voltron/NodeMgmt
1
1
Fork 0
Code Issues Pull Requests Releases 1 Activity

Update vCenter-SSL.ps1

Browse Source
This commit is contained in:
David Schroeder
2025-11-15 23:36:55 -06:00
parent 24edded18f
commit f51834c3b4
1 changed files with 69 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
inc/vCenter-SSL.ps1
View File

@@ -1,11 +1,10 @@
#!/usr/bin/env pwsh #!/usr/bin/env pwsh
# ----------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------
# vCenter SSL Automation (vCenter 8u3 + Posh-ACME 4.30, Linux/XDG) # vCenter SSL Automation (Posh-ACME + PowerDNS + vCenter REST CertMgmt)
# Uses cert.cer / cert.key / fullchain.cer from ~/.config/Posh-ACME # - Uses ~/.config/Posh-ACME/LE_PROD/.../vcenter.scity.us
# - Skips ACME if existing cert valid >30 days # - Files: cert.cer / cert.key / fullchain.cer
# - Rate-limit safe # - vCenter Cert API: /rest/vcenter/certificate-management/vcenter/tls
# - Fingerprint-based vCenter update # - Auth: CIS REST session token (vmware-api-session-id)
# - vpxd restart: try REST, fall back to SSH instructions
# ----------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------
. /opt/idssys/nodemgmt/conf/powerwall/settings.ps1 . /opt/idssys/nodemgmt/conf/powerwall/settings.ps1
@@ -105,7 +104,7 @@ Import-Module VMware.PowerCLI -ErrorAction Stop
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false | Out-Null Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false | Out-Null
# ---------------------------- # ----------------------------
# Connect to vCenter # Connect to vCenter (PowerCLI)
# ---------------------------- # ----------------------------
try { try {
Write-Log INFO "Connecting to vCenter $VCENTERHOST..." Cyan Write-Log INFO "Connecting to vCenter $VCENTERHOST..." Cyan
@@ -113,6 +112,14 @@ try {
Show-Banner "Connected to vCenter." SUCCESS Show-Banner "Connected to vCenter." SUCCESS
} catch { Show-Failure $_ } } catch { Show-Failure $_ }
# Optional: show VMs just to confirm connectivity
try {
$vms = Get-VM
Write-Log INFO "Retrieved $($vms.Count) VMs from vCenter." Cyan
} catch {
Write-Log WARN "Unable to retrieve VM list, continuing..." Yellow
}
# ---------------------------- # ----------------------------
# Load Posh-ACME # Load Posh-ACME
# ---------------------------- # ----------------------------
@@ -122,7 +129,7 @@ if (-not (Get-Module -ListAvailable Posh-ACME)) {
Import-Module Posh-ACME -ErrorAction Stop Import-Module Posh-ACME -ErrorAction Stop
# ---------------------------- # ----------------------------
# ACME / Certificate selection logic # ACME / certificate selection logic
# ---------------------------- # ----------------------------
$certSuccess = $false $certSuccess = $false
$certPath = $keyPath = $chainPath = $null $certPath = $keyPath = $chainPath = $null
@@ -178,7 +185,7 @@ if (-not $renewCert -and $existingPACert) {
# Posh-ACME Linux file layout: # Posh-ACME Linux file layout:
# cert.cer - leaf cert # cert.cer - leaf cert
# cert.key - private key # cert.key - private key
# fullchain.cer - cert + chain # fullchain.cer - cert + chain (we'll use this as chain)
$certPath = Join-Path $certFolder "cert.cer" $certPath = Join-Path $certFolder "cert.cer"
$keyPath = Join-Path $certFolder "cert.key" $keyPath = Join-Path $certFolder "cert.key"
$chainPath = Join-Path $certFolder "fullchain.cer" $chainPath = Join-Path $certFolder "fullchain.cer"
@@ -197,7 +204,7 @@ if (-not $renewCert -and $existingPACert) {
# Request new ACME certificate if needed # Request new ACME certificate if needed
# ------------------------------------------------------- # -------------------------------------------------------
if ($renewCert) { if ($renewCert) {
Write-Log INFO "Requesting new ACME certificate..." Cyan Write-Log INFO "Requesting new ACME certificate via Posh-ACME..." Cyan
$securePDNSAPI = if ($PDNSAPI -is [string]) { $securePDNSAPI = if ($PDNSAPI -is [string]) {
ConvertTo-SecureString $PDNSAPI -AsPlainText -Force ConvertTo-SecureString $PDNSAPI -AsPlainText -Force
