vCenter and Lets Encrypt

miguemely · October 12, 2017, 10:53pm

So a little bit of background.

I have a reverse proxy setup to have vCenter be public.

Of course, this is setup and dandy, but I want to use the same cert on the vCenter instance to cover the ports I’m not redirecting, and for a few things to work properly.

The domain in question is vcenter.netrouter.us.

However, I’m getting an issue. The first time, the fullchain.pem doesnt actually have the full chain, as its missing the DST cert. Once that was taken care of, in logfile #1, this was found:
17-10-12T23:04:46.002505+00:00 warning vmcad t@140292071352064: error code: 0x00011170
17-10-12T23:04:46.002828+00:00 err vmcad t@140292071352064: Failed to update root certs due to error [70000]
In logfile #2:
2017-10-12T21:01:27.731Z INFO certificate-manager Command executed successfully
2017-10-12T21:01:27.731Z INFO certificate-manager Selected operation: Replace SSL certificate with Custom CA Certificate
2017-10-12T21:01:30.827Z INFO certificate-manager Please provide valid custom certificate for Machine SSL.

Commands ran:
/usr/lib/vmware-vmca/bin/certool --rootca --cert=/root/fullchain.pem --privkey=privkey.pem

Output:
Error: 70011, VMCAAddRootCertificatePrivate() failedStatus : Failed
Error Code : 70011
Error Message : Not a CA Cert

Don’t know if this would be a LE issue or a VMWare issue. Where would I begin?

jsha · October 13, 2017, 1:34am

This is a VMWare issue. I’m not 100% familiar, but I think the command you used (certool --rootca) is intended for setting up your own CA to be able to sign certificates locally. But it sounds like you want to install a TLS certificate you got from Let’s Encrypt. That will be a different command, but I don’t know what it would be.

miguemely · October 13, 2017, 2:19am

I can try another command. The reason I was using that command because it’s
easier to automate. This other one is interactive . Let’s see what I can do!

rg305 · October 13, 2017, 3:02am

Manually adding the LE root cert would only be required if the system doesn’t already have it.
Which it already should have it - the DST Root CA X3 cert was issued in 2000.
If that is the case, it doesn’t have it, then you should probably update the root cert trust store.
The how-to on that would be a VMWare question.

jsha · October 13, 2017, 5:11am

@rg305 note that the error was about root cert and private key, which is why I think it’s about configuring your own signing root rather than importing one.

rg305 · October 13, 2017, 5:39am

@jsha

The fullchain.pem never includes the root cert.
By adding the DST root cert to that file, he is essentially trying to add the root cert to his system.

certool --publish-roots
Forces an update of root certificates. This command requires administrative privileges.

The commands he is looking for aren't part of certool - it can only create a CSR.
He needs to look into vecs-cli:
vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert fullchain.cer --key priv.key

system · November 12, 2017, 5:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.