Background
VMware wants us to prepopulate an Excel sheet with the SSH keys and SSL thumbprints of all ESXi hosts, which have been freshly deployed minutes before. This effectively protects against man-in-the-middle attacks – maybe a problem in US datacenters.
Beginning with VMware Cloud Foundation release VCF 4.2, the Cloud Builder app verifies the „CN“ of every ESXi SSL certificate. In a default setup the CN is „localhost“ (it gets overwritten once the host is connected to vCenter, so this used to be no issue); Cloud Builder does not accept this, the CN has to be set to <server-fqdn>.
Solution
plink.exe
„plink.exe“ from the PuTTY suite can be called from PowerShell in an automated fashion without an interactive password prompt. (In May 2021 there seems to be no other choice for PowerShell Core 7.)
Algorithm
- generate a „correct“ self-signed certificate with „CN“ set to the FQDN instead of „localhost“
- read the SHA-256 thumbprint of the new SSL certificate
- reboot the ESXi host to activate the new SSL server certificate
Result
Correct SSL Server-Certificate
Log for four ESXi-Hosts
Contains the SSL thumbprints to be copied into the VCF Excel sheet.
Variables
- $VMPassword
- $VMUsername
have to be prepopulated.
PS T:\vmware vcf4> .\esxi_ssl_ssh.ps1
Generate SSL Self-Signed Certificate [ham01-m01-esx01]
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Fetch SSL-Thumbprint
Generate SSL Self-Signed Certificate [ham01-m01-esx02]
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Fetch SSL-Thumbprint
Generate SSL Self-Signed Certificate [ham01-m01-esx03]
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Fetch SSL-Thumbprint
Generate SSL Self-Signed Certificate [ham01-m01-esx04]
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Fetch SSL-Thumbprint
*** Result ***
172.16.11.101 ham01-m01-esx01
SSL-Thumbprint: D2:6E:01:AD:36:82:3E:D2:AC:F3:66:6E:27:FC:A5:2C:26:99:57:8D:E6:D9:24:E3:42:61:F3:C3:52:65:8C:36
172.16.11.102 ham01-m01-esx02
SSL-Thumbprint: 21:67:3F:11:E4:FE:F3:D2:D9:C6:C2:66:85:7D:3D:3F:02:49:F2:FE:D6:74:86:E1:8E:BE:CC:A2:66:41:72:D2
172.16.11.103 ham01-m01-esx03
SSL-Thumbprint: F6:D3:12:BD:53:36:F0:E5:FD:C9:F9:3C:41:60:80:79:C8:C4:69:30:52:AF:6C:AF:24:C3:C6:DE:2A:75:80:14
172.16.11.104 ham01-m01-esx04
SSL-Thumbprint: AC:0B:D0:E3:6D:03:12:3F:7E:69:5F:0F:75:F0:F5:F2:E1:59:61:46:83:35:1F:AD:2C:15:9D:EB:C1:9D:EF:DE
PowerShell Sourcecode
# Hosts to process: key = ESXi hostname, vmk0 = management IP address.
# $VMUsername and $VMPassword have to be prepopulated before running the script.
$NestedESXiHosts = @{
    "ham01-m01-esx01"=@{"vmk0"="172.16.11.101"};
    "ham01-m01-esx02"=@{"vmk0"="172.16.11.102"};
    "ham01-m01-esx03"=@{"vmk0"="172.16.11.103"};
    "ham01-m01-esx04"=@{"vmk0"="172.16.11.104"};
}
$NestedESXiHosts.GetEnumerator() | Sort-Object -Property Key | Foreach-Object {
    $VMName = $_.Key
    $VMIPAddress = $_.Value.vmk0
    write-host -ForegroundColor Green "Generate SSL Self-Signed Certificate [$VMName]"
    #
    # "echo y" answers plink's host-key prompt, i.e. the (still unknown) SSH host key of the
    # freshly deployed host is accepted without verification for this first connection.
    # On the host: regenerate the self-signed certificate (CN = hostname), print the
    # SHA-256 fingerprint of the new certificate, then reboot to activate it.
    $SSLThumbPrint = echo y | plink -ssh -pw $VMPassword "$VMUsername@$VMIPAddress" "/sbin/generate-certificates;openssl x509 -in /etc/vmware/ssl/rui.crt -fingerprint -sha256 -noout;reboot;"
    #
    write-host -ForegroundColor Green "Fetch SSL-Thumbprint"
    #
    # openssl prints "SHA256 Fingerprint=AA:BB:..."; pick that line and keep the part after "="
    $SSLThumbPrint = ($SSLThumbPrint | Where-Object { $_ -match '^SHA256 Fingerprint=' }).Split("=")[1]
    $_.Value.SSL = $SSLThumbPrint
}
write-host
write-host -ForegroundColor Green "*** Result ***"
$NestedESXiHosts.GetEnumerator() | Sort-Object -Property Key | Foreach-Object {
    $VMName = $_.Key
    $VMIPAddress = $_.Value.vmk0
    $VMSSL = $_.Value.SSL
    write-host -ForegroundColor Green "$VMIPAddress $VMName"
    write-host "SSL-Thumbprint: $VMSSL"
}
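As an added example (not part of the original script), the following PowerShell checks, after the hosts have rebooted, that each ESXi host really serves a certificate whose CN matches the expected name and whose SHA-256 thumbprint equals the value collected via plink, before anything is copied into the Excel sheet. It assumes $NestedESXiHosts is filled as in the script above and that the hashtable key is the name Cloud Builder expects in the CN (append the domain if your CN is the full FQDN).

```powershell
function Get-LiveEsxiCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # name expected in the CN, also used as SNI
        [Parameter(Mandatory)][string]$IPAddress,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($IPAddress, $Port)
    try {
        # The callback returns $true on purpose: we only *read* the certificate here;
        # trust is decided afterwards by comparing it with the recorded thumbprint.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Dispose()
    }
    # Same colon-separated, upper-case format as "openssl x509 -fingerprint -sha256"
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
    [pscustomobject]@{
        HostName   = $HostName
        CN         = $cert.GetNameInfo('SimpleName', $false)
        Thumbprint = ($hash | ForEach-Object { $_.ToString('X2') }) -join ':'
        NotAfter   = $cert.NotAfter
    }
}

function Test-EsxiCertificate {
    param([string]$HostName, [string]$IPAddress, [string]$ExpectedThumbprint)
    $live = Get-LiveEsxiCertificate -HostName $HostName -IPAddress $IPAddress
    [pscustomobject]@{
        HostName     = $HostName
        CNMatches    = ($live.CN -eq $HostName)               # "localhost" would fail here
        ThumbprintOK = ($live.Thumbprint -eq $ExpectedThumbprint)
        LiveCN       = $live.CN
        LiveThumb    = $live.Thumbprint
        NotAfter     = $live.NotAfter
    }
}

# Usage: verify every host recorded by the script above; only rows with both
# CNMatches and ThumbprintOK set to True should make it into the VCF Excel sheet.
$NestedESXiHosts.GetEnumerator() | Sort-Object -Property Key | ForEach-Object {
    Test-EsxiCertificate -HostName $_.Key -IPAddress $_.Value.vmk0 -ExpectedThumbprint $_.Value.SSL
} | Format-Table -AutoSize
```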