HPE OneView

OneView 4.0 and expired leaf certificates

Steve_Tippett
Occasional Advisor

OneView 4.0 and expired leaf certificates

After upgrading a OneView 3.10 appliance to OneView 4.00.07, I have several Security errors, which are in Locked status. The resolution says to delete the expired certificate, but I can't find any way in the OneView GUI to do that. I also tried using the OneView.400 PS cmdlet library and the cmdlet Remove-HPOVApplianceTrustedCertificate, providing the certificate alias name as the input object to the cmdlet, but with no success.

 

5 REPLIES
ChrisLynchHPE
Neighborhood Moderator

Re: OneView 4.0 and expired leaf certificates

You can manage certificates in the UI under Settings.

 

 

In that section of the UI, you can then search for the alias of the certificate.  From the name of the alias, it looks like an Onboard Administrator certificate of one of your enclosures.  I would suggest you regenerate the certificate on the OA.  If the certificate is no longer in the appliance trust store (by using the Manage Certificates link above, or the Get-HPOVApplianceTrustedCertificate Cmdlet), the alert above is a bug.  You can try to use the "Get-HPOVAlerts -State Locked | Remove-HPOVAlert" call.  However, I don't have this state on any of my appliances so I cannot verify if this call will be allowed.

 

Steve_Tippett
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

Hi Chris,

I have already installed a current certificate from my CA at the Onboard Administrator, so the Search method in the OneView GUI just shows me the good (green status) certificate. Next week, I'll re-try the PS cmdlet method you suggested. I've tried that earlier, but got stumped on providing an acceptable alias name/URI to the cmdlet. It deserves another attempt! Thanks for your guidance.

Mainecoon
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

When I try to remove them I get the following:

remove-hpovalert : [Send-HPOVRequest]: Only trusted Resource Managers can make this request..  Request was 'DELETE' at '/rest/alerts/937659'.
At line:1 char:31
+ get-hpovalert -state locked | remove-hpovalert
+                               ~~~~~~~~~~~~~~~~
    + CategoryInfo          : AuthenticationError: (Send-HPOVRequest:String) [Remove-HPOVAlert], AuthPrivilegeException
    + FullyQualifiedErrorId : AlertAuthorizationException,Remove-HPOVAlert

 

Any idea how I can filter this alert from the email alerts, as I get spammed by the appliance constantly (leaf cert only)?

Kerry Quillen
Frequent Advisor

Re: OneView 4.0 and expired leaf certificates

I had the same issue. Tried multiple things to get it to clear up. I was able to clear a few by adding certs via Settings->Security->Manage Certificate. Finally gave up and opened a case, which got escalated to L2 support. Via an SSH session to OneView they logged in as user "maintenance" and performed some witchery and the alerts were cleared. She did tell me that this is a known issue that will be fixed in a future OneView release, and if I get any future leaf cert alerts to just ignore them.

Steve_Tippett
Occasional Advisor

Re: OneView 4.0 and expired leaf certificates

Kerry, thanks for sharing your experience with resolving this new wrinkle that popped up in OneView 4.0.

Certificate issues, including on iLOs and Onboard Administrators, are taking a portion of my time that I'd rather devote to other things.


Steve Tippett
Distributed Platform Sustaining Team
NSC Infrastructure & Operations