There is no getting away from automation as the ‘must have skill’ in today’s infrastructure team, and this blog post is about my adventure deploying SSL certificates and updating the estate to ESXi 5.5 update 3a. Dr Spence has been presenting a technical deep-dive at the TUG events, so I felt empowered to try the process. However, while the ESXi cert process looks simple enough and is easy to back out if it fails, vCenter is another level of pain. The VMware instructions left me with a headache, confused and not that keen if I am honest. Then I found this blog post with a step-by-step guide.
Derek is Mr SSL and his toolkit55 is a ‘MUST HAVE’ item if you want to avoid problems. I created a vCenter with some ESXi hosts in the lab and set about deploying the SSL certs. Being PowerShell based, toolkit55 presented me with a few errors that had me worried, but in my case these ‘errors’ were just scary-looking alerts which could be safely ignored. Once the SSL certs were created it was time to deploy them to EVERY vCenter component, and it is important to get the sequence correct. VMware has created a collection of scripts to help with this process.
The tool is on the vCenter install ISO or available to download from ‘my vmware’, and its interface will not win any awards. Plus, if you type the SQL database password incorrectly you can say hello to a world of pain! In the lab I had SQL Express, but the install does not ask for a database user, so the first step is to run vpxd.exe -p (in the VMware Infrastructure folder) to change the password to something known. In production on ‘full fat’ SQL Server, the database user is the service account used to install vCenter, but “measure 3 times and then cut…”
Upgrading the ESXi hosts is child's play once vCenter is finished. Just use toolkit55 to MINT the certs and then place them on the hosts for you. It is worth pointing out that the script does not back up the current ESXi SSL certs before changing them, so back them up yourself until you are happy the tool is working correctly. The hardest part for me was working out the correct values for $rootCA and $ISSUING_CA, as I had them backwards. Also be sure that your VMware SSL template name does not contain any spaces, as the script does not like them, nor does it like “!” or “=” in the passwords.
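An added example, not from the original post or toolkit55, of the pre-flight checks implied above: back up a host's existing rui.crt/rui.key, confirm the minted key actually belongs to the minted certificate, and confirm the certificate chains with $rootCA as the trust anchor and $ISSUING_CA as the intermediate (swapping the two, as described above, makes the chain check fail). It assumes openssl is on PATH, all files are PEM, and the host files have already been copied to a local directory; every path and function name is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post or toolkit55). Assumes openssl
# is on PATH and that rui.crt/rui.key were pulled back from the host already.
set -u

# Copy rui.crt and rui.key from a directory into a timestamped backup folder
# and print its path. Fails if either file is missing, so a backup never
# silently succeeds with nothing in it.
backup_esxi_certs() {
  src="$1"; dest="$2"
  [ -f "$src/rui.crt" ] && [ -f "$src/rui.key" ] || return 1
  stamp=$(date +%Y%m%d%H%M%S)
  mkdir -p "$dest/$stamp" || return 1
  cp "$src/rui.crt" "$src/rui.key" "$dest/$stamp/" || return 1
  chmod 600 "$dest/$stamp/rui.key"
  printf '%s\n' "$dest/$stamp"
}

# The public key derived from the certificate must equal the public key
# derived from the private key; a mismatched pair cannot serve TLS at all.
key_matches_cert() {
  cert="$1"; key="$2"
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Chain check with the CAs in the order the text expects: the root CA is the
# only trust anchor, the issuing CA is supplied as an untrusted intermediate.
# Passing them the other way round fails because the self-signed root then
# ends up in the untrusted chain instead of the trust store.
chain_is_valid() {
  root_ca="$1"; issuing_ca="$2"; cert="$3"
  out=$(openssl verify -CAfile "$root_ca" -untrusted "$issuing_ca" "$cert" 2>&1) || return 1
  printf '%s\n' "$out" | grep -q ': OK$'
}
```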
While KB2006210 states the HA issue is fixed in 5.0, it caused me problems, so assume you will hit it too and be prepared to remove your ESXi hosts from the cluster and then from vCenter. I was lucky and had all the information recorded, as I had migrated a cluster between vCenters at the start of the week. So protect yourself with Mark Chuman’s vcenter_migration script: https://communities.vmware.com/thread/484284
Once the ESXi hosts were finished it was simple to deploy ESXi 5.5 update 3a with VMware Update Manager. I am a fan of the Update Manager tool… Now that toolkit55 is correctly configured for our environment, it is very simple to deploy SSL certs to ESXi hosts. So somebody else has been empowered to complete this task and I have moved on to the next toy to play with.
Big thanks to Derek Seaman for being so generous and sharing his scripts.