Thursday, September 24, 2020

Reset iLO4 certificate

While troubleshooting an issue at my customer in OneView, I noticed that there is an SSL certificate issue with one iLO4 of a BL460gen9 ...

After searching the HPE support page, I stumbled upon this article:

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00042194en_us

Advisory: (Revision) HP Integrated Lights-Out (iLO) - iLO 3 and iLO 4 Self-Signed SSL Certificate May Have an Expiration Date Earlier Than the Issued Date

The HP Integrated Lights-Out 3 (iLO 3) and HP Integrated Lights-Out 4 (HP iLO 4) may have a self-signed Secure Socket Layer (SSL) certificate containing the incorrect year for the expiration date as follows:




RESOLUTION

Import a Trusted SSL Certificate signed by a Certification Authority (CA) into iLO 3 and iLO 4. Refer to the iLO User Guide for more details.

The HP iLO 4 User Guide is located at the following URL: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03334051

The HP iLO 3 User Guide is located at the following URL: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02774507

If a Certification Authority is not available, perform either of the following steps as a workaround:

Downgrade the iLO firmware

  1. Downgrade the iLO 3 firmware to Version 1.50 or the iLO 4 firmware to Version 1.13.
  2. Boot the server and press F9 to enter the ROM-Based Setup Utility (RBSU).
  3. In the RBSU Date and Time Menu, set the system date to 01-01-2013.
  4. Save changes and exit the RBSU.
  5. Wait until the server completes the Power-On Self-Test (POST).
  6. Log into iLO, verify the iLO date is January 1, 2013, and force iLO to generate a new self-signed SSL certificate by either changing the iLO hostname or restoring iLO to factory defaults.
  7. After iLO has a new self-signed SSL certificate containing a valid expiration date, the iLO 3 firmware can be upgraded to Version 1.55 and the iLO 4 firmware can be upgraded to Version 1.20.

OR

iLO 4 firmware version 2.55 (or later)

The iLO 4 self-signed certificate can also be regenerated using a REST command that was added in iLO 4 firmware 2.55 (or later). To regenerate the self-signed certificate using this REST command use the following syntax:

DELETE https://{iLO}/redfish/v1/Managers/{item}/SecurityService/HttpsCert/

Below is an example using curl.

curl -X DELETE https://ilo.example.net/redfish/v1/Managers/1/SecurityService/HttpsCert/

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-length: 299
Content-type: application/json; charset=utf-8
Date: Sat, 20 Jan 2018 03:38:28 GMT
ETag: W/"78E0DBAE"
X-Frame-Options: sameorigin
X_HP-CHRP-Service-Version: 1.0.3

{"Messages":[{"MessageID":"iLO.0.10.ImportCertSuccessfuliLOResetinProgress"}],"Type":"ExtendedError.1.0.0","error":{"@Message.ExtendedInfo": [{"MessageID":"iLO.0.10.ImportCertSuccessfuliLOResetinProgress"}],"code":"iLO.0.10.ExtendedInfo","message":"See @Message.ExtendedInfo for more information."}}

The expiration date on the self-signed SSL certificate is targeted to be resolved in a future version of the iLO 3 and iLO 4 firmware.


So I tried the 2nd option, as I have 2.55+ firmware.

You will need curl for Windows, plus some extra command parameters so that the curl DELETE request works:

curl -X DELETE https://iLO_IP_ADDRESS/redfish/v1/Managers/1/SecurityService/HttpsCert/ -i --insecure -u username:password -L
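To confirm that the regenerated certificate no longer has the advisory's problem (an expiration date earlier than the issue date), the validity dates can be read straight from the certificate the iLO presents. The following Python sketch is an added example, not part of the HPE advisory or the original post; the function names and the sample bytes are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample (a DER skeleton, not a real certificate):
# notBefore 2013-01-01, notAfter 2012-01-01, i.e. expiry before issue.
SAMPLE_DER = (b"\x30\x2e\x30\x2c\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00"
              b"\x30\x1e\x17\x0d130101000000Z\x17\x0d120101000000Z")

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(buf, pos):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18); return (datetime, next_pos)."""
    tag, start, end = _tlv(buf, pos)
    text = buf[start:end].decode("ascii")
    if tag == 0x17:  # two-digit year, RFC 5280 pivot: 00-49 -> 20xx, 50-99 -> 19xx
        text = ("20" if text[:2] < "50" else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc), end

def cert_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] version field
        pos = end
    for _field in ("serialNumber", "signature", "issuer"):
        _, _, pos = _tlv(der, pos)  # skip the fields that precede validity
    _, pos, _ = _tlv(der, pos)      # validity SEQUENCE
    not_before, pos = _time(der, pos)
    not_after, _ = _time(der, pos)
    return not_before, not_after

def validity_problem(not_before, not_after, now=None):
    """Return a description of what is wrong with the dates, or None if they are sane."""
    now = now or datetime.now(timezone.utc)
    if not_after <= not_before:
        return "notAfter is not later than notBefore"
    if now < not_before:
        return "not yet valid"
    return "expired" if now > not_after else None

def check_ilo(host, port=443):
    """Fetch the iLO certificate without verifying it and check its dates."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return validity_problem(*cert_validity(der))
```

Like `--insecure` in the curl call, `check_ilo` does not verify the certificate it fetches, so its result is a date check only and says nothing about the identity of the endpoint.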

1 comment:

renanr said...

Amazing work! Just solved an iLO4 access with it
