-
-
Save mcdamo/da06f2f622497660a6aefaa12bb7ea4c to your computer and use it in GitHub Desktop.
| #!/usr/bin/env python3 | |
| # vim: autoindent tabstop=4 shiftwidth=4 expandtab softtabstop=4 filetype=python | |
| # This file is part of Supermicro IPMI certificate updater. | |
| # Supermicro IPMI certificate updater is free software: you can | |
| # redistribute it and/or modify it under the terms of the GNU General Public | |
| # License as published by the Free Software Foundation, version 2. | |
| # | |
| # This program is distributed in the hope that it will be useful, but WITHOUT | |
| # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS | |
| # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more | |
| # details. | |
| # | |
| # You should have received a copy of the GNU General Public License along with | |
| # this program; if not, write to the Free Software Foundation, Inc., 51 | |
| # Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
| # | |
| # Copyright (c) Jari Turkia | |
| import os | |
| import argparse | |
| import re | |
| import requests | |
| import logging | |
| from base64 import b64encode | |
| from datetime import datetime | |
| from lxml import etree | |
| from urllib.parse import urlparse | |
| from requests.auth import HTTPBasicAuth | |
| REQUEST_TIMEOUT = 5.0 | |
| class IPMIUpdater: | |
| def __init__(self, session, ipmi_url): | |
| self.session = session | |
| self.ipmi_url = ipmi_url | |
| self.login_url = f'{ipmi_url}/cgi/login.cgi' | |
| self.cert_info_url = f'{ipmi_url}/cgi/ipmi.cgi' | |
| self.upload_cert_url = f'{ipmi_url}/cgi/upload_ssl.cgi' | |
| self.url_redirect_template = f'{ipmi_url}/cgi/url_redirect.cgi?url_name=%s' | |
| self.use_b64encoded_login = True | |
| self._csrf_token = None | |
| error_log = logging.getLogger("IPMIUpdater") | |
| error_log.setLevel(logging.ERROR) | |
| self.setLogger(error_log) | |
| def setLogger(self, logger): | |
| self.logger = logger | |
| def get_csrf_token(self, url_name): | |
| if self._csrf_token is not None: | |
| return self._csrf_token | |
| page_url = self.url_redirect_template % url_name | |
| result = self.session.get(page_url) | |
| result.raise_for_status() | |
| match = re.search(r'SmcCsrfInsert\s*\("CSRF_TOKEN",\s*"([^"]*)"\);', result.text) | |
| if match: | |
| return match.group(1) | |
| def get_csrf_headers(self, url_name): | |
| page_url = self.url_redirect_template % url_name | |
| headers = { | |
| "Origin": self.ipmi_url, | |
| "Referer": page_url, | |
| } | |
| csrf_token = self.get_csrf_token(url_name) | |
| if csrf_token is not None: | |
| headers["CSRF_TOKEN"] = csrf_token | |
| self.logger.debug("HEADERS:%s" % headers) | |
| return headers | |
| def get_xhr_headers(self, url_name): | |
| headers = self.get_csrf_headers(url_name) | |
| headers["X-Requested-With"] = "XMLHttpRequest" | |
| return headers | |
| def login(self, username, password): | |
| """ | |
| Log into IPMI interface | |
| :param username: username to use for logging in | |
| :param password: password to use for logging in | |
| :return: bool | |
| """ | |
| if self.use_b64encoded_login: | |
| login_data = { | |
| 'name': b64encode(username.encode("UTF-8")), | |
| 'pwd': b64encode(password.encode("UTF-8")), | |
| 'check': '00' | |
| } | |
| else: | |
| login_data = { | |
| 'name': username, | |
| 'pwd': password | |
| } | |
| try: | |
| result = self.session.post(self.login_url, login_data, timeout=REQUEST_TIMEOUT, verify=False) | |
| except ConnectionError: | |
| return False | |
| if not result.ok: | |
| return False | |
| if '/cgi/url_redirect.cgi?url_name=mainmenu' not in result.text: | |
