Renew Nutanix Guest Tools Certificate(s) Manual and/or Automatic

When installing the Nutanix Guest Tools (NGT) in your virtual machines, you are doing this for one of the following reasons:

When one (or more) of them applies, you will install NGT. But installing the tools brings some extra support and maintenance work. For example, you need to upgrade the tools when a newer version is released, and once in 1000 days you need to renew the client certificate. In this blog post I will show you how to renew the client certificates manually or automatically.

It can happen that something like this shows up:

They are all info mails (and when you ignore them they will become critical mails), but I can imagine you will lightly panic when seeing this 😉 This is the info shown in the email:

Before we can fix this you need to meet the following requirements per virtual machine:

  • The VM must be running;
  • There must be a CD-ROM drive present on the virtual machine.

Now let's fix this.

Manual method 1:

The manual process is easy: open an SSH session to one of the CVMs, grab the UUID (of the virtual machine) from the email and run:

This will renew the certificate and you are good to go for another 1000 days. But you can understand this is very time consuming, so let's make this easier.

Manual method 2:

Import this Playbook in Prism Central:

{"pcVersion":"2024.3","pcUuid":"1a8b3e98-23f2-4394-bdc1-15ce8d09ef45","hashValue":"NUMq3KNkkqxA5bx7gZwwTDn83N3Ykd5Z7FUFnXZjXII=","actionRuleList":[{"uuid":"ef60d5e2-2b33-45c1-7d8b-ba4e2c63bfad","name":"Refresh NGT Certificate","isEnabled":true,"validated":true,"triggerList":[{"uuid":"7f3039b2-3f77-4c4c-b913-47d349ba2fe4","triggerType":{"type":"trigger_type","uuid":"","name":"manual_trigger"},"displayName":"Manual","inputParameterList":[{"name":"entity_type","value":"vm"}]}],"actionList":[{"uuid":"ef9a50f2-f5f5-48f2-97c7-9b5b4503aa0d","actionType":{"type":"action_type","uuid":"","name":"rest_api_action"},"displayName":"REST API","inputParameterList":[{"name":"credential_type","value":"nutanix"},{"name":"url","value":"https://localhost:9440/api/nutanix/v3/vms/{{trigger[0].source_entity_info.uuid}}"},{"name":"use_credential_store","value":"true"},{"name":"method","value":"GET"}],"maxRetries":2,"description":"GET VM Information","childActionUuids":["f9620e2e-db5f-4e65-87c4-16c77d293d5b"]},{"uuid":"f9620e2e-db5f-4e65-87c4-16c77d293d5b","actionType":{"type":"action_type","uuid":"","name":"parse_action"},"displayName":"String Parser","inputParameterList":[{"name":"json_path","value":"$.status.cluster_reference.uuid"},{"name":"format","value":"json"},{"name":"string_to_parse","value":"{{action[0].response_body}}"}],"maxRetries":2,"description":"Get Cluster UUID where VM is located","childActionUuids":["307a95f9-cb20-4f4e-b9c0-c7523b550648"]},{"uuid":"307a95f9-cb20-4f4e-b9c0-c7523b550648","actionType":{"type":"action_type","uuid":"","name":"rest_api_action"},"displayName":"REST API","inputParameterList":[{"name":"credential_type","value":"nutanix"},{"name":"url","value":"https://localhost:9440/api/nutanix/v3/clusters/{{action[1].parsed_data}}"},{"name":"use_credential_store","value":"true"},{"name":"method","value":"GET"}],"maxRetries":2,"description":"Get Cluster Info","childActionUuids":["17acb973-45a5-4b16-91ca-b6cd9069979c"]},{"uuid":"17acb973-45a5-4b16-91ca-b6cd9069979c","actionType":{"type":"action_type","uuid":"","name":"parse_action"},"displayName":"String Parser","inputParameterList":[{"name":"json_path","value":"$.status.resources.network.external_ip"},{"name":"format","value":"json"},{"name":"string_to_parse","value":"{{action[2].response_body}}"}],"maxRetries":2,"description":"Get Cluster VIP","childActionUuids":["d90116b9-294c-4cad-a406-0d1069984b3c"]},{"uuid":"d90116b9-294c-4cad-a406-0d1069984b3c","actionType":{"type":"action_type","uuid":"","name":"ssh_using_ipaddr"},"displayName":"IP Address SSH","inputParameterList":[{"name":"ip_addr","value":"{{action[3].parsed_data}}"},{"name":"auth_mechanism","value":"password"},{"name":"username","value":"admin"},{"name":"ssh_command","value":"nutanix_guest_tools_cli refresh_vm_tools_entity vm_uuids={{trigger[0].source_entity_info.uuid}}"},{"name":"password","value":""},{"name":"allow_on_cvm","value":"true"}],"maxRetries":2,"description":"Refresh NGT Certificate"}],"isPrepackaged":false,"checkTriggerValidity":true,"description":"This manual playbook will refresh the VM his Nutanix Guest Tools (NGT) certificate.","triggerFilterableInputParamName":"entity_type","triggerFilterableInputParamValue":"vm","ruleType":"kXPlay"}]}
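
Before importing a playbook export that comes from outside your own environment, it helps to see exactly what it will run and with which credentials. The Python below is an added example, not part of the original post or of any Nutanix tooling: it walks an export's action chain in execution order and flags the REST and SSH settings worth checking. The function name `review_playbook` and the trimmed `SAMPLE` (two of the five actions, with shortened UUIDs) are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed export with the same field layout as the
# playbook above (two of its five actions, UUIDs shortened to "a1"/"a2").
SAMPLE = json.dumps({"actionRuleList": [{
    "name": "Refresh NGT Certificate",
    "actionList": [
        {"uuid": "a2", "actionType": {"name": "ssh_using_ipaddr"},
         "inputParameterList": [
             {"name": "ip_addr", "value": "{{action[3].parsed_data}}"},
             {"name": "auth_mechanism", "value": "password"},
             {"name": "username", "value": "admin"},
             {"name": "ssh_command", "value": "nutanix_guest_tools_cli refresh_vm_tools_entity vm_uuids={{trigger[0].source_entity_info.uuid}}"},
             {"name": "password", "value": ""},
             {"name": "allow_on_cvm", "value": "true"}]},
        {"uuid": "a1", "actionType": {"name": "rest_api_action"},
         "inputParameterList": [
             {"name": "url", "value": "https://localhost:9440/api/nutanix/v3/vms/{{trigger[0].source_entity_info.uuid}}"},
             {"name": "method", "value": "GET"}],
         "childActionUuids": ["a2"]}]}]})


def review_playbook(export_text):
    """Return (action summaries in execution order, findings) for an export."""
    steps, findings = [], []
    for rule in json.loads(export_text)["actionRuleList"]:
        actions = {a["uuid"]: a for a in rule["actionList"]}
        children = {c for a in actions.values() for c in a.get("childActionUuids", [])}
        # The first action is the one that no other action lists as its child.
        queue = [u for u in actions if u not in children]
        while queue:
            act = actions[queue.pop(0)]
            p = {i["name"]: i["value"] for i in act["inputParameterList"]}
            kind = act["actionType"]["name"]
            if kind == "rest_api_action":
                steps.append(f"{p['method']} {p['url']}")
                if urlparse(p["url"]).hostname != "localhost":
                    findings.append("REST call to non-localhost host: " + p["url"])
            elif kind == "ssh_using_ipaddr":
                steps.append(f"ssh {p['username']}@{p['ip_addr']}: {p['ssh_command']}")
                if p.get("auth_mechanism") == "password":
                    findings.append("SSH uses password auth as " + p["username"])
                if p.get("password"):
                    findings.append("export embeds an SSH password")
                if p.get("allow_on_cvm") == "true":
                    findings.append("allow_on_cvm is true")
            else:
                steps.append(kind)
            queue.extend(act.get("childActionUuids", []))
    return steps, findings
```

Run it against the saved export with `review_playbook(open(path).read())`; an empty `password` value, as in the export above, means the credential is entered after import rather than shipped in the file.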

After importing, update it with the correct name and password. The playbook is created in PC version 2024.3, so if importing is not working you need to create it yourself based on the following screenshots:

When the Playbook is correctly configured you can run it against virtual machines: right-click on a VM and choose Intelligent Operation –> Run Playbook –> Select the correct Playbook –> Run.

The certificate will be renewed.

You can monitor the renewal process in the tasks dashboard.

Automatic Method:

The above steps will work in small environments, but what about large environments? Clone the above Playbook and change the manual trigger to the following:

Now when the certificate expires, an info alert will be generated and the playbook will start and renew the certificate automatically. Yes, you can play with the severity on the playbook, but I want it to run every time the alert is generated.

And there you go, another manual task automated 😉
