Re: Self-signed certificate Error after Upgrade OneView 4.0

MarioE · ‎01-10-2018

Hello

I upgraded HPE OneView from Verion 3.10.07 to 4.00.05 today.
I had to reinstall the root CA Certificate and the WebServer Certificate.
Now I have one more mistake:

Self-signed certificate with alias name HP Infrastructure Management Certificate Authority-internal root Basic Constraint is not valid

Resolution Provide Certificate with Basic Constraint set to SubjectType = CA. Try again.

However, I do not have a self-signed certificate.
How can I clear the error?

The alert is locked.

ChrisLynch · ‎01-12-2018

Is this an HPE Synergy system? Have you updated the Frame Link Module firmware yet?

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Bart_Heungens · ‎01-12-2018

In my case it is a OV VM with a C7000 behind it... So ny Synergy (yet)...

--------------------------------------------------------------------------------
If my post was useful, clik on my KUDOS! "White Star" !

ChrisLynch · ‎01-12-2018

Thank you, Bart. I'm looking into this.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Bart_Heungens · ‎01-12-2018

Hi Chris, if you need more information or want access to my OV Instance, you know where to find me...

--------------------------------------------------------------------------------
If my post was useful, clik on my KUDOS! "White Star" !

MarioE · ‎01-13-2018

Hi Chris

I have an HPE OneView on a VM, only with HPE Proliant Server Monitored. No Synergy, no enclosure with blades available.

ChrisLynch · ‎01-18-2018

Following up on this discussion. This appears to be an issue with the State Change Message Bus (SCMB) certificate when the appliance was upgraded from older versions to 4.00. It will need to be recreated. The easiest way is to use the PowerShell Cmdlets:

# Remove the SCMB certificate from the connected appliance
Remove-HPOVScmbCertificate

# Recreate and retrieve the certs
Get-HPOVScmbCertificate

Please let me know if that does resolve the message.

Also, anyone using HPE OneView Global Dashboard, you will likely need to refresh or reconnect the appliances after performing this operation.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

MarioE · ‎01-22-2018

Hi Chris

What is the syntax for these commands? I could not find anything helpful in the help.
Here is the output of the commands (without syntax):

PS > Remove-HPOVScmbCertificate
Remove-HPOVScmbCertificate : The SCMB certificate key pair has not bee generated on the appliance "<FQDN>". Please use Get-HPOVScmbCertificates to generate a new certificate key pair.
At line:1 char:1
+ Remove-HPOVScmbCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (ScmbCertifcateKeyPait:String) [Remove-HPOVScmbCertificate], ResourceNotFoundException
+ FullyQualifiedErrorId : ResourceNotFound,Remove-HPOVScmbCertificate

and

PS > Get-HPOVScmbCertificates
Get-HPOVScmbCertificates : The requested resource '/rest/certificates/client/rabbitmq/keypair/default' could not be found. Please supply a valid and unique common name and try again.
At line:1 char:1
+ Get-HPOVScmbCertificates
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (URI:String) [Get-HPOVScmbCertificates], ResourceNotFoundException
+ FullyQualifiedErrorId : ResourceNotFound,Get-HPOVScmbCertificates

ComputerUser · ‎01-24-2018

Did anyone solve this problem? I have the exact same issue after upgrading to version 4.0. Here is my alert: "

Self-signed certificate with alias name HP Infrastructure Management Certificate Authority-internalroot Basic Constraint is not valid Security"

"Resolution Provide a certificate with Basic Constraint set to SubjectType=CA. Try again."

ChrisLynch · ‎01-24-2018

@MarioE, the appliance exception to the self-signed certificate is the State Change Message Bus (SCMB). Are you using the HPE OneView for vCenter plugin? If so, what version?

As for the Cmdlets, it appears that someone may have created the SCMB using a different name, and that is why the Cmdlets are failing.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

MarioE · ‎01-25-2018

Hi Chris

we do not use vCenter plugin.
No one has ever created an SCMB certificate. For me, this certificate is new.

fluke · ‎02-01-2018

Installed OneView Powershell from GitHub
https://github.com/HewlettPackard/POSH-HPOneView/releases/tag/v4.0.1554.2229

Ran

# Remove the SCMB certificate from the connected appliance
Remove-HPOVScmbCertificate

# Recreate and retrieve the certs
Get-HPOVScmbCertificate

and nothing happened. Checked OneView GUI Activity and it showed Certificates have been regenerated. It has been 1 hour and the "Self-signed certificate with alias name HP Infrastructure Management ..." error has not showed up. It usually reprompts every hourly.

