Discussions specific to the VMware vSphere hypervisor
ashleyw
Service Provider
Posts: 154
Liked: 20 times
Joined: Oct 28, 2010 10:55 pm
Full Name: Ashley Watson

SSL thumbprint - let's encrypt - veeam API?

Post by ashleyw » May 22, 2018 3:45 am

Hi,

We have recently switched to use let's encrypt certs for our vmware 6.5 appliance. I have the process automated thanks to some linux bash scripting and a bit of Linux expect scripting - this works well.
The problem is that whenever the thumbprint of the vcentre server changes, the backup jobs can then not start as the thumbprint is different to the cert assigned to the Veeam vcentre Backup Infrastructure item.
To fix this I have to go to: Veeam B&R>home>Backup Infrastructure>vcentre server>properties>next>>save

Is there a way of triggering this automatically through a REST API or similar so that I can fully automate the cert replacement process?
I guess the SSL thumbprint is also stored under Veeam monitor as well so I'd need the same functionality there as well.

cheers
Ashley


Re: SSL thumbprint - let's encrypt - veeam API?

Post by ashleyw » May 25, 2018 3:38 am

anyone out there?

Regnor
Service Provider
Posts: 320
Liked: 62 times
Joined: Jan 31, 2011 11:17 am
Full Name: Max

Re: SSL thumbprint - let's encrypt - veeam API?

Post by Regnor » May 26, 2018 2:29 pm

You could try Set-VBRvCenter via PowerShell. I'm not sure if it will update the SSL thumbprint, but perhaps it works the same way as via the GUI.


Re: SSL thumbprint - let's encrypt - veeam API?

Post by ashleyw » Oct 31, 2018 3:11 am

thanks @Regnor, Finally got back to this after a long break!
the call worked;
ps> Add-PSSnapin VeeamPSSnapin
ps> $server=Get-VBRServer -Type VC -Name abc.def.com
ps> Set-VBRvCenter -Server $server

Incidentally, for anyone battling with Let's Encrypt certs in the VMware 6.7 appliance, what is missing in the standard appliance is the Let's Encrypt root X3 cert, so it can be imported using;
# curl -J -L https://www.identrust.com/node/935 > trustidrootx3_chain.p7b
# openssl pkcs7 -print_certs -inform der -in trustidrootx3_chain.p7b -out DSTRootCAX3.cer
# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/DSTRootCAX3.cer --login administrator@vsphere.local --password abcdefg
and then replace the cert (I use an expect script from a Linux machine to orchestrate this) and after replacing the machine certs with the Let's Encrypt cert, you need to run a;
# /etc/init.d/vami-lighttp restart
(to refresh the cert on the appliance because of; https://kb.vmware.com/s/article/2136693)

Thinking about it, the amount of time I've lost on this probably warrants some sort of updated blog post on using let's encrypt certs with VMware 6.7 appliance (vCSA).
Now if only VMware would include the X3 root cert by default like every other vendor it would be great.
And if only Veeam would accept the SSL fingerprint of a valid cert from vCentre without having to refresh their VBRvCenter information.

cheers
Ashley
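
An added example, not part of the original posts and not Veeam's own code: a PowerShell script for the Veeam B&R server that runs the Set-VBRvCenter refresh from the post above only when the vCenter thumbprint has changed and the new certificate validates against the local Windows trust store for that hostname. The state file path, the function name and the use of TLS 1.2 on port 443 are assumptions; the cmdlets and the server name are the ones used in the thread.

```powershell
# Added example (not from the thread). Run on the Veeam B&R server after each renewal.
param(
    [string]$VcName    = 'abc.def.com',                      # vCenter name as used in the post
    [string]$StateFile = 'C:\ProgramData\vc-thumbprint.txt'  # hypothetical state file path
)
$ErrorActionPreference = 'Stop'

# Hypothetical helper: returns the SHA-1 thumbprint of the certificate the host
# presents, but only if .NET's default validation accepts it.
function Get-ValidatedThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # No custom validation callback is supplied, so AuthenticateAsClient throws
        # unless the chain is trusted by this machine and the name matches $HostName.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
        $ssl.AuthenticateAsClient($HostName, $null, $tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    }
    finally {
        $tcp.Close()
    }
}

# A failed handshake (untrusted chain, wrong name, revoked cert) stops the script
# here, so an unexpected certificate is never re-trusted automatically.
$current  = Get-ValidatedThumbprint -HostName $VcName
$previous = if (Test-Path $StateFile) { (Get-Content $StateFile -Raw).Trim() } else { '' }

if ($current -ne $previous) {
    Add-PSSnapin VeeamPSSnapin
    $server = Get-VBRServer -Type VC -Name $VcName
    Set-VBRvCenter -Server $server          # same refresh call as reported working above
    # Record the thumbprint only after the refresh succeeded.
    Set-Content -Path $StateFile -Value $current
    Write-Output "Thumbprint changed ($previous -> $current); Veeam vCenter entry refreshed."
}
else {
    Write-Output "Thumbprint unchanged ($current); nothing to do."
}
```

Logging each old and new thumbprint pair gives an audit trail of every certificate the backup server was told to re-trust.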


Re: SSL thumbprint - let's encrypt - veeam API?

Post by Regnor » Nov 02, 2018 10:17 am

Thanks for the feedback; that's good to know for the future :)