| return False | |
| # Set mandatory cookies: | |
| url_parts = urlparse(self.ipmi_url) | |
| # Cookie: langSetFlag=0; language=English; SID=<dynamic session ID here!>; mainpage=configuration; subpage=config_ssl | |
| mandatory_cookies = { | |
| 'langSetFlag': '0', | |
| 'language': 'English' | |
| } | |
| for cookie_name, cookie_value in mandatory_cookies.items(): | |
| self.session.cookies.set(cookie_name, cookie_value, domain=url_parts.hostname) | |
| return True | |
| def get_ipmi_cert_info(self): | |
| """ | |
| Verify existing certificate information | |
| :return: dict | |
| """ | |
| headers = self.get_xhr_headers("config_ssl") | |
| cert_info_data = self._get_op_data('SSL_STATUS.XML', '(0,0)') | |
| try: | |
| result = self.session.post(self.cert_info_url, cert_info_data, headers=headers, timeout=REQUEST_TIMEOUT, verify=False) | |
| except ConnectionError: | |
| return False | |
| if not result.ok: | |
| return False | |
| self.logger.debug(result.text) | |
| root = etree.fromstring(result.text) | |
| # <?xml> <IPMI> <SSL_INFO> <STATUS> | |
| status = root.xpath('//IPMI/SSL_INFO/STATUS') | |
| if not status: | |
| return False | |
| # Since xpath will return a list, just pick the first one from it. | |
| status = status[0] | |
| has_cert = bool(int(status.get('CERT_EXIST'))) | |
| if has_cert: | |
| valid_from = status.get('VALID_FROM') | |
| valid_until = status.get('VALID_UNTIL') | |
| return { | |
| 'has_cert': has_cert, | |
| 'valid_from': valid_from, | |
| 'valid_until': valid_until | |
| } | |
| def get_ipmi_cert_valid(self): | |
| """ | |
| Verify existing certificate information | |
| :return: bool | |
| """ | |
| headers = self.get_xhr_headers("config_ssl") | |
| cert_info_data = self._get_op_data('SSL_VALIDATE.XML', '(0,0)') | |
| try: | |
| result = self.session.post(self.cert_info_url, cert_info_data, headers=headers, timeout=REQUEST_TIMEOUT, verify=False) | |
| except ConnectionError: | |
| return False | |
| if not result.ok: | |
| return False | |
| self.logger.debug(result.text) | |
| root = etree.fromstring(result.text) | |
| # <?xml> <IPMI> <SSL_INFO> | |
| status = root.xpath('//IPMI/SSL_INFO') | |
| if not status: | |
| return False | |
| # Since xpath will return a list, just pick the first one from it. | |
| status = status[0] | |
| return bool(int(status.get('VALIDATE'))) | |
| def upload_cert(self, key_file, cert_file): | |
| """ | |
| Send X.509 certificate and private key to server | |
| :param session: Current session object | |
| :type session requests.session | |
| :param url: base-URL to IPMI | |
| :param key_file: filename to X.509 certificate private key | |
| :param cert_file: filename to X.509 certificate PEM | |
| :return: | |
| """ | |
| with open(key_file, 'rb') as filehandle: | |
| key_data = filehandle.read() | |
| with open(cert_file, 'rb') as filehandle: | |
| cert_data = filehandle.read() | |
| # extract certificates only (IMPI doesn't like DH PARAMS) | |
| cert_data = b'\n'.join(re.findall(b'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----', cert_data, re.DOTALL)) + b'\n' | |
| files_to_upload = self._get_upload_data(cert_data, key_data) | |
| headers = self.get_csrf_headers("config_ssl") | |
| csrf_token = self.get_csrf_token("config_ssl") | |
| csrf_data = {} | |
| if csrf_token is not None: | |
| csrf_data["CSRF_TOKEN"] = csrf_token | |
| try: | |
| result = self.session.post(self.upload_cert_url, csrf_data, files=files_to_upload, headers=headers, timeout=REQUEST_TIMEOUT, verify=False) | |
| except ConnectionError: | |
| return False | |
| if not result.ok: | |
| return False | |
