HPE OneView
cancel
Showing results for 
Search instead for 
Did you mean: 

Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

 
MarioE
Frequent Advisor

Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hello

I upgraded HPE OneView from Verion 4.00.07 to 4.00.07.02.
Since I have installed this update .02, I receive about 20 messages every day:

Bild1.jpg

Unable to establish trusted communication with the server. The iLO certificate does not have any IP address or host name specified.

Some of these alarms are "Locked".
When I do a refresh of the server, the alarm is mostly cleared again. Sometimes I have to do the refresh 2 or 3 times.

However, most alarms will be cleared right away:

Bild2.jpg

I only have ProLiant DL Server in the HPE OneView. This error I have over all servers (G7, Gen8, Gen9) with all iLO FW versions and over again. Only with the Gen10 servers I do not have this problem.

Does anyone else have this problem?

 

 

17 REPLIES 17
peyrache
Respected Contributor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Only update ? nor Ilo Ip address change ?
MarioE
Frequent Advisor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

I only did the updates of the HPE OneView. Before the update, I had never seen this error. I did not make any changes to the iLOs.

peyrache
Respected Contributor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Shall you post exact error message (complete screen)
Thanks
MarioE
Frequent Advisor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Unable to establish trusted communication with the server. The iLO certificate does not have any IP address or host name specified.

Resolution Ensure that the iLO is set up with a certificate that has a valid ip address or host name specified. After setting up iLO with the certificate as specified, in case of a CA signed certificate, ensure that the root certificate and the appropriate intermediate certificates are present in OneView's trust store. In case a new iLO self-signed certificate was generated to correct the issue, add the same into OneView's trust store. Refresh the server and retry the operation. Use the link provided below to add certificate(s) to OneView's trust store.

Event details
certificateMismatch true
clearPriorEvents true
correctiveAction Ensure that the iLO is set up with a certificate that has a valid ip address or host name specified. After setting up iLO with the certificate as specified, in case of a CA signed certificate, ensure that the root certificate and the appropriate intermediate certificates are present in OneView's trust store. In case a new iLO self-signed certificate was generated to correct the issue, add the same into OneView's trust store. Refresh the server and retry the operation. Use the link provided below to add certificate(s) to OneView's trust store.
locked     true
resourceUri   /rest/server-hardware/32333536-3030-5A43-3234-323730484452

peyrache
Respected Contributor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Should be related to:
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00042194en_us&docLocale=en_US
or
Certificate expiration alerts reported during HPE OneView 4.0 upgrade

HPE OneView has a new certificate-related security setting: "Check for expiration of self-signed certificates". The setting is disabled by default. When disabled, a warning alert is displayed for any device with an expired certificate on the device's resource screen. For example, server hardware screen. Additionally, separate alerts for expired certificates are displayed on the Settings > Activity screen.

After HPE OneView 4.0 upgrade, under certain circumstances, warning alerts for expired iLO certificates are not displayed on the corresponding server hardware screen. Note that any server hardware warning alerts will be displayed on the Settings > Activity screen.

The certificate expiration alerts displayed on the Settings > Activity screen are created incorrectly as critical, locked alerts (red alerts) instead of warning alerts.

Suggested action

Communications with devices is not impacted by these specific critical alerts. Both warning and critical alerts are cleared automatically when the corresponding expired certificates are fixed. The certificate alert can be fixed by either generating a new self-signed certificate for the device and placing that in the HPE OneView certificate trust store or by performing a certificate signing request and using a certificate authority-issued certificate for the device. For more information on regenerating iLO certificates, see Correcting expired certificates for an iLO.
MarioE
Frequent Advisor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

I have no self-signed certificates. All iLO certificate are Trusted SSL Certificate signed by our Certification Authority (CA).
All certificates are valid and have not expired.

peyrache
Respected Contributor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

So the best is to open a case to HPE support
For Oneview dump analysis
ChrisLynchHPE
Neighborhood Moderator

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

If you have not already, please add your Issuing and all chain CA certs to your appliance.  Please see this help link about this topic and to navigate other supporting documentation.


Accept or Kudo

ChrisLynchHPE
Neighborhood Moderator

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Just as a quick follow up, 4.00.07.02 was only released to address an SNMPv3 issue with Gen10 and the recently released iLO 1.20 firmware.


Accept or Kudo

Rextor
Occasional Visitor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Did you find a solution for this one? We are facing the same problem when using certificates from our own certificate authority and not the self signed certificates

MarioE
Frequent Advisor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Yes, I could solve the problem.
We are in the process of replacing our internal CA.
That means I have to enter both CA servers under Settings - Manage certificates (Trust Store).
I had to recreate all iLO Trusted SSL Certificate signed by our old CA, with the new CA.

In the Trust Store, I have changed nothing more, just recreated the certificates with the new CA. That is, there are still both CA (old and new) registered in the Trust Store.

I had both CA registered in the Trust Store for some time, but I only had problems after the update to Version 4.00.07.02.

Ralph1969
Advisor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hi,

I have the same issue, after all my G7 ILO 3 expired all at the same time, I reset the ILO to generate a new cert.
And when I tried to refresh or add in OneVew I get the error "The iLO certificate does not have any IP address or host name specified."

I placed a call to HP to show them the problem, got transfert to a L2 and worked 2hr in a My Room session trying to fix it.
2 weeks later when I ask for an update I get: 
Still working on lab server, will contact you at the earliest once have an update regarding the same.

HP obvioulsy aware of the problem but dont have any solution yet.

 I will update once we figure it out

Save the cheerleader save the world....
BhaskarV
HPE Pro

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hi  @Ralph1969

This works, i.e. regenerating the cerificate on the iLO followed by fetching and trusting the new certificate in OneView.
Can you ask for an elevation of the support case?

Regards,
Bhaskar

 



I am a HPE Employee
craigpennock
Frequent Visitor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hello.

Did anyone manage to resolved this for the G7's?

Gen 8 & 9 allow me to create a cert request with the IP address, but G7's do not have this option

Thanks

Craig

BhaskarV
HPE Pro

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hi @craigpennock 

Given Gen 7 / iLO3, did you generate a CSR from the iLO and get a CA signed certificate?
Does the certificate you generated for the iLO have the DNS name for the iLO in the SAN / Subject field?
The CSR I generated on my test iLO looks like the attached.

iLO4_Gen7_CSR.PNGiLO4 Gen7 CSR

The CN "myilo.pe.com" in the CSR should have made its way through the certifcate signing process.
Let me know. 

Regards,
Bhaskar



I am a HPE Employee
craigpennock
Frequent Visitor

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

I do not have the option for Common Name so had to add the below on the CA when requesting the cert.

san:dns=IPADDRESS&dns=ILONAME

 

thanks for the advise though

BhaskarV
HPE Pro

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Thanks @craigpennock  
Glad you worked around the problem by specifying the IP address and FQDN in the SAN when submitting the CSR to the CA.

What version of iLO3 firmware are the Gen7s you have at?
Anything close to 1.88, 1.89 or 1.91 (the latest available firmware for iO3)
If you take a look at the screen shot above where Common Name (CN) = myilo.hpe.com, that field gets carried forward as the Subject field at the very least in the CSR if not the SAN.

Even if the IP address is included in the SAN field, some CAs (Certificate Authorities) do no accept IP addresses.
They do accept FQDNs and allow a provision for you to specify the FQDN in the SAN at the time of submitting the CSR for getting signed, like you just did.

Regards,
Bhaskar



I am a HPE Employee