HPE Community
HPE OneView
1819684 Members
3393 Online
109605 Solutions
New Discussion юеВ

Problems with directory sertificate

 
Tropisk
Occasional Advisor

тАО12-14-2017 01:01 AM

тАО12-14-2017 01:01 AM

Problems with directory sertificate

I'm having issues with using directory authentication with OneView and I cant understand the problem:

OneViewServer A - Using directory server 10.0.0.1 - certificate is valid
OneViewServer B - Using directory server 10.0.0.1 - certificate is invalid

I have tried 10-20 times and it gives the same error every time . 
"The certificate entered for server 10.0.0.1:636 does not appear to be a valid certificate.
For assistance, contact your administrator."

It is the same sertificate, the servers is on the same subnet, configured the same way and at the same time, the only difference is the oneview servername. 

If I dont specify any certificate, i get a screen with the current certificate. from the CA server -> Domain controller. And I press "Yes, accept" and still: "The certificate entered for server 10.0.0.1:636 does not appear to be a valid certificate.
For assistance, contact your administrator"

Dont matter if I use:
Domain FQDN
DomainController FQDN
DomainController IP

I got it working for about one month ago, with both our OneView installation but not OneView Global Dashboard. Today when it expired yet again, I only got it working on one of the oneview installations, but not the others..

What can I do to fix this? Certificates are not my strongest side..

This is how I get the certificate when specifying:
1. Log on to the domain controller
2. Open MMC -> Certificates -> Computer Account
3. Browse to personal store and export the domaincontroller certificate as Base-64 endoded X.509
4. Open the export file in notepad and Copy/Paste the certificate

0 Kudos
Reply
4 REPLIES 4
ChrisLynch
HPE Pro

тАО12-14-2017 01:10 PM

тАО12-14-2017 01:10 PM

Re: Problems with directory sertificate

Check to make sure your appliance that is reporting the invalid certificate has the correct date and time.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Tropisk
Occasional Advisor

тАО12-15-2017 01:33 AM

тАО12-15-2017 01:33 AM

Re: Problems with directory sertificate

Date & Time is 100% correct and the same for both of them.

Both settings are "Synchronize with VM host" and they are on the same host.

 

0 Kudos
Reply
ChrisLynch
HPE Pro

тАО12-15-2017 09:33 AM - last edited on тАО06-29-2021 04:58 AM by

тАО12-15-2017 09:33 AM - last edited on тАО06-29-2021 04:58 AM by

Re: Problems with directory sertificate

Can you provide the following:

  1. Screenshots of your appliance versions (Top level menu -> Settings -> Appliance panel).
  2. Download (if you do not have a PC with openssl client avaiable), and run the following openssl command from your PC to your domain controller, and provide the output (you can obvescate the Base64 output of the certificate that will be displayed):   
.\openssl.exe s_client -connect 10.0.0.1:636

You will see something like the following output: 

