
OneView 4.0 and expired leaf certificates

Steve_Tippett
Occasional Advisor


After upgrading a OneView 3.10 appliance to OneView 4.00.07, I have several Security errors, which are in Locked status. The resolution says to delete the expired certificate, but I can't find any way in the OneView GUI to do that. I also tried using the OneView.400 PS cmdlet library and the cmdlet Remove-HPOVApplianceTrustedCertificate, providing the certificate alias name as the input object to the cmdlet, but with no success.

 

12 REPLIES
ChrisLynchHPE
Neighborhood Moderator

Re: OneView 4.0 and expired leaf certificates

You can manage certificates in the UI under Settings.

 

 

In that section of the UI, you can then search for the alias of the certificate. From the name of the alias, it looks like an Onboard Administrator certificate of one of your enclosures. I would suggest you regenerate the certificate on the OA. If the certificate is no longer in the appliance trust store (by using the Manage Certificates link above, or the Get-HPOVApplianceTrustedCertificate Cmdlet), the alert above is a bug. You can try to use the "Get-HPOVAlert -State Locked | Remove-HPOVAlert" call. However, I don't have this state on any of my appliances so I cannot verify if this call will be allowed.

 

Steve_Tippett
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

Hi Chris,

I have already installed a current certificate from my CA at the Onboard Administrator, so the Search method in the OneView GUI just shows me the good (green status) certificate. Next week, I'll re-try the PS cmdlet method you suggested. I've tried that earlier, but got stumped on providing an acceptable alias name/URI to the cmdlet. It deserves another attempt! Thanks for your guidance.

Mainecoon
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

When I try to remove them I get the following:

remove-hpovalert : [Send-HPOVRequest]: Only trusted Resource Managers can make this request..  Request was 'DELETE' at '/rest/alerts/937659'.
At line:1 char:31
+ get-hpovalert -state locked | remove-hpovalert
+                               ~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (Send-HPOVRequest:String) [Remove-HPOVAlert], AuthPrivilegeException
    + FullyQualifiedErrorId : AlertAuthorizationException,Remove-HPOVAlert

 

Any idea how I can filter this alert from the email alerts, as I get spammed by the appliance constantly (leaf cert only)?

Kerry Quillen
Frequent Advisor

Re: OneView 4.0 and expired leaf certificates

I had the same issue. Tried multiple things to get it to clear up. I was able to clear a few by adding certs via Settings->Security->Manage Certificate. Finally gave up and opened a case which got escalated to L2 support. Via SSH session to OneView they logged in as user "maintenance" and performed some witchery and the alerts were cleared. She did tell me that this is a known issue that will be fixed in a future OneView release and if I get any future leaf cert alerts to just ignore them.

Steve_Tippett
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

Kerry, thanks for sharing your experience with resolving this new wrinkle that popped up in OneView 4.0.

Certificate issues, including on iLO's and Onboard Administrators, are taking a portion of my time that I'd rather devote to other things.


Steve Tippett
Distributed Platform Sustaining Team
NSC Infrastructure & Operations

Mainecoon
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

Don't care too much about the alert itself; the problem is that it will fill up my mailbox every hour with 30+ messages.

Anyone have an idea how I can filter these at OV level (not in my mailbox)?

Re: OneView 4.0 and expired leaf certificates

I have had this issue for around 9 months now.

Spoke to a OneView Technical Advisor the other day.

Expired certificate alerts will be fixed in the next release of OneView (Frankfurt release), which apparently is in around 1 month's time.

You'd think HPE employees on the OneView forum would just tell you this instead of copy and pasting the process of replacing certs....

Matthew Ingram
Regular Advisor

Re: OneView 4.0 and expired leaf certificates

I don't see anything in the release notes for the new 4.00.09 release about addressing this.

Zaanstad
Occasional Visitor

Re: OneView 4.0 and expired leaf certificates

We are still having the same issue as well.

Re: OneView 4.0 and expired leaf certificates

Updated to 4.00.09 the other day in the hope this would finally solve the issue, as told by an HPE rep.

This has not resolved the issue.

I'd just love to know why admins can't clear locked alerts and it takes a remote session from HPE to do this.

 

Paul91
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

Manually delete the locked alerts using the REST API:

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00048315en_us

Paul91
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

Sorry, just to be clear:

- Delete expired cert from OneView

- Renew the SSL cert on your device (iLO, VC, OA, ...)

- Refresh/import cert/device

- Delete expired alert from OneView using the REST API as per link above
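
Added example, not part of any post in this thread and not HPE code: between the renew and refresh/import steps above, it helps to confirm which leaf certificate the device actually presents and whether it is still inside its validity window. The function names and the `oa-example.invalid` subject are hypothetical, and the constructed sample certificate assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Fetch the leaf certificate a device (OA, iLO, VC) presents on its HTTPS port.
function Get-LeafCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Validation is skipped on purpose: an expired certificate must still be readable.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [X509Certificate2]::new($ssl.RemoteCertificate)   # copy outlives the stream
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

# Classify a certificate by its validity window and report the thumbprint,
# which can be compared with the entry shown under Manage Certificates.
function Test-LeafCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate,
          [int]$WarnDays = 30, [datetime]$Now = (Get-Date))
    $daysLeft = [math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
    $state = if ($Now -gt $Certificate.NotAfter) { 'Expired' }
        elseif ($Now -lt $Certificate.NotBefore) { 'NotYetValid' }
        elseif ($daysLeft -lt $WarnDays) { 'ExpiringSoon' }
        else { 'Valid' }
    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        DaysLeft   = $daysLeft
        State      = $state
    }
}

# Constructed sample (runs offline): a self-signed certificate that expired yesterday.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=oa-example.invalid', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-30), [DateTimeOffset]::Now.AddDays(-1))
Test-LeafCertificate -Certificate $sample

# Against a real device (host name is a placeholder):
# Get-LeafCertificate -HostName 'oa-example.invalid' | Test-LeafCertificate
```

If the device still reports `Expired` after the renewal, the old certificate is still being served and re-importing it into OneView will only reproduce the alert.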