This repository has been archived by the owner on Jun 28, 2023. It is now read-only.

[Docs](docs/site/content/docs/edge/ref-vsphere.md) Add GOVC example to retrieve SHA1 thumbprint for vCenter #4951

Closed
dominikzorgnotti opened this issue Jul 1, 2022 · 1 comment
Labels
kind/docs A change in documentation triage/needs-triage Needs triage by TCE maintainers

Comments

@dominikzorgnotti
Contributor

dominikzorgnotti commented Jul 1, 2022

Description

I propose adding a section with an example on the docs page:
Here we can show how to use govc to retrieve the SHA1 thumbprint of the vCenter (see location).
Today we require the admin to log into the vCenter appliance with an administrative user (like root) which is in many aspects bad.
Using govc it is really a single command to take care of this.

Location

I suggest adding this to the page Reference for vSphere account
somewhere below the section Obtain vSphere Certificate Thumbprints

The Code

# This assumes you have set up your GOVC environment per https://github.com/vmware/govmomi/tree/master/govc

# This works on any OS. The last line of the output contains the SHA1 thumbprint
govc about.cert

# On macOS/Linux you can directly extract the SHA1 thumbprint with jq.
# -k skips TLS verification (the thumbprint is not trusted yet at this point),
# so confirm the value out of band before pinning it in your cluster config.
govc about.cert -k -json | jq -r .ThumbprintSHA1

Additional Context

If your vSphere environment uses untrusted, self-signed certificates to authenticate connections, you must verify the thumbprint of the vCenter Server when you deploy a management cluster. If your vSphere environment uses trusted certificates that are signed by a known Certificate Authority (CA), you do not need to verify the thumbprint.

Example output from govc:

❯ govc about.cert
Certificate Status:          good
Issued To:
  Common Name (CN):          cube-vcsa-01.lab.why-did-it.fail
  Organization (O):          <Not Part Of Certificate>
  Organizational Unit (OU):  <Not Part Of Certificate>
Issued By:
  Common Name (CN):          Why did IT fail - LAB CA Root CA
  Organization (O):          Why did IT fail - LAB CA
  Organizational Unit (OU):  <Not Part Of Certificate>
Validity Period:
  Issued On:                 2022-06-08 09:34:58 +0000 UTC
  Expires On:                2024-06-07 09:34:53 +0000 UTC
Thumbprints:
  SHA-256 Thumbprint:        DD:FE:F4:D6:5E:68:BE:8C:66:81:CB:C6:74:9B:2E:EB:E1:A3:32:6D:D5:00:E5:1C:82:8B:92:5D:56:17:7C:2E
  SHA-1 Thumbprint:          28:7A:DC:16:55:D7:DF:BF:08:63:99:FE:91:2A:76:F1:40:C7:DE:FF

To verify, this is the output from OpenSSL on my vCenter:

❯ ssh root@cube-vcsa-01
VMware vCenter Server 7.0.3.00600

Type: vCenter Server with an embedded Platform Services Controller

root@cube-vcsa-01 [ ~ ]# openssl x509 -in /etc/vmware-vpx/ssl/rui.crt -fingerprint -sha1 -noout
SHA1 Fingerprint=28:7A:DC:16:55:D7:DF:BF:08:63:99:FE:91:2A:76:F1:40:C7:DE:FF
@dominikzorgnotti dominikzorgnotti added kind/docs A change in documentation triage/needs-triage Needs triage by TCE maintainers labels Jul 1, 2022
@dominikzorgnotti dominikzorgnotti changed the title Add GOVC example to retrieve SHA1 thumbprint for vCenter [Docs](docs/site/content/docs/edge/ref-vsphere.md) Add GOVC example to retrieve SHA1 thumbprint for vCenter Jul 1, 2022
dominikzorgnotti added a commit to dominikzorgnotti/community-edition that referenced this issue Jul 3, 2022
To provide the required CLI examples from vmware-tanzu#4950 vmware-tanzu#4951 and vmware-tanzu#4840
we need to restructure the permission section.
Each creation step for RBAC (role, user, permissions) is now a section.
Each section shows one of three options: UI, govc, PowerCLI

Fixes vmware-tanzu#4950 vmware-tanzu#4951 vmware-tanzu#4840

Signed-off-by: Dominik Zorgnotti <dzorgnotti@vmware.com>
stmcginnis pushed a commit that referenced this issue Jul 6, 2022
To provide the required CLI examples from #4950 #4951 and #4840
we need to restructure the permission section.
Each creation step for RBAC (role, user, permissions) is now a section.
Each section shows one of three options: UI, govc, PowerCLI

Signed-off-by: Dominik Zorgnotti <dzorgnotti@vmware.com>
@stmcginnis
Contributor

Addressed by #4971
