How to get a valid cert on a cisco cimc?

So in order to get a valid cert on my cisco cimc (think of a hp proliant ilo), I have to generate a CSR from the cimc (which I have done). Im trying to get the certbot-auto to use this CSR to generate a cert for it.

Please fill out the fields below so we can help you better.

My domain/host is:

I ran this command: ./certbot-auto certonly --csr csr.txt

It produced this output: Domain:
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
from Received certificate containing ‘’

My operating system is (include version): linux

My web server is (include version): NA

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): not on cimc

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): nope

any ideas on how to properly do this?

I’m guessing you’re not running certbot on the Cisco? Because the Let’s Encrypt validator is connecting to your Cisco, probably not the host you’re running certbot on.

no, I cannot run the certbot on the cimc… I have to run it on some other linux computer.

What kind of webserver does the Cisco run? Can you redirect certain directories to other hosts?

Or can you put files on a certain directory on the Cisco which is accessible by Let’s Encrypt?

Another alternative is to use the DNS-01 challenge, which may be better for your scenario.

1 Like

well, actually I forgot to mention that I was able to get the DNS-01 challenge to work, and I was able to get the private key and certs generated, but there is no way for me to put the private key on the CIMC. It has its own private key that it stores somewhere that I cannot change.
So the cert i generated is pretty much useless. :frowning:

OK, seems like you need to merge the two things you tried. Use DNS challenges, because you can pass those, but with CSR mode so the certificates work with your Cisco’s private key.

That should get you where you want to go

well if you look at my original post… I think thats what I was trying to do… Im just not sure of the voodoo needed to do it correctly.

I’m a little confused …

If you got the private key / CSR of the CIMC, then used that CSR with the DNS-01 challenge to obtain the certificate … that certificate should match the CSR / private key and hence work fine on the CIMC.

Which part of the above didn’t you do ? or which part did it give an error with ?

I cant get the private key off the cimc… I can only get a CSR from the cimc.

Why would you need the private key?

I think the idea is that the Cisco already has the private key and generates a CSR with it. And with the CSR, you’ve generated a certificate.

The only thing now, is getting this certificate to the Cisco and you’re done.

Maybe a terminological explanation helps here a tiny bit. In asymmetric cryptography keys come in pairs. Let’s Encrypt needs one half of the pair, the public key because that is baked into the certificate they’ll sign. They don’t need (indeed nobody but you/ the device should ever see) the private key, but as a high quality CA they demand proof that you do have control of it. A CSR embodies such proof. Like the certificate it is a signed document, but in this case signed by the key holder, proving they requested this certificate.

In CSR mode Certbot doesn’t make any keys, it will just arrange (once you have passed ownership challenges for the FQDNs requested) for the CSR to go to Let’s Encrypt and get you the corresponding certificate.

hi dirtbag

there may be a little confusion here

have a read of this

this is similar to your situation where in microsoft stores the private key and just produces a CSR.

Once you have a CSR you need to use a client such as cerbot and a Private Key for LetsEncrypt. Unlike the private key that CIMC generates the purpose of the LetsEncrypt private key is to identify you as a user and to sign validation requests.

You can use the CSR that CIMC gave you with Certbot by using the --csr Command

–csr CSR Path to a Certificate Signing Request (CSR) in DER or
PEM format. Currently --csr only works with the
’certonly’ subcommand. (default: None)

As suggested previously DNS validation is your best option as you may not be able to put custom files needed for the HTTP authentication.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.