sync
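--- /dev/null
+++ b/<path-not-shown-on-page>.ps1
@@ -0,0 +1,227 @@
+Import-Module HPEiLOCmdlets
+$iLOCred = $PrvCred
+
+# Connect to OneView, Get list of servers
+Connect-OVMgmt -Hostname itdmdnsyncompt1.nd.gov -Credential $PrvCred -AuthLoginDomain nd.gov -LoginAcknowledge
+$AllOVServers = Get-OVServer
+
+$iLOToRenew = @()
+
+ForEach ($OVServer in $AllOVServers) {
+Write-Warning -Message ($OVServer.ServerName)
+$iLODnsName = $null
+
+$iLODnsName = $OVServer.ServerName.split('.')[0] + "lo.nd.gov"
+
+# is iLO cert about to expire?
+$tcp = New-Object Net.Sockets.TcpClient($iLODnsName, 443)
+$ssl = New-Object Net.Security.SslStream(
+$tcp.GetStream(),
+$false,
+({ $true }) # accept any cert
+)
+
+$ssl.AuthenticateAsClient($iLODnsName)
+
+$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
+
+$ssl.Dispose()
+$tcp.Dispose()
+
+If ( $cert.NotAfter.AddDays(-30) -le (Get-Date) ) {
+Write-Warning -Message "Certificate for $iLODnsName expires on $($cert.NotAfter), add to renewal list."
+$iLOToRenew += $iLODnsName
+}
+
+If ( $cert.subject -notlike "*.nd.gov*") {
+Write-Warning -Message "Certificate for $iLODnsName is not a ND.gov cert, add to renewal list."
+$iLOToRenew += $iLODnsName
+}
+}
+
+$iloToRenew = $iLOToRenew | Select-Object -Unique
+
+Write-Verbose -Message "Loop through iLOs to generate CSRs and request certs"
+
+$iLOConnections = ForEach ($iLOFqdn in $iLOToRenew) {
+Connect-HPEiLO -Address $iLOFqdn -Credential $iLOCred -DisableCertificateAuthentication
+}
+
+# Get-HPEiLOSSLCertificateInfo -Connection $iLOConnections -ov x
+Write-Verbose -Message ([string]$iLOConnections.count + " iLO Connections established.") -Verbose
+
+ForEach ($iLOConnection in $iLOConnections) {
+Start-HPEiLOCertificateSigningRequest -Connection $iLOConnection `
+-CommonName $iloConnection.Hostname `
+-Organization "State of North Dakota" `
+-Country US `
+-City Bismarck `
+-State "North Dakota" `
+-OrganizationalUnit NDIT
+}
+
+Start-Sleep -Seconds 30 ## for some reason iLO needs time to generate a CSR
+
+# set static values while we wait
+$RequesterEmail = 'vmware@nd.gov'
+$ServerType = "Linux"
+$Format = "x509CO"
+$OrgId = 8133
+
+$OrderIds = @()
+
+ForEach ($iloConnection in $iLOConnections) {
+Write-Verbose -Message "Getting CSR for $($iLOConnection.Hostname)"
+$CsrData = $null
+
+While ($CsrData.CertificateSigningRequest -eq $null) {
+try {
+$CsrData = Get-HPEiLOCertificateSigningRequest -Connection $iLOConnection
+}
+catch {
+Write-Warning -Message "CSR not ready yet for $($iLOConnection.Hostname), waiting 10 seconds."
+Start-Sleep -Seconds 10
+}
+}
+
+
+$AuthBody = @{
+grant_type = 'client_credentials'
+client_id = $SectigoAPIKey.UserName
+client_secret = $SectigoAPIKey.GetNetworkCredential().Password
+}
+
+$AuthBaseAPIUrl = 'https://auth.sso.sectigo.com'
+$BaseAPIUrl = 'https://admin.hard.sectigo.com'
+
+$tokenEndpoint = $AuthBaseAPIUrl + '/auth/realms/apiclients/protocol/openid-connect/token'
+$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType 'application/x-www-form-urlencoded' -Body $AuthBody
+$env:SectigoToken = $tokenResponse.access_token
+
+$headers = @{
+"Authorization" = "Bearer $env:SectigoToken"
+"Content-Type" = "application/json"
+}
+
+If ($env:SectigoToken) { Write-Warning -Message ("Sectigo Token Set " + $env:SectigoToken) }
+
+[string]$RequestUrl = $BaseAPIUrl + "/api/ssl/v1/enroll"
+
+$CertType = 2375
+$ServerTypeCode = 'Linux'
+
+$EnrollBody = @{
+orgId = $OrgId;
+certType = $CertType
+term = 365;
+comments = "iLO Certificate Renewal for $($iloConnection.Hostname)"
+serverType = $ServerTypeCode
+csr = $CsrData.CertificateSigningRequest
+externalRequester = "vmware@nd.gov"
+customFields = @(
+@{
+name = 'ApplicationName'
+value = 'Infra-VMware'
+}
+)
+}
+
+$InvokeRestMethodParams = @{
+Uri = $RequestUrl
+Method = 'Post'
+Headers = $headers
+Body = ($EnrollBody | ConvertTo-Json -Depth 10)
+ContentType = 'application/json'
+}
+
+$Response = Invoke-RestMethod @InvokeRestMethodParams #actual enrollment/request
+$OrderIds += $Response.sslId
+}
+
+
+<## approval step -- can't approve own requests, need alternate method... auto-approval of some kind?
+$ApproveUrl = $BaseAPIUrl + "/api/ssl/v1/approve/${OrderId}"
+$ApproveBody = @{
+message = 'Approved VMware Auto'
+}
+$ApproveSplat = @{
+Uri = $ApproveUrl
+Method = 'Post'
+Headers = $headers
+Body = ($ApproveBody) | ConvertTo-Json
+ContentType = 'application/json'
+}
+
+Invoke-RestMethod @ApproveSplat
+#>
+
+
+
+## download the certificate - the first link email / "Certificate only, PEM encoded"
+
+### re-establish token with Sectigo
+$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -ContentType 'application/x-www-form-urlencoded' -Body $AuthBody
+$env:SectigoToken = $tokenResponse.access_token
+
+$headers = @{
+"Authorization" = "Bearer $env:SectigoToken"
+"Content-Type" = "application/json"
+}
+
+$Format = 'x509CO'
+
+ForEach ($OrderId in $OrderIds) {
+$Certificate = $null
+While ($Certificate.status -ne "Issued") {
+$ValidateUrl = "${BaseAPIUrl}/api/ssl/v1/${OrderId}"
+$ValidateSplat = @{
+Uri = $ValidateUrl
+Method = 'Get'
+Headers = $headers
+}
+
+$Certificate = Invoke-RestMethod @ValidateSplat
+}
+
+$CollectUrl = $BaseAPIUrl + "/api/ssl/v1/collect/${OrderId}?format=${Format}"
+
+$CommonName = $Certificate.commonName
+
+$DownloadSplat = @{
+Uri = $CollectUrl
+Method = 'Get'
+Headers = $headers
+UseBasicParsing = $true
+}
+
+Invoke-WebRequest @DownloadSplat -OutFile "C:\certs\$CommonName-$OrderId.pem"
+}
+
+## set new certs on iLOs
+$Certs = Get-ChildItem -Path "C:\certs\" -Filter "*.pem"
+ForEach ($iLOConnection in $iLOConnections) {
+Write-Verbose -Message "Uploading certificate to $($iLOConnection.Hostname)" -Verbose
+$CertFileToUse = $Certs | Where-Object { $_.Name -like "$($iLOConnection.Hostname)*" }
+$Cert = Get-Content -Path $CertFileToUse.FullName
+
+Import-HPEiLOCertificate -Certificate ($Cert | Out-String) -Connection $iLOConnection -Force
+}
+
+ForEach ($iLODnsName in $iLOToRenew) {
+# is iLO cert about to expire?
+$tcp = New-Object Net.Sockets.TcpClient($iLODnsName, 443)
+$ssl = New-Object Net.Security.SslStream(
+$tcp.GetStream(),
+$false,
+({ $true }) # accept any cert
+)
+
+$ssl.AuthenticateAsClient($iLODnsName)
+
+$newcert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
+
+$ssl.Dispose()
+$tcp.Dispose()
+
+$NewCert | select @{n='zSubject'; e={$NewCert.Subject.split(',')[0]}}, NotBefore, NotAfter
+}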
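Review bot: The bearer token is written to the warning stream in clear text by `If ($env:SectigoToken) { Write-Warning -Message ("Sectigo Token Set " + $env:SectigoToken) }`, so it lands in any transcript, job log or console capture; log only the fact that a token was obtained, e.g. `If ($env:SectigoToken) { Write-Verbose -Message 'Sectigo token acquired.' }`, and keep the token in a script-scoped variable rather than `$env:` so child processes do not inherit it. The collection loop `While ($Certificate.status -ne "Issued") { ... }` has no `Start-Sleep` and no retry cap, so an order that is never approved (the approval step is commented out) becomes an unbounded tight polling loop against the CA API; add a sleep and a maximum-attempt counter like the CSR loop already has. The file lookup `$_.Name -like "$($iLOConnection.Hostname)*"` is a prefix match over a directory that is never cleaned, so a stale `.pem` from an earlier run or a longer hostname sharing the prefix can yield several files, and `$CertFileToUse.FullName` then fails or uploads the wrong certificate; match on the exact `$CommonName-$OrderId.pem` produced by the download step. The `{ $true }` validation callback is reasonable for the pre-renewal probe of expiring or non-nd.gov certificates, but the final verification loop would be a stronger check if it validated the chain or compared the presented thumbprint with the certificate just imported.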