HPE Community
HPE OneView
1753592 Members
6477 Online
108796 Solutions
New Discussion

Re: HP-Oneview 4.0 upgrade Issues

 
Jkersten1982
Advisor

‎05-18-2018 03:08 AM

‎05-18-2018 03:08 AM

Re: HP-Oneview 4.0 upgrade Issues

Kick of this topic., as I'm facing 3 issues with another Oneview environment (on another location) from 3.x to 4.00.07.02. Had a lot of expired ILO certificates (15), this issue is resolved by reset the ilo to factory defaults, re-add the ip-address etc again and update the certificates in the store in OV.

1.  a lot of 'leaf certificate with alias name 'xxx' is expired. I can't remove these alerts myself, they are locked in 'Active Alerts'

2. CA certificate with alias name xx is expired. Can i see somewhere if this CA Certificate is still being used by some device?

3. Alert 'The appliance certificate does not have 'Client Authentication' in its Enhanced Key Usage field which is required for OneView to communicate to an iLO that has two-factor authentication mode enabled.' Where can I change this or resolve this behavior?

0 Kudos
Reply
KSM1
Advisor

‎05-18-2018 06:11 AM

‎05-18-2018 06:11 AM

Re: HP-Oneview 4.0 upgrade Issues

I just installed version 4.00.09 and after thast the certificate problem was gone.

Now i just have to figure out how to get a leaf certificate, but the critical error is gone.

Best Regards
Kenneth
0 Kudos
Reply
ChrisLynch
HPE Pro

‎05-18-2018 07:07 AM

‎05-18-2018 07:07 AM

Re: HP-Oneview 4.0 upgrade Issues

Glad to hear the 4.00.09 patch helped fix the critical error.  The leaf certificate is the iLO cert.  As long as it is being managed, and no further errors about the certificate have been reported, the cert should already be trusted within the appliance certificate store.


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
ChrisLynch
HPE Pro

‎05-18-2018 07:13 AM

‎05-18-2018 07:13 AM

Re: HP-Oneview 4.0 upgrade Issues

@Jkersten1982 wrote:

Kick of this topic., as I'm facing 3 issues with another Oneview environment (on another location) from 3.x to 4.00.07.02. Had a lot of expired ILO certificates (15), this issue is resolved by reset the ilo to factory defaults, re-add the ip-address etc again and update the certificates in the store in OV.

1.  a lot of 'leaf certificate with alias name 'xxx' is expired. I can't remove these alerts myself, they are locked in 'Active Alerts'

2. CA certificate with alias name xx is expired. Can i see somewhere if this CA Certificate is still being used by some device?

3. Alert 'The appliance certificate does not have 'Client Authentication' in its Enhanced Key Usage field which is required for OneView to communicate to an iLO that has two-factor authentication mode enabled.' Where can I change this or resolve this behavior?

  1. The 4.00.09 update will help fix this issue.
  2. Unfortunately, not today.
  3. You need to validate in your Cert Authority template that it will  create a certificate with both "Server Authentication" and "Client Authentication" Ehanced Key Usage proerties when issuing the certificate.  If you are using Microsoft Certificate Authority, these ehance key usage properties are standard in the Web Server template.

I am an HPE employee

Accept or Kudo

0 Kudos
Reply
Jkersten1982
Advisor

‎05-18-2018 07:15 AM

‎05-18-2018 07:15 AM

Re: HP-Oneview 4.0 upgrade Issues

Hmm didn't notice .09 was released; will try to upgrade the OV to this version this weekend or next week, and let's see what happends than. Still working to fix the issue(s), out of the blue, there are some servers complaining now about; the following. Strange thing is, the certificate is valid, so I don't expect these messages at all.

Unable to establish trusted communication with the server. The iLO certificate does not have any IP address or host name specified.

The certificate has a hostname, so i have to figure out why this error is happening and howto resolve this.

 

0 Kudos
Reply
Jkersten1982
Advisor

‎05-18-2018 07:18 AM

‎05-18-2018 07:18 AM

Re: HP-Oneview 4.0 upgrade Issues

@ChrisLynch wrote:

 

  1. The 4.00.09 update will help fix this issue.
  2. Unfortunately, not today.
  3. You need to validate in your Cert Authority template that it will  create a certificate with both "Server Authentication" and "Client Authentication" Ehanced Key Usage proerties when issuing the certificate.  If you are using Microsoft Certificate Authority, these ehance key usage properties are standard in the Web Server template.

Thanks! Will give it a try later. Maybe my issues what I'm facing now is also resolved when upgrading to 4.00.09. Will let you know.

0 Kudos
Reply
Jkersten1982
Advisor

‎05-22-2018 02:37 AM

‎05-22-2018 02:37 AM

Re: HP-Oneview 4.0 upgrade Issues

This morning, I have deployed update 4.00.09 to resolve 2 issues.

After the upgrade the 2 errors are still displayed in Oneview:

1. 'Leaf certificate' with alias name <hash> is expired

2. 'Unable to establish trusted communication with the server. ILO certificate does not have any IP address or host specified'

Is there something what we can do to remove the alerts?

Thanks!

0 Kudos
Reply
KSM1
Advisor

‎05-22-2018 06:30 AM

‎05-22-2018 06:30 AM

Re: HP-Oneview 4.0 upgrade Issues

I found this interiesting document here https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00041655en_us&docLocale=en_US, my issue is that the date validation from to is reversed.

I tried to follow a link in the file, but it took me to an HPE site where this file does not exist.

this is the link https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03743622

is there a solution to this?

Best Regards
Kenneth
0 Kudos
Reply
John Bigg
Esteemed Contributor

‎05-23-2018 03:11 AM

‎05-23-2018 03:11 AM

Re: HP-Oneview 4.0 upgrade Issues

That document was superseded by https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00042194en_us

Reply
KSM1
Advisor

‎05-23-2018 10:49 PM

‎05-23-2018 10:49 PM

Re: HP-Oneview 4.0 upgrade Issues

@Jkersten1982 I was able to fix the Certificate problem, all it took was to reset the ILO to default and then set it up again with the correct ip and so on, then the certificate was renewed with correct from - to date and all went green again :)

hope this will help you to solve your issue.

Best Regards
Kenneth
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.