I am looking to replace my SSL certificates on my Prism Central and Prism Element deployments with Lets Encrypt wildcard certificates.
I can request the wildcard certificates easily enough
sudo certbot -d example.com -d *.example.com --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly
I get generated three files:
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
Can anyone advise what openssl commands I can use to convert these .pem files to the required format needed for Prism Central/Prism Element? I have attempted multiple commands from https://www.sslsupportdesk.com/openssl-commands/ but I can't seem to find the exact one.
I can also grab the intermediate/root certificates from here if I need additional certs.
https://letsencrypt.org/certificates/
I'm looking to ultimately find a way to script this process as well, so if anyone knows how to replace the certs in Prism Central/Prism Element via CLI, I would appreciate that too. Initially though, I'd be happy just finding the correct certificate format to use.
Solved
Using Lets Encrypt Certs on Prism Central & Prism Element
Best answer by Reinder
OK i'll post this here since this is top post if you google nutanix prism letsencrypt.
To answer your question, openssl is not needed to convert the certificates.
What is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
ncli ssl-certificate import certificate-path=/full/path/to/cert.pem cacertificate-path=/full/path/to/mychain.pem key-path=/full/path/to/privkey.pem key-type="RSA_2048"
Where mychain.pem I created by combining https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt with https://letsencrypt.org/certs/isrgrootx1.pem.txt
So cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
Hope this helps someone,
Reinder - TriOpSys - NL
To answer your question, openssl is not needed to convert the certificates.
What is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
ncli ssl-certificate import certificate-path=/full/path/to/cert.pem cacertificate-path=/full/path/to/mychain.pem key-path=/full/path/to/privkey.pem key-type="RSA_2048"
Where mychain.pem I created by combining https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt with https://letsencrypt.org/certs/isrgrootx1.pem.txt
So cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
Hope this helps someone,
Reinder - TriOpSys - NL
This topic has been closed for replies.
Hi,
Better to use openssl to create the csr and the key file. Take the csr to your certificate authority and have it signed. You can get a pem from that. Take the pem file, key file, and the root/ca bundle and upload it to your prism console.
Make sure to use SAN as well or browsers will complain.
Better to use openssl to create the csr and the key file. Take the csr to your certificate authority and have it signed. You can get a pem from that. Take the pem file, key file, and the root/ca bundle and upload it to your prism console.
Make sure to use SAN as well or browsers will complain.
I appreciate the response @lapfcukle, but that's means I need to go buy a certificate from a CA. Using LetsEncrypt enables me to get a free, valid certificate.
I get valid certificates from LetsEncrypt, I just need to know how to convert them to a format that Prism Central/Prism Element can use.
I get valid certificates from LetsEncrypt, I just need to know how to convert them to a format that Prism Central/Prism Element can use.
OK i'll post this here since this is top post if you google nutanix prism letsencrypt.
To answer your question, openssl is not needed to convert the certificates.
What is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
ncli ssl-certificate import certificate-path=/full/path/to/cert.pem cacertificate-path=/full/path/to/mychain.pem key-path=/full/path/to/privkey.pem key-type="RSA_2048"
Where mychain.pem I created by combining https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt with https://letsencrypt.org/certs/isrgrootx1.pem.txt
So cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
Hope this helps someone,
Reinder - TriOpSys - NL
To answer your question, openssl is not needed to convert the certificates.
What is tricky is to get Nutanix to take the chain.pem, after some frustrating tries I got it to work like this:
ncli ssl-certificate import certificate-path=/full/path/to/cert.pem cacertificate-path=/full/path/to/mychain.pem key-path=/full/path/to/privkey.pem key-type="RSA_2048"
Where mychain.pem I created by combining https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt with https://letsencrypt.org/certs/isrgrootx1.pem.txt
So cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
Hope this helps someone,
Reinder - TriOpSys - NL
+2Just as a update for installing a SSL-Cert with Lets Encrypt, i’ve created the Certs with the Certbot certonly option and copy all the files to a cvm.
As you get already the full-Chain file, it’s not required to merge the chain-files together.
On my side it worked with the standart-files i get from letsencrypt.
Use for the cacertificate-path the fullchain.pem-file!
Thats all
Greets
Omero
I just get an error message:
Error: Problem with writing the data, class java.util.LinkedList, ContentType: multipart/form-datawhen trying to load the certs in with ncli ssl-certificate import ...
And this error in the data/logs/prism_gateway.log
INFO 2020-10-21 23:47:42,326Z http-nio-0.0.0.0-9081-exec-2 [] commands.keys.AddPemKey.checkCertPurpose:549 Purpose value for 'SSL server' is 'Yes'.
ERROR 2020-10-21 23:47:42,356Z http-nio-0.0.0.0-9081-exec-2 [] prism.aop.RequestInterceptor.invoke:235 Throwing exception from KeyAdministration.importFiles
com.nutanix.prism.exception.keys.KeyAdministrationException: com.nutanix.util.base.ValidationException: Import Files verification failed. Please upload a valid CA certificate/chain file and select relevant key type.
at com.nutanix.prism.services.keys.KeyAdministrationImpl.importFiles(KeyAdministrationImpl.java:111)but that is with the RSA_2048 key type selected and a valid RSA 2048 certificate and CA chain.
Ok I solved this, at least partially.
I was using the https://github.com/srvrco/getssl project for generating the certs and it was creating a ‘fullchain.crt’ file which included only the server cert and intermediate CA cert, but not the root CA cert. Also Reinder’s answer used the isgrootx1.pem file whereas my intermediate CA was signed with a different cert.
I have not managed to replace the certs with ncli yet.
ncli seems broken in CE.2020.09.16 versions, I keep getting the error above
However, using an undocumented v1 API call that Prism uses, I have been able to install certificates with curl as follows
$ curl --user 'admin:password' \
-F caChain=@fullchain.crt \
-F cert=@server.crt \
-F key=@server.key \
-F keyType=RSA_2048 \
-k https://127.0.0.1:9440/PrismGateway/services/rest/v1/keys/pem/importwhere fullchain.crt contains both the intermediate and root CA certificates in PEM format.
+1Did you ever get further than this, having the same issue with LetsEncrypt managed to use your curl above, and its installed, however seemingly not “published”
+1Top tip... Reboot the cvm (single node in my case)... Job done !!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.