Last active
December 28, 2022 05:09
-
-
Save starcraft66/efa44f1d5f11695ea68a5a7e57f9aa01 to your computer and use it in GitHub Desktop.
Automatically deploy TLS certificates to HP iLO4 management controllers using the dehydrated ACME client.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| fqdn=ilo.example.com | |
| username=Administrator | |
| password=Password | |
| #Check if the certificate is expiring soon | |
| echo | openssl s_client -servername $fqdn -connect $fqdn:443 2>/dev/null | openssl x509 -noout -checkend 2592000 | |
| if [ "$?" == "1" ]; then | |
| #Expiring in less than one month. We need to renew | |
| #Tell the iLO to start generating a private key and certificate signing request | |
| curl -sS -k -X POST -H "Content-Type: application/json" -d '{ "Action": "GenerateCSR", "Country": "x", "State": "x", "City": "x", "OrgName": "x", "OrgUnit": "x", "CommonName": "'$fqdn'"}' -u $username:$password https://$fqdn/redfish/v1/Managers/1/SecurityService/HttpsCert/ | |
| #Attempt to grab the request | |
| resp=$(curl -sS -k -u $username:$password https://$fqdn/redfish/v1/Managers/1/SecurityService/HttpsCert/ | grep -o \"CertificateSigningRequest\":\"[^\"]*\" | head -1 |cut -d : -f 2 | tr -d \") | |
| while [ "$resp" == "0" -o "$resp" == "" ]; do | |
| #The private key has not yet been generated | |
| sleep 10 | |
| #get the req | |
| resp=$(curl -sS -k -u $username:$password https://$fqdn/redfish/v1/Managers/1/SecurityService/HttpsCert/ | grep -o \"CertificateSigningRequest\":\"[^\"]*\" | head -1 |cut -d : -f 2 | tr -d \") | |
| done | |
| #Save the request to disk | |
| echo $resp | awk '{gsub("\\\\n","\n")};1' | head -n -1 > req.csr | |
| #Sign the request and obtain a certificate | |
| /home/letsencrypt/dehydrated/dehydrated -f /usr/local/etc/dehydrated/config --signcsr req.csr 2>&1 | sed -n '/----BEGIN CERTIFICATE-----/,/----END CERTIFICATE-----/ p' > chain.pem | |
| #Split the chain into two certificates, the first one is the one we care about! | |
| csplit -z -f cert- chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}' | |
| #Load the individual certificate back into $ilo_cert | |
| ilo_cert=$(cat cert-00) | |
| #Parse the cert back into something HPiLO will understand | |
| ilo_cert=$(echo $ilo_cert| awk '{gsub(" ","\\n")};1'|sed 's/\(.*\)\\n/\1 /'|sed '0,/\\n/s/\\n/ /') | |
| #Clean up temp files | |
| rm chain.pem | |
| rm cert-00 | |
| rm cert-01 | |
| #Install the certificate and reset iLO4 | |
| curl -sS -k -X POST -H "Content-Type: application/json" -d "{ \"Action\": \"ImportCertificate\", \"Certificate\": \"$(echo $ilo_cert)\" }" -u $username:$password https://$fqdn/redfish/v1/Managers/1/SecurityService/HttpsCert/ | |
| if [[ -f req.csr ]]; then | |
| #Clean up | |
| rm req.csr | |
| fi | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Updated for the Let's Encrypt ACME V2 api which returns the full certificate chain instead of just the leaf certificate in the signing response.