| if 'Content-Type' not in result.headers.keys() or result.headers['Content-Type'] != 'text/html': | |
| # On failure, Content-Type will be 'text/plain' and 'Transfer-Encoding' is 'chunked' | |
| return False | |
| if 'CONFPAGE_RESET' not in result.text: | |
| return False | |
| return True | |
| def _check_reboot_result(self, result): | |
| return True | |
| def reboot_ipmi(self): | |
| # do we need a different Referer here? | |
| headers = self.get_xhr_headers("config_ssl") | |
| reboot_data = self._get_op_data('main_bmcreset', None) | |
| try: | |
| result = self.session.post(self.reboot_url, reboot_data, headers=headers, timeout=REQUEST_TIMEOUT, verify=False) | |
| except ConnectionError: | |
| return False | |
| if not result.ok: | |
| return False | |
| if not self._check_reboot_result(result): | |
| return False | |
| return True | |
| class IPMIX10Updater(IPMIUpdater): | |
| def __init__(self, session, ipmi_url): | |
| super().__init__(session, ipmi_url) | |
| self.reboot_url = f'{ipmi_url}/cgi/BMCReset.cgi' | |
| self.use_b64encoded_login = False | |
| def _get_op_data(self, op, r): | |
| timestamp = datetime.utcnow().strftime('%a %d %b %Y %H:%M:%S GMT') | |
| data = { | |
| 'time_stamp': timestamp # 'Thu Jul 12 2018 19:52:48 GMT+0300 (FLE Daylight Time)' | |
| } | |
| if r is not None: | |
| data[op] = r | |
| return data | |
| def _get_upload_data(self, cert_data, key_data): | |
| return [ | |
| ('cert_file', ('cert.pem', cert_data, 'application/octet-stream')), | |
| ('key_file', ('privkey.pem', key_data, 'application/octet-stream')) | |
| ] | |
| def _check_reboot_result(self, result): | |
| self.logger.debug(result.text) | |
| root = etree.fromstring(result.text) | |
| # <?xml> <IPMI> <SSL_INFO> | |
| status = root.xpath('//IPMI/BMC_RESET/STATE') | |
| if not status: | |
| return False | |
| if status[0].get('CODE') == 'OK': | |
| return True | |
| return False | |
| #if '<STATE CODE="OK"/>' not in result.text: | |
| # return False | |
| class IPMIX11Updater(IPMIUpdater): | |
| def __init__(self, session, ipmi_url): | |
| super().__init__(session, ipmi_url) | |
| self.reboot_url = f'{ipmi_url}/cgi/op.cgi' | |
| self.use_b64encoded_login = True | |
| def _get_op_data(self, op, r): | |
| data = { | |
| 'op': op | |
| } | |
| if r is not None: | |
| data['r'] = r | |
| data['_'] = '' | |
| return data | |
| def _get_upload_data(self, cert_data, key_data): | |
| return [ | |
| ('cert_file', ('fullchain.pem', cert_data, 'application/octet-stream')), | |
| ('key_file', ('privkey.pem', key_data, 'application/octet-stream')) | |
| ] | |
| def create_updater(args): | |
| session = requests.session() | |
| if args.model is None: | |
| model = determine_model(session, args.ipmi_url, args.debug) | |
| else: | |
| model = args.model | |
| if not args.quiet: | |
| print("Board model is " + model) | |
| if model == "X10": | |
| return IPMIX10Updater(session, args.ipmi_url) | |
| elif model == "X11": | |
| return IPMIX11Updater(session, args.ipmi_url) | |
| else: | |
| raise Exception(f"Unknown model: {model}") | |
| def determine_model(session, ipmi_url, debug): | |
| redfish_url = f'{ipmi_url}/redfish/v1/' | |
| try: | |
| r = session.get(redfish_url, timeout=REQUEST_TIMEOUT, verify=False) | |
| except (ConnectionError, requests.exceptions.SSLError) as err: | |
| print("Failed to determine model: connection error") | |
| if debug: | |
| print(err) | |
| exit(2) | |
| if not r.ok: | |
| print(f"Failed to determine model (try --model): {r.status_code} {r.reason}") | |
| exit(2) | |
| data = r.json() | |
| # The UpdateService methods are only available on newer X11 based boards | |
