HPE Community
HPE OneView
1819683 Members
3521 Online
109605 Solutions
New Discussion

OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is expired

 
SOLVED
Go to solution
David Claussen
Regular Advisor

‎05-02-2018 08:06 AM - edited ‎05-02-2018 08:08 AM

‎05-02-2018 08:06 AM - edited ‎05-02-2018 08:08 AM

OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is expired


OneView Appliance for vSphere, version 4.00.07.02-0334467.

 

Why is OneView so incredibly difficult to work with?

My latest problem is the following error:

screenshot.25.jpg

So I copied the URL for the cert and it downloaded fine. 

Now, I tried to get this new cert into my HPOneView appliance. Security/Manager Certificates/Add Certificates

screenshot.26.jpg

After an hour of searching, I can find no way to open the CRL files and get the base64 cert text and there is no option to inport a local file.

So I try Add certificate from an IP address or hostname:

screenshot.27.jpg

Entering the url provided by the initial alert FROM ONEVIEW yeilds the error:

screenshot.28.jpg

I tried multiple ports as well with no success.

Now I have been fighting with OneView for months now - configuration issues, update issues, alerting issues (IE - seven alerts for a server reboot - this is a total nightmare and there is no documentation anywhere for help) and now this cert thing.

Any help is appreciated, but this is strike 27 for this software and if I can't get this cert thing cleared up - OneView is gone and I'll go back to SIM.

 

 

2 people had this problem.
0 Kudos
Reply
14 REPLIES 14
Nikolape
Occasional Advisor

‎05-04-2018 03:06 AM

‎05-04-2018 03:06 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

I have the same problem with our Synergy frame, and could not agree more with previous post. Please, any help would be appreciated! 

The question is simple, how to import missing .crl file?

Thank you.

0 Kudos
Reply
frenchy94
Regular Advisor

‎05-04-2018 11:56 PM

‎05-04-2018 11:56 PM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

this issue is well documented in release notes i think


---
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel antivirus Avast.
https://www.avast.com/antivirus
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎05-05-2018 06:13 PM - edited ‎05-06-2018 09:13 PM

‎05-05-2018 06:13 PM - edited ‎05-06-2018 09:13 PM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

I'm not sure why you want to get a CRL?  The Certificate Revocation List contains a list of certs that have been revoked.

I only see a Last Update and Next Update fields.

You need to create new certs to replace the expired ones.

 

> I tried to get this new cert into my HPOneView appliance. Security/Manager Certificates/Add Certificates

 

I'm not sure why it would need you to add a CRL?

 

>  I can find no way to open the CRL files and get the base64 cert text and there is no option to import a local file.

 

You can open the .CRL in Windows.  Or use:

openssl crl -inform der -in pca3-g5.crl -text -noout

So I would suggest you look for expiration dates for your certs and CA certs.

Unless it's related to you can't access the CRL?

https://github.com/HewlettPackard/POSH-HPOneView/issues/97

0 Kudos
Reply
David Claussen
Regular Advisor

‎05-07-2018 05:24 AM

‎05-07-2018 05:24 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

It is not. There are references to CRL files in both the release douments and the user manual, but nowhere does it show how to istall/import a CRL file.

0 Kudos
Reply
David Claussen
Regular Advisor

‎05-07-2018 05:25 AM

‎05-07-2018 05:25 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

As you can see in my inital post, the CRL file is what my OneView shows as expired - that is why I would assume that I need to replace it. 

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎05-07-2018 11:08 AM

‎05-07-2018 11:08 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

> the CRL file is what my OneView shows as expired

 

Hmm, except the date fields in a CRL don't have "expired" in them, just "next update".

0 Kudos
Reply
David Claussen
Regular Advisor

‎05-07-2018 11:28 AM

‎05-07-2018 11:28 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

I don't know how much clearer I can get than this screen shot directly from my HPOneView appliance:

screenshot.47.jpg

0 Kudos
Reply
David Claussen
Regular Advisor

‎05-08-2018 10:00 AM

‎05-08-2018 10:00 AM

Solution

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

Well I give up. No help for the CRL issue, no help for the impossible alerting configuration and no help for the LDAP cert issues. Six months wasted on the software. It is too bad really, the appliance is good, but no support is a deal breaker. I will go back to HP SIM.  OV appliance powered off and deleted.

Funny, I'm sure that if I was using the paid version of OneView, help would be in abundance.

Thanks HP.

PS: HP SIM will be in production for a quite a while. I spoke to an HP tech about SIM's EOL and he said that because there are so many customers still using servers below G7 - they have to keep is going. True or false, who know this is HP.

0 Kudos
Reply
John Bigg
Esteemed Contributor

‎05-09-2018 01:18 AM

‎05-09-2018 01:18 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

To upload a CRL file, go to Settings -> Manage certificates and then click on the little green pen icon on the certificate where the CRL is expired. You can then either drag and drop the CRL file you downloaded or browse to it in order to upload it.

Note that the CRL file takes effect immediately, although it can take up to an hour for the manage certificates page to show an OK state rather than CRL Expired.

Reply
Todd_Bowden
Occasional Advisor

‎05-09-2018 07:41 AM

‎05-09-2018 07:41 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

John,

Im in total agreement with the person who started this thread.  OneView is so quirky, getting these obscure error messages.

I have tried to upload this .CRL file and stupid OneView says, I need a .CRL file2018-05-09_09-29-55.jpg

0 Kudos
Reply
Todd_Bowden
Occasional Advisor

‎05-09-2018 08:08 AM

‎05-09-2018 08:08 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

Here is the fix, delete the CRL that it is complaining about, in this case "VeriSign Class 3 Public Primary Certification Authority - G5"

I found a Symantec website that you can copy and paste the key to put it back in.

https://knowledge.symantec.com/support/mpki-for-ssl-support/index?page=content&id=SO5624&actp=LIST&viewlocale=en_US

Just copy and paste the key, and BOOM, all is well.

 

Hope it helps

 

 

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎05-10-2018 01:07 AM

‎05-10-2018 01:07 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

> I don't know how much clearer I can get

 

The problem isn't you, it's in the message.  :-)

CRLs don't "expire".  And the message doesn't say how to fix it, AFTER you get the CRL from the web.

Is your appliance connected to the Internet?

0 Kudos
Reply
John Bigg
Esteemed Contributor

‎05-16-2018 12:45 AM

‎05-16-2018 12:45 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

Todd, I believe that the issue you saw with OneView reporting that a .crl file is needed even when a .crl file was selected is a known issue with certain versons of Firefox. Try using a different browser and you shouldn't see this and the crl file should work.

0 Kudos
Reply
Lionel_Jullien
HPE Pro

‎07-12-2018 02:52 AM

‎07-12-2018 02:52 AM

Re: OneView Alert: CRL issued by VeriSign Class 3 Public Primary Certification Authority - G5 is exp

The best is to use a PowerShell script using the OneView library so that you can automate all the process.

See https://github.com/jullienl/HPE-Synergy-OneView-demos/blob/master/Powershell/OneView/Update%20all%20existing%20OneView%20CRLs.ps1

This script updates all existing CRLs present in Oneview identified as expired.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.