[Lessons Learned] vCloud Usage Meter SSL Certificate Change

Back to Blog

[Lessons Learned] vCloud Usage Meter SSL Certificate Change

When you install vCloud Usage Meter in an enterprise environment, you want to secure it with your own CA-signed certificates. Our engineers always ensure that these security requirements are met when we undertake a project.

With so many VMware products to choose from, it’s not always easy to keep track of the methods used for each tool, so we rely heavily on vendor documentation on how to do this. However, sometimes the documentation is not as complete as we would like.The latest version of the vCloud usage meter (4.5.x) is missing essential information in the documentation.

Thanks to the dedicated efforts of our Matthias Grasmück, we have uncovered additional necessary steps that are missing from the official documentation.

How to replace the SSL certificate on vCloud usage meter

The problem we’re facing is, that when you followed the documentation to replace the nginx ssl certificate, the VAMI interface would still use the self-signed certificate which ends up in the VAMI being inaccessible.

Create a new PEM based certificate

This needs to contain at least the FQDN and Hostname as SAN. You could create a “usagemeter.cfg” files for this:

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
countryName = 2-digit Country-Code
stateOrProvinceName = State or Province
localityName = City Name
organizationName = Company Name
organizationalUnitName = Department Name
commonName = hostname-of-vcloud-usagemeter.domain.tld

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = hostname-of-vcloud-usagemeter.domain.tld
DNS.2 = hostname-of-vcloud-usagemeter

Afterwards you then would create a new certificate sign request (CSR) based on the config file:

openssl req -out usagemeter.csr -newkey rsa:2048 -nodes -keyout usagemeter.key -config -usagemeter.cfg -sha256

Use the generated CSR file with your enterprise CA, which is usually the Microsoft-based CA server. As in most cases with VMware software, the built-in template for “Web Server” is sufficient.

In order for the new certificate to be accepted some additional steps are required. Your certificate needs to contain the full chain in the following order:

-----BEGIN CERTIFICATE-----
Machine Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Certificate
-----END CERTIFICATE-----

Rename the “usagemeter.cer” to “usagemeter.crt” then make a copy of the generated certificate and name it something like “server.pem”. Open the newly created .pem file in a texteditor of your choosing and add the private key that was generated along with the CSR file to the top of the file. It should now look somewhat like this:

-----BEGIN PRIVATE KEY-----
Private Key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Machine Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Certificate
-----END CERTIFICATE-----

Enable SSH on the vCloud Usage meter appliance

In order to comfortably complete the process we recommend to enable SSH on the appliance. This will allow you to easily upload the certificate and complete the configuration.

Login to the vCloud usage meter appliance using the VMRC (VMware Remote Console) with the user “usagemeter” and issue the following commands:

su root -c "systemctl enabled sshd"
su root -c "systemctl start sshd"

Now you are able to use a UI based SCP tool like WinSCP (Windows) or Cyberduck (macOS) and connect to the appliance using putty (Windows) or iTerm2 (macOS).

Upload new certificate and configure the appliance

Upload all the certificate and config files (.crt, .key, .pem, .cfg) to the /tmp folder using the SCP client of your choosing and then log in to the appliance using the SSH client of your choosing. Next we’ll create some new directories in “/opt/vmware/cloudusagemetering/conf”, move some of the files from “/tmp” there and make a copy of the existing config:

cd /opt/vmware/cloudusagemetering/conf
mkdir -p nginx/ssl
mv /tmp/usagemeter.cfg nginx/ssl
mv /tmp/usagemeter.key nginx/ssl
cp nginx.conf nginx.conf.orig

Next we’ll need to edit the config file to point to our new certificate and private key. For this open the config file in VI and edit the two lines accordingly:

vi nginx.conf
ssl_certificate nginx/ssl/usagemeter.crt
ssl_certificate_key nginx/ssl/usagemeter.key

Exit and save VI by pressing ESC followed by “:wq”

The final steps require direct root access. Switch to the superuser:

su root

and change direcories to /opt/vmware/etc/lighthttpd

cd /opt/vmware/etc/lighthttpd

Rename the current VAMI certificate

mv server.pem server.pem.original

Move the server.pem file from /tmp and make sure root user and root group own the file and only the owner can read it:

mv /tmp/server.pem /opt/vmware/etc/lighthttpd/
chown root:root ./server.pem
chmod 600 server.pem

Reboot the appliance and enjoy trusted ssl connections on the frontend and the VAMI.

Next Steps

To hear more from our passionate engineers, contact us or follow us on social media for updates on our blogposts and other engineering activities.

Update 22.03.2022

VMware has just published a KB Article for this issue and will assumably update the documentation in the next release accordingly.

Share this post

Leave a Reply

Your email address will not be published.

Back to Blog