| if "UpdateService" in data: | |
| return "X11" | |
| else: | |
| return "X10" | |
| def main(): | |
| parser = argparse.ArgumentParser(description='Update Supermicro IPMI SSL certificate') | |
| parser.add_argument('--ipmi-url', required=True, | |
| help='Supermicro IPMI 2.0 URL') | |
| parser.add_argument('--model', required=False, | |
| help='Board model, eg. X10 or X11') | |
| parser.add_argument('--key-file', required=True, | |
| help='X.509 Private key filename') | |
| parser.add_argument('--cert-file', required=True, | |
| help='X.509 Certificate filename') | |
| parser.add_argument('--username', required=True, | |
| help='IPMI username with admin access') | |
| parser.add_argument('--password', required=True, | |
| help='IPMI user password') | |
| parser.add_argument('--no-reboot', action='store_true', | |
| help='The default is to reboot the IPMI after upload for the change to take effect.') | |
| parser.add_argument('--quiet', action='store_true', | |
| help='Do not output anything if successful') | |
| parser.add_argument('--debug', action='store_true', | |
| help='Output additional debugging') | |
| args = parser.parse_args() | |
| # Confirm args | |
| if not os.path.isfile(args.key_file): | |
| print("--key-file '%s' doesn't exist!" % args.key_file) | |
| exit(2) | |
| if not os.path.isfile(args.cert_file): | |
| print("--cert-file '%s' doesn't exist!" % args.cert_file) | |
| exit(2) | |
| if args.ipmi_url[-1] == '/': | |
| args.ipmi_url = args.ipmi_url[0:-1] | |
| if args.debug: | |
| import http.client as http_client | |
| http_client.HTTPConnection.debuglevel = 1 | |
| # Enable request logging | |
| logging.basicConfig() | |
| logging.getLogger().setLevel(logging.DEBUG) | |
| requests_log = logging.getLogger("requests.packages.urllib3") | |
| requests_log.setLevel(logging.DEBUG) | |
| requests_log.propagate = True | |
| # Start the operation | |
| requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) | |
| updater = create_updater(args) | |
| if args.debug: | |
| debug_log = logging.getLogger("IPMIUpdater") | |
| debug_log.setLevel(logging.DEBUG) | |
| updater.setLogger(debug_log) | |
| if not updater.login(args.username, args.password): | |
| print("Login failed. Cannot continue!") | |
| exit(2) | |
| cert_info = updater.get_ipmi_cert_info() | |
| if not cert_info: | |
| print("Failed to extract certificate information from IPMI!") | |
| exit(2) | |
| if not args.quiet and cert_info['has_cert']: | |
| print("There exists a certificate, which is valid until: %s" % cert_info['valid_until']) | |
| # Go upload! | |
| if not updater.upload_cert(args.key_file, args.cert_file): | |
| print("Failed to upload X.509 files to IPMI!") | |
| exit(2) | |
| cert_valid = updater.get_ipmi_cert_valid() | |
| if not cert_valid: | |
| print("Uploads failed validation") | |
| exit(2) | |
| if not args.quiet: | |
| print("Uploaded files ok.") | |
| cert_info = updater.get_ipmi_cert_info() | |
| if not cert_info: | |
| print("Failed to extract certificate information from IPMI!") | |
| exit(2) | |
| if not args.quiet and cert_info['has_cert']: | |
| print("After upload, there exists a certificate, which is valid until: %s" % cert_info['valid_until']) | |
| if not args.no_reboot: | |
| if not args.quiet: | |
| print("Rebooting IPMI to apply changes.") | |
| if not updater.reboot_ipmi(): | |
| print("Rebooting failed! Go reboot it manually?") | |
| if not args.quiet: | |
| print("All done!") | |
| if __name__ == "__main__": | |
| main() | |
Reading password from command line is considered bad practice. It should be rather stored in a file readable only by the owner.
