vcenter machine certificate auto updater
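#!/bin/bash
# vCenter/PSC SSL Certificate Updater.
# For more information see
# https://wiki.9r.com.au/display/9R/LetsEncrypt+Certificates+for+vCenter+and+PSC
# Copyright (c) 2018 - Rob Thomas - xrobau@linux.com
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# modified by Min Song <msuk.song@gmail.com> 2021/11/03
#
# Check if the script is run by root.
# Find update.conf and certificate location based on this script path.
# Change cert, key and chain filename that reflects certbot output.
#
# Expected layout (relative to this script):
#   update.conf             shell fragment that sets CERTNAME, ADMINACCOUNT, ADMINPASS
#   <CERTNAME>/cert.pem     certbot/acme.sh output
#   <CERTNAME>/privkey.pem
#   <CERTNAME>/chain.pem
#
# Exit status: 0 when the running certificate already matches or was replaced,
# 1 on any precondition failure or when certificate-manager fails.

set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Resolve the script directory to an absolute path so the paths built below do
# not depend on the working directory cron (or an operator) happened to use.
CERT_MANAGE_DIR=$(cd -- "$(dirname -- "$0")" && pwd) || die "Cannot resolve script directory from $0"
readonly CERT_MANAGE_DIR

if [[ $(id -u) -ne 0 ]]; then
  die "This script must be run as root!"
fi

# Replacing the values, obviously.
# update.conf is sourced as shell and holds ADMINPASS, so it runs with root
# privileges and must be owned by root and not readable by anyone else.
CONF=${CERT_MANAGE_DIR}/update.conf
readonly CONF
[[ -e "$CONF" ]] || die "No update.conf file configured, can not update. Read the update script for instructions!"
# shellcheck source=/dev/null
. "$CONF"
: "${CERTNAME:?update.conf must set CERTNAME}"
: "${ADMINACCOUNT:?update.conf must set ADMINACCOUNT}"
: "${ADMINPASS:?update.conf must set ADMINPASS}"

# This is the sample file we compare against the latest file from acme.sh,
# and is present on both a PSC and a vCenter server.
readonly LIVE_CERT=/etc/vmware-rhttpproxy/ssl/rui.crt

# These environment variables are needed by vCenter. The first whitespace-
# separated field of every line is exported verbatim; the generated text is
# executed as root, which is acceptable only because the file is a
# system-owned part of the vCenter install. The substitution is quoted so each
# generated 'export' stays on its own line instead of being joined into one.
eval "$(awk '{ print "export " $1 }' /etc/sysconfig/vmware-environment)"

# Nothing should need to be touched below here
CERT=${CERT_MANAGE_DIR}/${CERTNAME}/cert.pem
KEY=${CERT_MANAGE_DIR}/${CERTNAME}/privkey.pem
CHAIN=${CERT_MANAGE_DIR}/${CERTNAME}/chain.pem
readonly CERT KEY CHAIN

# Verify all three inputs up front: certificate-manager is driven through a
# scripted stdin below, so a missing file would only surface as a stuck or
# failed interactive prompt.
[[ -e "$CERT" ]] || die "Can't find cert $CERT - is update.conf correct?"
[[ -e "$KEY" ]] || die "Can't find key $KEY - is update.conf correct?"
[[ -e "$CHAIN" ]] || die "Can't find chain $CHAIN - is update.conf correct?"

# Compare the running cert and the current LE cert byte-for-byte. This is only
# a change detector; it does not validate the new certificate in any way.
# A missing LIVE_CERT counts as "different" and triggers an update.
if cmp -s -- "$LIVE_CERT" "$CERT"; then
  echo "Nothing to be done. Current certificate is correct."
  exit 0
fi

# We need to update this machine with the new certificate.
echo "CERT_FILE: $CERT"
echo "KEY_FILE: $KEY"
echo "CHAIN_FILE: $CHAIN"

# We delay briefly between account and password, as it's trying to open /dev/tty
# which has the potential to lose characters. To be on the safe side, we sleep
# between important bits. I feel that adding a 3 second delay to the upgrade that
# takes 10 minutes to run is not a big deal!
#
# 'setsid' detaches certificate-manager from /dev/tty, so it's forced to use
# stdin. The password is delivered on that pipe and never on a command line,
# so it does not show up in 'ps' or in a 'set -x' trace of this script.
# The menu answers (1 = replace machine SSL cert, 2 = import custom cert) are
# taken from the original script; confirm against the certificate-manager
# version in use if they change.
(
  printf '1\n%s\n' "$ADMINACCOUNT"
  sleep 1
  printf '%s\n' "$ADMINPASS"
  sleep 1
  printf '2\n'
  sleep 1
  printf '%s\n%s\n%s\ny\n\n' "$CERT" "$KEY" "$CHAIN"
) | setsid /usr/lib/vmware-vmca/bin/certificate-manager \
  || die "certificate-manager failed (exit status $?); the running certificate may be unchanged"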