One of the things I'm working on at work right now is updating all our iDRACs after Meltdown/Spectre. We had never had the SSL set up, we had just always clicked through the security warning. I got tired of this and decided to setup proper SSL from our enterprise CA,
At first I went to do a manual signing for a multi-year period with a wildcard issued from my enterprise CA, but I decided that automating it with PowerShell would be better, since it would be more dynamic, and scale to more servers.
In this post, I will be talking about setting
- generating a Certificate Signing Request (CSR) from the iDRAC,
- sign it with an enterprise CA,
- uploads the signed cert to the iDRAC, and
- reloads the iDRAC to apply the new cert
To interface with the iDRAC from the script, I'm using Dell Remote Access Controller Administration (RACADM) CLI, which supports remote access.
First, you will want to make sure that your iDRAC has Remote RACADM enabled in make sure it is enabled under Network, Services, Remote RACADM in the iDRAC Web UI.
Next, we're going to want to run a few test commands with racadm in a fresh powershell prompt and run
& racadm.exe -r 192.168.100.215 -u root -p calvin getsvctagThis will complain if the SSL certificate is invalid, which is kind of the point of why we are updating it in the first place. So you will probably see output like below
That first line after the certificate warning, is the service tag. I am using -r IP but -r DNS.Host.Name is equally valid, if there is an entry set up, which I would highly recommend.
The script is divided into a few sections
- The Requirements Region - to make sure that we're running with a current version of PowerShell, that we have racadm.exe, and that we have certreq.exe
- Settings to connect to the iDRAC - the IP/hostname, and the credentials to connect to it
- CSR Fields
- Applying DNS and CSR settings to iDRAC
- Generating CSR
- Signing CSR
- Uploading signed certificate to iDRAC and reloading to apply
At first, I was applying the settings with 8+ separate racadm calls, but this was quite time consuming to wait for each to finish. Instead I switched to building a config file and applying that for all the CSR settings at once.
You can pull a cfg or config file of what settings an iDRAC has with
& racadm.exe -r 192.168.100.215 -u root -p calvin get -f $ENV:Temp\file.cfgand there are some interesting line-endings.
This line ending pattern is interesting, but in my testing it was a red-herring and it was perfectly happy if I just made my config file with CR-LF Line endings.
However, I did find that I needed to have my config file I created ANSI encoded. I did this by specifying -Encoding ASCII when I wrote my string with Out-File.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Version 5 | |
| #region Requirements | |
| #Make sure you have DRAC tools installed, including racadm https://www.dell.com/support/home/us/en/4/Drivers/DriversDetails?driverId=K7F2N | |
| If (!$(get-command racadm.exe -ErrorAction SilentlyContinue)) {Write-Host "Exiting, racadm does not exist"; Exit } | |
| If (!$(get-command certreq.exe -ErrorAction SilentlyContinue)) {Write-Host "Exiting, certreq does not exist. Please install Certificate services tools."; Exit } | |
| #endregion | |
| $IP = '192.168.100.215' #Hostname also works if DNS is already setup | |
| $idraccred = Get-Credential -Message "Please provide iDrac Login for $IP" | |
| $idracuser = $idraccred.GetNetworkCredential().UserName | |
| $idracpass = $idraccred.GetNetworkCredential().Password | |
| $svcTag = $(& racadm.exe -r $IP -u $idracuser -p $idracpass getsvctag ).trim() -replace '[^a-zA-Z0-9]', '' #Get output, remove all spaces and smash together all letters and numbers | |
| $svcTag = ($svcTag -match "^([A-Z0-9]{7})$")[-1] #Match each grouping of seven letters and numbers (like a service tag) and take the last one from the end, which should always be the service tag | |
| $idracName = "idrac-$svcTag" | |
| $domName = 'domain.local' | |
| $CAname = 'CA.domain.local\CA1-CA' | |
| $CSRContactEmail = 'IT@contoso.one' | |
| $CSROrgname = 'Consoto One' | |
| $CsrCountryCode = 'US' | |
| $csrLocality = 'Asheville' | |
| $csrState = 'NC' | |
| #Not really needed, but I'll set them to keep everything neat | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.NIC.DNSRacName $idracName | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.NIC.DNSDomainName $domName | |
| #Setup CSR Fields | |
| $idracoptions = @" | |
| [iDRAC.Security] | |
| CsrCommonName=$idracName.$domName | |
| CsrCountryCode=$CsrCountryCode | |
| CsrEmailAddr=$CSRContactEmail | |
| CsrKeySize=2048 | |
| CsrOrganizationName=$CSROrgname | |
| CsrOrganizationUnit=IT | |
| CsrLocalityName=$csrLocality | |
| CsrStateName=$csrState | |
| "@ | |
| Out-File "$env:temp\$idracName.cfg" -InputObject $idracoptions -Encoding ascii | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass set -f "$env:temp\$idracName.cfg" | |
| #region separate racadm commands to apply this config file's settings individually | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrCommonName $idracName.$domName | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrCountryCode US | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrEmailAddr $CSRContactEmail | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrKeySize 2048 | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrOrganizationName $CSROrgname | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrOrganizationUnit IT | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrLocalityName $csrLocality | |
| # # & racadm.exe -r $IP -u $idracuser -p $idracpass set iDRAC.Security.CsrStateName $csrState | |
| #endregion | |
| #Make sure we have our scratch directory to work in | |
| If ( (Test-Path "$env:TEMP\Powershellssl\") -eq $false ) { New-Item -ItemType Directory -Path "$env:TEMP\Powershellssl\"} | |
| #Build Filenames and have the idrac Generate the Cert | |
| $csrPath = Join-Path "$Env:TEMP\PowerShellSSL\" -ChildPath ("$idracName-" + $( Get-Date -f "yyyyMMdd") + ".csr" ) | |
| $outCert = Join-Path "$Env:TEMP\PowerShellSSL\" -ChildPath ("$idracName-" + $( Get-Date -f "yyyyMMdd") + ".cer" ) | |
| & racadm -r $IP -u $idracuser -p $idracpass sslcsrgen -g -f $csrPath | |
| #Sign the cert signing request with certreq | |
| & certreq.exe -config $CAname -attrib ""CertificateTemplate:WebServer"" $csrPath $outCert | |
| #Upload Signed cert to iDRAC | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass sslcertupload -t 1 -f $outCert | |
| #Reload the idrac to have the fresh SSL cert show. | |
| & racadm.exe -r $IP -u $idracuser -p $idracpass racreset #Reset as in Reload, not reset settings. racresetcfg will reset the settings too | |
Thanks for this guide, great work.
ReplyDeleteHow can I do multiple servers from the script?
Thanks!
Another thing; getting this error;
ReplyDeleteERROR: The Common Name (CN) field of the CSR Security group must
be configured before a CSR can be generated.
IS this script compatible with v6 of IDRAC?
Thanks
This script saved me a lot of time!!!! Very easy to read. Thank you. Wasn't hard to automate about 100 certs from a CSV.
ReplyDeleteBummer, as of iDRAC Version 4.40, this no longer works, as the "racadm.exe -r $IP -u $idracuser -p $idracpass set -f "$env:temp\$idracName.cfg" function was removed.
ReplyDeleteI had to convert the $idracoptions = @" section to match the XML and then upload the cfg as a xml file to get it to work on the newer version.
I know this a few years old, but do you happen to have a sample of your script?
Delete