voltron/NodeMgmt
1
1
Fork 0
Code Issues Pull Requests Releases 1 Activity
Files
37dc1b931351b0cc976c884851dc2423a07954a8
NodeMgmt/inc/vCenter-SSL.ps1

218 lines
7.9 KiB
PowerShell
Raw Blame History

#!/usr/bin/env pwsh
# -----------------------------------------------------------------------------------
# vCenter + Posh-ACME Script (Linux/macOS-safe, TLS 1.2 enforced)
# -----------------------------------------------------------------------------------
. /opt/idssys/nodemgmt/conf/powerwall/settings.ps1
# ----------------------------
# Global variables for troubleshooting
# ----------------------------
$global:helpme = $null
$global:responseBody = $null
# ----------------------------
# Force TLS 1.2 globally
# ----------------------------
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# ----------------------------
# Error handler
# ----------------------------
function Show-Failure {
param([System.Management.Automation.ErrorRecord]$ErrorRecord)
$global:responseBody = "<No response body available>"
try {
$ex = $ErrorRecord.Exception
if ($ex.Response -is [System.Net.Http.HttpResponseMessage]) {
try { $global:responseBody = $ex.Response.Content.ReadAsStringAsync().GetAwaiter().GetResult() } catch { $global:responseBody = "<Failed to read HTTP content>" }
} elseif ($ex.Response -is [System.Net.WebResponse]) {
try {
$stream = $ex.Response.GetResponseStream()
if ($stream) { $global:responseBody = [System.IO.StreamReader]::new($stream).ReadToEnd() }
} catch { $global:responseBody = "<Failed to read WebResponse>" }
} else { $global:responseBody = $ex.Message }
} catch { $global:responseBody = "<Error extracting failure detail>" }
$global:helpme = $global:responseBody
Write-Host "----------------------------------------" -ForegroundColor Red
Write-Host "Status: A system exception was caught." -ForegroundColor Red
Write-Host $global:responseBody -ForegroundColor Red
Write-Host "The request/response body has been saved to `$global:helpme" -ForegroundColor Red
Write-Host "----------------------------------------" -ForegroundColor Red
exit 1
}
# ----------------------------
# Invoke-RestMethod wrapper with SkipCertificateCheck
# ----------------------------
function Invoke-SafeRestMethod {
param(
[Parameter(Mandatory=$true)][string]$Uri,
[string]$Method = 'GET',
[hashtable]$Headers = @{},
$Body = $null,
[switch]$AsJson
)
try {
$params = @{
Uri = $Uri
Method = $Method
Headers = $Headers
SkipCertificateCheck = $true
ErrorAction = 'Stop'
}
if ($Body -ne $null) {
if ($AsJson) {
$params.Body = ($Body | ConvertTo-Json -Depth 12 -Compress)
$params.ContentType = 'application/json'
} else {
$params.Body = $Body
}
}
return Invoke-RestMethod @params
} catch {
Show-Failure -ErrorRecord $_
}
}
# ----------------------------
# Variables
# ----------------------------
$vCenterURL = $VCENTERHOST
$CommonName = $VCENTERHOST
$EmailContact = $ACMEEMAIL
[PSCredential]$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $VCENTERUSER, (ConvertTo-SecureString $VCENTERPASS -AsPlainText -Force)
# PowerDNS plugin args (plain string API key)
$pArgs = @{
PowerDNSApiHost = $WDNSHOST
PowerDNSApiKey = $PDNSAPI
PowerDNSUseTLS = $true
PowerDNSPort = 443
PowerDNSServerName = 'localhost'
}
# ----------------------------
# Ensure Posh-ACME Module
# ----------------------------
if (-not (Get-Module -ListAvailable -Name Posh-ACME)) {
Install-Module -Name Posh-ACME -Force -Confirm:$false -Scope AllUsers
}
Import-Module Posh-ACME -ErrorAction Stop
# ----------------------------
# Connect to vCenter API using HttpClient (TLS 1.2 enforced)
# ----------------------------
Write-Host "Connecting to vCenter at $vCenterURL ..." -ForegroundColor Cyan
try {
$handler = [System.Net.Http.HttpClientHandler]::new()