I did just upgrade latest IPMI version R 3.88 and try to update my cert and get this error MSG
DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): XXX.XXX.XXX:443 DEBUG:requests.packages.urllib3.connectionpool:https://XXX.XXX.XXX:443 "POST /cgi/login.cgi HTTP/1.1" 200 582 DEBUG:requests.packages.urllib3.connectionpool:https://XXX.XXX.XXX:443 "POST /cgi/ipmi.cgi HTTP/1.1" 200 381 Traceback (most recent call last): File "./ipmi-updater.py", line 299, in <module> main() File "./ipmi-updater.py", line 261, in main cert_info = get_ipmi_cert_info(session, args.ipmi_url) File "./ipmi-updater.py", line 92, in get_ipmi_cert_info root = etree.fromstring(result.text) File "src/lxml/etree.pyx", line 3213, in lxml.etree.fromstring File "src/lxml/parser.pxi", line 1877, in lxml.etree._parseMemoryDocument File "src/lxml/parser.pxi", line 1758, in lxml.etree._parseDoc File "src/lxml/parser.pxi", line 1068, in lxml.etree._BaseParser._parseUnicodeDoc File "src/lxml/parser.pxi", line 601, in lxml.etree._ParserContext._handleParseResultDoc File "src/lxml/parser.pxi", line 711, in lxml.etree._handleParseResult File "src/lxml/parser.pxi", line 640, in lxml.etree._raiseParseError File "<string>", line 10 lxml.etree.XMLSyntaxError: Opening and ending tag mismatch: META line 5 and head, line 10, column 8
Any solution on this?
I've adjusted your fork to use the web interface also on X11 boards, since I only have OOB license which doesn't allow me to update the certs through Redfish.
https://gist.github.com/oxc/9638d69b1a6c953dd9d2d38a43f3220a
I've taken your fork and tweaked it to work on my X10 board. The model detection was not working so I added a cli parameter to override as in: --model X10.
I've adjusted your fork to use the web interface also on X11 boards, since I only have OOB license which doesn't allow me to update the certs through Redfish.
https://gist.github.com/oxc/9638d69b1a6c953dd9d2d38a43f3220aI've taken your fork and tweaked it to work on my X10 board. The model detection was not working so I added a cli parameter to override as in:
--model X10.
Thanks. That solved my issue with this script 👍
Nice script, just what I've been looking for. However, it doesn't appear to be working for me. But neither does manually updating via the BMC web interface. They both accept the certificates and appear to work (no errors), but the certificate always reverts back to the previous one. I am using Let's Encrypt certificates, if that matters. Is there anything special I need to do? Here's what I'm doing:
My certificate files:
server-main-ipmi.dc1.domain.com_pfSense_ACME.all.pem
server-main-ipmi.dc1.domain.com_pfSense_ACME.ca
server-main-ipmi.dc1.domain.com_pfSense_ACME.cert
server-main-ipmi.dc1.domain.com_pfSense_ACME.crt
server-main-ipmi.dc1.domain.com_pfSense_ACME.crt.pem -> server-main-ipmi.dc1.domain.com_pfSense_ACME.crt
server-main-ipmi.dc1.domain.com_pfSense_ACME.fullchain
server-main-ipmi.dc1.domain.com_pfSense_ACME.fullchain.pem -> server-main-ipmi.dc1.domain.com_pfSense_ACME.fullchain
server-main-ipmi.dc1.domain.com_pfSense_ACME.key
server-main-ipmi.dc1.domain.com_pfSense_ACME.pem
First, I tried using the crt file (via symlink to make the portal happy with a .pem file extension):
./ipmi-updater.py --model X10 --ipmi-url 'https://server-main-ipmi.dc1.domain.com/' --key-file server-main-ipmi.dc1.domain.com_pfSense_ACME.pem --cert-file server-main-ipmi.dc1.domain.com_pfSense_ACME.crt.pem --username myuser --password 'MySecretPassword123' --debug
... some output removed for brevity ...
