HPE Community
HPE OneView
1824363 Members
3266 Online
109669 Solutions
New Discussion юеВ

Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

 
MarioE
Trusted Contributor

тАО03-26-2018 04:03 AM

тАО03-26-2018 04:03 AM

Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hello

I upgraded HPE OneView from Verion 4.00.07 to 4.00.07.02.
Since I have installed this update .02, I receive about 20 messages every day:

Bild1.jpg

Unable to establish trusted communication with the server. The iLO certificate does not have any IP address or host name specified.

Some of these alarms are "Locked".
When I do a refresh of the server, the alarm is mostly cleared again. Sometimes I have to do the refresh 2 or 3 times.

However, most alarms will be cleared right away:

Bild2.jpg

I only have ProLiant DL Server in the HPE OneView. This error I have over all servers (G7, Gen8, Gen9) with all iLO FW versions and over again. Only with the Gen10 servers I do not have this problem.

Does anyone else have this problem?

 

 

2 people had this problem.
0 Kudos
Reply
18 REPLIES 18
peyrache
Respected Contributor

тАО03-26-2018 05:17 AM

тАО03-26-2018 05:17 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Only update ? nor Ilo Ip address change ?
0 Kudos
Reply
MarioE
Trusted Contributor

тАО03-26-2018 05:21 AM

тАО03-26-2018 05:21 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

I only did the updates of the HPE OneView. Before the update, I had never seen this error. I did not make any changes to the iLOs.

0 Kudos
Reply
peyrache
Respected Contributor

тАО03-26-2018 05:32 AM

тАО03-26-2018 05:32 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Shall you post exact error message (complete screen)
Thanks
0 Kudos
Reply
MarioE
Trusted Contributor

тАО03-26-2018 06:14 AM

тАО03-26-2018 06:14 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Unable to establish trusted communication with the server. The iLO certificate does not have any IP address or host name specified.

Resolution Ensure that the iLO is set up with a certificate that has a valid ip address or host name specified. After setting up iLO with the certificate as specified, in case of a CA signed certificate, ensure that the root certificate and the appropriate intermediate certificates are present in OneView's trust store. In case a new iLO self-signed certificate was generated to correct the issue, add the same into OneView's trust store. Refresh the server and retry the operation. Use the link provided below to add certificate(s) to OneView's trust store.

Event details
certificateMismatch true
clearPriorEvents true
correctiveAction Ensure that the iLO is set up with a certificate that has a valid ip address or host name specified. After setting up iLO with the certificate as specified, in case of a CA signed certificate, ensure that the root certificate and the appropriate intermediate certificates are present in OneView's trust store. In case a new iLO self-signed certificate was generated to correct the issue, add the same into OneView's trust store. Refresh the server and retry the operation. Use the link provided below to add certificate(s) to OneView's trust store.
locked     true
resourceUri   /rest/server-hardware/32333536-3030-5A43-3234-323730484452

0 Kudos
Reply
peyrache
Respected Contributor

тАО03-26-2018 06:53 AM

тАО03-26-2018 06:53 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Should be related to:
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00042194en_us&docLocale=en_US
or
Certificate expiration alerts reported during HPE OneView 4.0 upgrade

HPE OneView has a new certificate-related security setting: "Check for expiration of self-signed certificates". The setting is disabled by default. When disabled, a warning alert is displayed for any device with an expired certificate on the device's resource screen. For example, server hardware screen. Additionally, separate alerts for expired certificates are displayed on the Settings > Activity screen.

After HPE OneView 4.0 upgrade, under certain circumstances, warning alerts for expired iLO certificates are not displayed on the corresponding server hardware screen. Note that any server hardware warning alerts will be displayed on the Settings > Activity screen.

The certificate expiration alerts displayed on the Settings > Activity screen are created incorrectly as critical, locked alerts (red alerts) instead of warning alerts.

Suggested action

Communications with devices is not impacted by these specific critical alerts. Both warning and critical alerts are cleared automatically when the corresponding expired certificates are fixed. The certificate alert can be fixed by either generating a new self-signed certificate for the device and placing that in the HPE OneView certificate trust store or by performing a certificate signing request and using a certificate authority-issued certificate for the device. For more information on regenerating iLO certificates, see Correcting expired certificates for an iLO.
0 Kudos
Reply
MarioE
Trusted Contributor

тАО03-26-2018 08:25 AM

тАО03-26-2018 08:25 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

I have no self-signed certificates. All iLO certificate are Trusted SSL Certificate signed by our Certification Authority (CA).
All certificates are valid and have not expired.

