12 Replies Latest reply on Jul 23, 2010 2:21 AM by LucD

    check certificate

    RobMokkink Expert

       

      Is there a way I can check if there are any warnings with the certificate? Like, for instance, using the Connect-VIServer statement.

      I want to make sure that the certificate I replaced is okay.

       

       

        • 1. Re: check certificate
          LucD Guru

          Can't you capture the output of the Connect-VIServer cmdlet in a variable and check the content with a "match" or regex expression ?

           

           

           

           

          ____________

          Blog: LucD notes

          Twitter: lucd22

          Blog: http://lucd.info | Twitter: @LucD22 | PowerCLI Reference co-author: http://tinyurl.com/hkn4glz
          1 person found this helpful
          • 2. Re: check certificate
            RobMokkink Expert

             

            Hi Luc,

             

             

            That is a good idea.  I will have a look.

             

             

            • 3. Re: check certificate
              RvdNieuwendijk Virtuoso

              You can use the Start-Transcript cmdlet to capture the warning output of the Connect-VIserver cmdlet. Something like:

               

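              # Record everything written to the console, including the warning stream
              Start-Transcript -Path Transcript.txt
              Connect-VIServer vCenterServer
              Stop-Transcript
              $CertificateWarning = $false
              # Scan the transcript for the certificate warning; the wildcards let the
              # match succeed when the line carries extra leading or trailing text
              Get-Content Transcript.txt | ForEach-Object {
                if ($_ -like "*WARNING: There were one or more problems with the server certificate:*") {
                  $CertificateWarning = $true
                }
              }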
              

               

              Regards, Robert

              • 4. Re: check certificate
                RobMokkink Expert

                 

                Thanks for the handy snippet.

                But I think I can do the same with:

                 

                 

                 

                 

                 

                $CHECK_CON = connect-viserver -server <esxhost>  | out-string

                And do some parsing there. I can split the lines using a 10 so I can examine each line.

                 

                 

                • 5. Re: check certificate
                  RvdNieuwendijk Virtuoso

                  That will not work because the warning stream is a different stream and the Out-String cmdlet does not output the warning stream.

                  • 6. Re: check certificate
                    LucD Guru

                    True, but there is, in my opinion, an easier method than the Transcript method.

                    If you do

                    $cmd = "Connect-ViServer -Server <your-vcenter-name>"
                    $t = powershell.exe -command $cmd
                    

                    you will have in the variable $t the connect messages (warnings included).

                     

                    Note that you can not specify -noprofile and that the profile should load the PowerCLI pssnapin.

                     

                     

                     

                     

                    • 7. Re: check certificate
                      RvdNieuwendijk Virtuoso

                      Luc, you are right. That works also. What is easier is a matter of taste ;-). I changed your script into:

                       

                      $cmd = "Add-PsSnapin VMware.VimAutomation.Core ; Connect-ViServer -Server <your-vcenter-name>"
                      $t = powershell.exe -command $cmd
                      

                       

                      to not have to load the PowerCLI snapin from the profile.

                      1 person found this helpful
                      • 8. Re: check certificate
                        LucD Guru

                        There is no messing with an external file, that's why I consider it easier.

                         

                        If you want to load the PowerCLI snapin like that, you can add -noprofile.

                         

                         

                         

                         

                         

                        • 9. Re: check certificate
                          RobMokkink Expert

                           

                          Thanks guys.

                           

                           

                          I can continue with checking the certificates. Because I really want the certificate check automated, because of security reasons.

                           

                           

                          • 10. Re: check certificate
                            RobMokkink Expert

                             

                            I execute it as follows:

                             

                             

                             

                             

                             

                            $t = powershell -noprofile -command $CMD | out-string
                            if ($t.contains("WARNING:"))
                            {
                                return $False
                            }
                            else
                            {
                                return $True
                            }

                             

                             

                            I tested it a couple of times, and it works really well.

                             

                             

                             

                             

                             

                            For uploading the key and cert I rely on scp. I know it is not the most beautiful solution, but I disable SSH services right after that.

                             

                             

                            • 11. Re: check certificate
                              LucD Guru

                              Rob, I suspect you can leave out the pipe to Out-String.

                              Or did you encounter a case where it's needed ?

                               

                               

                               

                               

                              • 12. Re: check certificate
                                RobMokkink Expert

                                The out-string is needed, because you get an error that the contains method cannot be used on an object.
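
An added example, not code from any poster in this thread: reply 5 points out that the warning is written to a separate stream, and the check in reply 10 treats any "WARNING:" text as a certificate problem. The sketch below captures the warning stream in-process with `3>&1` (PowerShell 3.0 or later) and matches only the certificate warning quoted in reply 3. `Get-CertificateWarning` and the two stand-in script blocks are hypothetical names, and it assumes PowerCLI emits the certificate message on the warning stream, as reply 5 describes.

```powershell
# Added example; requires PowerShell 3.0+ for the 3>&1 redirection.
function Get-CertificateWarning {
    param(
        [Parameter(Mandatory = $true)]
        [scriptblock]$Action,
        # Wording taken from the warning quoted in reply 3 of the thread.
        [string]$Pattern = '*problems with the server certificate*'
    )

    # 3>&1 merges the warning stream into the success stream, so warnings
    # arrive as WarningRecord objects mixed in with the normal output.
    $all = @(& $Action 3>&1)

    $warnings = @($all | Where-Object { $_ -is [System.Management.Automation.WarningRecord] })
    $certMsgs = @($warnings | Where-Object { $_.Message -like $Pattern } |
                  ForEach-Object { $_.Message })
    $otherMsgs = @($warnings | Where-Object { $_.Message -notlike $Pattern } |
                   ForEach-Object { $_.Message })

    [PSCustomObject]@{
        CertificateOk = ($certMsgs.Count -eq 0)   # only certificate warnings fail the check
        CertWarnings  = $certMsgs
        OtherWarnings = $otherMsgs                # reported, but not treated as a failure
        Output        = @($all | Where-Object { $_ -isnot [System.Management.Automation.WarningRecord] })
    }
}

# Constructed stand-ins for Connect-VIServer so the example runs offline.
$badCert = {
    Write-Warning 'There were one or more problems with the server certificate:'
    'session-object (constructed)'
}
$unrelated = {
    Write-Warning 'Some unrelated notice (constructed)'
    'session-object (constructed)'
}

Get-CertificateWarning -Action $badCert   | Format-List CertificateOk, CertWarnings
Get-CertificateWarning -Action $unrelated | Format-List CertificateOk, OtherWarnings

# Real use (assumes PowerCLI is loaded; placeholder server name as in the thread):
# Get-CertificateWarning -Action { Connect-VIServer -Server '<your-vcenter-name>' }
```

The result is only meaningful when PowerCLI is configured to warn on an invalid certificate; if invalid certificates are set to be ignored, no warning is emitted and the check passes regardless.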