HPE OneView
1747984 Members
4762 Online
108756 Solutions
New Discussion юеВ

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

 
Marc_BE
Occasional Advisor

Unable to establish trusted communication with servers after installing certificate in HPOneView 5.0

Hi all,,

I recently installed a public certificate on our OneView applicance and I can now view it over ssl without any issue except that the certificates on the blades sem to have disappeared and the appliance now seems unable to communicate xithe blades correcty as you should be able to see in the atached screen shot :

HP One View issue.jpg

Do I have to create a CSR on each blade and have it signed via the same public CA for thing to come back to normal ?

Thanks in advance for any advice,

8 REPLIES 8
ronissac
Trusted Contributor

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

Hi Marc , 

 

Yes you may have to generate CSRs from the server ILOs if they are missing in Oneview appliance trust store.

Alternativley you may also remove the affected enclosure from the appliance and import it 

 

Regards

Ronny


I am an HPE employee
Accept or Kudo
ChrisLynch
HPE Pro

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

I would not suggest removing and then adding back the enclosure, as it is Managed.  Removing then adding a managed enclosure would require downtime, if HPE Virtual Connect fabric modules were present within the enclosure.

The certificates are likely expired.  One way you can validate the iLO cert is to view it the same way you did with your HPE OneView appliance.  Alternatively, you can use the openssl client to retreive the peer certificates:

 

openssel s_client -connect ilo-ip-address-or-fqdn -port 443

# Example using IP Address
openssl s_client -connect 10.4.3.2 -port 443

# Example using FQDN
openssl s_client -connect server-ilo.domain.local -port 443

# Save the base64 string of the peer certificate (the text that starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----" to a local file, then use openssl x509 to show cert validitiy
openssl x509 -in C:\path\to\file -noout -dates

 


I am an HPE employee

Accept or Kudo

Marc_BE
Occasional Advisor

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

Indeed there are Virtual Connects fabric modules present.

When checking via openssl it looks as if there are no certificates installed in the iLO:

CONNECTED(00000003)
140231902615360:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 299 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

and yet when looking via the web administration console I see this :
iLO SSL issue.jpg

The issue I have is that when I create a CSR via the web administration and paste the CSR in our CA Web site (DigiCert) to get the certificate I get an error message saying ""Domain Name has an invalid value" but it maybe something to check up with them rather than here since you seem to confirm this should be the way to go about it ?

BhaskarV
Trusted Contributor

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

Hi @Marc_BE 

The CN=ILOGB8050BS97 is probably what DigiCert is complaining about.
Most CAs expect a FQDN there such as CN=ILOGB8050BS97.ilo.ulb.be
So you may need to set the hostname on the iLO with the FQDN like that and generate the CSR after that.

One thing I want to point out is that when you apply a CA signed certificate for the OV appliance, you need not necessarily have to have CA signed certificates for the iLOs at all.
The two are not related.

It is ok for the iLOs to have self-signed certificate (or whatever comes with them by default).

Regards,
Bhaskar


I am an HPE employee

Accept or Kudo

BhaskarV
Trusted Contributor

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

Hi @Marc_BE 

On the error you have shown in the screen shot, what is the text beyond
Unable to establish trusted communication.

Can you share?
What has most probably happened is a "Do not trust" CA certificate that belongs to an iLO has got accidentally trusted in the OV trust store. See below from the OneView User Guide.

Trusting a root CA certificate - тАЬiLO/iLO 3/iLO 4/iLO 5 Default Issuer (do not trust)тАЭcertificate

When you trust an iLO self-signed certificate using the Settings > Security > Manage Certificates > Add Certificate screen and select Fetch from IP address or hostname, always enable the Force trust leaf certificate option, that ensures only the iLO leaf certificate is added to the trust store. If you forget to use this option, the iLO Default Issuer (do not trust) certificate is sometimes added to the trust store. In that case, delete the Default Issuer (do not trust) certificate. Never place these certificates into the trust store as they can cause errors when present.

 

Regards
Bhaskar


I am an HPE employee

Accept or Kudo

Marc_BE
Occasional Advisor

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

Hi BhaskarV,

Here is the full error message :

Unable to establish trusted communication with the server. The iLO certificate does not have any IP address or host name specified.

 Locked  
1/21/20  2:58:38 pm
Resolution Ensure that the iLO is set up with a certificate that has a valid ip address or host name specified. After setting up iLO with the certificate as specified, in case of a CA signed certificate, ensure that the root certificate and the appropriate intermediate certificates are present in OneView's trust store. In case a new iLO self-signed certificate was generated to correct the issue, add the same into OneView's trust store. Refresh the server and retry the operation. Use the link provided below to add certificate(s) to OneView's trust store.

Trying to solve the issue I think I did a factory reset on the blade for which this message shows up. Can it be related ?

How should I go about removing the iLO Defaukt Issuer certificate ? From the HPOneView via the CLI openssl ?

Thanks in advance,

BhaskarV
Trusted Contributor

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

Hi @Marc_BE 

Navigate to Settings -> Security -> Manage Certificates and search for "Do not trust".
See if you are able to find a certificate such as this.
If yes, you can delete it.

Regards,
Bhaskar


I am an HPE employee

Accept or Kudo

BhaskarV
Trusted Contributor

Re: Unable to establish trusted communication with servers after installing certificate in HPOneView

And yes, factory reset of the blade will cause a new certificate to be regenerated on the iLO.
Once the certificate on the iLO changes, the server hardware status for this blade will be red.
You will need to navigate to Settings -> Security -> Manage Certificates -> Add Certificate -> Fetch from IP address and hostname, type in the IP address of the server.
This time, make sure to select the Force trust leaf certificate check box. Then validate and Trust the certificate. This ensures the leaf level certificate is fetched and trusted but skips the "iLO Default Issuer (Do not trust)" CA certificate.
Once you do this right, the server hadware status will turn green.
Try this out and let me know.
Do not hesitate to ask questions if this is unclear.

Regards,
Bhaskar


I am an HPE employee

Accept or Kudo