VMware Cloud Director

Intro

In this article I will demonstrate how you can request and install a Wildcard SSL certificate from Let’s Encrypt on VMware Cloud Director 10.4.

Official VMware Documentation

VMware Cloud Director 10.3

Importing SSL Certificates from External Services

Import Private Keys and CA-Signed SSL Certificates to the VMware Cloud Director Appliance

VMware Cloud Director 10.4

Deploy the VMware Cloud Director Appliance with a Signed Wildcard Certificate for HTTPS Communication

Replacing Certificates for the HTTPS Endpoint

So much for official documentation, let’s get started!

Request a Let’s Encrypt Wildcard SSL Certificate

The first step is to request a new Wildcard SSL Certificate.

In this example I will request a new Let’s Encrypt wildcard SSL Certificate which I will install on the VMware Cloud Director cell(s) later.

Install Posh-ACME module

Start an administrative PowerShell session and execute the following commands:

Install-Module -Name Posh-ACME -Scope AllUsers
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Import-Module Posh-ACME
Set-PAServer https://acme-v02.api.letsencrypt.org/directory
Get-PAServer

Request the Let’s Encrypt Wildcard SSL Certificate

With the Posh-ACME module installed, we’re ready to request a Let’s Encrypt Wildcard Certificate.
Replace the domain and email information in the code below and execute the commands:

* Do not use a fake e-mail address here; Let’s Encrypt sends certificate expiration notifications to this address.

$certNames = '*.domain.nl','domain.nl'
$email = 'm.roeleveld@domain.nl'
New-PACertificate $certNames -AcceptTOS -Contact $email

The following figure illustrates what a successful command looks like.
Do not “press any key to continue” yet!

New-PACertificate

First we need to add the two TXT records to our DNS zone.
Let’s Encrypt uses these TXT records to validate ownership of the domain name.

Add TXT records to DNS Zone

The next step is to create two TXT records on my domain’s DNS zone.
The following example shows my Siteground DNS Zone Editor.

dns-zone-txt-record

When the TXT records have been added to the DNS zone successfully, navigate back to the PowerShell window and press any key to continue.

After successful implementation of the TXT records, the output will look like the following example:

New-PACertificate

Remove TXT records from DNS Zone

After the request has been completed successfully, the TXT records can safely be removed from your DNS Zone.

dns-zone-txt-record

We now have the requested certificate.

To access the certificate files, open Windows Explorer and go to the following location.
You will find all the needed certificate files in a subfolder named after your domain.

%LOCALAPPDATA%\Posh-ACME

-LOCALAPPDATA-Posh-ACME

Install the Wildcard Certificate in VMware Cloud Director 10.4

Prepare PEM file for installation

First, create a copy of the “fullchain.cer” and rename the file from .CER to .PEM.

Rename .CER to .PEM

The next step is to upload the .PEM file and the cert.key file to the /opt/vmware/vcloud-director/data/transfer folder of the Cloud Director cell using WinSCP.

opt-vmware-vcloud-director-data-transfer cer.key and fullchain.pem files

After uploading the files to the transfer directory of the VMware Cloud Director cell, update the Group, Owner and Permissions of the files as shown in the following figure.

opt-vmware-vcloud-director-data-transfer file properties

Updating the Group, Owner and Permissions can be done from the command line too:

# vcloud:vcloud is the portable spelling of the vcloud.vcloud form accepted by GNU chown
chown vcloud:vcloud /opt/vmware/vcloud-director/data/transfer/fullchain.pem
chown vcloud:vcloud /opt/vmware/vcloud-director/data/transfer/cert.key
# 0750 is what this procedure uses; the files are never executed, so 0640 is the tighter equivalent for the private key
chmod 0750 /opt/vmware/vcloud-director/data/transfer/fullchain.pem
chmod 0750 /opt/vmware/vcloud-director/data/transfer/cert.key

Create a backup of the existing files

Before we can start with the installation of the new Let’s Encrypt Wildcard SSL Certificate, we need to create a backup of the following files first:

  • user.http.key
  • user.http.pem
  • user.consoleproxy.key
  • user.consoleproxy.pem

Create the backups by running the following commands from the command line:

cp /opt/vmware/vcloud-director/data/transfer/user.http.pem /opt/vmware/vcloud-director/data/transfer/user.http.pem.original
cp /opt/vmware/vcloud-director/data/transfer/user.http.key /opt/vmware/vcloud-director/data/transfer/user.http.key.original
cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.pem.original
cp /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key /opt/vmware/vcloud-director/data/transfer/user.consoleproxy.key.original

Install certificate files on Cloud Director Cell

Connect to your Cloud Director cell via SSH and run the following commands (replace <ROOTPASSWORD> with the root password of your VCD cell):

# Replace HTTP certificate
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/data/transfer/fullchain.pem --key /opt/vmware/vcloud-director/data/transfer/cert.key --key-password <ROOTPASSWORD>
# Replace Consoleproxy certificate
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/data/transfer/fullchain.pem --key /opt/vmware/vcloud-director/data/transfer/cert.key --key-password <ROOTPASSWORD>
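Before running the two cell-management-tool commands above, it pays to confirm on the cell that fullchain.pem and cert.key actually belong together, that the certificate covers the name the cell is reached by, and that the backups exist. The script below is an added example, not part of the original article; it assumes openssl is available on the cell, uses the article's transfer path, and uses the hostname vcd.domain.nl and the --run switch purely as placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks to run on the
# Cloud Director cell before handing fullchain.pem and cert.key to
# cell-management-tool. Paths follow the article; the hostname "vcd.domain.nl"
# in the --run section at the bottom is an assumption.
set -eu
TRANSFER=/opt/vmware/vcloud-director/data/transfer

# 0 when the leaf certificate (first block of fullchain.pem) carries the public
# key of the given private key; a mismatch is rejected by the TLS stack later.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when a subjectAltName DNS entry of the leaf certificate covers host $2.
# A wildcard covers exactly one label: *.domain.nl matches vcd.domain.nl but
# neither domain.nl nor a.b.domain.nl, hence the article requests both names.
cert_covers_host() (
    set -f   # SAN entries contain '*'; stop the shell from globbing them
    for san in $(openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'); do
        case "$san" in
            \*.*) [ "${2#*.}" = "${san#\*.}" ] && exit 0 ;;
            *)    [ "$san" = "$2" ] && exit 0 ;;
        esac
    done
    exit 1
)

# 0 when the certificate stays valid for at least $2 more days (Let's Encrypt
# certificates live 90 days, so the same check suits a renewal cron job).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Back up the four files the article names, timestamped so reruns never clobber
# the first backup; prints the timestamp used.
backup_current() {
    stamp=$(date +%Y%m%d%H%M%S)
    for f in user.http.pem user.http.key user.consoleproxy.pem user.consoleproxy.key; do
        if [ -f "$1/$f" ]; then cp -p "$1/$f" "$1/$f.$stamp.original"; fi
    done
    echo "$stamp"
}

if [ "${1:-}" = "--run" ]; then   # abort before cell-management-tool on any failure
    cert_matches_key "$TRANSFER/fullchain.pem" "$TRANSFER/cert.key" || { echo "cert/key mismatch" >&2; exit 1; }
    cert_covers_host "$TRANSFER/fullchain.pem" vcd.domain.nl || { echo "name not covered" >&2; exit 1; }
    cert_valid_for_days "$TRANSFER/fullchain.pem" 30 || { echo "expires within 30 days" >&2; exit 1; }
    backup_current "$TRANSFER"
fi
```

Run it as `sh preflight.sh --run` on the cell; only when it exits 0 are the cell-management-tool commands worth running.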

Browse to the Cloud Director’s Provider Admin Portal and navigate to:
Administration > Settings > Public Addresses

Change the Web Portal public address to match your deployment and upload the fullchain.pem file in the certificate chain wizard.

The result should look like the following figure:

VMware Cloud Director - Valid Let's Encrypt Wildcard SSL certificate

Check the SSL certificate in your web browser. You will see that the Let’s Encrypt Wildcard SSL certificate is installed.

VMware Cloud Director - Valid Let's Encrypt Wildcard SSL certificate

Notes for Multi-Cell deployments

Multi-cell VMware Cloud Director deployments use the responses.properties file located on the shared NFS storage for configuration of additional cells.

  • In the above procedure, the certificate files have been installed on the shared NFS storage.
  • The locations of the certificate and key files have been updated automatically in the responses.properties file, where future cells can read them.

The following figure shows how the responses.properties file has been updated by the Cell Management tool.

VMware Cloud Director - responses.properties

If you’re running VMware Cloud Director 10.3.x, you can use my older article about installing Let’s Encrypt Wildcard Certificates on VMware Cloud Director here.


By Marc Roeleveld

VCDX-DCV #299 | Cloud Architect | Owner at Roeleveld Cloud Services