<IPMI>
<BMC_RESET>
<STATE CODE="OK"/>
</BMC_RESET>
</IPMI>
All done!
Then, I tried using the full chain pem file (via symlink to make the portal happy with a .pem file extension):
./ipmi-updater.py --model X10 --ipmi-url 'https://server-main-ipmi.dc1.domain.com/' --key-file server-main-ipmi.dc1.domain.com_pfSense_ACME.pem --cert-file server-main-ipmi.dc1.domain.com_pfSense_ACME.fullchain.pem --username myuser --password 'MySecretPassword123' --debug
... some output removed for brevity ...
<IPMI>
<BMC_RESET>
<STATE CODE="OK"/>
</BMC_RESET>
</IPMI>
All done!
BMC Info:
Firmware Revision : 03.90
Firmware Build Time: 07/17/2020
BIOS Version : 3.1
BIOS Build Time : 06/11/2018
Redfish Version : 1.0.1
CPLD Version : 02.a1.01
System Board:
Vendor: SuperMicro
Model : X10DRH-CLN4
Anyone else experiencing this problem and/or have a solution?
I'm using the fullchain of my letsencrypt certificate. For reference, my crt and key file contain the following parts:
# grep ^-- ipmi.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
# grep ^-- ipmi.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Nice suggestion... turns out I've got ECDSA keys, which might be the problem:
jeremy@latitude /tmp/xxx $ grep ^-- server-main-ipmi.dc1.domain.com_pfSense_ACME.key
-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
jeremy@latitude /tmp/xxx $ grep ^-- server-main-ipmi.dc1.domain.com_pfSense_ACME.crt
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The strange thing is, I'm using the ACME plug-in on pfSense for generating and updating certificates and I have the certificate type set to RSA, but it still generates ECDSA keys. I think I originally had it set to ECDSA but changed it back to RSA.
So it might be a bug with that plug-in using the original key type option rather than the current setting.
I will upgrade the ACME plug-in from version 0.6.4 to 0.6.9_3 and see if that resolves the issue...
That plug-in upgrade fixed the problem. It created RSA keys and the ./ipmi-updater.py was successful. Too bad the BMC doesn't support ECDSA keys though.
I was excited when I found this, but it doesn't seem to support X9-series boards--how hard would it be to add this?
@danb35 I forked it and added X9 support. The messy part was overriding the SSL configuration so that it would work. Feel free to check my copy, it has a few more features such as idempotency, environment variable passing of the password, and dropping the lxml library since Python has a native xml library.
$ export IPMI_UPDATER_PASSWORD=...
$ ./ipmi-updater.py --ipmi-url https://example.com --key-file ./ipmi.key.pem --cert-file ./ipmi.pem --username gateway--model X9
Board model is X9
There exists a certificate, which is valid until: 2021-11-21 01:34:06
New cert validity period matches existing cert, nothing to do
Using this script for a while now, however something seems to reset my FAN speed to default, making them go to a 100%, which is quite loud since they're 5K RPM :).
Any idea what could be causing this?
