In this article I will demonstrate how you can request and install a Wildcard SSL certificate from Let’s Encrypt on VMware Cloud Director 10.3.
The reason for writing this article is that the procedure for installing SSL certificates on VMware Cloud Director has changed in version 10.3.
Documentation
The following links to VMware Docs show the difference between Cloud Director 10.2 and Cloud Director 10.3:
Cloud Director 10.2
Importing SSL Certificates from External Services
Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance
Cloud Director 10.3
Importing SSL Certificates from External Services
Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance
So much for official documentation, let’s get started!
Request a Let’s Encrypt Wildcard SSL Certificate
First, we need a new Wildcard SSL Certificate. In this example I will request a new Let’s Encrypt wildcard SSL Certificate which I will install on Cloud Director later.
Install Posh-ACME module
Start an administrative PowerShell session and execute the following commands:
Install-Module -Name Posh-ACME -Scope AllUsers
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module Posh-ACME
Set-PAServer https://acme-v02.api.letsencrypt.org/directory
Get-PAServer
Request the wildcard certificate
With the Posh-ACME module installed, we’re ready to request a Let’s Encrypt Wildcard Certificate.
Replace the domain and email information in the code below and execute the commands:
* Do not use a fake e-mail address; this address will be used for expiration notifications.
$certNames = '*.domain.nl','domain.nl'
$email = 'm.roeleveld@domain.nl'
New-PACertificate $certNames -AcceptTOS -Contact $email

Do not “press any key to continue” yet!
First we need to add the TXT records to our DNS zone.
Add TXT records to DNS
The next step is to create two TXT records in my domain’s DNS zone.
These two TXT records will be used to validate the domain name.
The following example shows my Siteground DNS Zone Editor.

Navigate back to the PowerShell screen and press any key to continue.
The output will look like the following example:

Remove TXT records from DNS
The request has been completed and we are now able to remove the two TXT records.

We now have the requested certificate.
To access the certificate files, open Windows Explorer and go to the following location.
You will find all the needed certificate files in a subfolder that contains the name of your domain.
%LOCALAPPDATA%\Posh-ACME

Install the Wildcard Certificate in VMware Cloud Director 10.3
Prepare PEM file for installation
First, copy the “fullchain.cer” file and rename the copy to _your-domain.nl.PEM


Upload the .PEM and the cert.key file to the /tmp folder of the Cloud Director cell using WinSCP.

Update the permissions of the files.
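With the files on the cell, a quick check confirms they are what the import in the next step expects. The script below is an added example, not part of the original article or of VMware's tooling; it assumes openssl is available on the cell, and the function name preflight_pem and its exit codes are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check the uploaded chain and key.
# Usage: sh preflight.sh /tmp/_your-domain.pem /tmp/cert.key   (script name is hypothetical)

# preflight_pem CHAIN KEY -> 0 if all checks pass, else a distinct code per check
preflight_pem() {
    chain=$1
    key=$2

    # 2: both files must exist and be readable by the current user
    if [ ! -r "$chain" ] || [ ! -r "$key" ]; then
        echo "cannot read $chain or $key" >&2; return 2
    fi

    # 3: the import commands in this article pass no key password, so the key
    #    has to be an unencrypted PEM; encrypted keys carry one of these markers
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "private key is password-protected" >&2; return 3
    fi

    # 4: fullchain.cer holds the leaf plus at least one intermediate; a single
    #    certificate suggests a different file was copied
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$chain") || count=0
    if [ "$count" -lt 2 ]; then
        echo "expected leaf + intermediate, found $count certificate(s)" >&2; return 4
    fi

    # 5: the leaf (first certificate in the file) must parse and not be expired
    if ! openssl x509 -in "$chain" -noout -checkend 0 >/dev/null 2>&1; then
        echo "leaf certificate is expired or unreadable" >&2; return 5
    fi

    # 6: the public key in the leaf must equal the one derived from the key file
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the leaf certificate" >&2; return 6
    fi
    return 0
}

# Run the checks only when called with two arguments
if [ "$#" -eq 2 ]; then
    preflight_pem "$1" "$2" && echo "OK: chain and key are consistent"
fi
```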


Install certificate files on Cloud Director Cell
Connect to your Cloud Director cell via SSH and run the following commands (replace the name of the PEM file with your own):
cd /opt/vmware/vcloud-director/bin
./cell-management-tool certificates -j --cert /tmp/_your-domain.pem --key /tmp/cert.key
./cell-management-tool certificates -p --cert /tmp/_your-domain.pem --key /tmp/cert.key
service vmware-vcd restart
Browse to the Cloud Director’s Provider Admin Portal and navigate to:
Administration > Settings > Public Addresses
Change the Web Portal public address as shown below.
I have not selected any certificate chain file, as those have already been installed.

Now, when you check the certificate in your browser, you will see that the Let’s Encrypt Wildcard SSL certificate is installed.

I am getting this error while executing the command below.
root@vcd01 [ /opt/vmware/vcloud-director/bin ]# ./cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key
Error executing command: Private key could not be read with the provided password