Last Updated on August 7, 2022 by Thiago Crepaldi
Recently I added a Supermicro X10DRi-T4+ to my homelab, and a natural idea was to install a Let’s Encrypt SSL certificate to replace the original self-signed one. To do so, I had to adapt a couple of Python scripts [1] [2] first published by Jari Turkia. None of them worked for the Supermicro X10DRi-T4+, but it wasn’t that hard to fix, so here we go!
Homelab Utility Belt to the rescue
As this post relies on reasonably complex scripts, I’ve added them to my Homelab Utility Belt Github repo, which is public! The repo has two scripts we are going to use in this post:
- A Python script that does the heavy lifting of installing a given SSL certificate on the Supermicro IPMI UI
- A bash script that I use on my Synology to trigger the replacement process on a schedule
The latter uses the former, of course!
Testing the IPMI updater script
Although we really want to use the Bash script for automation, we first need to check whether the Python script is compatible with your Supermicro. This script was only tested on an X10DRi-T4+, but maybe you are lucky and it will work on a different model. The original versions had code to support X11-based boards, but I’ve deleted it from my version as I couldn’t test and vouch for it!
To get started, clone Homelab Utility Belt (aka HUB) and install its dependencies:
$ git clone https://github.com/thiagocrepaldi/homelab-utility-belt
$ cd homelab-utility-belt/supermicro/ipmi-update
$ pip install -r requirements.txt
Next, run python3 ipmi-updater.py --help to get the usage help for the script. You should see something like:
usage: ipmi-updater.py [-h] --ipmi-url IPMI_URL --key-file KEY_FILE --cert-file CERT_FILE
                       --username USERNAME --password PASSWORD [--no-reboot]
                       [--log-level {0,1,2}]

Update Supermicro IPMI SSL certificate

optional arguments:
  -h, --help            show this help message and exit
  --ipmi-url IPMI_URL   Supermicro IPMI 2.0 URL
  --key-file KEY_FILE   X.509 Private key filename
  --cert-file CERT_FILE X.509 Certificate filename
  --username USERNAME   IPMI username with admin access
  --password PASSWORD   IPMI user password
  --no-reboot           The default is to reboot the IPMI after upload for the change to take effect.
  --log-level {0,1,2}   Log level (0: quiet, 1: info, 2: debug)
An example of how to use it follows:
$ python3 supermicro/ipmi-updater/ipmi-updater.py --ipmi-url https://mysupermicro --username ADMIN --password ADMIN --key-file /path/to/private_key.pem --cert-file /path/to/cert_file.cert --log-level=1
Assuming you entered all arguments correctly and the log level is set to 1, the output for a compatible IPMI should be:
************************************************************
Authenticating on Supermicro IPMI!
************************************************************
Login succeeded.
************************************************************
Fetching current IPMI certificate!
************************************************************
There exists a certificate, which is valid until: ...
************************************************************
Uploading new IPMI certificate!
************************************************************
New IPMI certificate was uploaded.
************************************************************
Checking new IPMI certificate was properly uploaded!
************************************************************
New IPMI certificate is valid.
************************************************************
Fetching new IPMI certificate!
************************************************************
After upload, there exists a certificate, which is valid until: YYY
************************************************************
Rebooting IPMI to apply changes!
************************************************************
************************************************************
All done!
************************************************************
It is possible your X10 board is not compatible, which would then return an error in one of the REST APIs this script invokes. I suggest you run each one of them individually and debug your way through. If that is your case, you can drop me a message and I will try to help, but as I don’t have your hardware, no guarantees there!
Automating certificate update on a schedule using Synology NAS
If everything went smoothly in the previous step, your Supermicro will reboot. Once it returns, it will start using the new SSL certificate. However, as you know, Let’s Encrypt certificates expire every 3 months, so you need to keep replacing them. For this task, I use my Synology NAS, which copies the certificates from my pfSense, which issues the certificates for my homelab.
From this point on, I am assuming you own a Synology NAS, issue your Let’s Encrypt certificates on your pfSense, and ultimately copy them to your NAS. It should be easy to adapt this workflow for your own use, though.
Installing Let’s Encrypt certificates at Supermicro on a schedule
Go back to the Control Panel >> Task Scheduler >> Create >> Scheduled task >> User-defined script one more time and do as follows:
General
- Task: Install certificate on Supermicro
- User: root
Schedule
- Run on the following days: Pick the same day as the task that copies the certificates to your NAS
- First run time: Pick a time after that task
- Frequency: Every day
Task settings
User-defined script: use the following template to override existing certificates with the new ones
# Your environment variables
PYTHON=python3
IPMI_UPDATER_DIR="/tmp/ipmi-updater/"
IPMI_UPDATER_SH="${IPMI_UPDATER_DIR}/supermicro-ipmi-updater.sh"
SUPERMICRO_CERT="/volume1/Supermicro/Supermicro.crt"
SUPERMICRO_KEY="/volume1/Supermicro/Supermicro.key"
SUPERMICRO_ADMIN="ADMIN"
SUPERMICRO_PASS="ADMIN"
SUPERMICRO_URL="https://mysupermicro.lan.example.com"
# Preparing temporary folder for IPMI updater
# (":?" aborts the task if the variable is empty, so rm can never run against "/")
rm -rf "${IPMI_UPDATER_DIR:?}" && mkdir -p "${IPMI_UPDATER_DIR}"
# Downloading IPMI updater script; stop if the download fails
wget https://raw.githubusercontent.com/thiagocrepaldi/homelab-utility-belt/main/synology/supermicro-ipmi-updater.sh -O "${IPMI_UPDATER_SH}" || exit 1
# Update IPMI certificate
bash "${IPMI_UPDATER_SH}" -p "${PYTHON}" -i "${IPMI_UPDATER_DIR}" -c "${SUPERMICRO_CERT}" -k "${SUPERMICRO_KEY}" -a "${SUPERMICRO_ADMIN}" -s "${SUPERMICRO_PASS}" -u "${SUPERMICRO_URL}"
Click OK to create the scheduled task. Finally click on Run to install certificates. That is it!
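A pre-check for the scheduled task above, as an added example (not code from Homelab Utility Belt): it compares the SHA-256 fingerprint of the certificate the IPMI currently serves with the leaf certificate on the NAS, so the upload and the IPMI reboot that follows it only need to happen when the two differ. The function names and the file name ipmi-cert-check.py are hypothetical.

```python
import hashlib
import re
import ssl
import sys
from urllib.parse import urlsplit

# One PEM certificate block; a fullchain file holds several, leaf first.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def leaf_fingerprint(pem_text):
    """SHA-256 (hex) of the first certificate found in PEM text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM data")
    # Hash the DER bytes, so line endings and base64 wrapping do not matter.
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def needs_update(served_pem, local_pem):
    """True when the IPMI serves a different leaf than the file on the NAS."""
    return leaf_fingerprint(served_pem) != leaf_fingerprint(local_pem)


def served_certificate(ipmi_url):
    """Fetch the certificate the IPMI web UI presents, as PEM text."""
    parts = urlsplit(ipmi_url)
    # No chain validation here: the IPMI may still serve its self-signed cert.
    return ssl.get_server_certificate((parts.hostname, parts.port or 443))


if __name__ == "__main__":
    # Usage: ipmi-cert-check.py <ipmi-url> <cert-file>
    url, cert_file = sys.argv[1], sys.argv[2]
    with open(cert_file) as fh:
        local = fh.read()
    # Exit 0 when an upload is needed, 1 when the IPMI already serves this cert.
    sys.exit(0 if needs_update(served_certificate(url), local) else 1)
```

In the user-defined script, run it with the values of SUPERMICRO_URL and SUPERMICRO_CERT just before the "Update IPMI certificate" line and skip that line when it exits with status 1.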