Yes, updating the cert requires a restart which will reset the fan control to full power, iirc. If I'm not mistaken, you will have to set the fan mode/speed manually afterwards.
Anyone else's system not serving the full certificate chain?
This is a seeeerious necro-post... wanted to try this out on my X11 board... and I'm getting Login Failed... digging deeper... it apparently doesn't like the url_redirect... which is odd... because I can do it manually on my system. Any thoughts?
I did a firmware update recently, and apparently the new firmware returns a ContentType of text/html; charset=utf8 which is not detected by the script. See my fork for a trivial fix, if you get a Failed to upload X.509 files to IPMI! after firmware update.
Interestingly my X11SSM-F worked after I altered oxc's fork to not base64 encode the login details.
Otherwise I get a Login Error.
I checked what the login page was doing and it was submitting the login and password in plain.
@oxc Would it be a good idea to have another argument to disable the base64 on X11?
I just checked, an my board still uses base64 encoded login (what a strange thing to do :D). It should be quite easy to make the behavior configurable though, since there is already a parameter for it.
Sounds like a good idea to me. That would allow the script to work for me.
Maybe as part of the X11 login failure message mention to check the L/P and/or try swapping the use of base64 (on/off)?
Maybe a try|catch block to attempt both...
I don't think auto-detection is the right way here. Just add a switch if your board needs it.
After a recent firmware upgrade on my X11,, I was receiving the following error. Judging by the output, everything seemed right. It appears that the HTTP server on the IPMI has been updated to be more compliant with newer standards.
...
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Length: 8131
header: Content-Type: text/html; charset=utf-8
...
Failed to upload X.509 files to IPMI!
I applied this change to correct the intended action with success:
diff --git a/ipmi-updater.py b/ipmi-updater.py
index 836828a..83fe5b5 100644
--- a/ipmi-updater.py
+++ b/ipmi-updater.py
@@ -223,7 +223,7 @@ class IPMIUpdater:
return False
- if 'Content-Type' not in result.headers.keys() or result.headers['Content-Type'] != 'text/html':
+ if 'Content-Type' not in result.headers.keys() or not result.headers['Content-Type'].startswith('text/html'):
# On failure, Content-Type will be 'text/plain' and 'Transfer-Encoding' is 'chunked'
return False
if 'CONFPAGE_RESET' not in result.text:
That's exactly how I fixed this in https://gist.github.com/oxc/9638d69b1a6c953dd9d2d38a43f3220a
Maybe it's time to create a repository for this project 😄
I was looking for a way to automate deployment of certificates to SuperMicro server BMCs via command-line (actually driven by Ansible) and initially found this gist. I wanted something a bit more standardized/stable though, and after some poking around I found a better way that is properly supported by SuperMicro: you can use their utility called SuperServer Automation Assistant (SAA) which is freely downloadable.
The SAA utility seems to be the modern replacement for their older Supermicro Update Manager (SUM) utility. I didn't test the older SUM utility, but it is highly similar to SAA so I believe it would also work like SAA.
SAA and SUM support multiple ways to connect to your BMC:
- In-Band (meaning from your server OS such that no BMC login is required).
- Remote In-Band (which I presume means SSHing into your server's OS and then using In-Band).
- Out-Of-Band/OOB (meaning via the BMC's IP/hostname with a BMC user/pass login required).
- It also support running against multiple systems in parallel, though I didn't try that feature since I'm using Ansible for that instead.
I used the In-Band method which was very simple to use and worked on an X10 server I tested, so I'll show how to do it with that method, but you could use OOB method if you want that and your hardware is supported. If SAA doesn't support your hardware, perhaps try SUM instead which appears like it would work for X9 platform.
