Skip to content

Instantly share code, notes, and snippets.

@starcraft66
Last active October 20, 2024 12:36
Show Gist options
  • Save starcraft66/efa44f1d5f11695ea68a5a7e57f9aa01 to your computer and use it in GitHub Desktop.
Save starcraft66/efa44f1d5f11695ea68a5a7e57f9aa01 to your computer and use it in GitHub Desktop.
Automatically deploy TLS certificates to HP iLO4 management controllers using the dehydrated ACME client.
#!/bin/bash
fqdn=ilo.example.com
username=Administrator
password=Password
#Check if the certificate is expiring soon
echo | openssl s_client -servername $fqdn -connect $fqdn:443 2>/dev/null | openssl x509 -noout -checkend 2592000
if [ "$?" == "1" ]; then
#Expiring in less than one month. We need to renew
#Tell the iLO to start generating a private key and certificate signing request
curl -sS -k -X POST -H "Content-Type: application/json" -d '{ "Action": "GenerateCSR", "Country": "x", "State": "x", "City": "x", "OrgName": "x", "OrgUnit": "x", "CommonName": "'$fqdn'"}' -u $username:$password https://$fqdn/redfish/v1/Managers/1/SecurityService/HttpsCert/
#Attempt to grab the request
resp=$(curl -sS -k -u $username:$password https://$fqdn/redfish/v1/Managers/1/SecurityService/HttpsCert/ | grep -o \"CertificateSigningRequest\":\"[^\"]*\" | head -1 |cut -d : -f 2 | tr -d \")
while [ "$resp" == "0" -o "$resp" == "" ]; do
#The private key has not yet been generated
sleep 10
#get the req
resp=$(curl -sS -k -u $username:$password https://$fqdn/redfish/v1/Managers/1/SecurityService/HttpsCert/ | grep -o \"CertificateSigningRequest\":\"[^\"]*\" | head -1 |cut -d : -f 2 | tr -d \")
done
#Save the request to disk
echo $resp | awk '{gsub("\\\\n","\n")};1' | head -n -1 > req.csr
#Sign the request and obtain a certificate
/home/letsencrypt/dehydrated/dehydrated -f /usr/local/etc/dehydrated/config --signcsr req.csr 2>&1 | sed -n '/----BEGIN CERTIFICATE-----/,/----END CERTIFICATE-----/ p' > chain.pem
#Split the chain into two certificates, the first one is the one we care about!
csplit -z -f cert- chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
#Load the individual certificate back into $ilo_cert
ilo_cert=$(cat cert-00)
#Parse the cert back into something HPiLO will understand
ilo_cert=$(echo $ilo_cert| awk '{gsub(" ","\\n")};1'|sed 's/\(.*\)\\n/\1 /'|sed '0,/\\n/s/\\n/ /')
#Clean up temp files
rm chain.pem
rm cert-00
rm cert-01
#Install the certificate and reset iLO4
curl -sS -k -X POST -H "Content-Type: application/json" -d "{ \"Action\": \"ImportCertificate\", \"Certificate\": \"$(echo $ilo_cert)\" }" -u $username:$password https://$fqdn/redfish/v1/Managers/1/SecurityService/HttpsCert/
if [[ -f req.csr ]]; then
#Clean up
rm req.csr
fi
fi
@starcraft66
Copy link
Author

Updated for the Let's Encrypt ACME V2 api which returns the full certificate chain instead of just the leaf certificate in the signing response.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment