
vBlog.nl

How to: Request and Install a Lets Encrypt Wildcard SSL on VMware Cloud Director 10.4

Posted on October 17, 2022

Table of Contents

  • Intro
  • Official VMware Documentation
  • Request a Let’s Encrypt Wildcard SSL Certificate
    • Install Posh-ACME module
    • Request the Let’s Encrypt Wildcard SSL Certificate
    • Add TXT records to DNS Zone
    • Remove TXT records from DNS Zone
  • Install the Wildcard Certificate in VMware Cloud Director 10.4
    • Prepare PEM file for installation
    • Create a backup of the existing files
    • Install certificate files on Cloud Director Cell
  • Notes for Multi-Cell deployments

Intro

In this article I will demonstrate how you can request and install a Wildcard SSL certificate from Let’s Encrypt on VMware Cloud Director 10.4.

Official VMware Documentation

VMware Cloud Director 10.3

Importing SSL Certificates from External Services

Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance

VMware Cloud Director 10.4

Deploy the VMware Cloud Director Appliance with a Signed Wildcard Certificate for HTTPS Communication

Replacing Certificates for the HTTPS Endpoint

So much for official documentation, let’s get started!

Request a Let’s Encrypt Wildcard SSL Certificate

The first step is to request a new Wildcard SSL Certificate.

In this example I will request a new Let’s Encrypt wildcard SSL Certificate which I will install on the VMware Cloud Director cell(s) later.

Install Posh-ACME module

Start an administrative PowerShell session and execute the following commands:

Install-Module -Name Posh-ACME -Scope AllUsers
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module Posh-ACME
Set-PAServer https://acme-v02.api.letsencrypt.org/directory
Get-PAServer

Request the Let’s Encrypt Wildcard SSL Certificate

With the Posh-ACME module installed, we’re ready to request a Let’s Encrypt Wildcard Certificate.
Replace the domain and email information in the code below and execute the commands:

* Do not use a fake e-mail address here; this address will be used for expiration notifications.

$certNames = '*.domain.nl','domain.nl'
$email = 'm.roeleveld@domain.nl'
New-PACertificate $certNames -AcceptTOS -Contact $email

The following figure illustrates what a successful command looks like.
Do not “press any key to continue” yet!

New-PACertificate

First we need to add the two TXT records to our DNS zone.
Let’s Encrypt uses these TXT records to validate ownership of the domain name.

Add TXT records to DNS Zone

The next step is to create two TXT records in my domain’s DNS zone.
The following example shows my Siteground DNS Zone Editor.

dns-zone-txt-record

When the TXT records have been added to the DNS zone successfully, navigate back to the PowerShell screen and press any key to continue.

After successful implementation of the TXT records, the output will look like the following example:

New-PACertificate

Remove TXT records from DNS Zone

After the request has been completed successfully, the TXT records can safely be removed from your DNS Zone.

dns-zone-txt-record

We now have the requested certificate.

To access the certificate files, open Windows Explorer and go to the following location.
You will find all the needed certificate files in a sub folder that contains the name of your domain.

%LOCALAPPDATA%\Posh-ACME


Install the Wildcard Certificate in VMware Cloud Director 10.4

Prepare PEM file for installation

First, create a copy of the “fullchain.cer” and rename the file from .CER to .PEM.

Rename .CER to .PEM

The next step is to upload the .PEM file and the cert.key file to the /opt/vmware/vcloud-director/data/transfer folder of the Cloud Director cell with WinSCP.

opt-vmware-vcloud-director-data-transfer cer.key and fullchain.pem files

After uploading the files to the transfer directory of the VMware Cloud Director cell, update the Group, Owner and Permissions of the files as shown in the following figure.

opt-vmware-vcloud-director-data-transfer file properties

You can also update the Group, Owner and Permissions from the command line:

chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/fullchain.pem
chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/cert.key
chmod 0750 /opt/vmware/vcloud-director/data/transfer/fullchain.pem
chmod 0750 /opt/vmware/vcloud-director/data/transfer/cert.key

Create a backup of the existing files

Before we can start with the installation of the new Let’s Encrypt Wildcard SSL Certificate, we need to create a backup of the following files first:

  • user.http.key
  • user.http.pem
  • user.consoleproxy.key
  • user.consoleproxy.pem

Do so by running the following commands from the command line:

cp /opt/vmware/vcloud-director/data/transfer/user.http.pem /opt/vmware/vcloud-director/data/transfer/user.http.pem.original
cp /opt/vmware/vcloud-director/data/transfer/user.http.key /opt/vmware/vcloud-director/data/transfer/user.http.key.original
cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem.original
cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key.original

Install certificate files on Cloud Director Cell

Connect to your Cloud Director cell via SSH and run the following commands (replace <ROOTPASSWORD> with the root password of your VCD cell):

# Replace HTTP certificate
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/data/transfer/fullchain.pem --key /opt/vmware/vcloud-director/data/transfer/cert.key --key-password <ROOTPASSWORD>
# Replace Consoleproxy certificate
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/data/transfer/fullchain.pem --key /opt/vmware/vcloud-director/data/transfer/cert.key --key-password <ROOTPASSWORD>
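
A pre-flight check for the uploaded files, useful to run on the cell before the two cell-management-tool commands above: it confirms that cert.key belongs to the leaf certificate in fullchain.pem, that the certificate has not expired, and that it lists the names you requested. This is an added example, not part of the original article or of VMware's tooling; the function names are assumptions, and it assumes an unencrypted PEM key and the openssl command being available on the cell.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check for the
# certificate and key uploaded to the transfer folder.
# Function names are assumptions; the key is assumed to be unencrypted PEM.

# Public key (PEM) of the first (leaf) certificate in a PEM chain.
leaf_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from the private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# DNS names in the leaf certificate's subjectAltName, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep 'DNS:' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# preflight CERT KEY NAME...
# Returns 0 if usable, 2 unreadable file, 3 key/certificate mismatch,
# 4 expired certificate, 5 a requested name is not a SAN entry.
preflight() {
    cert=$1; key=$2; shift 2
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "cannot read $cert or $key" >&2; return 2
    fi
    cert_pub=$(leaf_pubkey "$cert")
    key_pub=$(key_pubkey "$key")
    # An empty result means openssl could not parse the file at all.
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to the leaf certificate" >&2; return 3
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired" >&2; return 4
    fi
    for name in "$@"; do
        # Literal comparison against the SAN entries ('*' is not expanded).
        if ! cert_san_names "$cert" | grep -Fxq -- "$name"; then
            echo "certificate does not list $name" >&2; return 5
        fi
    done
    echo "OK: key matches certificate; certificate is valid and lists: $*"
}

# Runs only when arguments are given, for example:
#   sh preflight.sh /opt/vmware/vcloud-director/data/transfer/fullchain.pem \
#      /opt/vmware/vcloud-director/data/transfer/cert.key '*.domain.nl' 'domain.nl'
if [ "$#" -ge 2 ]; then preflight "$@" || exit $?; fi
```

A non-zero exit code means the files should be fixed before the HTTP and console proxy certificates are replaced.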

Browse to the Cloud Director’s Provider Admin Portal and navigate to:
Administration > Settings > Public Addresses

Change the Web Portal public address to match your deployment and upload the fullchain.pem file in the certificate chain wizard.

The result should look like the following figure:

VMware Cloud Director - Valid Let's Encrypt Wildcard SSL certificate

Check the SSL certificate in your web browser. You will see that the Let’s Encrypt Wildcard SSL certificate is installed.

VMware Cloud Director - Valid Let's Encrypt Wildcard SSL certificate

Notes for Multi-Cell deployments

Multi-cell VMware Cloud Director deployments use the responses.properties file located on the shared NFS storage for configuration of additional cells.

  • In the above procedure, the certificate files have been installed on the shared NFS storage.
  • The file location of the SSL certificate and KEY have automatically been updated in the responses.properties file, where they can be reached by future cells.

The following figure shows how the responses.properties file has been updated by the Cell Management tool.

VMware Cloud Director - responses.properties

If you’re running VMware Cloud Director 10.3.x, you can use my older article about installing Let’s Encrypt Wildcard Certificates on VMware Cloud Director here.