0 Kudos
Reply
peyrache
Respected Contributor

тАО03-26-2018 08:28 AM

тАО03-26-2018 08:28 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

So the best is to open a case to HPE support
For Oneview dump analysis
0 Kudos
Reply
ChrisLynch
HPE Pro

тАО03-27-2018 01:29 PM - last edited on тАО11-13-2020 03:31 AM by

тАО03-27-2018 01:29 PM - last edited on тАО11-13-2020 03:31 AM by

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

If you have not already, please add your Issuing and all chain CA certs to your appliance.  Please see this help link about this topic and to navigate other supporting documentation.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
ChrisLynch
HPE Pro

тАО03-27-2018 01:33 PM

тАО03-27-2018 01:33 PM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Just as a quick follow up, 4.00.07.02 was only released to address an SNMPv3 issue with Gen10 and the recently released iLO 1.20 firmware.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Rextor
New Member

тАО06-01-2018 12:11 AM

тАО06-01-2018 12:11 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Did you find a solution for this one? We are facing the same problem when using certificates from our own certificate authority and not the self signed certificates

0 Kudos
Reply
MarioE
Trusted Contributor

тАО06-01-2018 05:07 AM

тАО06-01-2018 05:07 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Yes, I could solve the problem.
We are in the process of replacing our internal CA.
That means I have to enter both CA servers under Settings - Manage certificates (Trust Store).
I had to recreate all iLO Trusted SSL Certificate signed by our old CA, with the new CA.

In the Trust Store, I have changed nothing more, just recreated the certificates with the new CA. That is, there are still both CA (old and new) registered in the Trust Store.

I had both CA registered in the Trust Store for some time, but I only had problems after the update to Version 4.00.07.02.

0 Kudos
Reply
Ralph1969
Advisor

тАО11-06-2018 07:08 AM - edited тАО11-06-2018 07:09 AM

тАО11-06-2018 07:08 AM - edited тАО11-06-2018 07:09 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hi,

I have the same issue, after all my G7 ILO 3 expired all at the same time, I reset the ILO to generate a new cert.
And when I tried to refresh or add in OneVew I get the error "The iLO certificate does not have any IP address or host name specified."

I placed a call to HP to show them the problem, got transfert to a L2 and worked 2hr in a My Room session trying to fix it.
2 weeks later when I ask for an update I get: 
Still working on lab server, will contact you at the earliest once have an update regarding the same.

HP obvioulsy aware of the problem but dont have any solution yet.

 I will update once we figure it out

Save the cheerleader save the world....
0 Kudos
Reply
BhaskarV
Trusted Contributor

тАО11-07-2018 07:15 AM

тАО11-07-2018 07:15 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hi  @Ralph1969

This works, i.e. regenerating the cerificate on the iLO followed by fetching and trusting the new certificate in OneView.
Can you ask for an elevation of the support case?

Regards,
Bhaskar

 


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
craigpennock
Occasional Advisor

тАО02-07-2019 04:02 AM

тАО02-07-2019 04:02 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hello.

Did anyone manage to resolved this for the G7's?

Gen 8 & 9 allow me to create a cert request with the IP address, but G7's do not have this option

Thanks

Craig

0 Kudos
Reply
BhaskarV
Trusted Contributor

тАО02-08-2019 05:49 AM

тАО02-08-2019 05:49 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hi @craigpennock 

Given Gen 7 / iLO3, did you generate a CSR from the iLO and get a CA signed certificate?
Does the certificate you generated for the iLO have the DNS name for the iLO in the SAN / Subject field?
The CSR I generated on my test iLO looks like the attached.

iLO4 Gen7 CSRiLO4 Gen7 CSR

The CN "myilo.pe.com" in the CSR should have made its way through the certifcate signing process.
Let me know. 

Regards,
Bhaskar


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
craigpennock
Occasional Advisor

тАО02-08-2019 07:11 AM

тАО02-08-2019 07:11 AM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

I do not have the option for Common Name so had to add the below on the CA when requesting the cert.

san:dns=IPADDRESS&dns=ILONAME

 

thanks for the advise though

0 Kudos
Reply
BhaskarV
Trusted Contributor

тАО02-10-2019 08:32 PM

тАО02-10-2019 08:32 PM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Thanks @craigpennock  
Glad you worked around the problem by specifying the IP address and FQDN in the SAN when submitting the CSR to the CA.

What version of iLO3 firmware are the Gen7s you have at?
Anything close to 1.88, 1.89 or 1.91 (the latest available firmware for iO3)
If you take a look at the screen shot above where Common Name (CN) = myilo.hpe.com, that field gets carried forward as the Subject field at the very least in the CSR if not the SAN.

Even if the IP address is included in the SAN field, some CAs (Certificate Authorities) do no accept IP addresses.
They do accept FQDNs and allow a provision for you to specify the FQDN in the SAN at the time of submitting the CSR for getting signed, like you just did.

Regards,
Bhaskar


I am an HPE employee

Accept or Kudo

0 Kudos
Reply
VinnyWills
HPE Pro

тАО04-07-2020 05:58 PM

тАО04-07-2020 05:58 PM

Re: Unable to establish trusted communication with the server -> HPE OneView 4.00.07.02

Hello All,

Try creating a new local user acc in ILO and try adding via that also you can resetting the local user account and try...

I am an HPE Employee

Accept or Kudo

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.