HPE OneView

Re: SHA-1 certificates must be replaced by new certificates.

 
Ruster007
Advisor

SHA-1 certificates must be replaced by new certificates.

Hi All

We have recently upgraded our OneView from an old 4.x version to 5.20.01-0420365 (appliance).

Under Appliance Alerts, I'm seeing the following:

The appliance is using an SCMB (State-Change Message Bus) or MSMB (Metric Streaming Message Bus) certificate created using SHA-1. SHA-1 certificates are insecure and will not be supported by most modern browsers in 2017 or by future versions of the appliance. SHA-1 certificates must be replaced by new certificates.

I've found the following thread: https://community.hpe.com/t5/hpe-oneview/self-signed-certificate-error-after-upgrade-oneview-4-0/td-p/6993311/page/2

This suggests that I try:

# Remove the SCMB certificate from the connected appliance
Remove-HPOVScmbCertificate

# Recreate and retrieve the certs
Get-HPOVScmbCertificates

 However, the first command gives me:

PS C:\WINDOWS\system32> Remove-HPOVScmbCertificate

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove SCMB (RabbitMQ) rabbit_readonly user certificates" on target "10.33.1.28".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
Remove-HPOVScmbCertificate : The Method requested was DELETE but the required 'If-Match' HTTP header is not found.
At line:1 char:1
+ Remove-HPOVScmbCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Remove-HPOVScmbCertificate], Exception
+ FullyQualifiedErrorId : The Method requested was DELETE but the required 'If-Match' HTTP header is not found.,Re
move-HPOVScmbCertificate

 

I saw another suggestion in the above thread that said to use the REST API command:

DELETE https://xx.xx.xx.xxx/rest/certificates/ca/rabbitmq_readonly

I used a tool called Postman to submit the above (successfully passing an auth session token in the header). When sending that command I received "204 No Content".

I've rebooted the OneView appliance, and still the "The appliance is using an SCMB ...." alert shows up.

Any ideas would be much appreciated!

Cheers

 

 
ChrisLynch
HPE Pro

Re: SHA-1 certificates must be replaced by new certificates.

You can use the following instead via PowerShell:

Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{"eTag" = "*"}

The API call is documented in this CA. Do know that if your appliance uses the default Self-Signed Certificate, it will be deleted and recreated.


I am an HPE employee


Ruster007
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

Thanks for your reply there Chris - very much appreciated!

I've just reconnected to the oneview instance via Connect-HPOVMgmt.

I've tried your command and this is the output:

PS C:\WINDOWS\system32> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{"eTag" = "*"}
Send-HPOVRequest : A parameter cannot be found that matches parameter name 'AddHeaders'.
At line:1 char:68
+ ... -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{“eTag ...
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Send-HPOVRequest], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Send-HPOVRequest

Any ideas? 

To answer your other question, how can I tell if my appliance is using the default self-signed cert?

Steve
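
The alert and the self-signed question above both come down to two properties of a certificate: its signature algorithm and whether subject and issuer match. The following is an added example, not part of the original posts and not HPE code; the function names are hypothetical and the two sample certificates are constructed in memory (this needs .NET Framework 4.7.2 or later).

```powershell
# Added example: report whether a certificate is signed with SHA-1 and whether
# it is self-issued. Function names are hypothetical, not HPOneView cmdlets.

# OIDs of signature algorithms that hash with SHA-1.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',   # sha1WithRSAEncryption
    '1.2.840.10040.4.3',      # dsa-with-sha1
    '1.2.840.10045.4.1'       # ecdsa-with-SHA1
)

function Test-CertificateHash {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
        UsesSha1           = $Sha1SignatureOids -contains $Certificate.SignatureAlgorithm.Value
        # Subject equal to issuer means self-issued, which is what a default
        # self-signed certificate looks like; a CA-signed one names the CA here.
        SelfIssued         = $Certificate.Subject -eq $Certificate.Issuer
        NotAfter           = $Certificate.NotAfter
    }
}

# Constructed sample input: builds a throwaway self-signed certificate in memory.
# Nothing is written to the Windows certificate store.
function New-SampleCertificate {
    param([string]$Subject, [string]$HashName)
    $rsa  = [System.Security.Cryptography.RSA]::Create(2048)
    $hash = [System.Security.Cryptography.HashAlgorithmName]::new($HashName)
    $req  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa, $hash,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $now  = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
}

foreach ($name in 'SHA1', 'SHA256') {
    $cert = New-SampleCertificate -Subject "CN=constructed-$name" -HashName $name
    Test-CertificateHash -Certificate $cert
}
```

To check a real certificate, export it to a file and pass `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)` to `Test-CertificateHash`, where `$path` is wherever you saved it.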

Ruster007
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

In addition to my last reply, here is a verbose output of your powershell command:

PS C:\WINDOWS\system32> Set-PSDebug -Trace 2
PS C:\WINDOWS\system32> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{"eTag" = "*"}
DEBUG: 1+ >>>> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{“eTag” = “*”}
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 5138+ [ValidateScript ( >>>> {if ($_.StartsWith('/')) {$true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: ! CALL function '<ScriptBlock>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5138+ [ValidateScript ({if ( >>>> $_.StartsWith('/')) {$true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: 5138+ [ValidateScript ({if ($_.StartsWith('/')) { >>>> $true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: 5138+ [ValidateScript ({if ($_.StartsWith('/')) {$true} else {throw "-URI must being with a '/' (eg.
/rest/server-hardware) in its value. Please correct the value and try again."} >>>> })]
DEBUG: 5142+ [ValidateScript ( >>>> {if ("GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: ! CALL function '<ScriptBlock>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5142+ [ValidateScript ({if ( >>>> "GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: 5142+ [ValidateScript ({if ("GET","POST","DELETE","PATCH","PUT" -match $_) { >>>> $true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: 5142+ [ValidateScript ({if ("GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw "'$_' is
not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." } >>>> })]
DEBUG: 19+ if ( & >>>> { Set-StrictMode -Version 1; $_.PSMessageDetails } )
{
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 19+ if ( & { >>>> Set-StrictMode -Version 1; $_.PSMessageDetails } )
{
DEBUG: 19+ if ( & { Set-StrictMode -Version 1; >>>> $_.PSMessageDetails } )
{
DEBUG: 1+ & >>>> { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 1+ & { >>>> Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }
DEBUG: 1+ & { Set-StrictMode -Version 1; >>>> $this.Exception.InnerException.PSMessageDetails }
DEBUG: 1+ & { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails >>>> }
DEBUG: 19+ if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails >>>> } )
{
DEBUG: 26+ $errorCategoryMsg = & >>>> { Set-StrictMode -Version 1;
$_.ErrorCategory_Message }
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 26+ $errorCategoryMsg = & { >>>> Set-StrictMode -Version 1;
$_.ErrorCategory_Message }
DEBUG: 26+ $errorCategoryMsg = & { Set-StrictMode -Version 1; >>>>
$_.ErrorCategory_Message }
DEBUG: 26+ $errorCategoryMsg = & { Set-StrictMode -Version 1;
$_.ErrorCategory_Message >>>> }
DEBUG: 42+ $originInfo = & >>>> { Set-StrictMode -Version 1; $_.OriginInfo
}
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 42+ $originInfo = & { >>>> Set-StrictMode -Version 1; $_.OriginInfo
}
DEBUG: 42+ $originInfo = & { Set-StrictMode -Version 1; >>>> $_.OriginInfo
}
DEBUG: 42+ $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo >>>>
}
Send-HPOVRequest : A parameter cannot be found that matches parameter name 'AddHeaders'.
At line:1 char:68
+ ... -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{“eTag ...
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Send-HPOVRequest], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Send-HPOVRequest

PS C:\WINDOWS\system32>

ChrisLynch
HPE Pro

Re: SHA-1 certificates must be replaced by new certificates.

Sorry, the parameter name is -AddHeader, not -AddHeaders as it is documented for the Cmdlet. I cannot remember when I added that parameter. So please make sure your library is the same version as the appliance (at a minimum).

I am an HPE employee


Ruster007
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

Cheers for that - 

Here is the latest:

PS C:\WINDOWS\system32> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeader @{"eTag" = "*"}
DEBUG: 1+ >>>> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeader @{“eTag” = “*”}
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 5138+ [ValidateScript ( >>>> {if ($_.StartsWith('/')) {$true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: ! CALL function '<ScriptBlock>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5138+ [ValidateScript ({if ( >>>> $_.StartsWith('/')) {$true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: 5138+ [ValidateScript ({if ($_.StartsWith('/')) { >>>> $true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: 5138+ [ValidateScript ({if ($_.StartsWith('/')) {$true} else {throw "-URI must being with a '/' (eg.
/rest/server-hardware) in its value. Please correct the value and try again."} >>>> })]
DEBUG: 5142+ [ValidateScript ( >>>> {if ("GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: ! CALL function '<ScriptBlock>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5142+ [ValidateScript ({if ( >>>> "GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: 5142+ [ValidateScript ({if ("GET","POST","DELETE","PATCH","PUT" -match $_) { >>>> $true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: 5142+ [ValidateScript ({if ("GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw "'$_' is
not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." } >>>> })]
DEBUG: 5172+ [Object]$Hostname = >>>> (${Global:ConnectedSessions} | Where-Object Default)
DEBUG: 5177+ >>>> {
DEBUG: ! CALL function 'Send-HPOVRequest<Begin>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5179+ >>>> "[{0}] BEGIN" -f $MyInvocation.InvocationName.ToString().ToUpper() | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] BEGIN
DEBUG: 5181+ >>>> $Caller = (Get-PSCallStack)[1].Command
DEBUG: ! SET $Caller = '<ScriptBlock>'.
DEBUG: 5183+ >>>> "[{0}] Called from: {1}" -f $MyInvocation.InvocationName.ToString().ToUpper(), $Caller |
Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Called from: <ScriptBlock>
DEBUG: 5185+ if ( >>>> $uri -eq $ApplianceLoginSessionsUri -and $Method -eq 'POST')
DEBUG: 5195+ >>>> "[{0}] Bound PS Parameters: {1}" -f $MyInvocation.InvocationName.ToString().ToUpper(),
($PSBoundParameters | out-string) | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Bound PS Parameters:
Key Value
--- -----
uri /rest/certificates/ca/default
method DELETE
AddHeader {eTag}


DEBUG: 5200+ if ( >>>> $PSBoundParameters['body'] -and $body.ApplianceConnection -and (-not($Hostname)) -and
($body -isnot [System.Collections.IEnumerable]))
DEBUG: 5210+ >>>> $AllResponses = [System.Collections.ArrayList]::new()
DEBUG: ! SET $AllResponses = ''.
DEBUG: 5212+ >>>> }
DEBUG: 5215+ >>>> {
DEBUG: ! CALL function 'Send-HPOVRequest<Process>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5217+ >>>> $c = 1
DEBUG: ! SET $c = '1'.
DEBUG: 5219+ if ( >>>> -not($PSboundParameters['Hostname']) -and (-not([Bool]($Hostname |
Measure-Object).count)))
DEBUG: 5227+ ForEach ($ApplianceHost in >>>> $Hostname)
DEBUG: ! SET $foreach = 'IEnumerator'.
DEBUG: 5227+ ForEach ( >>>> $ApplianceHost in $Hostname)
DEBUG: ! SET $ApplianceHost = '10.33.1.28'.
DEBUG: 5230+ >>>> "[{0}] Process" -f $MyInvocation.InvocationName.ToString().ToUpper() | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Process
DEBUG: 5232+ >>>> "[{0}] Hostname value: {1}" -f $MyInvocation.InvocationName.ToString().ToUpper(),
($ApplianceHost | Out-String) | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Hostname value:
ConnectionID Name UserName AuthLoginDomain Default
------------ ---- -------- --------------- -------
1 10.33.1.28 administrator LOCAL True


DEBUG: 5235+ if ( >>>> ${Global:ResponseErrorObject} | Where-Object Name -eq $ApplianceHost.Name)
DEBUG: 5235+ if ( >>>> ${Global:ResponseErrorObject} | Where-Object Name -eq $ApplianceHost.Name)
DEBUG: 5247+ if ( >>>> $ApplianceHost -is [String] -and (${Global:ConnectedSessions} | Where-Object Name
-eq $ApplianceHost ))
DEBUG: 5256+ elseif ( >>>> $ApplianceHost -isnot [HPOneView.Appliance.Connection] -and
$ApplianceHost.Name)
DEBUG: 5265+ >>>> "[{0}] Processing '{1}' appliance connection request. {2} of {3}" -f
$MyInvocation.InvocationName.ToString().ToUpper(), $ApplianceHost.Name,$c,$Hostname.count | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Processing '10.33.1.28' appliance connection request. 1 of 1
DEBUG: 5268+ >>>> "[{0}] Requested URI '{1}' to '{2}'" -f
$MyInvocation.InvocationName.ToString().ToUpper(), $uri, ($ApplianceHost.Name -join ',') | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Requested URI '/rest/certificates/ca/default' to '10.33.1.28'
DEBUG: 5270+ if ( >>>> $WhiteListedURIs -contains $uri)
DEBUG: 5278+ elseif ( >>>> -not($ApplianceHost.SessionID))
DEBUG: 5287+ >>>> $AllMembers = [System.Collections.ArrayList]::new()
DEBUG: ! SET $AllMembers = ''.
DEBUG: 5291+ >>>> [Bool]$manualPaging = $false
DEBUG: ! SET $manualPaging = 'False'.
DEBUG: 5293+ if ( >>>> $uri.ToLower().Contains("count=") -or $uri.ToLower().Contains("count ="))
DEBUG: 5300+ elseif ( >>>> $count -gt 0)
DEBUG: 5319+ elseif ( >>>> $start -gt 0)
DEBUG: 5339+ >>>> $_TelemetryStopWatch = [system.diagnostics.stopwatch]::startNew()
DEBUG: ! SET $_TelemetryStopWatch = 'System.Diagnostics.Stopwatch'.
DEBUG: 5342+ >>>> $taskReceived = $False
DEBUG: ! SET $taskReceived = 'False'.
DEBUG: 5344+ >>>> $url = 'https://{0}{1}' -f $ApplianceHost.Name, $uri
DEBUG: ! SET $url = 'https://10.33.1.28/rest/certificates/ca/default'.
DEBUG: 5346+ >>>> [System.Net.WebRequest]$req = ([HPOneView.Utilities.Net]::new()).RestClient($url,
$Method, $MaxXAPIVersion)
DEBUG: ! SET $req = 'System.Net.HttpWebRequest'.
DEBUG: 5348+ if ( >>>> $PSBoundParameters['OverrideContentType'])
DEBUG: 5355+ if ( >>>> $PSBoundParameters['OverrideTimeout'])
DEBUG: 5363+ if ( >>>> $ApplianceHost.SessionID -and $ApplianceHost.SessionID -ne
'TemporaryConnection')
DEBUG: 5366+ >>>> $req.Headers.Item("auth") = $ApplianceHost.SessionID
DEBUG: 5372+ if( >>>> $PSBoundParameters['AddHeader'])
DEBUG: 5375+ ForEach ($_header in >>>> $AddHeader.GetEnumerator())
DEBUG: ! SET $foreach = 'IEnumerator'.
DEBUG: 5375+ ForEach ( >>>> $_header in $AddHeader.GetEnumerator())
DEBUG: ! SET $_header = 'System.Collections.DictionaryEntry'.
DEBUG: 5380+ if ( >>>> $_header.Key -eq 'If-Match')
DEBUG: 5403+ >>>> "[{0}] Overloading '{1}' in HttpWebRequest object to: {2}" -f
$MyInvocation.InvocationName.ToString().ToUpper(), $_header.Key, $_header.Value | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Overloading 'eTag' in HttpWebRequest object to: *
DEBUG: 5405+ >>>> $req.Headers.Item($_header.Key) = [String]$_header.Value
DEBUG: 5375+ ForEach ( >>>> $_header in $AddHeader.GetEnumerator())
DEBUG: ! SET $foreach = 'IEnumerator'.
DEBUG: 5414+ if ( >>>> $Method -eq 'DELETE' -and -not $req.Headers.Item('If-Match') -and $Uri -ne
$ApplianceLoginSessionsUri)
DEBUG: 5417+ >>>> Throw ([Exception]::new("The Method requested was DELETE but the required
'If-Match' HTTP header is not found."))
DEBUG: ! SET $foreach = ''.
The Method requested was DELETE but the required 'If-Match' HTTP header is not found.
At C:\Program Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1:5417 char:21
+ ... Throw ([Exception]::new("The Method requested was DELETE ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], Exception
+ FullyQualifiedErrorId : The Method requested was DELETE but the required 'If-Match' HTTP header is not found.

PS C:\WINDOWS\system32>
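
The trace above shows the module copying the supplied `eTag` header into the request (line 5405) and then refusing the DELETE locally at line 5414 because the request carries no `If-Match` header. The following is an added illustration, not part of the original posts and not the module's code: a simplified reconstruction of that guard, with a hypothetical function name, that runs without contacting an appliance.

```powershell
# Added illustration: simplified reconstruction of the header handling visible
# in the trace (module lines 5375-5417). Nothing is sent to an appliance.
function Test-DeleteHeaderGuard {   # hypothetical name, not an HPOneView cmdlet
    param(
        [Parameter(Mandatory)][string]$Method,
        [hashtable]$AddHeader = @{}
    )

    # Copy caller-supplied headers into a header collection, as the trace
    # shows happening for 'eTag' at line 5405.
    $headers = [System.Net.WebHeaderCollection]::new()
    foreach ($entry in $AddHeader.GetEnumerator()) {
        $headers[$entry.Key] = [string]$entry.Value
    }

    # Guard from line 5414: a DELETE whose headers lack If-Match is refused
    # before any HTTP request is made. (The module also exempts the login
    # sessions URI; that part is omitted here.)
    if ($Method -eq 'DELETE' -and -not $headers['If-Match']) {
        $outcome = "Throw: required 'If-Match' HTTP header is not found"
    } else {
        $outcome = 'Request would be sent'
    }

    [pscustomobject]@{
        Method  = $Method
        Headers = ($headers.AllKeys -join ', ')
        Outcome = $outcome
    }
}

# Constructed test cases: the header used in the thread, an If-Match header,
# and a GET with no extra headers.
$cases = @(
    @{ Method = 'DELETE'; AddHeader = @{ 'eTag' = '*' } },
    @{ Method = 'DELETE'; AddHeader = @{ 'If-Match' = '*' } },
    @{ Method = 'GET';    AddHeader = @{} }
)
foreach ($c in $cases) { Test-DeleteHeaderGuard @c }
```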

ChrisLynch
HPE Pro

Re: SHA-1 certificates must be replaced by new certificates.

What you are providing is not really helpful. Instead, please use the Get-HPOVCommandTrace Cmdlet to capture the verbose output. And please provide the output from $PSVersionTable.

I am an HPE employee


Ruster007
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

$PSVersionTable

Name Value
---- -----
PSVersion 5.1.19041.1
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.1
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

ChrisLynch
HPE Pro

Re: SHA-1 certificates must be replaced by new certificates.

What about $PSModuleVersion? Or Get-Module HPOneView*.

I am an HPE employee


Ruster007
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

Cheers

Get-Module HPOneView* -verbose

ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 5.20.24... HPOneView.520 {Add-HPOVApplianceTrustedCertificate, Add-HPOVBaseline, Add-HPOVClusterManager, Add-HPOVClusterNode...}