$handler.SslProtocols = [System.Security.Authentication.SslProtocols]::Tls12
$handler.ServerCertificateCustomValidationCallback = { $true }
$client = [System.Net.Http.HttpClient]::new($handler)
$client.Timeout = [System.TimeSpan]::FromSeconds(60)
$loginUri = "https://$vCenterURL/rest/com/vmware/cis/session"
$response = $client.PostAsync($loginUri, $null).GetAwaiter().GetResult()
if (-not $response.IsSuccessStatusCode) {
throw "vCenter session request failed: $($response.StatusCode)"
}
$content = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
$json = $content | ConvertFrom-Json
$sessionToken = $json.value
if (-not $sessionToken) { throw "Failed to obtain vCenter session token" }
$headers = @{ 'vmware-api-session-id' = $sessionToken }
Write-Host "Connected to vCenter API. Session established." -ForegroundColor Green
} catch {
Show-Failure -ErrorRecord $_
}
# ----------------------------
# Retrieve VM list (optional)
# ----------------------------
try {
$vmList = Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/vm" -Headers $headers
if ($vmList.value) { $vmList.value | ForEach-Object { Write-Host " - $($_.name)" } }
} catch { Write-Host "Unable to retrieve VM list, continuing..." -ForegroundColor Yellow }
# ----------------------------
# ACME certificate request
# ----------------------------
$certName = "vcenter-cert"
$certSuccess = $false
try {
Write-Host "Requesting certificate via Posh-ACME..." -ForegroundColor Cyan
New-PACertificate -Domain $CommonName -DnsPlugin PowerDNS -PluginArgs $pArgs -Contact $EmailContact -AcceptTOS -Verbose -Force
$certSuccess = $true
} catch {
Write-Host "ACME certificate request failed: $($_.Exception.Message)" -ForegroundColor Yellow
$global:helpme = $_.Exception.Message
}
# ----------------------------
# Collect certificate paths
# ----------------------------
if ($certSuccess) {
$paAccount = Get-PAAccount
$certFolder = $paAccount.CertFolder
$certPath = Join-Path $certFolder "$certName\cert.pem"
$keyPath = Join-Path $certFolder "$certName\privkey.pem"
$chainPath = Join-Path $certFolder "$certName\chain.pem"
foreach ($f in @($certPath, $keyPath, $chainPath)) {
if (-not (Test-Path $f)) {
Write-Host "Certificate file missing: $f" -ForegroundColor Yellow
$certSuccess = $false
}
}
}
# ----------------------------
# Upload and apply certificate
# ----------------------------
if ($certSuccess) {
try {
Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls" -Method Post -Headers $headers -Body @{
cert = Get-Content -Path $certPath -Raw
key = Get-Content -Path $keyPath -Raw
chain = Get-Content -Path $chainPath -Raw
} -AsJson
Write-Host "Certificate uploaded successfully." -ForegroundColor Green
Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/vcenter/certificate-management/vcenter/tls?action=apply" -Method Post -Headers $headers
Write-Host "TLS certificate applied." -ForegroundColor Green
} catch {
Write-Host "Certificate upload/apply failed: $($_.Exception.Message)" -ForegroundColor Yellow
$global:helpme = $_.Exception.Message
}
} else {
Write-Host "Skipping certificate upload/apply due to previous errors." -ForegroundColor Yellow
}
# ----------------------------
# Restart vpxd service
# ----------------------------
try {
Invoke-SafeRestMethod -Uri "https://$vCenterURL/rest/appliance/system/services/vpxd?action=restart" -Method Post -Headers $headers
Write-Host "vCenter vpxd service restart requested." -ForegroundColor Yellow
} catch {
Write-Host "Failed to restart vpxd service: $($_.Exception.Message)" -ForegroundColor Yellow
$global:helpme = $_.Exception.Message
}
Write-Host "Script completed. Check `$global:helpme for any error details." -ForegroundColor Green
Reference in New Issue View Git Blame Copy Permalink