Replace Nutanix SSL certificate with Let’s Encrypt certificate

Here’s a PowerShell script that generates a Let’s Encrypt certificate and uploads that certificate to your Nutanix cluster(s) and/or Prism Central.

I want my clusters to be available via:

  • cluster-a.tielenconsultancy.nl
  • cluster-b.tielenconsultancy.nl
  • cluster-c.tielenconsultancy.nl
  • tielanix.tielenconsultancy.nl (This is Prism Central)

The tielenconsultancy.nl domain is available on the internet and internally. The clusters aren’t reachable from the internet, of course 😉

So this will only work if you have a public domain where you can add a CNAME record pointing to the validation name Let’s Encrypt will provide. On the internal DNS server you create the A records pointing to the clusters’ virtual IPs.

Read the comments in the script; they explain everything. (Renewing will be added later when my certificates expire :P)

NOTE 1: Only for the Community Edition 😉 Don’t use it on your production clusters.

NOTE 2: I’m using a wildcard certificate. This is not recommended anymore ;).

<#
    This script will generate a Let's Encrypt certificate and will bind it to your Nutanix clusters and, if needed, to Prism Central.
     
    THIS WILL ONLY WORK ON POWERSHELL 7.
 
    Version    : 1.0
    Date       : 5 May 2023
    Created by : Jeroen Tielen - Tielen Consultancy B.V.
    Email      : jeroen@tielenconsultancy.nl
 
    History :
         1.0   : 5 May 2023 - Initial setup script.
#>
 
# Stop the script if PowerShell 7 isn't used (Invoke-RestMethod -Form and -SkipCertificateCheck need it).
If ($PSVersionTable.PSVersion.Major -lt 7) {
    Write-Host "PowerShell version 7 or higher is required."
    Exit 1
}
 
# Install posh-acme if not installed yet.
If (Get-Module -ListAvailable -Name Posh-ACME) {
    Write-Host "Module exists, skipping module installation."
}
Else {
    Write-Host "Module does not exist, installing."
    Install-Module -name posh-acme -AcceptLicense
}
 
# This command generates a new wildcard certificate. If this is the first time you run it, it shows you a CNAME record which is needed on your public DNS server.
# Change it to your own DNS name. The second line requests a certificate for a second domain; remove it if you only have one.
# The check, after creating the CNAME, can take up to two (2) minutes. Please be patient.
New-PACertificate '*.tielenconsultancy.nl' -AcceptTOS -Contact jeroen@tielenconsultancy.nl -CertKeyLength 4096 -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Install
New-PACertificate '*.tyl.nl' -AcceptTOS -Contact jeroen@tielenconsultancy.nl -CertKeyLength 4096 -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Install


# List all certificates and fill the variable with the one for the clusters.
# Get-PACertificate without -MainDomain only returns the current (last created) order, which would be the wrong one after two requests, so select the domain explicitly.
Get-PACertificate -List | Format-List
$Certificatefiles = Get-PACertificate -MainDomain '*.tielenconsultancy.nl'
 
# Ask for your Nutanix credentials and construct the authorization header.
$Credentials = Get-Credential -Message "Enter your Nutanix credentials" -UserName "admin"
$UserName = $Credentials.UserName
$Password = $Credentials.GetNetworkCredential().Password
$AuthHeader = @{
    Authorization = "Basic " + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($UserName + ":" + $Password))
}
 
# Generate the payload to upload via the API to the cluster.
# keyType must match the key you generated: RSA_4096 for -CertKeyLength 4096 (RSA_2048 if you requested a 2048-bit key).
$Form = @{
    keyType = "RSA_4096"
    key     = Get-Item -Path $Certificatefiles.KeyFile
    cert    = Get-Item -Path $Certificatefiles.CertFile
    caChain = Get-Item -Path $Certificatefiles.ChainFile
}
 
# Assign the certificate to the clusters. Change the IP addresses to your cluster VIPs; with only 1 cluster, keep a single entry ;)
$ClusterVips = @('192.168.2.72', '192.168.2.74', '192.168.2.76')

# Assign the certificate to Prism Central as well. Change the IP address to your Prism Central virtual IP.
$PrismCentralVip = '192.168.2.70'

# -SkipCertificateCheck is needed here because each target still presents its self-signed certificate until the import succeeds.
ForEach ($Vip in ($ClusterVips + $PrismCentralVip)) {
    Invoke-RestMethod -Method Post -Uri "https://$($Vip):9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
}
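After the import has run, the check I would add is to confirm that each cluster and Prism Central really serves the certificate that was uploaded, and how long it is still valid. The block below is an added example and is not part of the original script: it opens a TLS session to each host on 9440, reads the presented leaf certificate and compares its thumbprint with the cert.cer file Posh-ACME wrote. The function names Get-ServedCertificate and Test-NutanixCertificate are my own; the host names in the usage call are the ones from the post.

```powershell
# Added example (not from the original post): verify that a Nutanix cluster or Prism Central
# really serves the Let's Encrypt certificate you imported. Function names are assumptions.

function Get-ServedCertificate {
    # Open a TLS session to $HostName:$Port and return the leaf certificate the server presents.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 9440
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any certificate on purpose: we only want to read what is served,
        # the real validation (thumbprint and expiry) is done explicitly in Test-NutanixCertificate.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI, so the name-based virtual host is selected
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Dispose()
    }
}

function Test-NutanixCertificate {
    # Compare the served certificate of each host with the PEM file Posh-ACME wrote (cert.cer)
    # and report the days left until expiry.
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [Parameter(Mandatory)] [string]   $CertFile,
        [int] $Port = 9440,
        [int] $WarnDays = 30
    )
    # Parse the first PEM block ourselves (Base64 of the DER bytes) so this behaves the same on Windows and Linux.
    $pem = Get-Content -Path $CertFile -Raw
    if ($pem -match '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----') {
        $der = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    }
    else {
        throw "No PEM certificate found in $CertFile"
    }
    $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

    foreach ($h in $HostName) {
        try {
            $served = Get-ServedCertificate -HostName $h -Port $Port
        }
        catch {
            [PSCustomObject]@{ Host = $h; Subject = $null; NotAfter = $null; DaysLeft = $null; MatchesUploaded = $false; Status = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }
        $daysLeft = [int][Math]::Floor(($served.NotAfter - (Get-Date)).TotalDays)
        $match    = $served.Thumbprint -eq $expected.Thumbprint
        $status   = if (-not $match)                 { 'MISMATCH: host still serves a different certificate' }
                    elseif ($daysLeft -le $WarnDays) { "EXPIRES SOON: $daysLeft days left, renew and re-import" }
                    else                             { 'OK' }
        [PSCustomObject]@{
            Host            = $h
            Subject         = $served.Subject
            NotAfter        = $served.NotAfter
            DaysLeft        = $daysLeft
            MatchesUploaded = $match
            Status          = $status
        }
    }
}

# Usage: the host names are the ones from the post, the -MainDomain value is the domain you requested.
$Certificatefiles = Get-PACertificate -MainDomain '*.tielenconsultancy.nl'
Test-NutanixCertificate -HostName 'cluster-a.tielenconsultancy.nl', 'cluster-b.tielenconsultancy.nl', 'cluster-c.tielenconsultancy.nl', 'tielanix.tielenconsultancy.nl' -CertFile $Certificatefiles.CertFile | Format-Table -AutoSize
```

A MISMATCH row means the import did not take effect on that host (or a load balancer in front of it still holds the old certificate), which is exactly the case -SkipCertificateCheck would otherwise hide. Let’s Encrypt certificates are valid for 90 days, so running this after every renewal catches the common failure mode where Posh-ACME renewed the files on disk but nobody re-imported them into Prism.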