[PS] ...\openssl-0.9.8r-x64_86-win64-rev2> .\openssl.exe s_client -connect dc1.doctors-lab.local:636
Loading 'screen' into random state - done
CONNECTED(00000200)
depth=0 /CN=dc1.doctors-lab.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=dc1.doctors-lab.local
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=dc1.doctors-lab.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=dc1.doctors-lab.local
   i:/DC=local/DC=Doctors-Lab/CN=Doctors-Lab-DC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIG5jCCBM6gAwIBAgITGQAAAFYbv21LXshKZQAAAAAAVjANBgkqhkiG9w0BAQsF
ADBRMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGzAZBgoJkiaJk/IsZAEZFgtEb2N0
b3JzLUxhYjEbMBkGA1UEAxMSRG9jdG9ycy1MYWItREMxLUNBMB4XDTE3MTAyNTIw
NDgxNFoXDTE4MTAyNTIwNDgxNFowIDEeMBwGA1UEAxMVZGMxLmRvY3RvcnMtbGFi
LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp3uQG0dDa4Zs
H+fs7iKD8aT7vZFVej1OY4JBqMCT06CpTqDSKjH7bJV0JVSU2Vw1Gmj4a6p/hPKY
Vvzwy+HpE44ChTbRdEo5w/nkmnbtj5KmYN4K2/D2lgLjJH0eDZxLG2+x4+ynEVk7
f69qPacg2PYNFbXL1N+OrF5Pa6y1pIyGCKEX43LkMJC76tLIyO/0kbE+c5zafvrd
gh3w6InnAk9N+4ifYBhMmz5WlFIjXLbp9Hm4pfKWu2DPU2gVS/5g5G8NJbzjcbAm
2xbCVTnuG0Kp3hq+ODrjZ7O1XQ2JZcLr91sHhy2iiDG9qBNu9xGARQpUa2lQHzkX
cwJIMh3dgQIDAQABo4IC5jCCAuIwNgYJKwYBBAGCNxUHBCkwJwYfKwYBBAGCNxUI
hpm4MoPcxWOEkY0BgraAJvaOdnoBHAIBbgIBCDApBgNVHSUEIjAgBggrBgEFBQcD
AgYIKwYBBQUHAwEGCisGAQQBgjcUAgIwDgYDVR0PAQH/BAQDAgWgMDUGCSsGAQQB
gjcVCgQoMCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwDAYKKwYBBAGCNxQCAjAd
BgNVHQ4EFgQUDooLOmFUaIq8shGFhxuTOXGTNsMwVAYDVR0RBE0wS4IVZGMxLmRv
Y3RvcnMtbGFiLmxvY2FsghpkYzEtaXB2Ni5kb2N0b3JzLWxhYi5sb2NhbIcEwKgT
C4cQ/YkmmeSjf8eUrThttGEGHDAfBgNVHSMEGDAWgBRdWWjUMsqWEzuL5vIKZ5ms
5PNnXjCB0gYDVR0fBIHKMIHHMIHEoIHBoIG+hoG7bGRhcDovLy9DTj1Eb2N0b3Jz
LUxhYi1EQzEtQ0EsQ049REMxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPURvY3RvcnMtTGFi
LERDPWxvY2FsP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD
bGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBygYIKwYBBQUHAQEEgb0wgbowgbcG
CCsGAQUFBzAChoGqbGRhcDovLy9DTj1Eb2N0b3JzLUxhYi1EQzEtQ0EsQ049QUlB
LENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZp
Z3VyYXRpb24sREM9RG9jdG9ycy1MYWIsREM9bG9jYWw/Y0FDZXJ0aWZpY2F0ZT9i
YXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwDQYJKoZIhvcN
AQELBQADggIBAJeO14HFNu68GnH9Zv+eHLydkyvRds/xz79fTbqLlbf83CR2BPdv
HTNG5deE5vYVfgRJOW8BIgFYPveBl823aEGY26/VAuZvkQlBlZXXPJpgyMVL7rjT
dxyKIhxPF4tyVuxniJ9ClVc62yOAdUXFodlgILybrSCYIa7sLneaX+YDtTjCqGis
CbOLFGsWPrfLAdCdn0TM5EQcmdOtZv/LNRVkEg6aMIzKI33hytwrDjuzP4iD4Ola
6b6vNCkdZxAk5UG0QSD4aW0jmdj9CpLAscT3R2eKUiJU23mhZZpjjSdLOT9nI8mk
R5F0eOtyneRIG6hFkATIGh5w0r9MN6owO53J3SsFK4gsMdZCwuPvqxqSYqopr2SF
N15i1V1KmCzHDx5wOzBbu38LmM3UAWBlwT24TFfxAEQyPmFZlGVpYn0nTv2G3jrs
NcZX+mW6aPun7zftF2qHCCCTdX+l/PCx2F04IKyX+V3xH7LMJgEXzfx+0QjA4i1r
RBH9/7gns75gDwzLSLcNHYNQGNaEywUEu32Xd2kxksfauOadW8k0X4v1ATrA2KU0
X1TxW2IPoGIEs+RHlZiFmVLi07zOuavm6O9lkeGm4sQSFw8Xr8bgKzSEpnYuHNMz
e09CFHV0ABOUFrz3Dnksi2ZlnazD9nTYzANbCurkAJrtKK9dp2ipedL7
-----END CERTIFICATE-----
subject=/CN=dc1.doctors-lab.local
issuer=/DC=local/DC=Doctors-Lab/CN=Doctors-Lab-DC1-CA
---
No client certificate CA names sent
---
SSL handshake has read 2975 bytes and written 465 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 8E30000082F2064B769699C65258C5617E3E14F6E2301579342D3707A252421E
    Session-ID-ctx:
    Master-Key: B0F499F3F34A7497C4D8B4F0BA4B93E559FB245EE294ED7E674338CA3ACE7E569806FFD36CE0B6E82A9A3C8CC4992A5A
    Key-Arg   : None
    Start Time: 1513358939
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

The Certification Chain and SSLSession are important to look at. 

 

Note, when you execute the openssl command, you will need to press the Enter key in order to get your command prompt back.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Christian87
Occasional Visitor

тАО06-01-2018 04:44 AM

тАО06-01-2018 04:44 AM

Re: Problems with directory sertificate

Hello Chris,

i have a simlar problerm by installed a new HPE Oneview 4.0.9 Solution. I have a Root and Sub CA that will be based on Windows Server 2016. Also I have a Windows 2016 Domain Controller who get the certificate from the sub ca. 

The Test with Openssl reports me that no issues are found everything is fine. Also i see at oneview that the server protected by a ca certifcate. When i want finshed the settings for active directory and i want save it. I get an error:

Server certificate presented by directory is invalid.

For assistance, contact your administrator.

I read some other forums and i check that all certificates are RSA SHA256 Certificates. The Time of HPE Oneview Appliance, CA and Domaincontroller are 100% the same. 

Thanks for your help.

 

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.