voltron/NodeMgmt
1
1
Fork 0
Code Issues Pull Requests Releases 1 Activity
Files
1805326b22a81fc506b870dfba7fa1513adfd924
NodeMgmt/inc/vCenter-SSL.ps1

327 lines
11 KiB
PowerShell
Raw Blame History

#!/usr/bin/env pwsh
# -----------------------------------------------------------------------------------
# vCenter SSL Automation (Posh-ACME 4.30, Linux/XDG compatible)
# Uses cert.cer / cert.key / fullchain.cer layout
# Rate-limit safe, fingerprint-based update, 30-day renewal window
# -----------------------------------------------------------------------------------
. /opt/idssys/nodemgmt/conf/powerwall/settings.ps1
# ----------------------------
# Logging
# ----------------------------
$LogFile = "/opt/idssys/nodemgmt/logs/vc-ssl.log"
$logDir = Split-Path -Path $LogFile -Parent
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }
function Write-Log {
param([string]$Level,[string]$Message,[string]$Color="White")
$ts = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$line = "[{0}] {1}: {2}" -f $ts,$Level.ToUpper(),$Message
Write-Host $line -ForegroundColor $Color
Add-Content -Path $LogFile -Value $line
}
function Show-Banner {
param([string]$Text,[string]$Type="INFO")
switch ($Type.ToUpper()) {
"SUCCESS" { $C="Green"; $L="SUCCESS" }
"ERROR" { $C="Red"; $L="ERROR" }
"WARN" { $C="Yellow"; $L="WARN" }
default { $C="Cyan"; $L="INFO" }
}
$line = "=" * [math]::Max($Text.Length,40)
Write-Host $line -ForegroundColor $C
Write-Host "${L}: $Text" -ForegroundColor $C
Write-Host $line -ForegroundColor $C
Add-Content -Path $LogFile -Value ("[{0}] {1}: {2}" -f (Get-Date),$L,$Text)
}
# ----------------------------
# Error handling
# ----------------------------
$global:helpme = $null
function Show-Failure {
param([System.Management.Automation.ErrorRecord]$ErrorRecord)
$global:helpme = $ErrorRecord.Exception.Message
Show-Banner -Text $ErrorRecord.Exception.Message -Type "ERROR"
exit 1
}
# ----------------------------
# Cert fingerprint helper
# ----------------------------
function Get-CertFingerprintFromPem {
param([string]$PemString)
try {
$pemBody = $PemString -replace "`r","" -split "`n" |
Where-Object {$_ -notmatch "^-----" -and $_ -ne ""}
$bytes = [Convert]::FromBase64String(($pemBody -join ""))
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$hash = $sha256.ComputeHash($cert.RawData)
return ($hash | ForEach-Object { $_.ToString("X2") }) -join ""
}
catch { return $null }
}
# ----------------------------
# Discover Posh-ACME cert folder (Linux/XDG)
# ----------------------------
function Find-LocalPACertFolder {
param([string]$HostName)
$paRoot = Join-Path $HOME ".config/Posh-ACME"
if (-not (Test-Path $paRoot)) { return $null }
$folders = Get-ChildItem -Path $paRoot -Recurse -Directory -ErrorAction SilentlyContinue |
Where-Object { $_.Name -eq $HostName }
if (-not $folders) { return $null }
return ($folders | Select-Object -First 1).FullName
}
# ----------------------------
# Load VMware PowerCLI
# ----------------------------
if (-not (Get-Module -ListAvailable VMware.PowerCLI)) {
Install-Module VMware.PowerCLI -Force -Scope AllUsers
}
Import-Module VMware.PowerCLI -ErrorAction Stop
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false | Out-Null
# ----------------------------
# Connect to vCenter
# ----------------------------
try {
