{"id":19096526,"url":"https://github.com/sapcc/redfish-certrobot","last_synced_at":"2025-09-08T02:31:13.578Z","repository":{"id":69182873,"uuid":"582683377","full_name":"sapcc/redfish-certrobot","owner":"sapcc","description":"A ACME DNS-01 robot using Redfish to maintain certificates on BMCs","archived":false,"fork":false,"pushed_at":"2025-07-21T21:27:58.000Z","size":101,"stargazers_count":2,"open_issues_count":4,"forks_count":0,"subscribers_count":41,"default_branch":"main","last_synced_at":"2025-07-21T23:22:36.072Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sapcc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-12-27T15:14:17.000Z","updated_at":"2025-04-22T14:39:42.000Z","dependencies_parsed_at":"2024-06-03T11:52:20.455Z","dependency_job_id":"f1a4e37e-40cd-4b78-8033-6b5f1132a8ea","html_url":"https://github.com/sapcc/redfish-certrobot","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/sapcc/redfish-certrobot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fredfish-certrobot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fredfish-certrobot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fredfish-certrobot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fredfish-certrobot/manifests","owner_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sapcc","download_url":"https://codeload.github.com/sapcc/redfish-certrobot/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sapcc%2Fredfish-certrobot/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274123001,"owners_count":25226032,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-08T02:00:09.813Z","response_time":121,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T03:36:59.120Z","updated_at":"2025-09-08T02:31:13.300Z","avatar_url":"https://github.com/sapcc.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Redfish Certrobot\n\nManage certificates on BMCs via Redfish / ACME DNS-01\n\nThis is a small-ish Python script, which uses\n- [Lego](https://go-acme.github.io/lego/) for the ACME DNS-01 challenge\n- [Sushy](https://pypi.org/project/sushy/) for Redfish API access to\n  - generate a CSR for the BMC using its key\n  - replace the certificate with a signed one\n- [Ironic](https://wiki.openstack.org/wiki/Ironic), which stores all servers and their credentials\n\nAs it is supposed to run as a cronjob in Kubernetes, the configuration\nhappens via environment variables.\n\n## Steps\n\n1. The script fetches all nodes stored in Ironic\n3. 
For each node, check the active certificate on the BMC (port 443) for problems (mismatching name or issuer CN, missing SAN, expiring soon)\n4. If not okay, request a new CSR with the correct values via Redfish\n5. Using Lego (ACME DNS-01), get the CSR signed\n6. Install the certificate on the BMC\n\n## Configuration\n\nAll configuration happens via environment variables.\n\n| Variable                | Description                                                                         |\n|-------------------------|-------------------------------------------------------------------------------------|\n| ISSUER                  | Common-Name of the expected issuer                                                  |\n| DNS_RESOLVERS           | Comma-separated list of the DNS resolvers to check the propagation                  |\n| ACME_SERVER             | URL to the ACME server (presumably you want a private one here, not Let's Encrypt)  |\n| CSR_COUNTRY             | Country in the CSR                                                                  |\n| CSR_STATE               | State                                                                               |\n| CSR_CITY                | City                                                                                |\n| CSR_ORGANIZATIONAL_UNIT | Organizational Unit                                                                 |\n| CSR_ORGANIZATION        | Organization                                                                        |\n\n\nSome BMCs require all of the CSR values to be set.\n\nTechnically, we are not bound to Designate (see the configuration for the [Lego DNS providers](https://go-acme.github.io/lego/dns/)),\nbut it has only been tested with Designate.\n\n| Variable                | Description                                                                         |\n|-------------------------|-------------------------------------------------------------------------------------|\n| OS_AUTH_URL             
| Identity endpoint URL                                                               |\n| OS_REGION_NAME          | Region name                                                                         |\n| OS_DOMAIN_NAME          | Name of the domain                                                                  |\n| OS_PROJECT_NAME         | Project name                                                                        |\n| OS_USERNAME             | Username                                                                            |\n| OS_PASSWORD             | Password                                                                            |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsapcc%2Fredfish-certrobot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsapcc%2Fredfish-certrobot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsapcc%2Fredfish-certrobot/lists"}