HPE OneView
cancel
Showing results for 
Search instead for 
Did you mean: 

SHA-1 certificates must be replaced by new certificates.

 
Highlighted
Advisor

SHA-1 certificates must be replaced by new certificates.

Hi All

We have recently upgraded our OneView from an old 4.x version to   5.20.01-0420365 (appliance).

Under Appliance Alerts, Im seeing the following: 

The appliance is using an SCMB (State-Change Message Bus) or MSMB (Metric Streaming Message Bus) certificate created using SHA-1. SHA-1 certificates are insecure and will not be supported by most modern browsers in 2017 or by future versions of the appliance. SHA-1 certificates must be replaced by new certificates.

I've found the following thread: https://community.hpe.com/t5/hpe-oneview/self-signed-certificate-error-after-upgrade-oneview-4-0/td-p/6993311/page/2

This suggests that I try:

# Remove the SCMB certificate from the connected appliance
Remove-HPOVScmbCertificate

# Recreate and retrieve the certs
Get-HPOVScmbCertificates

 However, the first command gives me:

PS C:\WINDOWS\system32> Remove-HPOVScmbCertificate

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove SCMB (RabbitMQ) rabbit_readonly user certificates" on target "10.33.1.28".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y
Remove-HPOVScmbCertificate : The Method requested was DELETE but the required 'If-Match' HTTP header is not found.
At line:1 char:1
+ Remove-HPOVScmbCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Remove-HPOVScmbCertificate], Exception
+ FullyQualifiedErrorId : The Method requested was DELETE but the required 'If-Match' HTTP header is not found.,Re
move-HPOVScmbCertificate

 

I saw another suggestion in the above thread that said using the REST API command to:

DELETE https://xx.xx.xx.xxx/rest/certificates/ca/rabbitmq_readonly

I used a tool called Postman to submit the above (successfully passing an auth session token in the header. When sending that command I recieved "204 No Content"

I've rebooted the OneView appliance, and still the "The appliance is using an SCMB ...." alert shows up.

Any ideas would be much appreciated!

Cheers

 

 
20 REPLIES 20
Highlighted
HPE Pro

Re: SHA-1 certificates must be replaced by new certificates.

You can use the following instead via PowerShell:

Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{“eTag” = “*”}

The API call is documented in this CA.  Do know that if your appliance uses the default Self-Signed Certificate, it will be deleted and recreated.


I am an HPE employee

Accept or Kudo

Highlighted
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

Thanks for yuor reply there Chris - very much appreciated!

I've just reconnected to the oneview instance via Connect-HPOVMgmt.

I've tried your command and this is the output:

PS C:\WINDOWS\system32> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{"eTag" = "*"}
Send-HPOVRequest : A parameter cannot be found that matches parameter name 'AddHeaders'.
At line:1 char:68
+ ... -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{“eTag ...
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Send-HPOVRequest], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Send-HPOVRequest

Any ideas? 

To answer your other question, how can I tell if my appliance is using the default self-signed cert?

Steve

Highlighted
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

In addition to my last reply, here is a verbose output of your powershell command:

PS C:\WINDOWS\system32> Set-PSDebug -Trace 2
PS C:\WINDOWS\system32> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{"eTag" = "*"}
DEBUG: 1+ >>>> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{“eTag” = “*”}
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 5138+ [ValidateScript ( >>>> {if ($_.StartsWith('/')) {$true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: ! CALL function '<ScriptBlock>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5138+ [ValidateScript ({if ( >>>> $_.StartsWith('/')) {$true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: 5138+ [ValidateScript ({if ($_.StartsWith('/')) { >>>> $true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: 5138+ [ValidateScript ({if ($_.StartsWith('/')) {$true} else {throw "-URI must being with a '/' (eg.
/rest/server-hardware) in its value. Please correct the value and try again."} >>>> })]
DEBUG: 5142+ [ValidateScript ( >>>> {if ("GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: ! CALL function '<ScriptBlock>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5142+ [ValidateScript ({if ( >>>> "GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: 5142+ [ValidateScript ({if ("GET","POST","DELETE","PATCH","PUT" -match $_) { >>>> $true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: 5142+ [ValidateScript ({if ("GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw "'$_' is
not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." } >>>> })]
DEBUG: 19+ if ( & >>>> { Set-StrictMode -Version 1; $_.PSMessageDetails } )
{
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 19+ if ( & { >>>> Set-StrictMode -Version 1; $_.PSMessageDetails } )
{
DEBUG: 19+ if ( & { Set-StrictMode -Version 1; >>>> $_.PSMessageDetails } )
{
DEBUG: 1+ & >>>> { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 1+ & { >>>> Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }
DEBUG: 1+ & { Set-StrictMode -Version 1; >>>> $this.Exception.InnerException.PSMessageDetails }
DEBUG: 1+ & { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails >>>> }
DEBUG: 19+ if ( & { Set-StrictMode -Version 1; $_.PSMessageDetails >>>> } )
{
DEBUG: 26+ $errorCategoryMsg = & >>>> { Set-StrictMode -Version 1;
$_.ErrorCategory_Message }
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 26+ $errorCategoryMsg = & { >>>> Set-StrictMode -Version 1;
$_.ErrorCategory_Message }
DEBUG: 26+ $errorCategoryMsg = & { Set-StrictMode -Version 1; >>>>
$_.ErrorCategory_Message }
DEBUG: 26+ $errorCategoryMsg = & { Set-StrictMode -Version 1;
$_.ErrorCategory_Message >>>> }
DEBUG: 42+ $originInfo = & >>>> { Set-StrictMode -Version 1; $_.OriginInfo
}
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 42+ $originInfo = & { >>>> Set-StrictMode -Version 1; $_.OriginInfo
}
DEBUG: 42+ $originInfo = & { Set-StrictMode -Version 1; >>>> $_.OriginInfo
}
DEBUG: 42+ $originInfo = & { Set-StrictMode -Version 1; $_.OriginInfo >>>>
}
Send-HPOVRequest : A parameter cannot be found that matches parameter name 'AddHeaders'.
At line:1 char:68
+ ... -Uri /rest/certificates/ca/default -Method DELETE -AddHeaders @{“eTag ...
+ ~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Send-HPOVRequest], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Send-HPOVRequest

PS C:\WINDOWS\system32>

Highlighted
HPE Pro

Re: SHA-1 certificates must be replaced by new certificates.

Sorry, the parameter name is -AddHeader, not -AddHeaders as it is documented for the Cmdlet. I cannot remember when I added that parameter. So please make sure your library is the same version as the appliance (at a minimum).

I am an HPE employee

Accept or Kudo

Highlighted
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

Cheers for that - 

Here is the latest:

PS C:\WINDOWS\system32> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeader @{"eTag" = "*"}
DEBUG: 1+ >>>> Send-HPOVRequest -Uri /rest/certificates/ca/default -Method DELETE -AddHeader @{“eTag” = “*”}
DEBUG: ! CALL function '<ScriptBlock>'
DEBUG: 5138+ [ValidateScript ( >>>> {if ($_.StartsWith('/')) {$true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: ! CALL function '<ScriptBlock>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5138+ [ValidateScript ({if ( >>>> $_.StartsWith('/')) {$true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: 5138+ [ValidateScript ({if ($_.StartsWith('/')) { >>>> $true} else {throw "-URI must being with a '/'
(eg. /rest/server-hardware) in its value. Please correct the value and try again."}})]
DEBUG: 5138+ [ValidateScript ({if ($_.StartsWith('/')) {$true} else {throw "-URI must being with a '/' (eg.
/rest/server-hardware) in its value. Please correct the value and try again."} >>>> })]
DEBUG: 5142+ [ValidateScript ( >>>> {if ("GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: ! CALL function '<ScriptBlock>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5142+ [ValidateScript ({if ( >>>> "GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: 5142+ [ValidateScript ({if ("GET","POST","DELETE","PATCH","PUT" -match $_) { >>>> $true} else { Throw
"'$_' is not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." }})]
DEBUG: 5142+ [ValidateScript ({if ("GET","POST","DELETE","PATCH","PUT" -match $_) {$true} else { Throw "'$_' is
not a valid Method. Only GET, POST, DELETE, PATCH, or PUT are allowed." } >>>> })]
DEBUG: 5172+ [Object]$Hostname = >>>> (${Global:ConnectedSessions} | Where-Object Default)
DEBUG: 5177+ >>>> {
DEBUG: ! CALL function 'Send-HPOVRequest<Begin>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5179+ >>>> "[{0}] BEGIN" -f $MyInvocation.InvocationName.ToString().ToUpper() | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] BEGIN
DEBUG: 5181+ >>>> $Caller = (Get-PSCallStack)[1].Command
DEBUG: ! SET $Caller = '<ScriptBlock>'.
DEBUG: 5183+ >>>> "[{0}] Called from: {1}" -f $MyInvocation.InvocationName.ToString().ToUpper(), $Caller |
Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Called from: <ScriptBlock>
DEBUG: 5185+ if ( >>>> $uri -eq $ApplianceLoginSessionsUri -and $Method -eq 'POST')
DEBUG: 5195+ >>>> "[{0}] Bound PS Parameters: {1}" -f $MyInvocation.InvocationName.ToString().ToUpper(),
($PSBoundParameters | out-string) | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Bound PS Parameters:
Key Value
--- -----
uri /rest/certificates/ca/default
method DELETE
AddHeader {eTag}


