[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Glad to hear the 4.00.09 patch helped fix the critical error. The leaf certificate is the iLO cert. As long as it is being managed, and no further errors about the certificate have been reported, the cert should already be trusted within the appliance certificate store.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
@Jkersten1982 wrote:Kick of this topic., as I'm facing 3 issues with another Oneview environment (on another location) from 3.x to 4.00.07.02. Had a lot of expired ILO certificates (15), this issue is resolved by reset the ilo to factory defaults, re-add the ip-address etc again and update the certificates in the store in OV.
1. a lot of 'leaf certificate with alias name 'xxx' is expired. I can't remove these alerts myself, they are locked in 'Active Alerts'
2. CA certificate with alias name xx is expired. Can i see somewhere if this CA Certificate is still being used by some device?
3. Alert 'The appliance certificate does not have 'Client Authentication' in its Enhanced Key Usage field which is required for OneView to communicate to an iLO that has two-factor authentication mode enabled.' Where can I change this or resolve this behavior?
- The 4.00.09 update will help fix this issue.
- Unfortunately, not today.
- You need to validate in your Cert Authority template that it will create a certificate with both "Server Authentication" and "Client Authentication" Ehanced Key Usage proerties when issuing the certificate. If you are using Microsoft Certificate Authority, these ehance key usage properties are standard in the Web Server template.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hi @YYCSysAdmin
I work for HPE.
Can you help us with any further information you can share on this?
The incorrect valid from / valid until dates in certificates on some of the iLOs - are you having trouble in fixing the firmware and certificates on the 3 iLOs?
Or, are you stating that
1. the locked alerts are still there in OneView 4.10 and not getting cleared even though the certificates got fixed?
2. OneView 4.10 is alerting about the specific bad certificates (whereas it should not be)
Regards,
Bhaskar
I am an HPE employee
A power cycle of the server is never required just to change or update the iLO SSL Cert, let alone the iLO configuration. If you want to automate this process, or do multiple iLOs without needing to go to their respective web management UI's, you can use this PowerShell script.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Replace Line 166:
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
with
[System.Net.ServicePointManager]::CertificatePolicy = { $true }
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Line 170 is where you would change to something like:
$servers = Get-HPOVServer -Name ServerName
or for wildcard search
$servers = Get-HPOVServer -Name ServerName*
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]