[Lessons Learned] vCloud Usage Meter SSL Certificate ChangeDario Dörflinger
When you install vCloud Usage Meter in an enterprise environment, you want to secure it with your own CA-signed certificates. Our engineers always ensure that these security requirements are met when we undertake a project.
With so many VMware products to choose from, it’s not always easy to keep track of the methods used for each tool, so we rely heavily on vendor documentation on how to do this. However, sometimes the documentation is not as complete as we would like.The latest version of the vCloud usage meter (4.5.x) is missing essential information in the documentation.
Thanks to the dedicated efforts of our Matthias Grasmück, we have uncovered additional necessary steps that are missing from the official documentation.
How to replace the SSL certificate on vCloud usage meter
The problem we’re facing is, that when you followed the documentation to replace the nginx ssl certificate, the VAMI interface would still use the self-signed certificate which ends up in the VAMI being inaccessible.
Create a new PEM based certificate
This needs to contain at least the FQDN and Hostname as SAN. You could create a “usagemeter.cfg” files for this:
[req] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext prompt = no [req_distinguished_name] countryName = 2-digit Country-Code stateOrProvinceName = State or Province localityName = City Name organizationName = Company Name organizationalUnitName = Department Name commonName = hostname-of-vcloud-usagemeter.domain.tld [req_ext] subjectAltName = @alt_names [alt_names] DNS.1 = hostname-of-vcloud-usagemeter.domain.tld DNS.2 = hostname-of-vcloud-usagemeter
Afterwards you then would create a new certificate sign request (CSR) based on the config file:
openssl req -out usagemeter.csr -newkey rsa:2048 -nodes -keyout usagemeter.key -config -usagemeter.cfg -sha256
Use the generated CSR file with your enterprise CA, which is usually the Microsoft-based CA server. As in most cases with VMware software, the built-in template for “Web Server” is sufficient.
In order for the new certificate to be accepted some additional steps are required. Your certificate needs to contain the full chain in the following order:
-----BEGIN CERTIFICATE----- Machine Certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Intermediate Certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Root Certificate -----END CERTIFICATE-----
Rename the “usagemeter.cer” to “usagemeter.crt” then make a copy of the generated certificate and name it something like “server.pem”. Open the newly created .pem file in a texteditor of your choosing and add the private key that was generated along with the CSR file to the top of the file. It should now look somewhat like this:
-----BEGIN PRIVATE KEY----- Private Key -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- Machine Certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Intermediate Certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Root Certificate -----END CERTIFICATE-----
Enable SSH on the vCloud Usage meter appliance
In order to comfortably complete the process we recommend to enable SSH on the appliance. This will allow you to easily upload the certificate and complete the configuration.
Login to the vCloud usage meter appliance using the VMRC (VMware Remote Console) with the user “usagemeter” and issue the following commands:
su root -c "systemctl enabled sshd" su root -c "systemctl start sshd"
Upload new certificate and configure the appliance
Upload all the certificate and config files (.crt, .key, .pem, .cfg) to the /tmp folder using the SCP client of your choosing and then log in to the appliance using the SSH client of your choosing. Next we’ll create some new directories in “/opt/vmware/cloudusagemetering/conf”, move some of the files from “/tmp” there and make a copy of the existing config:
cd /opt/vmware/cloudusagemetering/conf mkdir -p nginx/ssl mv /tmp/usagemeter.cfg nginx/ssl mv /tmp/usagemeter.key nginx/ssl cp nginx.conf nginx.conf.orig
Next we’ll need to edit the config file to point to our new certificate and private key. For this open the config file in VI and edit the two lines accordingly:
vi nginx.conf ssl_certificate nginx/ssl/usagemeter.crt ssl_certificate_key nginx/ssl/usagemeter.key
Exit and save VI by pressing ESC followed by “:wq”
The final steps require direct root access. Switch to the superuser:
and change direcories to /opt/vmware/etc/lighthttpd
Rename the current VAMI certificate
mv server.pem server.pem.original
Move the server.pem file from /tmp and make sure root user and root group own the file and only the owner can read it:
mv /tmp/server.pem /opt/vmware/etc/lighthttpd/ chown root:root ./server.pem chmod 600 server.pem
Reboot the appliance and enjoy trusted ssl connections on the frontend and the VAMI.
VMware has just published a KB Article for this issue and will assumably update the documentation in the next release accordingly.