I can request the wildcard certificates easily enough
sudo certbot -d example.com -d '*.example.com' --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory certonly
I get three generated files:
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem
Can anyone advise what openssl commands I can use to convert these .pem files to the required format needed for Prism Central/Prism Element? I have attempted multiple commands from https://www.sslsupportdesk.com/openssl-commands/ but I can't seem to find the exact one.
I can also grab the intermediate/root certificates from here if I need additional certs.
https://letsencrypt.org/certificates/
I'm looking to ultimately find a way to script this process as well, so if anyone knows how to replace the certs in Prism Central/Prism Element via CLI, I would appreciate that too. Initially though, I'd be happy just finding the correct certificate format to use.
Better to use openssl to create the csr and the key file. Take the csr to your certificate authority and have it signed. You can get a pem from that. Take the pem file, key file, and the root/ca bundle and upload it to your prism console.
Make sure to use SAN as well or browsers will complain.
I get valid certificates from LetsEncrypt, I just need to know how to convert them to a format that Prism Central/Prism Element can use.
To answer your question, openssl is not needed to convert the certificates.
What is tricky is to get Nutanix to take the chain.pem; after some frustrating tries I got it to work like this:
ncli ssl-certificate import certificate-path=/full/path/to/cert.pem cacertificate-path=/full/path/to/mychain.pem key-path=/full/path/to/privkey.pem key-type="RSA_2048"
Where mychain.pem is the file I created by combining https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt with https://letsencrypt.org/certs/isrgrootx1.pem.txt
So cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > mychain.pem
Hope this helps someone,
Reinder - TriOpSys - NL
Just as an update for installing an SSL cert with Let's Encrypt: I've created the certs with the Certbot certonly option and copied all the files to a CVM.
As you already get the fullchain file, it's not required to merge the chain files together.
On my side it worked with the standard files I get from Let's Encrypt.
Use the fullchain.pem file for the cacertificate-path!
That's all
Greets
Omero
I just get an error message:
Error: Problem with writing the data, class java.util.LinkedList, ContentType: multipart/form-data
when trying to load the certs in with ncli ssl-certificate import ...
And this error in the data/logs/prism_gateway.log
INFO 2020-10-21 23:47:42,326Z http-nio-0.0.0.0-9081-exec-2 ] commands.keys.AddPemKey.checkCertPurpose:549 Purpose value for 'SSL server' is 'Yes'.
ERROR 2020-10-21 23:47:42,356Z http-nio-0.0.0.0-9081-exec-2 ] prism.aop.RequestInterceptor.invoke:235 Throwing exception from KeyAdministration.importFiles
com.nutanix.prism.exception.keys.KeyAdministrationException: com.nutanix.util.base.ValidationException: Import Files verification failed. Please upload a valid CA certificate/chain file and select relevant key type.
at com.nutanix.prism.services.keys.KeyAdministrationImpl.importFiles(KeyAdministrationImpl.java:111)
but that is with the RSA_2048 key type selected and a valid RSA 2048 certificate and CA chain.
OK, I solved this, at least partially.
I was using the https://github.com/srvrco/getssl project for generating the certs and it was creating a ‘fullchain.crt’ file which included only the server cert and intermediate CA cert, but not the root CA cert. Also, Reinder’s answer used the isrgrootx1.pem file whereas my intermediate CA was signed with a different cert.
I have not managed to replace the certs with ncli yet.
ncli seems broken in CE.2020.09.16 versions; I keep getting the error above.
However, using an undocumented v1 API call that Prism uses, I have been able to install certificates with curl as follows:
$ curl --user 'admin:password' \
-F caChain=@fullchain.crt \
-F cert=@server.crt \
-F key=@server.key \
-F keyType=RSA_2048 \
-k https://127.0.0.1:9440/PrismGateway/services/rest/v1/keys/pem/import
where fullchain.crt contains both the intermediate and root CA certificates in PEM format.
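The chain-building step from Reinder's ncli recipe and the missing-root problem described in this post, as an added shell example that is not from the thread. It generates a throwaway root/intermediate/server PKI with openssl (constructed test data standing in for the Let's Encrypt files), builds a CA chain file that ends in a root, and uses openssl verify to confirm the server cert validates against exactly that file before printing the ncli import command from above. File names, the CA names and the working directory are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build and check the CA chain file that
# `ncli ssl-certificate import ... cacertificate-path=` or the v1
# /keys/pem/import call expects. Uses a constructed root -> intermediate ->
# server PKI generated here, so it runs offline without Let's Encrypt.
set -eu

WORK="$(mktemp -d)"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com,DNS:*.example.com
EOF

# Constructed PKI: a root (stand-in for isrgrootx1), an intermediate
# (stand-in for the Let's Encrypt authority cert) and a server cert.
# chain.pem holds only the intermediate, like certbot's chain.pem.
make_test_pki() {
  dir="$1"; cfg="$dir/openssl.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$cfg" \
    -extensions v3_ca -subj "/CN=Constructed Test Root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
    -subj "/CN=Constructed Test Intermediate" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$cfg" -extensions v3_ca \
    -out "$dir/chain.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$cfg" -subj "/CN=example.com" \
    -keyout "$dir/privkey.pem" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/chain.pem" \
    -CAkey "$dir/int.key" -CAcreateserial -extfile "$cfg" -extensions v3_server \
    -out "$dir/cert.pem" 2>/dev/null
}

# Number of PEM certificates in a bundle.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Print only the last certificate of a PEM bundle.
last_cert() {
  awk '/BEGIN CERTIFICATE/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# True when the bundle's last certificate is self-signed, i.e. the chain
# reaches a root. A chain that stops at the intermediate is what produced
# "Import Files verification failed" in the thread.
chain_ends_in_root() {
  subj="$(last_cert "$1" | openssl x509 -noout -subject | sed 's/^[^=]*=//')"
  iss="$(last_cert "$1" | openssl x509 -noout -issuer | sed 's/^[^=]*=//')"
  [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Build the file for cacertificate-path / caChain: the intermediate chain
# plus the root, appending the root only when it is not already there.
build_ca_chain() {
  cat "$1" > "$3"
  if ! chain_ends_in_root "$3"; then
    cat "$2" >> "$3"
  fi
}

# Does the server cert validate against exactly this CA file? -no-CAfile and
# -no-CApath keep the system trust store out, so a chain missing its root is
# not silently rescued by /etc/ssl.
verify_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

make_test_pki "$WORK"
build_ca_chain "$WORK/chain.pem" "$WORK/root.pem" "$WORK/mychain.pem"

echo "chain.pem:   $(count_certs "$WORK/chain.pem") cert(s), ends in root: $(chain_ends_in_root "$WORK/chain.pem" && echo yes || echo no)"
echo "mychain.pem: $(count_certs "$WORK/mychain.pem") cert(s), ends in root: $(chain_ends_in_root "$WORK/mychain.pem" && echo yes || echo no)"
if verify_chain "$WORK/cert.pem" "$WORK/mychain.pem"; then
  echo "cert.pem verifies against mychain.pem; import with:"
  echo "  ncli ssl-certificate import certificate-path=$WORK/cert.pem cacertificate-path=$WORK/mychain.pem key-path=$WORK/privkey.pem key-type=RSA_2048"
fi
```

With real Let's Encrypt material, point the script's chain.pem at certbot's chain.pem and root.pem at the root downloaded from https://letsencrypt.org/certificates/ that actually signed your intermediate; the verify step is what catches the wrong root that this post ran into.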
Did you ever get further than this? Having the same issue with Let's Encrypt, I managed to use your curl above, and it's installed, however seemingly not “published”.
Top tip... Reboot the CVM (single node in my case)... Job done!!