Solved

Using Let's Encrypt certificates on Prism Central & Prism Element


I am looking to replace my SSL certificates on my Prism Central and Prism Element deployments with Let's Encrypt wildcard certificates.

I can request the wildcard certificates easily enough

sudo certbot -d example.com -d '*.example.com' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly

I get three generated files:
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

Can anyone advise what openssl commands I can use to convert these .pem files to the required format needed for Prism Central/Prism Element? I have attempted multiple commands from https://www.sslsupportdesk.com/openssl-commands/ but I can't seem to find the exact one.

I can also grab the intermediate/root certificates from here if I need additional certs.
https://letsencrypt.org/certificates/

I'm looking to ultimately find a way to script this process as well, so if anyone knows how to replace the certs in Prism Central/Prism Element via CLI, I would appreciate that too. Initially though, I'd be happy just finding the correct certificate format to use.

Best answer by Reinder 30 November 2018, 15:28

OK, I'll post this here since this is the top post if you Google "nutanix prism letsencrypt".

To answer your question, openssl is not needed to convert the certificates.

What is tricky is to get Nutanix to take the chain.pem; after some frustrating tries I got it to work like this:

ncli ssl-certificate import certificate-path=/full/path/to/cert.pem cacertificate-path=/full/path/to/mychain.pem key-path=/full/path/to/privkey.pem key-type="RSA_2048"

where I created mychain.pem by combining https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt with https://letsencrypt.org/certs/isrgrootx1.pem.txt:

cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem

Hope this helps someone,

Reinder - TriOpSys - NL

11 replies

Hi,

It's better to use openssl to create the CSR and the key file. Take the CSR to your certificate authority and have it signed. You can get a PEM from that. Take the PEM file, the key file, and the root/CA bundle and upload them to your Prism console.

Make sure to use a SAN as well, or browsers will complain.
I appreciate the response @lapfcukle, but that means I need to go and buy a certificate from a CA. Using Let's Encrypt enables me to get a free, valid certificate.

I get valid certificates from Let's Encrypt; I just need to know how to convert them to a format that Prism Central/Prism Element can use.

Just as an update for installing an SSL cert with Let's Encrypt: I created the certs with the certbot certonly option and copied all the files to a CVM.

As you already get the fullchain file, it's not required to merge the chain files together.
On my side it worked with the standard files I get from Let's Encrypt.

Use the fullchain.pem file for cacertificate-path!

That's all.


Greets

Omero


I just get an error message:

Error: Problem with writing the data, class java.util.LinkedList, ContentType: multipart/form-data

when trying to load the certs in with ncli ssl-certificate import ...


And this error in data/logs/prism_gateway.log:

INFO  2020-10-21 23:47:42,326Z http-nio-0.0.0.0-9081-exec-2 [] commands.keys.AddPemKey.checkCertPurpose:549 Purpose value for 'SSL server' is 'Yes'.
ERROR 2020-10-21 23:47:42,356Z http-nio-0.0.0.0-9081-exec-2 [] prism.aop.RequestInterceptor.invoke:235 Throwing exception from KeyAdministration.importFiles
com.nutanix.prism.exception.keys.KeyAdministrationException: com.nutanix.util.base.ValidationException: Import Files verification failed. Please upload a valid CA certificate/chain file and select relevant key type.
at com.nutanix.prism.services.keys.KeyAdministrationImpl.importFiles(KeyAdministrationImpl.java:111)

but that is with the RSA_2048 key type selected and a valid RSA 2048 certificate and CA chain.


Test post


OK, I solved this, at least partially.

I was using the https://github.com/srvrco/getssl project for generating the certs, and it was creating a 'fullchain.crt' file which included only the server cert and the intermediate CA cert, but not the root CA cert. Also, Reinder's answer used the isrgrootx1.pem file, whereas my intermediate CA was signed with a different cert.

I have not managed to replace the certs with ncli yet.


ncli seems broken in CE.2020.09.16 versions; I keep getting the error above.

However, using an undocumented v1 API call that Prism uses, I have been able to install certificates with curl as follows

$ curl --user 'admin:password' \
-F caChain=@fullchain.crt \
-F cert=@server.crt \
-F key=@server.key \
-F keyType=RSA_2048 \
-k https://127.0.0.1:9440/PrismGateway/services/rest/v1/keys/pem/import

where fullchain.crt contains both the intermediate and root CA certificates in PEM format.


Did you ever get further than this? I'm having the same issue with Let's Encrypt. I managed to use your curl above, and it's installed, however seemingly not "published".


Top tip... Reboot the CVM (single node in my case)... Job done!!
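An added example, not posted by anyone in this thread: a POSIX shell script that assembles the cacertificate-path bundle from certbot's output, checks it with openssl before you import (the chain has to reach a self-signed root, which is what the getssl post tripped over, and the key has to belong to the leaf), derives the key-type value, wraps both import paths quoted above (Reinder's ncli command and the v1 REST curl call), and compares the certificate the CVM actually serves on 9440 with the file you imported, which separates "installed" from "published". It takes the intermediate from fullchain.pem instead of downloading letsencryptauthorityx3.pem.txt, because that X3 intermediate was retired in 2021 and Let's Encrypt's current intermediates differ; only the root still needs to come from https://letsencrypt.org/certificates/. Assumptions: certbot's /etc/letsencrypt/live/<name>/ layout, a downloaded root file, openssl and curl on the CVM, and the EC_DSA_256/EC_DSA_384 spelling for EC key types (the thread only shows RSA_2048). make_test_chain builds a throwaway root/intermediate/leaf chain so the checks can be exercised offline; it is constructed test data, not a real CA.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the certbot layout and the
# ncli/curl commands quoted above; EC_DSA_* key-type names are an assumption.
set -u

pem_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }   # certificates in a PEM bundle

# Print certificate N (1-based) of a PEM bundle.
pem_nth() { awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want' "$1"; }

# cacertificate-path file: the intermediate(s) certbot appends after the leaf in
# fullchain.pem, followed by the root. A bundle that stops at the intermediate is
# what produced "Import Files verification failed" in the thread.
build_ca_bundle() {   # build_ca_bundle FULLCHAIN ROOT OUT
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$1" > "$3"
  cat "$2" >> "$3"
}

# ncli key-type for a private key: RSA_2048/RSA_4096 as used in the thread;
# EC_DSA_256/EC_DSA_384 is the assumed spelling for EC keys.
key_type_for() {
  txt=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
  case "$txt" in
    *modulus:*) printf 'RSA_%s\n' "$bits" ;;
    *)          printf 'EC_DSA_%s\n' "$bits" ;;
  esac
}

# Fail unless LEAF chains to a self-signed root inside BUNDLE and KEY belongs to LEAF.
check_bundle() {   # check_bundle LEAF BUNDLE KEY
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "chain in $2 does not reach a root" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || { echo "$3 does not match $1" >&2; return 1; }
}

# The two import paths from the thread: ncli on a CVM, or the v1 REST call.
import_with_ncli() {   # import_with_ncli LEAF BUNDLE KEY
  ncli ssl-certificate import certificate-path="$1" cacertificate-path="$2" \
       key-path="$3" key-type="$(key_type_for "$3")"
}
import_with_curl() {   # import_with_curl HOST USER:PASS LEAF BUNDLE KEY
  curl -sS -k --user "$2" -F caChain=@"$4" -F cert=@"$3" -F key=@"$5" \
       -F keyType="$(key_type_for "$5")" \
       "https://$1:9440/PrismGateway/services/rest/v1/keys/pem/import"
}

# SHA-256 fingerprint of the certificate a host serves on 9440 vs. a local file.
# Equal after import means published; different means the old one is still served.
served_fingerprint() {
  openssl s_client -connect "$1:9440" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Throwaway root -> intermediate -> leaf chain in DIR (constructed test data, not a real CA).
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:prism.example.com\n' > "$d/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Test Root" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/privkey.pem" -out "$d/leaf.csr" -subj "/CN=prism.example.com" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -extfile "$d/leaf.ext" -days 2 -out "$d/cert.pem" 2>/dev/null
  cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"   # the layout certbot writes
}

demo() {
  d=$(mktemp -d)
  make_test_chain "$d"
  pem_nth "$d/fullchain.pem" 2 > "$d/int_only.pem"          # intermediate only, no root
  check_bundle "$d/cert.pem" "$d/int_only.pem" "$d/privkey.pem" || echo "rejected, as Prism does"
  build_ca_bundle "$d/fullchain.pem" "$d/root.pem" "$d/mychain.pem"
  check_bundle "$d/cert.pem" "$d/mychain.pem" "$d/privkey.pem" \
    && echo "mychain.pem OK ($(pem_count "$d/mychain.pem") certs), key-type=$(key_type_for "$d/privkey.pem")"
  rm -rf "$d"
}
command -v openssl >/dev/null 2>&1 && demo
```

On a CVM: run build_ca_bundle on certbot's fullchain.pem plus the downloaded root, run check_bundle, then import_with_ncli (or import_with_curl against 127.0.0.1:9440 if ncli rejects the files, as in the CE post above). Afterwards compare served_fingerprint of the Prism address with file_fingerprint of cert.pem; if they differ, the new certificate was imported but is not yet being served, which is the state the last two replies describe.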
