01-22-2020 01:24 AM
Unable to establish trusted communication with servers after installing certificate in HPOneView 5.0
Hi all,
I recently installed a public certificate on our OneView appliance and I can now view it over SSL without any issue, except that the certificates on the blades seem to have disappeared and the appliance now seems unable to communicate with the blades correctly, as you should be able to see in the attached screenshot:
Do I have to create a CSR on each blade and have it signed via the same public CA for things to come back to normal?
Thanks in advance for any advice,
01-23-2020 05:25 AM
Re: Unable to establish trusted communication with servers after installing certificate in HPOneView
Hi Marc,
Yes, you may have to generate CSRs from the server iLOs if they are missing in the OneView appliance trust store.
Alternatively, you may also remove the affected enclosure from the appliance and import it.
Regards
Ronny
I am an HPE employee
01-23-2020 01:17 PM - edited 01-23-2020 01:48 PM
Re: Unable to establish trusted communication with servers after installing certificate in HPOneView
I would not suggest removing and then adding back the enclosure, as it is Managed. Removing then adding a managed enclosure would require downtime, if HPE Virtual Connect fabric modules were present within the enclosure.
The certificates are likely expired. One way you can validate the iLO cert is to view it the same way you did with your HPE OneView appliance. Alternatively, you can use the openssl client to retrieve the peer certificates:
openssl s_client -connect ilo-ip-address-or-fqdn -port 443
# Example using IP Address
openssl s_client -connect 10.4.3.2 -port 443
# Example using FQDN
openssl s_client -connect server-ilo.domain.local -port 443
# Save the base64 string of the peer certificate (the text that starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----") to a local file, then use openssl x509 to show the cert validity
openssl x509 -in C:\path\to\file -noout -dates
I am an HPE employee
01-24-2020 01:06 AM
Re: Unable to establish trusted communication with servers after installing certificate in HPOneView
Indeed, there are Virtual Connect fabric modules present.
When checking via openssl it looks as if there are no certificates installed in the iLO:
CONNECTED(00000003)
140231902615360:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 299 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
and yet when looking via the web administration console I see this:
The issue I have is that when I create a CSR via the web administration and paste the CSR in our CA web site (DigiCert) to get the certificate, I get an error message saying "Domain Name has an invalid value", but it may be something to check up with them rather than here, since you seem to confirm this should be the way to go about it?
01-24-2020 02:32 AM
Re: Unable to establish trusted communication with servers after installing certificate in HPOneView
Hi @Marc_BE
The CN=ILOGB8050BS97 is probably what DigiCert is complaining about.
Most CAs expect an FQDN there, such as CN=ILOGB8050BS97.ilo.ulb.be
So you may need to set the hostname on the iLO with the FQDN like that and generate the CSR after that.
One thing I want to point out is that when you apply a CA-signed certificate for the OV appliance, you do not necessarily need to have CA-signed certificates for the iLOs at all.
The two are not related.
It is OK for the iLOs to have a self-signed certificate (or whatever comes with them by default).
Regards,
Bhaskar
I am an HPE employee
01-27-2020 02:28 AM
Re: Unable to establish trusted communication with servers after installing certificate in HPOneView
Hi @Marc_BE
On the error you have shown in the screen shot, what is the text beyond
Unable to establish trusted communication.
Can you share?
What has most probably happened is that a "Do not trust" CA certificate that belongs to an iLO has accidentally been trusted in the OV trust store. See below from the OneView User Guide.
Trusting a root CA certificate - "iLO/iLO 3/iLO 4/iLO 5 Default Issuer (do not trust)" certificate
When you trust an iLO self-signed certificate using the Settings > Security > Manage Certificates > Add Certificate screen and select Fetch from IP address or hostname, always enable the Force trust leaf certificate option, that ensures only the iLO leaf certificate is added to the trust store. If you forget to use this option, the iLO Default Issuer (do not trust) certificate is sometimes added to the trust store. In that case, delete the Default Issuer (do not trust) certificate. Never place these certificates into the trust store as they can cause errors when present.
Regards
Bhaskar
I am an HPE employee
01-27-2020 07:35 AM
Re: Unable to establish trusted communication with servers after installing certificate in HPOneView
Hi BhaskarV,
Here is the full error message:
Unable to establish trusted communication with the server. The iLO certificate does not have any IP address or host name specified.
Locked
1/21/20 2:58:38 pm
Resolution Ensure that the iLO is set up with a certificate that has a valid ip address or host name specified. After setting up iLO with the certificate as specified, in case of a CA signed certificate, ensure that the root certificate and the appropriate intermediate certificates are present in OneView's trust store. In case a new iLO self-signed certificate was generated to correct the issue, add the same into OneView's trust store. Refresh the server and retry the operation. Use the link provided below to add certificate(s) to OneView's trust store.
Trying to solve the issue, I think I did a factory reset on the blade for which this message shows up. Can it be related?
How should I go about removing the iLO Default Issuer certificate? From the HPOneView via the CLI openssl?
Thanks in advance,
01-27-2020 08:00 PM
Re: Unable to establish trusted communication with servers after installing certificate in HPOneView
Hi @Marc_BE
Navigate to Settings -> Security -> Manage Certificates and search for "Do not trust".
See if you are able to find a certificate such as this.
If yes, you can delete it.
Regards,
Bhaskar
I am an HPE employee
01-27-2020 08:42 PM
Re: Unable to establish trusted communication with servers after installing certificate in HPOneView
And yes, factory reset of the blade will cause a new certificate to be regenerated on the iLO.
Once the certificate on the iLO changes, the server hardware status for this blade will be red.
You will need to navigate to Settings -> Security -> Manage Certificates -> Add Certificate -> Fetch from IP address and hostname, type in the IP address of the server.
This time, make sure to select the Force trust leaf certificate check box. Then validate and Trust the certificate. This ensures the leaf level certificate is fetched and trusted but skips the "iLO Default Issuer (Do not trust)" CA certificate.
Once you do this right, the server hardware status will turn green.
Try this out and let me know.
Do not hesitate to ask questions if this is unclear.
Regards,
Bhaskar
I am an HPE employee
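The checks discussed across this thread (expiry, a bare CN such as ILOGB8050BS97, a missing host name or IP address, and the "Default Issuer (do not trust)" issuer), scripted as an added example that is not part of any post and is not HPE tooling. The function names, finding labels, the host `ilo1.example.test` and the reading of "no IP address or host name" as "no DNS/IP SAN entry" are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Needs OpenSSL 1.1.1+ (-ext, -addext).

# Save the leaf certificate a host presents on port 443 (needs network access).
fetch_cert() {  # usage: fetch_cert <host> <out.pem>
  openssl s_client -connect "$1:443" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# Print findings for a saved PEM certificate, or "ok" when none apply.
# usage: ilo_cert_findings <cert.pem> [horizon_days]  (0 = flag only if already expired)
ilo_cert_findings() (
  pem=$1; secs=$(( ${2:-0} * 86400 )); out=""
  openssl x509 -in "$pem" -noout 2>/dev/null || { echo unreadable; return 2; }
  openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null || out="$out expiring"
  # Issuer name as quoted from the OneView User Guide in this thread.
  if openssl x509 -in "$pem" -noout -issuer | grep -qi 'Default Issuer (do not trust)'; then
    out="$out default-issuer"
  fi
  # A CN without a dot (for example ILOGB8050BS97) is what the CA rejected here.
  cn=$(openssl x509 -in "$pem" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  case $cn in *.*) ;; *) out="$out cn-short-name" ;; esac
  # Assumption: "no IP address or host name" is read as "no DNS/IP SAN entry".
  if ! openssl x509 -in "$pem" -noout -ext subjectAltName 2>/dev/null |
       grep -Eq '(DNS|IP Address):'; then
    out="$out no-san-name"
  fi
  set -- $out; echo "${*:-ok}"
)

# Constructed sample input: throwaway self-signed certificates, not real iLO certs.
make_sample_cert() {  # usage: make_sample_cert <out.pem> <CN> <days> [SAN]
  pem_out=$1 cn=$2 days=$3; shift 3
  if [ $# -gt 0 ]; then set -- -addext "subjectAltName=$1"; fi
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$pem_out.key" -out "$pem_out" \
    -subj "/CN=$cn" -days "$days" "$@" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/bare.pem" ILOGB8050BS97 1
make_sample_cert "$tmp/fqdn.pem" ilo1.example.test 365 "DNS:ilo1.example.test,IP:10.4.3.2"
echo "bare: $(ilo_cert_findings "$tmp/bare.pem" 30)"
echo "fqdn: $(ilo_cert_findings "$tmp/fqdn.pem" 30)"
```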