Using ACME certificates on vCenter Server

1. Prerequisites

First you need an installed vCenter Server (which goes without saying). Second, if the FQDN (PNID) was not set correctly at installation time, an ACME certificate cannot be used directly; the only workaround is to put a reverse proxy in front of it.

2. Installing acme.sh

acme.sh is used here as the certificate issuance tool. Installation is the usual procedure: ssh into the vCenter Server host and follow the official instructions:

curl https://get.acme.sh | sh -s email=my@example.com

3. Issuing the certificate

Because the server is on an internal network, the certificate can only be issued using the DNS API method:

# Replace with your own DNS provider
export GANDI_LIVEDNS_KEY="###########################"
./acme.sh --issue -d xxxxx.com --dns dns_gandi_livedns

4. Replacing the existing certificate

vCenter Server ships with a certificate-manager tool for replacing certificates from the command line. Use it first to replace the certificate:

root@vc [ ~/.acme.sh ]# /usr/lib/vmware-vmca/bin/certificate-manager
                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 7.0 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |         NOTE: Solution user certs will be deprecated in a future    |
                |         release of vCenter. Refer to release notes for more details.|
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 1

Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
         1. Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate

         2. Import custom certificate(s) and key(s) to replace existing Machine SSL certificate

Option [1 or 2]: 2

Please provide valid custom certificate for Machine SSL.
File : /root/.acme.sh/xxxxx.com/xxxxx.com.cer

Please provide valid custom key for Machine SSL.
File : /root/.acme.sh/xxxxx.com/xxxxx.com.key

Please provide the signing certificate of the Machine SSL certificate
File : /root/.acme.sh/xxxxx.com/fullchain.cer

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Command Output: /root/.acme.sh/xxxxx.com/xxxxx.com.cer: OK

Status : 100% Completed [All tasks completed successfully]

5. Automation script

Once the certificate replacement has been confirmed to work, we can set up a script to renew it automatically. Note, however, that if the vCenter Server FQDN (PNID) was configured incorrectly at installation time (the domain name did not resolve), the vCenter Server PNID will have become the IP address, and the certificate update is bound to fail.

curl -sSL https://raw.githubusercontent.com/emryl/vcenter-letsencrypt-auto-updater/main/auto-updater.sh > ~/.acme.sh/auto-updater.sh
curl -sSL https://raw.githubusercontent.com/emryl/vcenter-letsencrypt-auto-updater/main/update.conf > ~/.acme.sh/update.conf

chmod +x ~/.acme.sh/auto-updater.sh

Then edit the account details in ~/.acme.sh/update.conf and try renewing the certificate with ~/.acme.sh/auto-updater.sh; if the update succeeds, add a cron job:

root@vc [ ~/.acme.sh ]# crontab -l
@reboot /usr/bin/python /usr/lib/applmgmt/security/scripts/hash_mode_update.py
13 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
30 5 * * sun "/root/.acme.sh/auto-updater.sh"

However, according to the comments under the original author's article, a restart command may still need to be appended to the script:

/etc/init.d/vami-lighttp restart
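The replacement in section 4 and the cron job in section 5 both fail silently when the PNID does not match the certificate, so a pre-flight check before calling certificate-manager is worth having. The script below is an added example, not the page's or emryl's code; it assumes the acme.sh paths from the page, a placeholder domain, and that vmafd-cli and openssl are present on the appliance.

```shell
#!/bin/sh
# Pre-flight checks for an acme.sh renewal hook on a vCenter Server Appliance.
# Added example, not the page's or emryl's script. Assumes the acme.sh paths from
# the page and that vmafd-cli and openssl exist on the appliance.
set -u

ACME_DIR="${ACME_DIR:-/root/.acme.sh}"
DOMAIN="${DOMAIN:-xxxxx.com}"   # placeholder from the page; set to your vCenter FQDN
CERT="$ACME_DIR/$DOMAIN/$DOMAIN.cer"

# Print the line that follows "Subject Alternative Name" in `openssl x509 -text` output.
extract_san() {
    printf '%s\n' "$1" | sed -n '/Subject Alternative Name/{n;p;}'
}

# Return 0 if the PNID is one of the DNS: SAN entries (case-insensitive), else 1.
# An IP PNID (the failure mode described in section 5) never matches, because
# Let's Encrypt issues no IP SANs, so the hook refuses to run certificate-manager.
pnid_in_san() {
    pnid=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    names=$(printf '%s\n' "$2" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | tr 'A-Z' 'a-z')
    for n in $names; do
        [ "$n" = "$pnid" ] && return 0
    done
    return 1
}

# Live checks: PNID against the certificate SAN, then whether the served cert is already new.
# Exit codes: 0 replacement needed, 1 configuration problem (do not replace), 2 nothing to do.
preflight() {
    pnid=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)
    san=$(extract_san "$(openssl x509 -in "$CERT" -noout -text)")
    if ! pnid_in_san "$pnid" "$san"; then
        echo "PNID '$pnid' is not in the new certificate's SAN ($san); fix PNID/DNS first" >&2
        return 1
    fi
    new=$(openssl x509 -in "$CERT" -noout -fingerprint -sha256)
    live=$(openssl s_client -connect "$pnid:443" -servername "$pnid" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
    if [ "$new" = "$live" ]; then
        echo "deployed certificate already matches $CERT; nothing to do"
        return 2
    fi
    echo "replacement needed for $pnid: $new"
}

# Only touch the appliance when invoked explicitly, e.g. from the renewal cron job.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it as `auto-updater-preflight.sh --check` from the cron job and only call certificate-manager when it exits 0; exit 1 is exactly the broken-PNID case the page warns about.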

6. References

Using ACME certificates on vCenter Server
https://mritd.com/2022/12/30/vcenter-server-uses-acme-cert/
Author
bleem
Published on
December 30, 2022
License