@@ -277,66 +284,87 @@ Write-Log INFO " KEY : $keyPath" Green
Write-Log INFO " CHAIN: $chainPath" Green Write-Log INFO " CHAIN: $chainPath" Green
# ------------------------------------------------------- # -------------------------------------------------------
# vCenter 8u3 certificate API (/api/vcenter/certificate-management/vcenter/tls) # Create CIS REST session (vmware-api-session-id)
# ------------------------------------------------------- # -------------------------------------------------------
$sessionHeaders = @{ try {
'vmware-api-session-id' = $vCenterConn.ExtensionData.Content.SessionManager.SessionId $loginUri = "https://$VCENTERHOST/rest/com/vmware/cis/session"
$creds = "$VCENTERUSER`:$VCENTERPASS"
$authHeader = "Basic " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($creds))
$sessionResponse = Invoke-RestMethod -Uri $loginUri `
-Method Post `
-Headers @{ Authorization = $authHeader } `
-SkipCertificateCheck `
-ErrorAction Stop
$sessionToken = $sessionResponse.value
$restHeaders = @{ "vmware-api-session-id" = $sessionToken }
Write-Log INFO "CIS REST session established." Green
}
catch {
Show-Banner "Failed to create CIS REST session: $($_.Exception.Message)" ERROR
exit 1
} }
$vcCertBaseUri = "https://$VCENTERHOST/api/vcenter/certificate-management/vcenter/tls" # -------------------------------------------------------
$vcCertGetUri = $vcCertBaseUri # OPTIONAL: compare fingerprints using REST cert GET
$vcCertApplyUri = "$vcCertBaseUri?action=apply" # -------------------------------------------------------
$updateNeeded = $true $updateNeeded = $true
try { try {
$vcResp = Invoke-RestMethod -Uri $vcCertGetUri -Method Get -Headers $sessionHeaders -SkipCertificateCheck -ErrorAction Stop $getUri = "https://$VCENTERHOST/rest/vcenter/certificate-management/vcenter/tls"
$resp = Invoke-RestMethod -Uri $getUri -Method Get -Headers $restHeaders -SkipCertificateCheck -ErrorAction Stop
$currentPem = $null
if ($vcResp.value -and $vcResp.value.cert) {
$currentPem = $vcResp.value.cert
} elseif ($vcResp.cert) {
$currentPem = $vcResp.cert
}
$currentPem = $resp.value.cert
if ($currentPem) { if ($currentPem) {
$currentFp = Get-CertFingerprintFromPem $currentPem $currentFp = Get-CertFingerprintFromPem $currentPem
$newFp = Get-CertFingerprintFromPem (Get-Content -Raw $certPath) $newFp = Get-CertFingerprintFromPem (Get-Content -Raw $certPath)
if ($currentFp -and $newFp -and ($currentFp -eq $newFp)) { if ($currentFp -and $newFp -and ($currentFp -eq $newFp)) {
Show-Banner "vCenter certificate already matches Posh-ACME certificate." SUCCESS Show-Banner "vCenter certificate already matches Posh-ACME certificate. No update needed." SUCCESS
$updateNeeded = $false $updateNeeded = $false
} else { } else {
Write-Log INFO "vCenter certificate differs from Posh-ACME cert. Update required." Yellow Write-Log INFO "vCenter certificate differs from Posh-ACME cert. Update required." Yellow
} }
} else { } else {
Write-Log WARN "vCenter cert API did not return a 'cert' field. Assuming update required." Yellow Write-Log WARN "vCenter cert GET did not return 'cert'. Assuming update required." Yellow
} }
} }
catch { catch {
Write-Log WARN "Could not read vCenter certificate via /api endpoint; assuming update required. $($_.Exception.Message)" Yellow Write-Log WARN "Could not read vCenter certificate via REST; assuming update required. $($_.Exception.Message)" Yellow
} }
# ------------------------------------------------------- # -------------------------------------------------------
# Upload + apply certificate (vCenter 8u3 API) # Upload + apply certificate via /rest/vcenter/certificate-management/vcenter/tls
# ------------------------------------------------------- # -------------------------------------------------------
$restartNeeded = $false $restartNeeded = $false
if ($updateNeeded) { if ($updateNeeded) {
try { try {
$uploadUri = "https://$VCENTERHOST/rest/vcenter/certificate-management/vcenter/tls"
$applyUri = "https://$VCENTERHOST/rest/vcenter/certificate-management/vcenter/tls?action=apply"
