#!/usr/bin/env pwsh # ----------------------------------------------------------------------------------- # Linux-safe vCenter + Posh-ACME Script (Fully Fixed) # - SSL validation bypass (Linux-compatible) # - Proper ErrorRecord handling # - PowerDNS plugin works (plain string API key) # - Fault-tolerant certificate handling # ----------------------------------------------------------------------------------- . /opt/idssys/nodemgmt/conf/powerwall/settings.ps1 # ---------------------------- # Global variables for troubleshooting # ---------------------------- $global:helpme = $null $global:responseBody = $null # ---------------------------- # Error handler # ---------------------------- function Show-Failure { param([System.Management.Automation.ErrorRecord]$ErrorRecord) $global:responseBody = "" try { $ex = $ErrorRecord.Exception if ($ex.Response -is [System.Net.Http.HttpResponseMessage]) { try { $global:responseBody = $ex.Response.Content.ReadAsStringAsync().GetAwaiter().GetResult() } catch { $global:responseBody = "" } } elseif ($ex.Response -is [System.Net.WebResponse]) { try { $stream = $ex.Response.GetResponseStream() if ($stream) { $global:responseBody = [System.IO.StreamReader]::new($stream).ReadToEnd() } } catch { $global:responseBody = "" } } else { $global:responseBody = $ex.Message } } catch { $global:responseBody = "" } $global:helpme = $global:responseBody Write-Host "----------------------------------------" -ForegroundColor Red Write-Host "Status: A system exception was caught." -ForegroundColor Red Write-Host $global:responseBody -ForegroundColor Red Write-Host "The request/response body has been saved to `$global:helpme" -ForegroundColor Red Write-Host "----------------------------------------" -ForegroundColor Red exit 1 } # ---------------------------- # HttpClient wrapper (TLS1.2, skip cert check, no decompression) # ---------------------------- function Invoke-SafeRestMethod { param( [Parameter(Mandatory=$true)][string]$Uri, [string]$Method = 'GET', [hashtable]$Headers = @{}, $Body = $null, [switch]$AsJson, [int]$TimeoutSec = 60 ) try { $handler = [System.Net.Http.HttpClientHandler]::new() $handler.AutomaticDecompression = [System.Net.DecompressionMethods]::None # Proper SSL bypass $handler.ServerCertificateCustomValidationCallback = { param($sender, $cert, $chain, $sslPolicyErrors) return $true } $client = [System.Net.Http.HttpClient]::new($handler) $client.Timeout = [System.TimeSpan]::FromSeconds($TimeoutSec) foreach ($k in $Headers.Keys) { $client.DefaultRequestHeaders.Remove($k) | Out-Null $client.DefaultRequestHeaders.Add($k, $Headers[$k]) } if ($Body -ne $null) { if ($AsJson) { $jsonBody = $Body | ConvertTo-Json -Depth 12 -Compress $content = [System.Net.Http.StringContent]::new($jsonBody, [System.Text.Encoding]::UTF8, 'application/json') } else { $content = [System.Net.Http.StringContent]::new($Body) } } else { $content = $null } $methodObj = [System.Net.Http.HttpMethod]::$Method $request = [System.Net.Http.HttpRequestMessage]::new($methodObj, $Uri) if ($content) { $request.Content = $content } $response = $client.SendAsync($request).GetAwaiter().GetResult() $respBody = if ($response.Content) { $response.Content.ReadAsStringAsync().GetAwaiter().GetResult() } else { $null } if ($response.IsSuccessStatusCode) { if ($respBody -and $respBody.Trim().Length -gt 0) { try { return $respBody | ConvertFrom-Json } catch { return $respBody } } else { return $respBody } } else { throw [System.Net.Http.HttpRequestException]::new("HTTP $($response.StatusCode): $($response.ReasonPhrase)", $null, $response) } } catch { Show-Failure -ErrorRecord $_ } finally { $client.Dispose() $handler.Dispose() } } # ---------------------------- # Variables # ---------------------------- $vCenterURL = $VCENTERHOST $CommonName = $VCENTERHOST $EmailContact = $ACMEEMAIL [PSCredential]$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $VCENTERUSER, (ConvertTo-SecureString $VCENTERPASS -AsPlainText -Force) # PowerDNS plugin args (plain string API key!) $pArgs = @{ PowerDNSApiHost = $WDNSHOST PowerDNSApiKey = $PDNSAPI PowerDNSUseTLS = $true PowerDNSPort = 443 PowerDNSServerName = 'localhost' } # ---------------------------- # Ensure Posh-ACME Module # ---------------------------- if (-not (Get-Module -ListAvailable -Name Posh-ACME)) { Install-Module -Name Posh-ACME -Force -Confirm:$false -Scope AllUsers } Import-Module Posh-ACME -ErrorAction Stop # ---------------------------- # Connect to vCenter API # ---------------------------- $loginUri = "https://$vCenterURL/rest/com/vmware/cis/session" Write-Host "Connecting to vCenter at $vCenterURL ..." -ForegroundColor Cyan try { $sessionResponse = Invoke-SafeRestMethod -Uri $loginUri -Method Post -Headers @{} $sessionToken = $sessionResponse.value if (-not $sessionToken) { throw [System.Exception] "Unable to obtain vCenter session token" } } catch { Show-Failure -ErrorRecord $_ } $headers = @{ 'vmware-api-session-id' = $sessionToken } Write-Host "Connected to vCenter API. Session established." -ForegroundColor Green # ---------------------------- # Retrieve VM list (optional) # ---------------------------- try { $vmList = Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/vm" -Headers $headers if ($vmList.value) { $vmList.value | ForEach-Object { Write-Host " - $($_.name)" } } } catch { Write-Host "Unable to retrieve VM list, continuing..." -ForegroundColor Yellow } # ---------------------------- # Fault-tolerant ACME certificate request # ---------------------------- $certName = "vcenter-cert" $certSuccess = $false try { Write-Host "Requesting certificate via Posh-ACME..." -ForegroundColor Cyan New-PACertificate -Domain $CommonName -DnsPlugin PowerDNS -PluginArgs $pArgs -Contact $EmailContact -AcceptTOS -Verbose -Force $certSuccess = $true } catch { Write-Host "ACME certificate request failed: $($_.Exception.Message)" -ForegroundColor Yellow $global:helpme = $_.Exception.Message } # ---------------------------- # Collect certificate paths # ---------------------------- if ($certSuccess) { $paAccount = Get-PAAccount $certFolder = $paAccount.CertFolder $certPath = Join-Path $certFolder "$certName\cert.pem" $keyPath = Join-Path $certFolder "$certName\privkey.pem" $chainPath = Join-Path $certFolder "$certName\chain.pem" foreach ($f in @($certPath, $keyPath, $chainPath)) { if (-not (Test-Path $f)) { Write-Host "Certificate file missing: $f" -ForegroundColor Yellow $certSuccess = $false } } } # ---------------------------- # Upload and apply certificate # ---------------------------- if ($certSuccess) { try { Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls" -Method Post -Headers $headers -Body @{ cert = Get-Content -Path $certPath -Raw key = Get-Content -Path $keyPath -Raw chain = Get-Content -Path $chainPath -Raw } -AsJson Write-Host "Certificate uploaded successfully." -ForegroundColor Green Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls?action=apply" -Method Post -Headers $headers Write-Host "TLS certificate applied." -ForegroundColor Green } catch { Write-Host "Certificate upload/apply failed: $($_.Exception.Message)" -ForegroundColor Yellow $global:helpme = $_.Exception.Message } } else { Write-Host "Skipping certificate upload/apply due to previous errors." -ForegroundColor Yellow } # ---------------------------- # Restart vpxd service # ---------------------------- try { Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/appliance/system/services/vpxd?action=restart" -Method Post -Headers $headers Write-Host "vCenter vpxd service restart requested." -ForegroundColor Yellow } catch { Write-Host "Failed to restart vpxd service: $($_.Exception.Message)" -ForegroundColor Yellow $global:helpme = $_.Exception.Message } Write-Host "Script completed. Check `$global:helpme for any error details." -ForegroundColor Green