DEBUG: 5200+ if ( >>>> $PSBoundParameters['body'] -and $body.ApplianceConnection -and (-not($Hostname)) -and
($body -isnot [System.Collections.IEnumerable]))
DEBUG: 5210+ >>>> $AllResponses = [System.Collections.ArrayList]::new()
DEBUG: ! SET $AllResponses = ''.
DEBUG: 5212+ >>>> }
DEBUG: 5215+ >>>> {
DEBUG: ! CALL function 'Send-HPOVRequest<Process>' (defined in file 'C:\Program
Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1')
DEBUG: 5217+ >>>> $c = 1
DEBUG: ! SET $c = '1'.
DEBUG: 5219+ if ( >>>> -not($PSboundParameters['Hostname']) -and (-not([Bool]($Hostname |
Measure-Object).count)))
DEBUG: 5227+ ForEach ($ApplianceHost in >>>> $Hostname)
DEBUG: ! SET $foreach = 'IEnumerator'.
DEBUG: 5227+ ForEach ( >>>> $ApplianceHost in $Hostname)
DEBUG: ! SET $ApplianceHost = '10.33.1.28'.
DEBUG: 5230+ >>>> "[{0}] Process" -f $MyInvocation.InvocationName.ToString().ToUpper() | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Process
DEBUG: 5232+ >>>> "[{0}] Hostname value: {1}" -f $MyInvocation.InvocationName.ToString().ToUpper(),
($ApplianceHost | Out-String) | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Hostname value:
ConnectionID Name UserName AuthLoginDomain Default
------------ ---- -------- --------------- -------
1 10.33.1.28 administrator LOCAL True


