Here’s a PowerShell script to generate a Let’s Encrypt certificate and upload that certificate to your Nutanix cluster(s) and/or Prism Central.
I want my clusters to be available via:
- cluster-a.tielenconsultancy.nl
- cluster-b.tielenconsultancy.nl
- cluster-c.tielenconsultancy.nl
- tielanix.tielenconsultancy.nl (This is Prism Central)
The tielenconsultancy.nl domain is available on the internet and internally. The clusters aren’t available via the internet, of course.
So this will only work if you have a public domain where you can add a CNAME record pointing to the validation name the script will show you. On the internal DNS server you can create the A records pointing to the clusters’ virtual IPs.
Read the comments in the script, they will explain everything. (Renewing will be added later when my certificates expire :P)
NOTE : I’m using a wildcard certificate. This is not recommended anymore ;).
```powershell
<#
This script will generate a Let's Encrypt certificate and will bind it to your Nutanix clusters and, if needed, to Prism Central.
If the script is restarted a renewal will be done.
THIS WILL ONLY WORK ON POWERSHELL 7.
Version : 1.1
Date : 22 April 2024
Created by : Jeroen Tielen - Tielen Consultancy B.V.
Email : jeroen@tielenconsultancy.nl
History :
1.0 : 5 May 2023 - Initial setup script.
1.1 : 22 April 2024 - Typos fixed. Renewal info added.
#>

# Stop the script if PowerShell 7 isn't used.
If ($PSVersionTable.PSVersion.Major -lt 7) {
    Write-Host "PowerShell version 7 or higher is required."
    Exit
}

# Install Posh-ACME if it isn't installed yet.
If (Get-Module -ListAvailable -Name Posh-ACME) {
    Write-Host "Module exists, skipping module installation."
} Else {
    Write-Host "Module does not exist, installing."
    Install-Module -Name Posh-ACME -AcceptLicense
}

# This command will generate a new wildcard certificate. If this is the first time you run it, it will show you a CNAME record which is needed on your public DNS server.
# Change this to your own DNS name.
# The check, after creating the CNAME, can take up to two (2) minutes. Please be patient.
New-PACertificate *.tielenconsultancy.nl -AcceptTOS -Contact jeroen@tielenconsultancy.nl -CertKeyLength 2048 -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Install

# Let's list the required certificate and fill the variable with it.
Get-PACertificate | Format-List
$Certificatefiles = Get-PACertificate

# Ask for your Nutanix credentials and construct the authorization header.
$Credentials = Get-Credential -Message "Enter your Nutanix credentials" -UserName "admin"
$UserName = $Credentials.UserName
$Password = $Credentials.GetNetworkCredential().Password
$AuthHeader = @{
    Authorization = "Basic " + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($UserName + ":" + $Password))
}

# Generate the multipart form payload to upload via the API to the cluster.
$Form = @{
    keyType = "RSA_2048"
    key     = Get-Item -Path $Certificatefiles.KeyFile
    cert    = Get-Item -Path $Certificatefiles.CertFile
    caChain = Get-Item -Path $Certificatefiles.ChainFile
}

# Assign the certificate to the clusters. Change the IP addresses to your cluster(s) virtual IPs; remove the last 2 lines if you only have 1 cluster ;)
# -SkipCertificateCheck is needed here because the cluster still presents its self-signed certificate until the import has succeeded.
Invoke-RestMethod -Method Post -Uri "https://192.168.2.72:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
Invoke-RestMethod -Method Post -Uri "https://192.168.2.74:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
Invoke-RestMethod -Method Post -Uri "https://192.168.2.76:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck

# Assign the certificate to Prism Central. Change the IP address to your Prism Central virtual IP.
Invoke-RestMethod -Method Post -Uri "https://192.168.2.70:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
```
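Because the imports above run with -SkipCertificateCheck, nothing in the script confirms that each Prism endpoint really serves the new certificate afterwards. The following is an added check, not part of the original script: it assumes the $Certificatefiles object from Get-PACertificate (its Thumbprint property) and the same IP addresses as above, and it retries because Prism restarts its web service for a moment after an import.

```powershell
# Added example (not part of the original script): open a TLS session to a Prism
# endpoint and compare the served certificate's thumbprint with the one we imported.
function Test-PrismCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [int]$Port = 9440,
        [int]$Retries = 12,
        [int]$DelaySeconds = 10
    )
    $expected = $ExpectedThumbprint.Replace(':', '').ToUpperInvariant()
    for ($i = 1; $i -le $Retries; $i++) {
        $client = $null
        try {
            $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
            # Accept whatever chain is served; the thumbprint comparison below is the real check.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($HostName)
            $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $match = ($served.Thumbprint -eq $expected)
            if ($match -or $i -eq $Retries) {
                return [pscustomobject]@{
                    Host       = $HostName
                    Subject    = $served.Subject
                    NotAfter   = $served.NotAfter
                    Thumbprint = $served.Thumbprint
                    Match      = $match
                }
            }
        } catch {
            # The web service is briefly unavailable while Prism applies the new certificate.
            if ($i -eq $Retries) { throw }
        } finally {
            if ($client) { $client.Dispose() }
        }
        Start-Sleep -Seconds $DelaySeconds
    }
}

# Check every endpoint the script imported into (same IPs as above; adjust to yours).
$Endpoints = '192.168.2.72', '192.168.2.74', '192.168.2.76', '192.168.2.70'
$Results = foreach ($ip in $Endpoints) {
    Test-PrismCertificate -HostName $ip -ExpectedThumbprint $Certificatefiles.Thumbprint
}
$Results | Format-Table Host, Match, NotAfter, Subject
if ($Results.Match -contains $false) {
    Write-Warning "At least one endpoint still serves a different certificate."
}
```

Once every endpoint reports Match = True you can also drop -SkipCertificateCheck from later runs against the DNS names, since the Let's Encrypt chain will then validate normally.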