Replace Nutanix SSL certificate with Let’s Encrypt certificate

Here’s a PowerShell script that generates a Let’s Encrypt certificate and uploads it to your Nutanix cluster(s) and/or Prism Central.

I want my clusters to be available via:

  • cluster-a.tielenconsultancy.nl
  • cluster-b.tielenconsultancy.nl
  • cluster-c.tielenconsultancy.nl
  • tielanix.tielenconsultancy.nl (This is Prism Central)

The tielenconsultancy.nl domain is available on the internet and internally. The clusters aren’t reachable from the internet, of course 😉

So this will only work if you have a public domain where you can add a CNAME record pointing to the validation name Let’s Encrypt will provide. On the internal DNS server you make the A records point to the clusters’ virtual IPs.

Read the comments in the script; they explain everything. (Renewing will be added later when my certificates expire :P)

NOTE : I’m using a wildcard certificate. This is not recommended anymore ;).

<#
    This script will generate a Let's Encrypt certificate and will bind it to your Nutanix clusters and, if needed, to Prism Central.
    If the script is restarted a renewal will be done. 
     
    THIS WILL ONLY WORK ON POWERSHELL 7.
 
    Version    : 1.1
    Date       : 22 April 2024
    Created by : Jeroen Tielen - Tielen Consultancy B.V.
    Email      : jeroen@tielenconsultancy.nl
 
    History :
         1.0   : 5 May 2023 - Initial setup script.
         1.1   : 22 April 2024 - Typos fixed. Renewal info added.
#>
 
# Stop script if PowerShell 7 isn't used.
If ($PSVersionTable.PSVersion.Major -lt 7) {
    Write-Host "PowerShell version 7 or higher is required."
    Exit
}
 
# Install posh-acme if not installed yet.
If (Get-Module -ListAvailable -Name Posh-ACME) {
    Write-Host "Module exists, skipping module installation."
} Else {
    Write-Host "Module does not exist, installing."
    Install-Module -name posh-acme -AcceptLicense
}
 
# This command will generate a new wildcard certificate. If this is the first time you run it, it will show you a CNAME record which is needed on your public DNS server.
# Change this to your own DNS name.
# The validation check, after you have created the CNAME record, can take up to two (2) minutes. Please be patient.
New-PACertificate '*.tielenconsultancy.nl' -AcceptTOS -Contact jeroen@tielenconsultancy.nl -CertKeyLength 2048 -DnsPlugin AcmeDns -PluginArgs @{ACMEServer='auth.acme-dns.io'} -Install

# Let's list the required certificate and fill the variable with it.
Get-PACertificate | Format-List
$Certificatefiles = Get-PACertificate
 
# Ask for your Nutanix credentials and construct the authorization header.
$Credentials = Get-Credential -Message "Enter your Nutanix credentials" -UserName "admin"
$UserName    = $Credentials.UserName
$Password    = $Credentials.GetNetworkCredential().Password
$AuthHeader  = @{
    Authorization = "Basic " + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($UserName + ":" + $Password))
}
 
# Generate the payload to upload via API to the cluster.
$Form = @{
    keyType = "RSA_2048"
    key     = Get-Item -Path $Certificatefiles.KeyFile
    cert    = Get-Item -Path $Certificatefiles.CertFile
    caChain = Get-Item -Path $Certificatefiles.ChainFile
}
 
# Assign the certificate to the clusters. Change the IP addresses to your cluster(s)' virtual IPs; remove the last 2 lines if you only have 1 cluster ;)
# -SkipCertificateCheck is needed because the cluster still presents its self-signed certificate at this point. It also disables
# verification of the server you are talking to, so run this from a trusted management network only.
Invoke-RestMethod -Method Post -Uri "https://192.168.2.72:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
Invoke-RestMethod -Method Post -Uri "https://192.168.2.74:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
Invoke-RestMethod -Method Post -Uri "https://192.168.2.76:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
 
# Assign the certificate to Prism Central. Change the IP address to your Prism Central virtual IP.
Invoke-RestMethod -Method Post -Uri "https://192.168.2.70:9440/PrismGateway/services/rest/v1/keys/pem/import" -Form $Form -Headers $AuthHeader -SkipCertificateCheck
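As an added example (this is not the post’s script and not Nutanix or Posh-ACME code), here is the same upload written as a function that loops over the targets and then checks what each node actually presents on port 9440. The point is that the upload has to run with -SkipCertificateCheck, so an explicit thumbprint comparison afterwards is the check that tells you the right certificate landed on the right host. It assumes PowerShell 7, an existing Posh-ACME order, the Thumbprint property that Get-PACertificate exposes, and the v1 import endpoint the post uses; the 60 second retry window for the Prism gateway restart and the target list are my own values.

```powershell
# Added example, not the post's script. Assumes PowerShell 7 and an existing Posh-ACME order.

function Get-PresentedCertificate {
    # Open a TLS session to the host and return the leaf certificate it presents.
    # The validation callback accepts anything because the caller inspects the result itself.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 9440
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)   # $HostName is also sent as SNI
            return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

function Publish-NutanixCertificate {
    # Push one Posh-ACME certificate to every target and report whether the target
    # presents the expected thumbprint afterwards.
    param(
        [Parameter(Mandatory)][string[]]$Target,         # cluster VIPs / Prism Central VIP, as DNS names or IPs
        [Parameter(Mandatory)]$PACert,                   # object returned by Get-PACertificate
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$RetrySeconds = 60                          # assumed: Prism restarts its gateway after an import
    )
    $pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }
    $form    = @{
        keyType = 'RSA_2048'
        key     = Get-Item -Path $PACert.KeyFile
        cert    = Get-Item -Path $PACert.CertFile
        caChain = Get-Item -Path $PACert.ChainFile
    }

    foreach ($t in $Target) {
        $uri = "https://$($t):9440/PrismGateway/services/rest/v1/keys/pem/import"
        $uploaded = $true
        try {
            # -SkipCertificateCheck is unavoidable before the first upload (self-signed cert);
            # the thumbprint comparison below is the compensating check.
            Invoke-RestMethod -Method Post -Uri $uri -Form $form -Headers $headers -SkipCertificateCheck | Out-Null
        } catch {
            Write-Warning "Upload to $t failed: $($_.Exception.Message)"
            $uploaded = $false
        }

        # Poll until the host presents the new thumbprint or the window runs out.
        $presented = $null
        $deadline  = (Get-Date).AddSeconds($RetrySeconds)
        do {
            try   { $presented = Get-PresentedCertificate -HostName $t }
            catch { $presented = $null }   # gateway restarting: connection refused
            if ($presented -and $presented.Thumbprint -eq $PACert.Thumbprint) { break }
            Start-Sleep -Seconds 5
        } while ($uploaded -and (Get-Date) -lt $deadline)

        [pscustomobject]@{
            Target    = $t
            Uploaded  = $uploaded
            Presented = $(if ($presented) { $presented.Thumbprint })
            Expected  = $PACert.Thumbprint
            Matches   = [bool]($presented -and $presented.Thumbprint -eq $PACert.Thumbprint)
            NotAfter  = $(if ($presented) { $presented.NotAfter })
        }
    }
}

# Usage with the post's four names (constructed list; credentials are prompted).
$targets = 'cluster-a.tielenconsultancy.nl', 'cluster-b.tielenconsultancy.nl',
           'cluster-c.tielenconsultancy.nl', 'tielanix.tielenconsultancy.nl'
$pa   = Get-PACertificate
$cred = Get-Credential -Message 'Enter your Nutanix credentials' -UserName 'admin'
Publish-NutanixCertificate -Target $targets -PACert $pa -Credential $cred | Format-Table

# Renewal: Submit-Renewal outputs a new PACertificate only when the order is due,
# so the same push can run unattended from a scheduled task.
$renewed = Submit-Renewal
if ($renewed) { Publish-NutanixCertificate -Target $targets -PACert $renewed -Credential $cred | Format-Table }
```

Connecting by DNS name rather than IP doubles as a check that the internal A records from the post point at the right hosts: if Matches is false for a name, either the upload went to a different VIP than the name resolves to, or the gateway has not finished restarting. A NotAfter value in the past on any row means the host is still serving the old certificate.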