Write-Log INFO "Connecting to vCenter $VCENTERHOST..." Cyan
$vCenterConn = Connect-VIServer -Server $VCENTERHOST -User $VCENTERUSER -Password $VCENTERPASS -Force
Show-Banner "Connected to vCenter." SUCCESS
} catch { Show-Failure $_ }
# ----------------------------
# Load Posh-ACME
# ----------------------------
if (-not (Get-Module -ListAvailable Posh-ACME)) {
Install-Module Posh-ACME -Force -Scope AllUsers
}
Import-Module Posh-ACME -ErrorAction Stop
# ----------------------------
# ACME logic
# ----------------------------
$certSuccess = $false
$certPath = $keyPath = $chainPath = $null
$allPACerts = Get-PACertificate -ErrorAction SilentlyContinue
if ($allPACerts) {
Write-Log INFO "Found $($allPACerts.Count) Posh-ACME cert(s)." Gray
foreach ($c in $allPACerts) {
Write-Log INFO " MainDomain=$($c.MainDomain) SANs=$($c.AllSANs -join ',') Exp=$($c.NotAfter)" Gray
}
}
# Select cert for vcenter.scity.us
$existingPACert = $allPACerts |
Where-Object { $_.MainDomain -eq $VCENTERHOST -or ($_.AllSANs -contains $VCENTERHOST) } |
Sort-Object NotAfter -Descending |
Select-Object -First 1
$renewCert = $true
$skipReason = ""
# If valid for >30 days, skip issuance
if ($existingPACert) {
$daysLeft = ($existingPACert.NotAfter - (Get-Date)).TotalDays
Write-Log INFO "Existing cert expires $($existingPACert.NotAfter) (~$([math]::Round($daysLeft)) days)" Gray
if ($daysLeft -gt 30) {
$renewCert = $false
$skipReason = "Existing certificate valid >30 days."
}
}
# Rate-limit safety: don't issue if created <168 hours (LE window)
if ($renewCert -and $existingPACert) {
$hoursSince = ((Get-Date) - $existingPACert.Created).TotalHours
if ($hoursSince -lt 168) {
$renewCert = $false
$skipReason = "Rate-limit: cert issued $([math]::Round($hoursSince)) hours ago."
}
}
# -------------------------------------------------------
# USE EXISTING CERT (no ACME issuance)
# -------------------------------------------------------
if (-not $renewCert -and $existingPACert) {
Write-Log INFO "Skipping ACME issuance: $skipReason" Yellow
$certFolder = Find-LocalPACertFolder -HostName $VCENTERHOST
if (-not $certFolder) {
Show-Banner "Could not locate certificate files on disk. Aborting." ERROR
exit 1
}
# Posh-ACME Linux filenames:
$certPath = Join-Path $certFolder "cert.cer"
$keyPath = Join-Path $certFolder "cert.key"
$chainPath = Join-Path $certFolder "fullchain.cer"
foreach ($f in @($certPath,$keyPath,$chainPath)) {
if (-not (Test-Path $f)) {
Write-Log ERROR "Missing certificate file: $f" Red
exit 1
}
}
$certSuccess = $true
}
# -------------------------------------------------------
# NEW ACME CERTIFICATE
# -------------------------------------------------------
if ($renewCert) {
Write-Log INFO "Requesting new ACME certificate..." Cyan
$securePDNSAPI = if ($PDNSAPI -is [string]) {
ConvertTo-SecureString $PDNSAPI -AsPlainText -Force
} else { $PDNSAPI }
$pArgs = @{
PowerDNSApiHost = $WDNSHOST
PowerDNSApiKey = $securePDNSAPI
PowerDNSUseTLS = $true
PowerDNSPort = 443
PowerDNSServerName = "localhost"
}
try {
New-PACertificate `
-Domain $VCENTERHOST `
-DnsPlugin PowerDNS `
-PluginArgs $pArgs `
-Contact $ACMEEMAIL `
-AcceptTOS `
-DnsSleep 15 `
-Force `
-Verbose
$certFolder = Find-LocalPACertFolder -HostName $VCENTERHOST
if (-not $certFolder) { Show-Banner "ACME OK but no files found!" ERROR; exit 1 }
$certPath = Join-Path $certFolder "cert.cer"
