
VCH with custom certificates behavior

Open aviratna opened this issue 6 years ago • 3 comments

Background

We are using HashiCorp Vault to generate CA-signed certificates for VCH and client authentication. During VCH creation, we keep the custom certificates in a folder with the same name as the VCH and vic-machine-os picks them up automagically.

Issue 1: If we create a VCH with a custom certificate, we are able to connect to a different VCH using the same client certificate, as long as it is signed by the same CA. This doesn't seem right! However, this is not the case with VIC auto-created certificates, as the CA is different for each VCH.

Issue 2: The documentation is not clear on how to update custom-generated certificates. There are no parameters to pass the client certificate or CA cert. We tried the commands below as per the document; they are not working. We can only update --tls-server-cert and --tls-server-key. The documentation and error messages are not clear. In fact, some of the error messages are misleading!

Issue 3: The VCH configure --no-tlsverify command doesn't work; it checks for the VCH folder and throws the error "folder already exists". This doesn't seem logical. Why should disabling TLS worry about an existing folder? The workaround is to rename the existing folder to a different name.

vSphere and vCenter Server version

vSphere 6.5

VIC version

VIC 1.5 (probably all versions in the past too)

VCH configuration

vic-machine-os configure

#### Current command as per documents:

Command 1: Only the VCH certificate is getting updated. There is no option to pass the client certificate.

$ vic-machine-operating_system configure --target vcenter_server_address --user [email protected] --password password --thumbprint certificate_thumbprint --id vch_id --tls-server-cert path_to_cert/certificate_name.pem --tls-server-key path_to_key/key_name.pem

Command 2: The command below throws an error if we copy the custom-generated certificates into the cert path and try to run it. Regardless, it doesn't seem like client certs are being used appropriately.

$ vic-machine-operating_system configure \
    --target vcenter_server_address --user [email protected] --password password \
    --thumbprint certificate_thumbprint \
    --id vch_id \
    --tls-cname *.example.com \
    --tls-cert-path path_to_cert_folder

Error: "Folder already exists"

##### Workaround

We tried the command below and we are able to update the VCH certificate and pass the ca.pem to the VCH configure command. Note: the command below fails if we copy the certificates into a folder with the same name as the VCH, so we had to create a folder with a different name and copy the certs there. The error message is not clear.

$ vic-machine-operating_system configure --target vcenter_server_address --user [email protected] --password password --thumbprint certificate_thumbprint --id vch_id --tls-server-cert path_to_cert/server-cert.pem --tls-server-key path_to_key/server-key.pem --tls-ca path_to_key/ca.pem --tls-cname=""

This is also not useful, as client auth doesn't seem to work.

Document Link

https://vmware.github.io/vic-product/assets/files/html/1.5/vic_vsphere_admin/configure_vch.html

@malikkal @hickeng

aviratna avatar May 03 '19 04:05 aviratna

Default certs that are auto-generated have a one-year life. Long-term VIC users would be hit with renewal issues.

BTW, if you use CA-signed certs, as already explained above, any client certs issued by the CA are accepted! It would be great if this could be prioritized high. Thank you.

malikkal avatar May 03 '19 11:05 malikkal

> Default certs that are auto-generated have a one-year life. Long-term VIC users would be hit with renewal issues.
>
> BTW, if you use CA-signed certs, as already explained above, any client certs issued by the CA are accepted! It would be great if this could be prioritized high. Thank you.

@malikkal Do you expect an authorization user list for each VCH, so only users in this list can access the VCH? If so, as a quick solution, a file-based user list looks like the simplest solution for access control.

wjun avatar May 05 '19 11:05 wjun
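The behaviour reported in Issue 1 (any client certificate chaining to the shared CA opens every VCH) and the per-VCH user list wjun floats above, as an added example in Go. This is not vic-machine's code and does not claim to show how VIC evaluates --tls-ca; the names alice, bob, mallory, shared-ca, vch-b-ca, rogue-ca and the idea of keying the allowlist by certificate fingerprint are all constructed for the example. Every certificate is generated in memory, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates an in-memory P-256 key and certificate for cn; with parent == nil it is self-signed (a CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// chainsTo reports whether leaf verifies as a client certificate against ca.
// That is all a CA-only trust check asks: any certificate the CA signed passes.
func chainsTo(leaf, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// fingerprint is the hex SHA-256 of the DER certificate, used as the allowlist key.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// authorize is the stricter per-VCH decision: chain to the trusted CA AND be on
// this VCH's allowlist. The map stands in for the file-based user list proposed
// in the thread; keying it by certificate fingerprint is this example's choice.
func authorize(leaf, ca *x509.Certificate, allow map[string]bool) bool {
	return chainsTo(leaf, ca) && allow[fingerprint(leaf)]
}

// Run issues a shared CA, two clients from it, a separate per-VCH CA and an
// unrelated CA (all names constructed for the example), then reports each decision.
func Run() map[string]bool {
	sharedCA, sharedKey := issue("shared-ca", true, nil, nil)
	alice, _ := issue("alice", false, sharedCA, sharedKey) // issued for vch-a
	bob, _ := issue("bob", false, sharedCA, sharedKey)     // issued for vch-b
	vchBCA, _ := issue("vch-b-ca", true, nil, nil)         // one CA per VCH, as VIC auto-generates
	rogueCA, rogueKey := issue("rogue-ca", true, nil, nil)
	mallory, _ := issue("mallory", false, rogueCA, rogueKey)
	vchAAllow := map[string]bool{fingerprint(alice): true} // vch-a's user list
	return map[string]bool{
		"bob accepted by vch-a, CA-only check":     chainsTo(bob, sharedCA), // the reported behaviour
		"bob accepted by vch-a, with allowlist":    authorize(bob, sharedCA, vchAAllow),
		"alice accepted by vch-a, with allowlist":  authorize(alice, sharedCA, vchAAllow),
		"alice accepted by vch-b, per-VCH CA":      chainsTo(alice, vchBCA),
		"mallory accepted by vch-a, CA-only check": chainsTo(mallory, sharedCA),
	}
}

func main() {
	for k, v := range Run() {
		fmt.Printf("%-42s %v\n", k, v)
	}
}
```

The first entry is the problem in the issue: with one CA for every VCH, chain validation alone cannot tell bob's certificate from alice's, so a certificate issued for vch-b opens vch-a. The per-VCH CA entry shows why VIC's auto-generated certificates do not have this problem, and the allowlist entries show the cheapest fix when a single CA is kept: pin each VCH to the specific client certificates (or subjects) it should serve, in addition to requiring the CA chain.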

@wjun: Can you please let us know if the issue is fixed in the latest version.

@cmrajiv

aviratna avatar Aug 06 '20 09:08 aviratna