$body = @{ $body = @{
cert = Get-Content -Raw $certPath cert = Get-Content -Raw $certPath
key = Get-Content -Raw $keyPath key = Get-Content -Raw $keyPath
chain = Get-Content -Raw $chainPath chain = Get-Content -Raw $chainPath
} }
Write-Log INFO "Uploading certificate to vCenter via /api/vcenter/certificate-management..." Cyan Write-Log INFO "Uploading certificate to vCenter via /rest/vcenter/certificate-management..." Cyan
Invoke-RestMethod -Uri $vcCertBaseUri -Method Post -Headers $sessionHeaders ` Invoke-RestMethod -Uri $uploadUri `
-ContentType "application/json" -Body ($body | ConvertTo-Json -Compress) -SkipCertificateCheck -ErrorAction Stop -Method Post `
-Headers $restHeaders `
-ContentType "application/json" `
-Body ($body | ConvertTo-Json -Compress) `
-SkipCertificateCheck `
-ErrorAction Stop
Write-Log INFO "Applying uploaded certificate..." Cyan Write-Log INFO "Applying uploaded certificate..." Cyan
Invoke-RestMethod -Uri $vcCertApplyUri -Method Post -Headers $sessionHeaders ` Invoke-RestMethod -Uri $applyUri `
-SkipCertificateCheck -ErrorAction Stop -Method Post `
-Headers $restHeaders `
-SkipCertificateCheck `
-ErrorAction Stop
Show-Banner "Certificate successfully uploaded and applied to vCenter." SUCCESS Show-Banner "Certificate successfully uploaded and applied to vCenter." SUCCESS
$restartNeeded = $true $restartNeeded = $true
@@ -351,7 +379,7 @@ else {
} }
# ------------------------------------------------------- # -------------------------------------------------------
# Restart vpxd (Option #3: try REST, fallback to SSH instructions) # Restart vpxd (try REST, then show SSH fallback)
# ------------------------------------------------------- # -------------------------------------------------------
if ($restartNeeded) { if ($restartNeeded) {
$maxRetries = 20 $maxRetries = 20
@@ -361,10 +389,10 @@ if ($restartNeeded) {
for ($i=1; $i -le $maxRetries -and -not $restRestartSucceeded; $i++) { for ($i=1; $i -le $maxRetries -and -not $restRestartSucceeded; $i++) {
try { try {
Invoke-RestMethod -Uri $healthUri -Method Get -SkipCertificateCheck -ErrorAction Stop Invoke-RestMethod -Uri $healthUri -Method Get -Headers $restHeaders -SkipCertificateCheck -ErrorAction Stop
Write-Log INFO "Requesting vpxd restart via REST..." Cyan Write-Log INFO "Requesting vpxd restart via REST..." Cyan
Invoke-RestMethod -Uri $restartUri -Method Post -SkipCertificateCheck -ErrorAction Stop Invoke-RestMethod -Uri $restartUri -Method Post -Headers $restHeaders -SkipCertificateCheck -ErrorAction Stop
Show-Banner "vpxd restart requested successfully via REST." SUCCESS Show-Banner "vpxd restart requested successfully via REST." SUCCESS
$restRestartSucceeded = $true $restRestartSucceeded = $true
} }
@@ -372,9 +400,8 @@ if ($restartNeeded) {
$msg = $_.Exception.Message $msg = $_.Exception.Message
Write-Log WARN "vpxd REST restart attempt $i/$maxRetries failed: $msg" Yellow Write-Log WARN "vpxd REST restart attempt $i/$maxRetries failed: $msg" Yellow
# If 404 or obvious unsupported, no point retrying REST
if ($msg -like "*404*" -or $msg -like "*Not Found*") { if ($msg -like "*404*" -or $msg -like "*Not Found*") {
Write-Log WARN "vpxd REST endpoint not available (404). Will fall back to SSH instructions." Yellow Write-Log WARN "vpxd REST endpoint not available (404). Falling back to SSH instructions." Yellow
break break
} }
@@ -383,9 +410,8 @@ if ($restartNeeded) {
} }
if (-not $restRestartSucceeded) { if (-not $restRestartSucceeded) {
Show-Banner "Automatic vpxd restart not confirmed via REST. Please restart manually via SSH." WARN Show-Banner "Automatic vpxd restart not confirmed via REST. Please restart manually via SSH:" WARN
Write-Log WARN "Manual restart command:" Yellow Write-Host " ssh root@$VCENTERHOST 'service-control --stop vpxd; service-control --start vpxd'" -ForegroundColor Yellow
Write-Log WARN " ssh root@$VCENTERHOST 'service-control --stop vpxd; service-control --start vpxd'" Yellow
} }
} }