DEBUG: 5235+ if ( >>>> ${Global:ResponseErrorObject} | Where-Object Name -eq $ApplianceHost.Name)
DEBUG: 5235+ if ( >>>> ${Global:ResponseErrorObject} | Where-Object Name -eq $ApplianceHost.Name)
DEBUG: 5247+ if ( >>>> $ApplianceHost -is [String] -and (${Global:ConnectedSessions} | Where-Object Name
-eq $ApplianceHost ))
DEBUG: 5256+ elseif ( >>>> $ApplianceHost -isnot [HPOneView.Appliance.Connection] -and
$ApplianceHost.Name)
DEBUG: 5265+ >>>> "[{0}] Processing '{1}' appliance connection request. {2} of {3}" -f
$MyInvocation.InvocationName.ToString().ToUpper(), $ApplianceHost.Name,$c,$Hostname.count | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Processing '10.33.1.28' appliance connection request. 1 of 1
DEBUG: 5268+ >>>> "[{0}] Requested URI '{1}' to '{2}'" -f
$MyInvocation.InvocationName.ToString().ToUpper(), $uri, ($ApplianceHost.Name -join ',') | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Requested URI '/rest/certificates/ca/default' to '10.33.1.28'
DEBUG: 5270+ if ( >>>> $WhiteListedURIs -contains $uri)
DEBUG: 5278+ elseif ( >>>> -not($ApplianceHost.SessionID))
DEBUG: 5287+ >>>> $AllMembers = [System.Collections.ArrayList]::new()
DEBUG: ! SET $AllMembers = ''.
DEBUG: 5291+ >>>> [Bool]$manualPaging = $false
DEBUG: ! SET $manualPaging = 'False'.
DEBUG: 5293+ if ( >>>> $uri.ToLower().Contains("count=") -or $uri.ToLower().Contains("count ="))
DEBUG: 5300+ elseif ( >>>> $count -gt 0)
DEBUG: 5319+ elseif ( >>>> $start -gt 0)
DEBUG: 5339+ >>>> $_TelemetryStopWatch = [system.diagnostics.stopwatch]::startNew()
DEBUG: ! SET $_TelemetryStopWatch = 'System.Diagnostics.Stopwatch'.
DEBUG: 5342+ >>>> $taskReceived = $False
DEBUG: ! SET $taskReceived = 'False'.
DEBUG: 5344+ >>>> $url = 'https://{0}{1}' -f $ApplianceHost.Name, $uri
DEBUG: ! SET $url = 'https://10.33.1.28/rest/certificates/ca/default'.
DEBUG: 5346+ >>>> [System.Net.WebRequest]$req = ([HPOneView.Utilities.Net]::new()).RestClient($url,
$Method, $MaxXAPIVersion)
DEBUG: ! SET $req = 'System.Net.HttpWebRequest'.
DEBUG: 5348+ if ( >>>> $PSBoundParameters['OverrideContentType'])
DEBUG: 5355+ if ( >>>> $PSBoundParameters['OverrideTimeout'])
DEBUG: 5363+ if ( >>>> $ApplianceHost.SessionID -and $ApplianceHost.SessionID -ne
'TemporaryConnection')
DEBUG: 5366+ >>>> $req.Headers.Item("auth") = $ApplianceHost.SessionID
DEBUG: 5372+ if( >>>> $PSBoundParameters['AddHeader'])
DEBUG: 5375+ ForEach ($_header in >>>> $AddHeader.GetEnumerator())
DEBUG: ! SET $foreach = 'IEnumerator'.
DEBUG: 5375+ ForEach ( >>>> $_header in $AddHeader.GetEnumerator())
DEBUG: ! SET $_header = 'System.Collections.DictionaryEntry'.
DEBUG: 5380+ if ( >>>> $_header.Key -eq 'If-Match')
DEBUG: 5403+ >>>> "[{0}] Overloading '{1}' in HttpWebRequest object to: {2}" -f
$MyInvocation.InvocationName.ToString().ToUpper(), $_header.Key, $_header.Value | Write-Verbose
VERBOSE: [SEND-HPOVREQUEST] Overloading 'eTag' in HttpWebRequest object to: *
DEBUG: 5405+ >>>> $req.Headers.Item($_header.Key) = [String]$_header.Value
DEBUG: 5375+ ForEach ( >>>> $_header in $AddHeader.GetEnumerator())
DEBUG: ! SET $foreach = 'IEnumerator'.
DEBUG: 5414+ if ( >>>> $Method -eq 'DELETE' -and -not $req.Headers.Item('If-Match') -and $Uri -ne
$ApplianceLoginSessionsUri)
DEBUG: 5417+ >>>> Throw ([Exception]::new("The Method requested was DELETE but the required
'If-Match' HTTP header is not found."))
DEBUG: ! SET $foreach = ''.
The Method requested was DELETE but the required 'If-Match' HTTP header is not found.
At C:\Program Files\WindowsPowerShell\Modules\HPOneView.520\5.20.2470.2147\HPOneView.520.psm1:5417 char:21
+ ... Throw ([Exception]::new("The Method requested was DELETE ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], Exception
+ FullyQualifiedErrorId : The Method requested was DELETE but the required 'If-Match' HTTP header is not found.

PS C:\WINDOWS\system32>

Highlighted
HPE Pro

Re: SHA-1 certificates must be replaced by new certificates.

What you are providing is not really helpful. Instead, please use the Get-HPOVCommandTrace Cmdlet to capture the verbose output. And please provide the output from $PSVersionTable.

I am an HPE employee

Accept or Kudo

Highlighted
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

$PSVersionTable

Name Value
---- -----
PSVersion 5.1.19041.1
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.1
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Highlighted
HPE Pro

Re: SHA-1 certificates must be replaced by new certificates.

What about $PSModuleVersion? Or Get-Module HPOneView*.

I am an HPE employee

Accept or Kudo

Highlighted
Advisor

Re: SHA-1 certificates must be replaced by new certificates.

Cheers

Get-Module HPOneView* -verbose

ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 5.20.24... HPOneView.520 {Add-HPOVApplianceTrustedCertificate, Add-HPOVBaseline, Add-HPOVClusterManager, Add-HPOVClusterNode...}