Host-based backup of VMware vSphere VMs.
ashleyw
Service Provider
Posts: 181
Liked: 30 times
Joined: Oct 28, 2010 10:55 pm
Full Name: Ashley Watson
Contact:

SSL thumbprint - let's encrypt - veeam API?

Post by ashleyw »

Hi,

We have recently switched to using Let's Encrypt certs for our VMware 6.5 appliance. I have the process automated thanks to some Linux bash scripting and a bit of Linux expect scripting - this works well.
The problem is that whenever the thumbprint of the vCenter server changes, the backup jobs can then not start, as the thumbprint is different to the cert assigned to the Veeam vCenter Backup Infrastructure item.
To fix this I have to go to: Veeam B&R>home>Backup Infrastructure>vcentre server>properties>next>>save

Is there a way of triggering this automatically through a REST API or similar so that I can fully automate the cert replacement process?
I guess the SSL thumbprint is also stored under Veeam monitor as well so I'd need the same functionality there as well.

cheers
Ashley

Re: SSL thumbprint - let's encrypt - veeam API?

Post by ashleyw »

Anyone out there?
Regnor
VeeaMVP
Posts: 938
Liked: 289 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max
Contact:

Re: SSL thumbprint - let's encrypt - veeam API?

Post by Regnor »

You could try Set-VBRvCenter via PowerShell. I'm not sure if it will update the SSL thumbprint, but perhaps it works the same way as via the GUI.

Re: SSL thumbprint - let's encrypt - veeam API?

Post by ashleyw »

Thanks @Regnor, finally got back to this after a long break!
The call worked:
ps> Add-PSSnapin VeeamPSSnapin
ps> $server=Get-VBRServer -Type VC -Name abc.def.com
ps> Set-VBRvCenter -Server $server

Incidentally, for anyone battling with Let's Encrypt certs in the VMware 6.7 appliance, what is missing in the standard appliance is the Let's Encrypt root X3 cert, so it can be imported using:
# curl -J -L https://www.identrust.com/node/935 > trustidrootx3_chain.p7b
# openssl pkcs7 -print_certs -inform der -in trustidrootx3_chain.p7b -out DSTRootCAX3.cer
# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/DSTRootCAX3.cer --login administrator@vsphere.local --password abcdefg
and then replace the cert (I use an expect script from a Linux machine to orchestrate this), and after replacing the machine certs with the Let's Encrypt cert, you need to run:
# /etc/init.d/vami-lighttp restart
(to refresh the cert on the appliance because of https://kb.vmware.com/s/article/2136693)

Thinking about it, the amount of time I've lost on this probably warrants some sort of updated blog post on using Let's Encrypt certs with the VMware 6.7 appliance (vCSA).
Now if only VMware would include the X3 root cert by default like every other vendor, it would be great.
And if only Veeam would accept the SSL fingerprint of a valid cert from vCenter without having to refresh their VBRvCenter information.

cheers
Ashley
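
One way to run the three commands from the post above only when the vCenter thumbprint has actually changed and the new certificate validates against the Windows trust store of the backup server. This is an added example, not code from the thread or from Veeam; the parameter names and the state-file path are assumptions, and abc.def.com is the placeholder host used in the post.

```powershell
param(
    [string]$VCenterName = 'abc.def.com',                        # placeholder host from the post
    [string]$StateFile   = "$env:ProgramData\vc-thumbprint.txt"  # hypothetical state file
)

function Get-ValidatedTlsThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # No validation callback is supplied, so the default chain and host
        # name checks apply and AuthenticateAsClient throws on an untrusted,
        # expired or mismatched certificate.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            return $cert.Thumbprint
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

try {
    $current = Get-ValidatedTlsThumbprint -HostName $VCenterName
} catch {
    # A cert that does not validate is never re-trusted automatically.
    Write-Error "Certificate for $VCenterName did not validate; Veeam entry left unchanged. $_"
    exit 1
}

$previous = if (Test-Path $StateFile) { (Get-Content $StateFile -TotalCount 1).Trim() } else { '' }
if ($current -eq $previous) {
    Write-Output "Thumbprint unchanged ($current); nothing to do."
    exit 0
}

# Same three calls as in the post above.
Add-PSSnapin VeeamPSSnapin
$server = Get-VBRServer -Type VC -Name $VCenterName
Set-VBRvCenter -Server $server

# Record the thumbprint that was just accepted, for the next run and for audit.
Set-Content -Path $StateFile -Value $current
Write-Output "Thumbprint changed: '$previous' -> '$current'; Veeam vCenter entry re-saved."
```

Running it from the renewal job right after the certificate swap keeps the re-trust step tied to a known change, and the logged old and new thumbprints give a record to review if a change shows up outside a renewal window.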

Re: SSL thumbprint - let's encrypt - veeam API?

Post by Regnor »

Thanks for the feedback; that's good to know for the future :)