During troubleshooting of issue at my customer in OneView, I have noticed that there is a SSL certificate issue with one of iLO4 of BL460gen9 ...
After seraching HPE support page, I have stumbled to this article:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00042194en_us
Advisory: (Revision) HP Integrated Lights-Out (iLO) - iLO 3 and iLO 4 Self-Signed SSL Certificate May Have an Expiration Date Earlier Than the Issued Date
The HP Integrated Lights-Out 3 (iLO 3) and HP Integrated Lights-Out 4 (HP iLO 4) may have a self-signed Secure Socket Layer (SSL) certificate containing the incorrect year for the expiration date as follows:
RESOLUTION
Import a Trusted SSL Certificate signed by a Certification Authority (CA) into iLO 3 and iLO 4. Refer to the iLO User Guide for more details.
The HP iLO 4 User Guide is located at the following URL: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03334051 The HP iLO 3 User Guide is located at the following URL: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02774507
If a Certification Authority is not available, perform either of the following steps as a workaround:
Downgrade the iLO firmware
- Downgrade the iLO 3 firmware to Version 1.50 or the iLO 4 firmware to Version 1.13.
- Boot the server and press F9 to enter the ROM-Based Setup Utility (RBSU).
- In the RBSU Date and Time Menu, set the system date to 01-01-2013.
- Save changes and exit the RBSU.
- Wait until the server completes the Power-On Self-Test (POST).
- Log into iLO, verify the iLO date is January 1, 2013, and force iLO to generate a new self-signed SSL certificate by either changing the iLO hostname or restoring iLO to factory defaults.
- After iLO has a new self-signed SSL certificate containing a valid expiration date, the iLO 3 firmware can be upgraded to Version 1.55 and the iLO 4 firmware can be upgraded to Version 1.20.
OR
iLO 4 firmware version 2.55 (or later)
The iLO 4 self-signed certificate can also be regenerated using a REST command that was added in iLO 4 firmware 2.55 (or later). To regenerate the self-signed certificate using this REST command use the following syntax:
DELETE https://{iLO}/redfish/v1/Managers/{item}/SecurityService/HttpsCert/
Below is an example using curl.
curl -X DELETE https://ilo.example.net/redfish/v1/Managers/1/SecurityService/HttpsCert/
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-length: 299
Content-type: application/json; charset=utf-8
Date: Sat, 20 Jan 2018 03:38:28 GMT
ETag: W/"78E0DBAE"
X-Frame-Options: sameorigin
X_HP-CHRP-Service-Version: 1.0.3
{"Messages":[{"MessageID":"iLO.0.10.ImportCertSuccessfuliLOResetinProgress"}],"Type":"ExtendedError.1.0.0","error":{"@Message.ExtendedInfo": [{"MessageID":"iLO.0.10.ImportCertSuccessfuliLOResetinProgress"}],"code":"iLO.0.10.ExtendedInfo","message":"See @Message.ExtendedInfo for mo re information."}}
The expiration date on the self-signed SSL certificate is targeted to be resolved in a future version of the iLO 3 and iLO 4 firmware.
So I have tried to use 2nd option, as I have 2.55+ firmware.
You will need CURL for windows, and some extra command parameters to add so that CURL delete process can work:
curl -X DELETE https://iLO_IP_ADDRESS/redfish/v1/Managers/1/SecurityService/HttpsCert/ -i --insecure -u username:password -L
1 comment:
Amazing work! just solved a ilo4 access with it
Post a Comment