Deploying certs to HPE iLO

I don't think this really fits into any of the existing categories here, but since I've posted in the past asking for help deploying certs to some kind of unique pieces of equipment (e.g., APC UPSs, Dell IPMI), I thought I'd share another such tool I've found, this one for the iLO remote management controller used by HPE in their servers.

python-hpilo provides a command-line tool to manage just about anything in iLO:
https://seveas.github.io/python-hpilo/index.html

Using that tool, another user on the old TrueNAS forum put together a few scripts to be used in a TrueNAS CORE jail to deploy certs to a few different targets, including to iLO:

Those scripts had some hard-coded paths that didn't generalize very well, so I made a few edits to the iLO script to make it more generally useful:

This uses python-hpilo to get a CSR from the iLO controller (that is sadly the only way it can accept an uploaded cert, if it matches a CSR it created), acme.sh to get a cert from that CSR, and then python-hpilo to upload that cert to iLO. One more internal system automated.

5 Likes
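The flow described in the post above (CSR from the iLO, `acme.sh` signs it, certificate goes back to the iLO), as an added sketch that is neither the poster's script nor the one it was adapted from. Assumptions not taken from the thread: the host name, DNS-01 validation through an `acme.sh` DNS API such as `dns_cf`, iLO credentials in python-hpilo's default `~/.ilo.conf`, the work directory, the retry settings, and the public-key comparison before upload.

```shell
#!/bin/sh
# Added example: renew an iLO certificate from a CSR that the iLO generates itself.
# Usage (hypothetical values): deploy_ilo_cert ilo.example.test dns_cf /var/tmp/ilo-cert
HPILO_CLI=${HPILO_CLI:-hpilo_cli}   # command-line tool shipped with python-hpilo
ACME_SH=${ACME_SH:-acme.sh}
OPENSSL=${OPENSSL:-openssl}

deploy_ilo_cert() {
    host=$1 dns_api=$2 work=$3
    csr=$work/$host.csr cert=$work/$host.cer
    mkdir -p "$work" || return 1

    # Assumption: the iLO can need a while to produce its key pair and CSR,
    # so poll until the output really contains a certificate request.
    tries=0
    until "$HPILO_CLI" "$host" certificate_signing_request >"$csr" 2>/dev/null &&
          grep -q 'BEGIN CERTIFICATE REQUEST' "$csr"; do
        tries=$((tries + 1))
        [ "$tries" -ge "${CSR_RETRIES:-10}" ] && { echo "no CSR from $host" >&2; return 1; }
        sleep "${CSR_WAIT:-30}"
    done

    # acme.sh orders a certificate for the CSR; the private key never leaves the iLO.
    "$ACME_SH" --signcsr --csr "$csr" --dns "$dns_api" --cert-file "$cert" || return 1

    # The iLO only accepts a certificate for the key in its own CSR, so compare
    # the two public keys and refuse to upload anything else.
    csr_key=$("$OPENSSL" req -in "$csr" -noout -pubkey) || return 1
    cert_key=$("$OPENSSL" x509 -in "$cert" -noout -pubkey) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ] || { echo "key mismatch for $host" >&2; return 1; }

    # Upload the leaf certificate to the iLO.
    "$HPILO_CLI" "$host" import_certificate certificate="$(cat "$cert")"
}
```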

This is quite common, right? As it means the private key cannot be leaked in any way, as it's only known to the device.

3 Likes

Sure, and in the abstract at least it's a good security measure. But it doesn't fit that well with a Let's Encrypt-style "automate all the things"--at least until you find a tool to do it.

3 Likes

That's why we've got you 😉

1 Like

Sometimes I find them; it seems that more often they find me. This is another application I'd pretty much given up on until I caught a mention of python-hpilo in an old forum post. Figured it'd be worth sharing here in case someone else needs it in the future (and thinks to search).

4 Likes