Generating certificate for iLO

Question

I want to generate a proper certificate for iLO web console (iLO is a management engine for HP servers) using letsencrypt. AFAIK there's no way to install private key into iLO, so I've generated CSR from iLO. It contains the following field:

Requested Extensions:
    X509v3 Subject Alternative Name: 
        DNS:ilo.example.com, IP Address:192.168.1.11

I've found no way to exclude IP Address part from CSR. I don't need it, I'll use only ilo.example.com. Now I issued

certbot certonly --manual --staging --preferred-challenges=dns --csr csr 

command, completed DNS verification, but got error:

An unexpected error occurred:
The request message was malformed :: Error creating new cert :: CSR contains one or more IP address fields
Please see the logfiles in /var/log/letsencrypt for more details.

AFAIK CSR is signed by private key, so I can't edit it. Can I ask letsencrypt to ignore IP address and issue certificate only for ilo.example.com? Or is there other way?

Answer 1

Please use my utility that deals with CSR generation and DNS challenge (only with GoDaddy here).

The utility requires Powershell and is made by three scripts, of which one is Certbot itself.

1. A script that will request iLO to generate a CSR and download
2. Certbot will request the certificate upon CSR
3. A utility updates GoDaddy DNS to acknowledge DNS challenge

Please note that with HPE iLO it is only possible to perform DNS challenge.

The script I have made leverages the HPE iLO APIs to request the generation of a CSR without the IP address. It worked on two of my servers.

Disclosure. I made the tool and released under MIT License on GitHub

Answer 2

Here you go: https://community.letsencrypt.org/t/how-to-automatic-certificate-install-on-an-hp-ilo4-management-processor/31038

1. Generate CSR
2. Submit CSR to LE
3. Install resulting cert