Let's Encrypt - DNS Validation for NSX Advanced Load Balancer

Replacing self-signed certificates on appliances is a lot easier these days. This is to remind myself how I did it for NSX Advanced Load Balancer using Let’s Encrypt with DNS validation.

In the lab here I am using NSX Advanced Load Balancer 21.1.1.

Install & Run Certbot

My NSX Advanced Load Balancer controller in the lab isn’t internet accesible, so I need to use Let’s Encrypt’s DNS validation.

If you don’t already have certbot install, install it with:

sudo snap install certbot  # version 1.23.0, or
sudo apt  install certbot  # version 0.40.0-1ubuntu0.1

Note the version difference. Initially I went with the older version, but later realised only the newer version does ECDSA (Eliptic Curve) certs.

sudo snap install certbot --classic

Using DNS validation, you’ll need to control the DNS entry of a domain. When creating a cert, certbot will ask you to create a TXT record, which it will then validate.

Run certbot:

sudo certbot certonly --manual --preferred-challenges dns -d "avi2.vmw.one"

Running certbot

This created an RSA certificate, but we should do ECDSA as well.

sudo certbot certonly --manual --key-type ecdsa --preferred-challenges dns -d "avi2.vmw.one" --cert-name avi2.vmw.one-ECDSA

Running certbot

For whatever reason, it needs sudo, so list and cat fullchain.pem & privkey.pem

daunce@ubuntu:~$ sudo ls -1 /etc/letsencrypt/live/avi2.vmw.one
cert.pem
chain.pem
fullchain.pem
privkey.pem
README

daunce@ubuntu:~$ sudo cat /etc/letsencrypt/live/avi2.vmw.one/fullchain.pem
-----BEGIN CERTIFICATE-----
[ output omitted ]
-----END CERTIFICATE-----
daunce@ubuntu:~$ sudo cat /etc/letsencrypt/live/avi2.vmw.one/privkey.pem
-----BEGIN CERTIFICATE-----
[ output omitted ]
-----END CERTIFICATE-----

Import Certificates

Now login to the NSX Advanced Load Balancer UI, and go to Templates / Security / SSL/TLS Certificates. Click Create - Controller.

Import Certificates

Type in a name, change the Type to Import, and copy / paste the contents of the fullchain.pem file. Then paste the contents of the privkey.pem file.

Finally, click Validate, and that will enable the Save button.

Import Certificates

Run through the same thing again for the ECDSA certificate. Just add “EC” to the previous certificate name that you entered.

Enable the certificates

Now we need to tell the controller to use these new certificates. Go to Administration / Settings / Access Settings, and click the pencil icon.

Under SSL/TLS Certificate, you can only have a maximum of 2 certificates, so remove both certificates, then you can use the drop down menu to select the new certificates you just created. Click Save.

Enable Certificates

Logout, and back in again, and you’ll hopefully see the verified icon in your browser.

Verified icon

Just remember Let’s Encrypt certificates expire after 3 months.

Andrew Dauncey
Andrew Dauncey
Senior Consultant at VMware PSO

Every day I’m shuffling

Previous

Related