
Using Let's Encrypt certificates on Prism Central & Prism Element


I am looking to replace my SSL certificates on my Prism Central and Prism Element deployments with Let's Encrypt wildcard certificates.

I can request the wildcard certificates easily enough:

sudo certbot -d example.com -d '*.example.com' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly

I get three generated files:
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

Can anyone advise what openssl commands I can use to convert these .pem files to the required format needed for Prism Central/Prism Element? I have attempted multiple commands from https://www.sslsupportdesk.com/openssl-commands/ but I can't seem to find the exact one.

I can also grab the intermediate/root certificates from here if I need additional certs.
https://letsencrypt.org/certificates/

I'm looking to ultimately find a way to script this process as well, so if anyone knows how to replace the certs in Prism Central/Prism Element via CLI, I would appreciate that too. Initially though, I'd be happy just finding the correct certificate format to use.

Best answer by Reinder 30 November 2018, 15:28

OK, I'll post this here since this is the top post if you google nutanix prism letsencrypt.
To answer your question, openssl is not needed to convert the certificates.
What is tricky is to get Nutanix to take the chain.pem; after some frustrating tries I got it to work like this:

ncli ssl-certificate import certificate-path=/full/path/to/cert.pem cacertificate-path=/full/path/to/mychain.pem key-path=/full/path/to/privkey.pem key-type="RSA_2048"

Where mychain.pem I created by combining https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt with https://letsencrypt.org/certs/isrgrootx1.pem.txt
So cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem

Hope this helps someone,

Reinder - TriOpSys - NL
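
A pre-flight check for the three files before running the ncli import above, as an added example that is not part of the answer or of Nutanix tooling. The function name `preflight` and its return codes are assumptions; it uses only standard openssl subcommands and prints the import command from the answer once all checks pass.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files passed to
# "ncli ssl-certificate import". Function name and return codes are assumptions.
# Returns 0 = ok, 1 = key is not RSA 2048, 2 = key does not match the
# certificate, 3 = certificate does not verify against the CA bundle.
preflight() {
    local cert="$1" chain="$2" key="$3" kpub cpub

    # The import command declares key-type="RSA_2048", so the key must be one.
    # "openssl rsa" rejects EC keys, and its text dump states the modulus size.
    openssl rsa -in "$key" -noout -text 2>/dev/null | grep -q '(2048 bit' \
        || { echo "key is not RSA 2048: $key" >&2; return 1; }

    # The private key and the certificate must carry the same public key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ] \
        || { echo "key does not match certificate" >&2; return 2; }

    # The leaf must verify with the combined intermediate + root file as CA file.
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not verify against $chain" >&2; return 3; }

    echo "bundle holds $(grep -c 'BEGIN CERTIFICATE' "$chain") CA certificate(s)"
    echo "ncli ssl-certificate import certificate-path=$cert" \
         "cacertificate-path=$chain key-path=$key key-type=\"RSA_2048\""
}

# Run directly as: sh preflight.sh cert.pem mychain.pem privkey.pem
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```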


3 replies

Hi,

Better to use openssl to create the csr and the key file. Take the csr to your certificate authority and have it signed. You can get a pem from that. Take the pem file, key file, and the root/ca bundle and upload it to your prism console.

Make sure to use SAN as well or browsers will complain.
I appreciate the response @lapfcukle, but that means I need to go buy a certificate from a CA. Using LetsEncrypt enables me to get a free, valid certificate.

I get valid certificates from LetsEncrypt, I just need to know how to convert them to a format that Prism Central/Prism Element can use.