VMware {code} Community
stripeyfish
Contributor

Adding hosts against 5.1 now failing due to SSL requirements

I have some WebServices C# code that used to switch off the vCenter Server advanced setting client.VerifySLLCertificates (set to false) then use the .AddStandaloneHost_Task to add a host. This was against vSphere4 and worked no problem.

Now trying to do the same thing with 5.1, except that due to SSO, client.VerifySLLCertificates is set to true and greyed out. Using UpdateOptions to try to set this to false fails. Trying to add a host using .AddStandaloneHost_Task fails with SSLVerifyFault.

So how do I add a host now!? I don't want to go through replacing certificates at the point of setting up the infrastructure.

The PowerCLI equivalent command seems to have a force flag but need to get this done in C# WebServices.

Basically need code equivalent of ticking the checkbox in the GUI when adding a host to say you verify the thumbprint.

All pointers gratefully received!

SF.

stumpr
Virtuoso

You'll need to generate an SSL thumbprint.  You can get it by trying to add the host and failing (error will contain the thumbprint), or you can get the certificate and generate it yourself.

Here's an example in Perl that might be useful: http://www.virtuin.com/2012/11/automate-adding-esxi-hosts-to-vcenter.html

Reuben Stump | http://www.virtuin.com | @ReubenStump
stripeyfish
Contributor

Thanks - had been wondering about how to get the thumbprint from the self-signed certs on the new hosts. Will give that a try. Might try to extract from the fault first but already have code to upload new certs once certificate server built so should be able to cobble something this way too. Am in a chicken and egg scenario as building lots of environments, the cert server gets built within each new environment. Once it's built I use it to gen the certs and replace the default ones. But obviously whilst building up each environment from ground up the cert server not built yet.

Cheers for speedy reply :)

stumpr
Virtuoso

Yeah, if you're managing the certs you can generate the thumbprints. If using the self-signed ones you have to dig into the system to get the thumbprint (or use the fault error message, which is a little cluttered and ugly if you are a perfectionist in your vSphere task/events tab).

You could certainly work into your kickstart some wget fetch of a certificate that is generated by web request or something to remove that chicken-egg scenario.  I've had customers do similar tooling to address the issue (they wanted all hosts built to auto-request a CA signed cert from a central authority vs self-signed).

Definitely doable, might require a little setup and a few bits of code (shell or what not).

Reuben Stump | http://www.virtuin.com | @ReubenStump
stripeyfish
Contributor

Thanks again for pointing me in right direction... all sorted! :D

All done in C#

I connect direct to the new host using System.Net.WebClient and download the default SSL cert from host/ssl_cert

Then read file into byte stream and process using System.Security.Cryptography.X509Certificates.X509Certificate2 to get at the thumbprint.

Finally split up into pairs with : in between (took me a few moments of wondering why still not working until looked up HostConnectSpec!)

Then host added... at last!!!

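The three steps stripeyfish describes above (download the host's default certificate, derive the SHA-1 thumbprint with X509Certificate2, join the hex pairs with colons for HostConnectSpec) as an added C# example; this is not the poster's code. The /ssl_cert path is taken from the thread, the HostConnectSpec field names assume the vSphere Web Services SDK C# bindings (VimApi), and the per-request ServerCertificateValidationCallback requires .NET Framework 4.5 or later.

```csharp
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using VimApi; // vSphere Web Services SDK C# bindings (assumed)

// Added example, not the original poster's code.
public static class EsxiHostThumbprint
{
    // Download the host's default certificate from https://<host>/ssl_cert (path from the thread).
    // Validation is relaxed for this single request only, because the host still presents its
    // self-signed certificate. The thumbprint derived from it is trust-on-first-use: compare it
    // with the SHA1 thumbprint shown in the host's DCUI before adding production hosts.
    public static byte[] FetchCertificate(string host)
    {
        var request = (HttpWebRequest)WebRequest.Create("https://" + host + "/ssl_cert");
        request.ServerCertificateValidationCallback = (sender, cert, chain, errors) => true; // .NET 4.5+
        using (var stream = request.GetResponse().GetResponseStream())
        using (var buffer = new MemoryStream())
        {
            stream.CopyTo(buffer);
            return buffer.ToArray();
        }
    }

    // vCenter expects the SHA-1 thumbprint as colon-separated hex pairs ("AB:CD:..."), while
    // X509Certificate2.Thumbprint returns the same 40 hex digits with no separators. Missing
    // the colons is exactly what kept the poster's AddStandaloneHost_Task failing.
    public static string FormatForHostConnectSpec(byte[] certificateBytes)
    {
        string hex = new X509Certificate2(certificateBytes).Thumbprint; // accepts DER or PEM input
        return string.Join(":", Enumerable.Range(0, hex.Length / 2).Select(i => hex.Substring(2 * i, 2)));
    }

    // Build the spec passed to AddStandaloneHost_Task. Field names follow the SDK's HostConnectSpec;
    // 'force' stays false so a host already managed by another vCenter is not silently taken over.
    public static HostConnectSpec BuildConnectSpec(string host, string user, string password)
    {
        return new HostConnectSpec
        {
            hostName = host,
            userName = user,
            password = password,
            sslThumbprint = FormatForHostConnectSpec(FetchCertificate(host)),
            force = false
        };
    }
}
```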