Certificate Replacement on vCenter: Part 2

Following up on my post about vCenter Certificate Replacement: I needed a scheduled way to update the certificate so I didn't forget again and end up in the mess I started with. This turned out to be very simple. First I download the certificate from the load balancer again with the same command as before, just with a different file name.

scp vcenter@<LB IP>:/conf/acme/vcenter.crt vcenter.crt.new

This saves the certificate to vcenter.crt.new. Next I reformat the file into the same one-line format the previous script used: every line break (with or without a carriage return) becomes a literal \n.

sed -i -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' vcenter.crt.new

Then a diff, with an exit-code check, decides what to do next.

diff vcenter.crt vcenter.crt.new && echo "same cert" || ./replace_vcenter.sh

This diffs the old and new files. diff exits 0 if they are identical, 1 if they differ, and 2 if it could not compare them at all (for example because one file is missing), so a failed download also falls through to the replacement script. && tells the shell to run the next command only if the exit code is 0, and || tells the shell to run it only if the exit code is non-zero. If the certificates are the same the script exits with the message "same cert". If they are different it calls the certificate replacement script.

The next and final part is scheduling. I added the script to cron via crontab. First edit the schedule with

crontab -e

This opens the crontab editor. Then add a line that runs the script at 00:01 every day:

1 0 * * * /root/cert_check_and_run.sh

Save the file and exit the editor (:wq in vi).

Now every day my vCenter downloads the latest certificate from my load balancer, checks whether it differs from the installed one, and if it does, installs the new certificate. Now I don't have to worry about my certificate expiring. I'm sure this isn't a supported way to do this and I should not have it live on the VCSA, but it works and this is my lab. You could easily put all this somewhere else and call the same API for the replacement. The new script is here: https://github.com/khensler/VMware_Scripts/blob/main/cert_check_and_run.sh and the companion replacement script is here: https://github.com/khensler/VMware_Scripts/blob/main/replace_vcenter_cert.sh.

