Here’s a PowerShell script to generate a Let’s Encrypt certificate and upload that certificate to your Nutanix cluster(s) and/or Prism Central.
I want my clusters to be available via:
- cluster-a.tielenconsultancy.nl
- cluster-b.tielenconsultancy.nl
- cluster-c.tielenconsultancy.nl
- tielanix.tielenconsultancy.nl (This is Prism Central)
The tielenconsultancy.nl domain is available on the internet and internally. The clusters aren’t reachable from the internet, of course 😉
So this will only work if you have a public domain where you can add a CNAME record pointing to the validation name that Let’s Encrypt (via acme-dns) will provide. On the internal DNS server you create the A records pointing to the clusters’ virtual IPs.
Read the comments in the script; they explain everything. (Renewing will be added later, when my certificates expire :P)
NOTE 1: Only for the Community Edition 😉 Don’t use it on your production clusters.
NOTE 2: I’m using a wildcard certificate. This is no longer recommended ;).
```powershell
<#
This script will generate a Let's Encrypt certificate and will bind it to your
Nutanix clusters and, if needed, to Prism Central.
THIS WILL ONLY WORK ON POWERSHELL 7.

Version    : 1.0
Date       : 5 May 2023
Created by : Jeroen Tielen - Tielen Consultancy B.V.
Email      : jeroen@tielenconsultancy.nl
History    : 1.0 : 5 May 2023 - Initial setup script.
#>

# Stop the script if PowerShell 7 isn't used.
If ($PSVersionTable.PSVersion.Major -lt 7) {
    Write-Host "PowerShell version 7 or higher is required."
    Exit
}

# Install Posh-ACME if not installed yet.
If (Get-Module -ListAvailable -Name Posh-ACME) {
    Write-Host "Module exists, skipping module installation."
} Else {
    Write-Host "Module does not exist, installing."
    Install-Module -Name Posh-ACME -AcceptLicense
}

# This command will generate a new wildcard certificate. If this is the first time you run it,
# it will show you a CNAME record which is needed on your public DNS server.
# Change it to your own DNS name.
# The check, after creating the CNAME, can take up to two (2) minutes. Please be patient.
New-PACertificate *.tielenconsultancy.nl -AcceptTOS -Contact jeroen@tielenconsultancy.nl -CertKeyLength 4096 -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Install
New-PACertificate *.tyl.nl -AcceptTOS -Contact jeroen@tielenconsultancy.nl -CertKeyLength 4096 -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Install

# List the certificates and fill the variable with the one for the clusters.
# Get-PACertificate without arguments returns the *current* order (the last one created above),
# so select the domain explicitly.
Get-PACertificate -List | Format-List
$Certificatefiles = Get-PACertificate -MainDomain '*.tielenconsultancy.nl'

# Ask for your Nutanix credentials and construct the authorization header.
$Credentials = Get-Credential -Message "Enter your Nutanix credentials" -UserName "admin"
$UserName = $Credentials.UserName
$Password = $Credentials.GetNetworkCredential().Password
$AuthHeader = @{
    Authorization = "Basic " + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($UserName + ":" + $Password))
}

# Generate the payload to upload via the API to the cluster.
# keyType has to match the 4096-bit key requested above.
$Form = @{
    keyType = "RSA_4096"
    key     = Get-Item -Path $Certificatefiles.KeyFile
    cert    = Get-Item -Path $Certificatefiles.CertFile
    caChain = Get-Item -Path $Certificatefiles.ChainFile
}

# Assign the certificate to the clusters. Change the IP addresses to your cluster(s) virtual IPs,
# remove the last 2 lines if you only have 1 cluster ;)
Invoke-RestMethod -Method Post -Uri "https://192.168.2.72:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
Invoke-RestMethod -Method Post -Uri "https://192.168.2.74:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
Invoke-RestMethod -Method Post -Uri "https://192.168.2.76:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck

# Assign the certificate to Prism Central. Change the IP address to your Prism Central virtual IP.
Invoke-RestMethod -Method Post -Uri "https://192.168.2.70:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
```
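Two things the script above does not yet cover are a check that each Prism endpoint really serves the uploaded certificate, and the renewal run the post says will come later. The following is an added example (mine, not the post author's script) that does both with Posh-ACME's Submit-Renewal and the same /keys/pem/import call; `$MainDomain`, `$Endpoints` and the function names are assumptions to replace with your own.

```powershell
#Requires -Version 7
# Added example, not part of the original script: verify the served certificate and
# renew/re-upload with Posh-ACME. $MainDomain and $Endpoints are assumed values.

$MainDomain = '*.tielenconsultancy.nl'
$Endpoints  = @('192.168.2.72', '192.168.2.74', '192.168.2.76', '192.168.2.70')  # clusters + Prism Central

function Get-ServedCertificate {
    # Open a TLS session to $HostName:$Port and return the leaf certificate the server presents.
    # Chain validation is deliberately disabled in the callback: we want to see what is served,
    # even if it is still the self-signed default. Nothing else is sent over the connection.
    param([string]$HostName, [int]$Port = 9440)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($sender, $cert, $chain, $errors) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $client.Dispose()
    }
}

function Test-PrismCertificate {
    # Compare the served certificate's thumbprint against the one Posh-ACME has on disk.
    # PowerShell's -eq is case-insensitive, so thumbprint casing does not matter.
    param([string]$HostName, [string]$ExpectedThumbprint)
    $served = Get-ServedCertificate -HostName $HostName
    [pscustomobject]@{
        Host       = $HostName
        Subject    = $served.Subject
        NotAfter   = $served.NotAfter
        Thumbprint = $served.Thumbprint
        Matches    = ($served.Thumbprint -eq $ExpectedThumbprint)
    }
}

function Publish-PrismCertificate {
    # Upload a Posh-ACME certificate object to one Prism endpoint (same API call as the script above).
    param($Certificate, [string]$HostName, [hashtable]$AuthHeader)
    $form = @{
        keyType = "RSA_4096"   # must match the key length of the Posh-ACME order
        key     = Get-Item -Path $Certificate.KeyFile
        cert    = Get-Item -Path $Certificate.CertFile
        caChain = Get-Item -Path $Certificate.ChainFile
    }
    Invoke-RestMethod -Method Post -Uri "https://${HostName}:9440/PrismGateway/services/rest/v1/keys/pem/import" `
        -Form $form -Headers $AuthHeader -SkipCertificateCheck
}

# --- Renewal: Submit-Renewal only outputs a certificate object when the order is actually due
#     (it just warns otherwise), so the upload runs only when there is something new to install.
$renewed = Submit-Renewal -MainDomain $MainDomain
if ($renewed) {
    $cred = Get-Credential -Message "Enter your Nutanix credentials" -UserName "admin"
    $pair = "{0}:{1}" -f $cred.UserName, $cred.GetNetworkCredential().Password
    $auth = @{ Authorization = "Basic " + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($pair)) }
    foreach ($ip in $Endpoints) {
        Publish-PrismCertificate -Certificate $renewed -HostName $ip -AuthHeader $auth
    }
}

# --- Verification: every endpoint should present the thumbprint Posh-ACME has on disk.
$expected = (Get-PACertificate -MainDomain $MainDomain).Thumbprint
$results  = foreach ($ip in $Endpoints) { Test-PrismCertificate -HostName $ip -ExpectedThumbprint $expected }
$results | Format-Table -AutoSize
if ($results.Matches -contains $false) {
    Write-Warning "At least one endpoint still serves a different certificate. Prism restarts its web service after an import, so retry after a minute before investigating."
}
```

Run it from the same account and machine as the original script, because Posh-ACME keeps its orders in the user profile and Submit-Renewal needs that state. Scheduling this block (for example weekly) gives you the renewal the post postpones: nothing happens until the order is due, and the thumbprint table at the end is the evidence that the cluster really switched over, which is the check to watch for when the 90-day Let's Encrypt lifetime runs out.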