HPE OneView

Re: Self-signed certificate Error after Upgrade OneView 4.0

 
MarioE
Trusted Contributor

Self-signed certificate Error after Upgrade OneView 4.0

Hello

I upgraded HPE OneView from Version 3.10.07 to 4.00.05 today.
I had to reinstall the root CA Certificate and the WebServer Certificate.
Now I have one more mistake:

Self-signed certificate with alias name HP Infrastructure Management Certificate Authority-internal root Basic Constraint is not valid

Resolution Provide Certificate with Basic Constraint set to SubjectType = CA. Try again.
 
However, I do not have a self-signed certificate.
How can I clear the error?

The alert is locked.

ChrisLynch
HPE Pro

Re: Self-signed certificate Error after Upgrade OneView 4.0

Is this an HPE Synergy system?  Have you updated the Frame Link Module firmware yet?

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Bart_Heungens
Honored Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

In my case it is an OV VM with a C7000 behind it... So no Synergy (yet)...

--------------------------------------------------------------------------------
If my post was useful, click on my KUDOS! "White Star" !
ChrisLynch
HPE Pro

Re: Self-signed certificate Error after Upgrade OneView 4.0

Thank you, Bart.  I'm looking into this.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Bart_Heungens
Honored Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

Hi Chris, if you need more information or want access to my OV Instance, you know where to find me...

--------------------------------------------------------------------------------
If my post was useful, click on my KUDOS! "White Star" !
MarioE
Trusted Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

Hi Chris

I have an HPE OneView on a VM, only with HPE Proliant Server Monitored. No Synergy, no enclosure with blades available.

ChrisLynch
HPE Pro

Re: Self-signed certificate Error after Upgrade OneView 4.0

Following up on this discussion.  This appears to be an issue with the State Change Message Bus (SCMB) certificate when the appliance was upgraded from older versions to 4.00.  It will need to be recreated.  The easiest way is to use the PowerShell Cmdlets:

# Remove the SCMB certificate from the connected appliance
Remove-HPOVScmbCertificate

# Recreate and retrieve the certs
Get-HPOVScmbCertificate

Please let me know if that does resolve the message.

Also, anyone using HPE OneView Global Dashboard, you will likely need to refresh or reconnect the appliances after performing this operation.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
MarioE
Trusted Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

Hi Chris


What is the syntax for these commands? I could not find anything helpful in the help.
Here is the output of the commands (without syntax):

PS > Remove-HPOVScmbCertificate
Remove-HPOVScmbCertificate : The SCMB certificate key pair has not bee generated on the appliance "<FQDN>".  Please use Get-HPOVScmbCertificates to generate a new certificate key pair.
At line:1 char:1
+ Remove-HPOVScmbCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ScmbCertifcateKeyPait:String) [Remove-HPOVScmbCertificate], ResourceNotFoundException
    + FullyQualifiedErrorId : ResourceNotFound,Remove-HPOVScmbCertificate

 

and

 

PS > Get-HPOVScmbCertificates
Get-HPOVScmbCertificates : The requested resource '/rest/certificates/client/rabbitmq/keypair/default' could not be found. Please supply a valid and unique common name and try again.
At line:1 char:1
+ Get-HPOVScmbCertificates
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (URI:String) [Get-HPOVScmbCertificates], ResourceNotFoundException
    + FullyQualifiedErrorId : ResourceNotFound,Get-HPOVScmbCertificates

ComputerUser
New Member

Re: Self-signed certificate Error after Upgrade OneView 4.0

Did anyone solve this problem? I have the exact same issue after upgrading to version 4.0.  Here is my alert: "

Self-signed certificate with alias name HP Infrastructure Management Certificate Authority-internalroot Basic Constraint is not valid Security"

"Resolution Provide a certificate with Basic Constraint set to SubjectType=CA. Try again."

ChrisLynch
HPE Pro

Re: Self-signed certificate Error after Upgrade OneView 4.0

@MarioE, the appliance exception to the self-signed certificate is the State Change Message Bus (SCMB).  Are you using the HPE OneView for vCenter plugin?  If so, what version? 

As for the Cmdlets, it appears that someone may have created the SCMB using a different name, and that is why the Cmdlets are failing.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
MarioE
Trusted Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

Hi Chris

we do not use vCenter plugin.
No one has ever created an SCMB certificate. For me, this certificate is new.

fluke
Established Member

Re: Self-signed certificate Error after Upgrade OneView 4.0

Installed OneView Powershell from GitHub 
https://github.com/HewlettPackard/POSH-HPOneView/releases/tag/v4.0.1554.2229

Ran 

# Remove the SCMB certificate from the connected appliance
Remove-HPOVScmbCertificate

# Recreate and retrieve the certs
Get-HPOVScmbCertificate

and nothing happened. Checked OneView GUI Activity and it showed Certificates have been regenerated. It has been 1 hour and the "Self-signed certificate with alias name HP Infrastructure Management ..." error has not shown up.  It usually reprompts hourly.

MarioE
Trusted Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

Here is the output of the commands:

PS C:\> Remove-HPOVScmbCertificate
Remove-HPOVScmbCertificate : The SCMB certificate key pair has not bee generated on the appliance "svpas00012.ads.ktag.ch".  Please use Get-HPOVScmbCertificates to generate a new certificate key pair.
At line:1 char:1
+ Remove-HPOVScmbCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (ScmbCertifcateKeyPait:String) [Remove-HPOVScmbCertificate], ResourceNotFoundException
    + FullyQualifiedErrorId : ResourceNotFound,Remove-HPOVScmbCertificate

 

and the command "Get-HPOVScmbCertificate" is not right. The correct command is "Get-HPOVScmbCertificates"

PS C:\> Get-HPOVScmbCertificates
Get-HPOVScmbCertificates : The requested resource '/rest/certificates/client/rabbitmq/keypair/default' could not be found. Please supply a valid and unique common name and try again.
At line:1 char:1
+ Get-HPOVScmbCertificates
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (URI:String) [Get-HPOVScmbCertificates], ResourceNotFoundException
    + FullyQualifiedErrorId : ResourceNotFound,Get-HPOVScmbCertificates

 

After I run the command, I see the following entry on the HPE OneView GUI under Activity (see attachment):

Client Certificate Generation.

Issue

 

Error occurred while generating RabbitMq client certificate.
Error occurred while creating Key pairs for RabbitMq.

Resolution

Please retry the operation.

 

IvoT
Member

Re: Self-signed certificate Error after Upgrade OneView 4.0

Hi, I had the same problem and just want to share what I did. Maybe I am stupid, but I did what the error says.
It said that State is not CA, so I was curious what would happen if I put the letters CA in the State (ST) field.
And ....   It worked !!

  • State or province (ST)    CA

Looks like that is all the appliance wants.
So I encourage all to test it :  Security >> Actions >> Create appliance self signed Cert
Then fill it in as you need, but probably just keep ST=CA (even if you are not from the US)   :-)

 

MarioE
Trusted Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

@IvoT

Hi
the error says: Resolution Provide a certificate with Basic Constraint set to SubjectType=CA
I have no mistake which says, "State" has to be CA.
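
The distinction raised in the two posts above (the subject field ST=CA versus the Basic Constraints extension that the alert names) can be checked directly on any certificate. The following PowerShell is an added example, not part of the thread and not HPE code; the function names `New-SampleCert` and `Get-BasicConstraintReport` and both sample certificates are constructed for illustration, and it assumes PowerShell 7 or Windows PowerShell on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Build a throwaway self-signed certificate in memory (constructed sample data).
function New-SampleCert {
    param([string]$Subject, [bool]$IsCa)
    $rsa  = [RSA]::Create(2048)
    $hash = [HashAlgorithmName]::SHA256
    $pad  = [RSASignaturePadding]::Pkcs1
    $req  = [CertificateRequest]::new($Subject, $rsa, $hash, $pad)
    # Basic Constraints extension (OID 2.5.29.19): CA flag, no path length limit, critical
    $bc = [X509BasicConstraintsExtension]::new($IsCa, $false, 0, $true)
    $req.CertificateExtensions.Add($bc)
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
}

# Report what the alert is about: the CA flag in Basic Constraints, not the subject.
function Get-BasicConstraintReport {
    param([X509Certificate2]$Cert)
    $ext  = $Cert.Extensions['2.5.29.19']
    $isCa = $false
    if ($null -ne $ext) {
        # Decode the raw extension bytes so the CA flag comes from the certificate itself
        $isCa = [X509BasicConstraintsExtension]::new($ext, $ext.Critical).CertificateAuthority
    }
    [pscustomobject]@{
        Subject             = $Cert.Subject
        SelfSigned          = ($Cert.Subject -eq $Cert.Issuer)   # heuristic: subject equals issuer
        HasBasicConstraints = ($null -ne $ext)
        IsCA                = $isCa
    }
}

# Two constructed samples: one with ST=CA in the subject but CA flag off,
# one with a different state but the CA flag on.
$samples = @(
    New-SampleCert -Subject 'CN=constructed-leaf, ST=CA, C=US' -IsCa $false
    New-SampleCert -Subject 'CN=constructed-root, ST=Zurich, C=CH' -IsCa $true
)
$samples | ForEach-Object { Get-BasicConstraintReport -Cert $_ } | Format-Table -AutoSize
```

To inspect a certificate exported from an appliance instead of the samples, pass `[X509Certificate2]::new('<path-to-exported.cer>')` to `Get-BasicConstraintReport`.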

 

 

MarGro
Occasional Collector

Re: Self-signed certificate Error after Upgrade OneView 4.0

Same issue here: after upgrading OneView (Synergy Composer) from 3.10.x to 4.00.07, the same CA error. Changing ST=CA doesn't fix the error. Any other thoughts?

MarioE
Trusted Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

The problem was fixed today after 2 months.
After I opened a case at HPE 2 months ago, I was able to do a WebEx session today.
Using REST API, support was able to delete the certificate.
Then, a new certificate was created in the HPE OneView.


The parameter for REST API was:

DELETE https://<HOSTNAME>/rest/certificates/ca/rabbitmq_readonly

This was done with support from HPE.
As already mentioned, I had the support of HPE through an opened case.

ChrisLynch
HPE Pro

Re: Self-signed certificate Error after Upgrade OneView 4.0

@MarioE, glad to see your issue was resolved.  But you could have also used the PowerShell library to perform that step (Remove-HPOVScmbCertificate).

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
MarioE
Trusted Contributor

Re: Self-signed certificate Error after Upgrade OneView 4.0

@ChrisLynch, I tried that too. I got an error with the command in the PowerShell, as described above. It worked with REST API.

ChrisLynch
HPE Pro

Re: Self-signed certificate Error after Upgrade OneView 4.0

The Cmdlet uses the exact same REST API call.  Not sure why it failed for you and the raw REST API call worked.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Mainecoon
Advisor

Re: Self-signed certificate Error after Upgrade OneView 4.0

Hi Chris,

When I try the remove command, I get the yes/no question and after that it fails with "The operation has timed out"

any idea why that happens?

 

Derek_S56
New Member

Re: Self-signed certificate Error after Upgrade OneView 4.0

# Remove the SCMB certificate from the connected appliance
Remove-HPOVScmbCertificate

# Recreate and retrieve the certs
Get-HPOVScmbCertificate

 There was a spelling mistake

Get-HPOVScmbCertificates     is correct (Forgot the S) for syntax 

and the original Remove Commandlet is correct 

Derek_S56
New Member

Re: Self-signed certificate Error after Upgrade OneView 4.0

@Mainecoon  you need to reply with  "Y" 

Mainecoon
Advisor

Re: Self-signed certificate Error after Upgrade OneView 4.0

Eh yeah that is clear, it happens afterwards so during the removal process after the y
Mainecoon
Advisor

Re: Self-signed certificate Error after Upgrade OneView 4.0

Please see the attachment to make it clearer