter SSL Automation (vCenter 8u3 + Posh-ACME 4.30, Linux/XDG) -# Uses cert.cer / cert.key / fullchain.cer from ~/.config/Posh-ACME -# - Skips ACME if existing cert valid >30 days -# - Rate-limit safe -# - Fingerprint-based vCenter update -# - vpxd restart: try REST, fall back to SSH instructions +# vCenter SSL Automation (Posh-ACME + PowerDNS + vCenter REST CertMgmt) +# - Uses ~/.config/Posh-ACME/LE_PROD/.../vcenter.scity.us +# - Files: cert.cer / cert.key / fullchain.cer +# - vCenter Cert API: /rest/vcenter/certificate-management/vcenter/tls +# - Auth: CIS REST session token (vmware-api-session-id) # ----------------------------------------------------------------------------------- . /opt/idssys/nodemgmt/conf/powerwall/settings.ps1 @@ -105,7 +104,7 @@ Import-Module VMware.PowerCLI -ErrorAction Stop Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false | Out-Null # ---------------------------- -# Connect to vCenter +# Connect to vCenter (PowerCLI) # ---------------------------- try { Write-Log INFO "Connecting to vCenter $VCENTERHOST..." Cyan @@ -113,6 +112,14 @@ try { Show-Banner "Connected to vCenter." SUCCESS } catch { Show-Failure $_ } +# Optional: show VMs just to confirm connectivity +try { + $vms = Get-VM + Write-Log INFO "Retrieved $($vms.Count) VMs from vCenter." Cyan +} catch { + Write-Log WARN "Unable to retrieve VM list, continuing..." Yellow +} + # ---------------------------- # Load Posh-ACME # ---------------------------- @@ -122,7 +129,7 @@ if (-not (Get-Module -ListAvailable Posh-ACME)) { Import-Module Posh-ACME -ErrorAction Stop # ---------------------------- -# ACME / Certificate selection logic +# ACME / certificate selection logic # ---------------------------- $certSuccess = $false $certPath = $keyPath = $chainPath = $null @@ -178,7 +185,7 @@ if (-not $renewCert -and $existingPACert) { # Posh-ACME Linux file layout: # cert.cer - leaf cert # cert.key - private key - # fullchain.cer - cert + chain + # fullchain.cer - cert + chain (we'll use this as chain) $certPath = Join-Path $certFolder "cert.cer" $keyPath = Join-Path $certFolder "cert.key" $chainPath = Join-Path $certFolder "fullchain.cer" @@ -197,7 +204,7 @@ if (-not $renewCert -and $existingPACert) { # Request new ACME certificate if needed # ------------------------------------------------------- if ($renewCert) { - Write-Log INFO "Requesting new ACME certificate..." Cyan + Write-Log INFO "Requesting new ACME certificate via Posh-ACME..." Cyan $securePDNSAPI = if ($PDNSAPI -is [string]) { ConvertTo-SecureString $PDNSAPI -AsPlainText -Force @@ -277,66 +284,87 @@ Write-Log INFO " KEY : $keyPath" Green Write-Log INFO " CHAIN: $chainPath" Green # ------------------------------------------------------- -# vCenter 8u3 certificate API (/api/vcenter/certificate-management/vcenter/tls) +# Create CIS REST session (vmware-api-session-id) # ------------------------------------------------------- -$sessionHeaders = @{ - 'vmware-api-session-id' = $vCenterConn.ExtensionData.Content.SessionManager.SessionId +try { + $loginUri = "https://$VCENTERHOST/rest/com/vmware/cis/session" + $creds = "$VCENTERUSER`:$VCENTERPASS" + $authHeader = "Basic " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($creds)) + + $sessionResponse = Invoke-RestMethod -Uri $loginUri ` + -Method Post ` + -Headers @{ Authorization = $authHeader } ` + -SkipCertificateCheck ` + -ErrorAction Stop + + $sessionToken = $sessionResponse.value + $restHeaders = @{ "vmware-api-session-id" = $sessionToken } + + Write-Log INFO "CIS REST session established." Green +} +catch { + Show-Banner "Failed to create CIS REST session: $($_.Exception.Message)" ERROR + exit 1 } -$vcCertBaseUri = "https://$VCENTERHOST/api/vcenter/certificate-management/vcenter/tls" -$vcCertGetUri = $vcCertBaseUri -$vcCertApplyUri = "$vcCertBaseUri?action=apply" - +# ------------------------------------------------------- +# OPTIONAL: compare fingerprints using REST cert GET +# ------------------------------------------------------- $updateNeeded = $true - try { - $vcResp = Invoke-RestMethod -Uri $vcCertGetUri -Method Get -Headers $sessionHeaders -SkipCertificateCheck -ErrorAction Stop - - $currentPem = $null - if ($vcResp.value -and $vcResp.value.cert) { - $currentPem = $vcResp.value.cert - } elseif ($vcResp.cert) { - $currentPem = $vcResp.cert - } + $getUri = "https://$VCENTERHOST/rest/vcenter/certificate-management/vcenter/tls" + $resp = Invoke-RestMethod -Uri $getUri -Method Get -Headers $restHeaders -SkipCertificateCheck -ErrorAction Stop + $currentPem = $resp.value.cert if ($currentPem) { $currentFp = Get-CertFingerprintFromPem $currentPem $newFp = Get-CertFingerprintFromPem (Get-Content -Raw $certPath) if ($currentFp -and $newFp -and ($currentFp -eq $newFp)) { - Show-Banner "vCenter certificate already matches Posh-ACME certificate." SUCCESS + Show-Banner "vCenter certificate already matches Posh-ACME certificate. No update needed." SUCCESS $updateNeeded = $false } else { Write-Log INFO "vCenter certificate differs from Posh-ACME cert. Update required." Yellow } } else { - Write-Log WARN "vCenter cert API did not return a 'cert' field. Assuming update required." Yellow + Write-Log WARN "vCenter cert GET did not return 'cert'. Assuming update required." Yellow } } catch { - Write-Log WARN "Could not read vCenter certificate via /api endpoint; assuming update required. $($_.Exception.Message)" Yellow + Write-Log WARN "Could not read vCenter certificate via REST; assuming update required. $($_.Exception.Message)" Yellow } # ------------------------------------------------------- -# Upload + apply certificate (vCenter 8u3 API) +# Upload + apply certificate via /rest/vcenter/certificate-management/vcenter/tls # ------------------------------------------------------- $restartNeeded = $false if ($updateNeeded) { try { + $uploadUri = "https://$VCENTERHOST/rest/vcenter/certificate-management/vcenter/tls" + $applyUri = "https://$VCENTERHOST/rest/vcenter/certificate-management/vcenter/tls?action=apply" + $body = @{ cert = Get-Content -Raw $certPath key = Get-Content -Raw $keyPath chain = Get-Content -Raw $chainPath } - Write-Log INFO "Uploading certificate to vCenter via /api/vcenter/certificate-management..." Cyan - Invoke-RestMethod -Uri $vcCertBaseUri -Method Post -Headers $sessionHeaders ` - -ContentType "application/json" -Body ($body | ConvertTo-Json -Compress) -SkipCertificateCheck -ErrorAction Stop + Write-Log INFO "Uploading certificate to vCenter via /rest/vcenter/certificate-management..." Cyan + Invoke-RestMethod -Uri $uploadUri ` + -Method Post ` + -Headers $restHeaders ` + -ContentType "application/json" ` + -Body ($body | ConvertTo-Json -Compress) ` + -SkipCertificateCheck ` + -ErrorAction Stop Write-Log INFO "Applying uploaded certificate..." Cyan - Invoke-RestMethod -Uri $vcCertApplyUri -Method Post -Headers $sessionHeaders ` - -SkipCertificateCheck -ErrorAction Stop + Invoke-RestMethod -Uri $applyUri ` + -Method Post ` + -Headers $restHeaders ` + -SkipCertificateCheck ` + -ErrorAction Stop Show-Banner "Certificate successfully uploaded and applied to vCenter." SUCCESS $restartNeeded = $true @@ -351,7 +379,7 @@ else { } # ------------------------------------------------------- -# Restart vpxd (Option #3: try REST, fallback to SSH instructions) +# Restart vpxd (try REST, then show SSH fallback) # ------------------------------------------------------- if ($restartNeeded) { $maxRetries = 20 @@ -361,10 +389,10 @@ if ($restartNeeded) { for ($i=1; $i -le $maxRetries -and -not $restRestartSucceeded; $i++) { try { - Invoke-RestMethod -Uri $healthUri -Method Get -SkipCertificateCheck -ErrorAction Stop + Invoke-RestMethod -Uri $healthUri -Method Get -Headers $restHeaders -SkipCertificateCheck -ErrorAction Stop Write-Log INFO "Requesting vpxd restart via REST..." Cyan - Invoke-RestMethod -Uri $restartUri -Method Post -SkipCertificateCheck -ErrorAction Stop + Invoke-RestMethod -Uri $restartUri -Method Post -Headers $restHeaders -SkipCertificateCheck -ErrorAction Stop Show-Banner "vpxd restart requested successfully via REST." SUCCESS $restRestartSucceeded = $true } @@ -372,9 +400,8 @@ if ($restartNeeded) { $msg = $_.Exception.Message Write-Log WARN "vpxd REST restart attempt $i/$maxRetries failed: $msg" Yellow - # If 404 or obvious unsupported, no point retrying REST if ($msg -like "*404*" -or $msg -like "*Not Found*") { - Write-Log WARN "vpxd REST endpoint not available (404). Will fall back to SSH instructions." Yellow + Write-Log WARN "vpxd REST endpoint not available (404). Falling back to SSH instructions." Yellow break } @@ -383,9 +410,8 @@ if ($restartNeeded) { } if (-not $restRestartSucceeded) { - Show-Banner "Automatic vpxd restart not confirmed via REST. Please restart manually via SSH." WARN - Write-Log WARN "Manual restart command:" Yellow - Write-Log WARN " ssh root@$VCENTERHOST 'service-control --stop vpxd; service-control --start vpxd'" Yellow + Show-Banner "Automatic vpxd restart not confirmed via REST. Please restart manually via SSH:" WARN + Write-Host " ssh root@$VCENTERHOST 'service-control --stop vpxd; service-control --start vpxd'" -ForegroundColor Yellow } }