$keyPath = Join-Path $certFolder "cert.key"
$chainPath = Join-Path $certFolder "fullchain.cer"
$certSuccess = $true
Show-Banner "New ACME certificate created." SUCCESS
}
catch {
$msg = $_.Exception.Message
Write-Log ERROR "ACME failed: $msg" Red
$global:helpme = $msg
if ($msg -like "*too many certificates*") {
Show-Banner "Rate limit hit! Using existing cert." WARN
if (-not $existingPACert) {
Show-Banner "No fallback cert exists! Aborting." ERROR
exit 1
}
}
else { exit 1 }
}
}
# -------------------------------------------------------
# CERT SANITY CHECK
# -------------------------------------------------------
foreach ($f in @($certPath,$keyPath,$chainPath)) {
if (-not (Test-Path $f)) {
Write-Log ERROR "Missing certificate file: $f" Red
exit 1
}
}
# -------------------------------------------------------
# COMPARE CURRENT VCENTER CERT
# -------------------------------------------------------
$sessionHeaders = @{
'vmware-api-session-id' = $vCenterConn.ExtensionData.Content.SessionManager.SessionId
}
$vcenterCertUri = "https://$VCENTERHOST/rest/vcenter/certificate-management/vcenter/tls"
$updateNeeded = $true
try {
$vcCert = Invoke-RestMethod -Uri $vcenterCertUri -Method Get -Headers $sessionHeaders -SkipCertificateCheck
$currentPem = $vcCert.value.cert
$currentFp = Get-CertFingerprintFromPem $currentPem
$newFp = Get-CertFingerprintFromPem (Get-Content -Raw $certPath)
if ($currentFp -and $newFp -and ($currentFp -eq $newFp)) {
Show-Banner "vCenter certificate already up-to-date." SUCCESS
$updateNeeded = $false
}
}
catch {
Write-Log WARN "Could not read vCenter certificate; assuming update needed." Yellow
}
# -------------------------------------------------------
# UPLOAD + APPLY CERTIFICATE
# -------------------------------------------------------
if ($updateNeeded) {
try {
$body = @{
cert = Get-Content -Raw $certPath
key = Get-Content -Raw $keyPath
chain = Get-Content -Raw $chainPath
}
Write-Log INFO "Uploading certificate..." Cyan
Invoke-RestMethod -Uri $vcenterCertUri -Method Post -Headers $sessionHeaders `
-ContentType "application/json" -Body ($body | ConvertTo-Json -Compress) -SkipCertificateCheck
Write-Log INFO "Applying certificate..." Cyan
Invoke-RestMethod -Uri "$vcenterCertUri?action=apply" `
-Method Post -Headers $sessionHeaders -SkipCertificateCheck
Show-Banner "Certificate applied to vCenter." SUCCESS
$restartNeeded = $true
}
catch {
Show-Banner "Failed to apply certificate: $($_.Exception.Message)" ERROR
exit 1
}
}
else {
Write-Log INFO "Certificate update not required." Green
}
# -------------------------------------------------------
# Restart vpxd (optional, REST)
# -------------------------------------------------------
if ($restartNeeded) {
$maxRetries = 20
for ($i=1; $i -le $maxRetries; $i++) {
try {
Invoke-RestMethod -Uri "https://$VCENTERHOST/rest/appliance/health/system" `
-Method Get -SkipCertificateCheck -ErrorAction Stop
Invoke-RestMethod -Uri "https://$VCENTERHOST/rest/appliance/system/services/vpxd?action=restart" `
-Method Post -SkipCertificateCheck -ErrorAction Stop
Show-Banner "vpxd restarted successfully." SUCCESS
break
}
catch {
Write-Log WARN "vpxd not ready, retrying $i/$maxRetries..." Yellow
Start-Sleep -Seconds 15
}
}
}
Show-Banner "Script complete. Log: $LogFile" INFO
Reference in New Issue View Git Blame Copy Permalink