MarioE · ‎02-01-2018

Here is the output of the commands:

PS C:\> Remove-HPOVScmbCertificate
Remove-HPOVScmbCertificate : The SCMB certificate key pair has not bee generated on the appliance "svpas00012.ads.ktag.ch". Please use Get-HPOVScmbCertificates to generate a new certificate key pair.
At line:1 char:1
+ Remove-HPOVScmbCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (ScmbCertifcateKeyPait:String) [Remove-HPOVScmbCertificate], ResourceNotFoundException
+ FullyQualifiedErrorId : ResourceNotFound,Remove-HPOVScmbCertificate

and the command "Get-HPOVScmbCertificate" is not right. The correct command is "Get-HPOVScmbCertificates"

PS C:\> Get-HPOVScmbCertificates
Get-HPOVScmbCertificates : The requested resource '/rest/certificates/client/rabbitmq/keypair/default' could not be found. Please supply a valid and unique common name and try again.
At line:1 char:1
+ Get-HPOVScmbCertificates
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (URI:String) [Get-HPOVScmbCertificates], ResourceNotFoundException
+ FullyQualifiedErrorId : ResourceNotFound,Get-HPOVScmbCertificates

After I run the command, I see the following entry on the HPE OneVeiw GUI under Activity (see attachment):

Client Certificate Generation.

Issue

Error occurred while generating RabbitMq client certificate.
Error occurred while creating Key pairs for RabbitMq.

Resolution

Please retry the operation.

IvoT · ‎02-05-2018

Hi , I had the same problem, just want to share what I did. Maybe I am stupid, but I did what the error says.
There was sayed that State is not CA, so I was courious what will happen when I Will put in the field State (ST) leters CA.
And .... It worked !!

State or province (ST) CA

Looks that is all what the applience wants
So I encourage all to test it : Security >> Actions >> Create appliance self signed Cert
Then fill as you need probably just Keep ST=CA ( even if you are not from US ) :-)

MarioE · ‎02-12-2018

@IvoT

Hi
the error says: Resolution Provide a certificate with Basic Constraint set to SubjectType=CA
I have no mistake which says, "State" has to be CA.

MarGro · ‎02-28-2018

Same Issue here, after upgrading oneView (Synergy Composer) from 3.10.x to 4.00.07 the same CA error. Changed the ST=CA doesn't fix the error. Any other toughts?

MarioE · ‎03-08-2018

The problem was fixed today after 2 months.
After I opened a case at HPE 2 months ago, I was able to do a WebEx session today.
Using REST API, support was able to delete the certificate.
Then, a new certificate was created in the HPE OneView.

The parameter for REST API was:

DELETE https://<HOSTNAME>/rest/certificates/ca/rabbitmq_readonly

This was done with support from HPE.
As already mentioned, I had the support of HPE through an opened case.

ChrisLynch · ‎03-12-2018

@MarioE, glad to see your issue was resolved. But you could have also used the PowerShell library to perform that step (Remove-HPOVScmbCertificate).

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

MarioE · ‎03-12-2018

@ChrisLynch, I tried that too. I got an error with the command in the PowerShell, as described above. It worked with REST API.

ChrisLynch · ‎03-12-2018

The Cmdlet uses the exact same REST API call. Not sure why it failed for you and the raw REST API call worked.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Mainecoon · ‎03-21-2018

Hi Chris,

When try the remove command, i will get the yes/no question and after that it fails with "The operation has timed out"

any idea why that happens?

Derek_S56 · ‎03-21-2018

# Remove the SCMB certificate from the connected appliance
Remove-HPOVScmbCertificate

# Recreate and retrieve the certs
Get-HPOVScmbCertificate

There was a spelling mistake

Get-HPOVScmbCertificates is correct (Forgot the S) for syntax

and the original Remove Commandlet is correct

Derek_S56 · ‎03-21-2018

@Mainecoon you need to reply with "Y"

Mainecoon · ‎03-21-2018

Eh yeah that is clear, it happens afterwards so during the removal process after the y

Mainecoon · ‎03-22-2018

Please see attachement to make it more clear

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Self-signed certificate Error after Upgrade OneView 4.0

Self-signed certificate Error after Upgrade OneView 4.0