Intro
In this article I will demonstrate how you can request and install a Wildcard SSL certificate from Let’s Encrypt on VMware Cloud Director 10.4.
Official VMware Documentation
VMware Cloud Director 10.3
Importing SSL Certificates from External Services
Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance
VMware Cloud Director 10.4
Replacing Certificates for the HTTPS Endpoint
So much for official documentation, let’s get started!
Request a Let’s Encrypt Wildcard SSL Certificate
The first step is to request a new Wildcard SSL Certificate.
In this example I will request a new Let’s Encrypt wildcard SSL Certificate which I will install on the VMware Cloud Director cell(s) later.
Install Posh-ACME module
Start an administrative Powershell session and execute the following command:
Install-Module -Name Posh-ACME -Scope AllUsers
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module Posh-ACME
Set-PAServer https://acme-v02.api.letsencrypt.org/directory
Get-PAServerRequest the Let’s Encrypt Wildcard SSL Certificate
With the Posh-ACME module installed, we’re ready to request a Let’s Encrypt Wildcard Certificate.
Replace the domain and email information in the code below and execute the commands:
* Do not use a fake e-mail address here, this address will be used for expiration notifications.
$certNames = '*.domain.nl','domain.nl'
$email = 'm.roeleveld@domain.nl'
New-PACertificate $certNames -AcceptTOS -Contact $emailThe following figure illustrates what a successful command looks like.
Do not “press any key to continue” yet!
First we need to add the two TXT records to our DNS zone.
Let’s Encrypt uses these TXT records to validate ownership of the domain name.
Add TXT records to DNS Zone
The next step is to create two TXT records on my domain’s DNS zone.
The following example shows my Siteground DNS Zone Editor.
When the TXT files have been added to the DNS Zone succesfully, navigate back to the Powershell screen and press any key to continue.
After successful implementation of the TXT records, the output will look like the following example:
Remove TXT records from DNS Zone
After the request has been completed successfully, the TXT records can safely be removed from your DNS Zone.
We now have the requested certificate.
To access the certificate files, open windows Explorer and go to the following location.
You will find all the needed certificate files in a sub folder that contains the name of your domain.
%LOCALAPPDATA%\Posh-ACME
Install the Wildcard Certificate in VMware Cloud Director 10.4
Prepare PEM file for installation
First, create a copy of the “fullchain.cer” and rename the file from .CER to .PEM.
Next step is to upload the .PEM and the cert.key file to the /opt/vmware/vcloud-director/data/transfer folder of the Cloud Director cell with WinSCP.
After uploading the files to the Transfer director of the VMware Cloud Director cell, update the Group, Owner and Permissions of the files as shown in the following figure.
You can update the Group, Owner and Permissions can be done from the command line too:
chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/fullchain.pem
chown vcloud.vcloud /opt/vmware/vcloud-director/data/transfer/cert.key
chmod 0750 /opt/vmware/vcloud-director/data/transfer/fullchain.pem
chmod 0750 /opt/vmware/vcloud-director/data/transfer/cert.keyCreate a backup of the existing files
Before we can start with the installation of the new Let’s Encrypt Wildcard SSL Certificate, we need to create a backup of the following files first:
- user.http.key
- user.http.pem
- user.consoleproxy.key
- user.consoleproxy.pem
By running the following commands from the command line
cp /opt/vmware/vcloud-director/data/transfer/user.http.pem /opt/vmware/vcloud-director/data/transfer/user.http.pem.original
cp /opt/vmware/vcloud-director/data/transfer/user.http.key /opt/vmware/vcloud-director/data/transfer/user.http.key.original
cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem.original
cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key.originalInstall certificate files on Cloud Director Cell
Connect to your Cloud Director cell via SSH, and run the following commands: (Replace <ROOTPASSWORD> for the root password of your VCD cell)
# Replace HTTP certificate
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/data/transfer/fullchain.pem --key /opt/vmware/vcloud-director/data/transfer/cert.key --key-password <ROOTPASSWORD>
# Replace Consoleproxy certificate
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/data/transfer/fullchain.pem --key /opt/vmware/vcloud-director/data/transfer/cert.key --key-password <ROOTPASSWORD>Browse to the Cloud Director’s Provider Admin Portal and navigate to:
Administration > Settings > Public Addresses
Change the Web Portal public address to match your deployment and upload the fullchain.pem file in the certificate chain wizard.
The result should look like the following figure:
Check the SSL certificate in your webbrowser. ou will see that the Let’s Encrypt Wildcard SSL certificate is installed.
Notes for Multi-Cell deployments
Multi-cell VMware Cloud Director deployments use the responses.properties file located on the shared NFS storage for configuration of additional cells.
- In the above procedure, the certificate files have been installed on the shared NFS storage
- The file location of the SSL certificate and KEY have automatically been updated in the responses.properties file, where they can be reached by future cells.
The following figure shows how the responses.properties file has been updated by the Cell Management tool.
If you’re running VMware Cloud Director 10.3.x, you can use my older article about installing Let’s Encrypt Wildcard Certificates on VMware Cloud Director here.