Steps:
- Download SuperServer Automation Assistant (SAA) from: https://www.supermicro.com/en/support/resources/downloadcenter/smsdownload?category=SAA or perhaps the older Supermicro Update Manager (SUM) from: https://www.supermicro.com/en/support/resources/downloadcenter/smsdownload?category=SUM
- Extract the downloaded archive:
tar -xzf saa_1.1.0_Linux_x86_64_20240814.tar.gzand then cd into the extracted directory. - Run the saa (or sum) executable to fetch your current BMC settings:
sudo ./saa -c GetBmcCfg --file bmc-config-before.xml - Make a copy to edit: cp bmc-config-before.xml bmc-config.xml
- Edit
bmc-config.xml. You can either delete entire sections or individual items that you don't want to change, or you can disable sections by toggling theirAction="Change"property toAction="None". I took the opportunity to configure multiple BMC settings, but if you only want to configure certs I show a minimal configuration for that below. - Apply your configuration file (this will involve a reboot of the BMC, so it took over 2 minutes to run, be patient):
sudo ./saa -c ChangeBmcCfg --file bmc-config.xml - Fetch your new BMC settings:
sudo ./saa -c GetBmcCfg --file bmc-config-after.xml - Show what changed:
diff bmc-config-before.xml bmc-config-after.xml
You should see that the CertStartDate and CertEndDate timestamps changed if you loaded a different certificate.
Minimal configuration that only changes the certificates:
<?xml version="1.0"?>
<BmcCfg>
<!--SuperServer Automation Assistant 1.1.0 (2024/08/14)-->
<!--File generated at 2025-01-04_13:42:15-->
<!--Usage notes:-->
<!--You can remove unnecessary elements so that-->
<!--their values will not be changed after update-->
<!--Please refer to SAA User's guide 'Format of the BMC Configuration Text File' for more details.-->
<?BMC_CONFIG_SOURCE BMC configuration for In-Band Usage?>
<OemCfg Action="Change">
<Certification Action="Change">
<!--Supported Action:None/Change-->
<Configuration>
<!--Configurations for BMC certifications-->
<CertFile>/path/to/your/bmc-hostname.cert</CertFile>
<!--string value; path to file-->
<PrivKeyFile>/path/to/your/bmc-hostname.pem</PrivKeyFile>
<!--string value; path to file-->
<!--BMC will be reset after uploading this file-->
</Configuration>
</Certification>
</OemCfg>
</BmcCfg>
@patrickjmccarty
Sorry I missed this but thanks for an official way. I'll take a look at this. My only issue with this "official" method is how did you end up automating this with ansible since the cert will need to be replaced every 60-90 days. Do you use ansible coupled with and acme updater coupled with a jinja template along with some raw commands run locally to accomplish this?
In my case I use a systemd path unit watching the cert folder which triggers a service for the update:
cert-watcher.path
[Path]
PathModified=/path/to/your/certificates
[Install]
WantedBy=multi-user.target
cert-watcher.service
[Unit]
Description=cert watcher service
[Service]
Type=oneshot
WorkingDirectory=/path/to/saa/binaries
ExecStart=./saa -c ChangeBmcCfg --file bmc.xml
[Install]
WantedBy=multi-user.target
@bin101
Pretty slick way. I'll have to try this to see is things work. My only problem right now is I'm working on a MAC and the client tool is supported for linux/windows.
Just use it on your supermicro server?
FYI I use a letsencrypt cert for my BMC and recently switched to lego from certbot. lego by default asks for ec256 encrypted private keys which my BMC doesn't support and doesn't report as an error. After the BMC reset it just had the old cert.
How do I determine what type of license my IPMI has?
Actually however I'm not sure if the license is the issue at all. I've tried with scripts posted by @oxc @devonmerner @BtbN and still get the following:
lxml.etree.XMLSyntaxError: Opening and ending tag mismatch: META line 5 and head, line 10, column 8Details of my X11 Supermicro board:
Just wondering if I have to update BIOS since it seems this BIOS is rather old.
Addendum: I wanted to see what the program was choking on but I don't see what the opening and ending tab mismatch is: