Automation

 View Only
  • 1.  PowerCLI: Force ESXi-Configuration download to HTTPS

    Posted Aug 18, 2023 10:16 AM

    I usually bulk backup ESXi host configurations with PowerCLI.

    Get-Cluster -name myCluster | Get-VMHost | Get-VMHostFirmware -BackupConfiguration -DestinationPath 'c:\tmp'

    Today a backup effort failed with download issues:

    Together with the network team we figured out that PowerCLI seems to try downloading the TGZ-Backup via HTTP instead of HTTPS.

    HTTPS access to the host is possible, HTTP is blocked.

    Get-VMHostFirmware : 18.08.2023 12:05:49 Get-VMHostFirmware An error occurred while sending the request.
    At line:1 char:28
    + ... et-VMHost | Get-VMHostFirmware -BackupConfiguration -DestinationPath ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Get-VMHostFirmware], ViError
    + FullyQualifiedErrorId : Client20_SystemManagementServiceImpl_BackupVmHostFirmware_DownloadError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Host.GetVMHostFirmware

     

    Is there an option to force the download to use HTTPS?

    TIA

    Michael



  • 2.  RE: PowerCLI: Force ESXi-Configuration download to HTTPS

    Posted Aug 18, 2023 12:24 PM

    The Get-VMHostFirmware cmdlet has, afaik, no option to use HTTPS.

    But you can simulate the same via the

    vim-cmd hostsvc/firmware/backup_config

    command (see KB2042141) and the Invoke-SSHCommand (from the Posh-SSH module).
    And then download the resulting file via for example Invoke-WebRequest, using HTTPS. 



  • 3.  RE: PowerCLI: Force ESXi-Configuration download to HTTPS

    Posted Aug 18, 2023 12:57 PM

    Thanks Luc

    Deep in the past we used to make it host-by-host with vicfg-cfgbackup and downloaded the file with SCP afterwards. That's fine when you only need to backup a few hosts. The point is that we're firing one-liners against multiple VC instances with many hosts. It's a convenient way to get all configurations with just a single direct command.

    Well, I think we'll need to add another firewall rule in order to allow HTTP connections from certain workstations.