HewlettPackard / POSH-HPEOneView

PowerShell language bindings library for HPE OneView.
http://hewlettpackard.github.io/POSH-HPEOneView/

Connect-HPOVMgmt error in HPOneView.400 #325

Closed DAVIDMARTINEZROBLES closed 6 years ago

DAVIDMARTINEZROBLES commented 6 years ago

Please fill in as much information as possible to help resolve your issue.

Expected Behavior

Connect to Appliance is not possible.

I'm trying to connect to two Synergy OneView Appliances, 3.10.07 and 4.00.07.

If I use the HPOneView.310, all is ok.

Actual Behavior

The hostname used to connect does not match the Subject or SAN of the provided host certificate.

Steps to reproduce

PS C:\Users\Damartinez> Connect-HPOVMgmt

cmdlet Connect-HPOVMgmt at command pipeline position 1
Supply values for the following parameters:
Hostname: 10.9.8.11
UserName: Administrator
Password: ************
Connect-HPOVMgmt : Unable to connect to '10.9.8.11' appliance.  The hostname used to connect does not match the Subject or SAN of the provided host certificate.
At line:1 char:1
+ Connect-HPOVMgmt
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (Hostname:String) [Connect-HPOVMgmt], ApplianceTransportException
    + FullyQualifiedErrorId : HostnameAndCertDoNotMatch,Connect-HPOVMgmt

PS C:\Users\Damartinez>

Version Information

HPE OneView PowerShell Library Version (Get-HPOVVersion or $PSLibraryVersion):
HPE OneView Appliance Version (Get-HPOVVersion -ApplianceVer):
Output from $PSVersionTable on your Windows Host:

4.0.1612.2800 C:\Program Files\WindowsPowerShell\Modules\HPOneView.400\4.0.1612.2800


# Output from $PSVersionTable

PS C:\Users\Damartinez> $PSVersionTable

Name  : PSVersion
Value : 5.0.10586.117

Name  : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}

Name  : BuildVersion
Value : 10.0.10586.117

Name  : CLRVersion
Value : 4.0.30319.42000

Name  : WSManStackVersion
Value : 3.0

Name  : PSRemotingProtocolVersion
Value : 2.3

Name  : SerializationVersion
Value : 1.1.0.1

ChrisLynchHPE commented 6 years ago

Is the IP Address you are connecting with the real IP of your appliance? Or are you trying to connect to your appliance via a NAT address?

DAVIDMARTINEZROBLES commented 6 years ago

It is the real IP Address of the customer appliance.

ChrisLynchHPE commented 6 years ago

Then please provide the output from the following:

Import-Module HPOneView.400
[HPOneView.PKI.SslValidation]::EnableVerbose = $true
[HPOneView.PKI.SslValidation]::EnableDebug = $true
Connect-HPOVMgmt -Hostname 10.9.8.11 -Username Administrator -Password $Password

DAVIDMARTINEZROBLES commented 6 years ago

On Thursday, I will run it on the customer Synergy.

DAVIDMARTINEZROBLES commented 6 years ago

I try to connect to another Synergy and this is the output.

PS C:\Users\Damartinez> Import-Module HPOneView.400
PS C:\Users\Damartinez> [HPOneView.PKI.SslValidation]::EnableVerbose = $true
PS C:\Users\Damartinez> [HPOneView.PKI.SslValidation]::EnableDebug = $true
PS C:\Users\Damartinez> Connect-HPOVMgmt -Hostname 22.90.8.114 -Username Administrator -Password $Password
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Starting callback verification.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Certificate:  [Subject]
  CN=ci-30e171686a38, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Issuer]
  CN=ci-30e171686a38, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Serial Number]
  008C762A7A2F7C74F3

[Not Before]
  23/01/2018 19:23:05

[Not After]
  23/01/2019 19:23:05

[Thumbprint]
  AB2061F64BDC63F6875296F149AD48006A998EA4

VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Host: '22.90.8.114'
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() Looking for '22.90.8.114' within TrustedHosts dictionary.
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() In TrustedHosts dictionary: 'False'
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Cert has chain errors.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Processing 'UntrustedRoot' chain status.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Init parse SAN from certificate.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Certificate does not contain Subject Alternative Names.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() SAN contains host: False
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() The hostname used to connect does not match the Subject or SAN of the provided host certificate. Throw error.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Starting callback verification.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Certificate:  [Subject]
  CN=ci-30e171686a38, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Issuer]
  CN=ci-30e171686a38, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Serial Number]
  008C762A7A2F7C74F3

[Not Before]
  23/01/2018 19:23:05

[Not After]
  23/01/2019 19:23:05

[Thumbprint]
  AB2061F64BDC63F6875296F149AD48006A998EA4

VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Host: '22.90.8.114'
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() Looking for '22.90.8.114' within TrustedHosts dictionary.
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() In TrustedHosts dictionary: 'False'
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Cert has chain errors.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Processing 'UntrustedRoot' chain status.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Init parse SAN from certificate.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Certificate does not contain Subject Alternative Names.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() SAN contains host: False
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() The hostname used to connect does not match the Subject or SAN of the provided host certificate. Throw error.
Connect-HPOVMgmt : Unable to connect to '22.90.8.114' appliance.  The hostname used to connect does not match the Subject or SAN of the provided host certificate.
At line:1 char:1
+ Connect-HPOVMgmt -Hostname 22.90.8.114 -Username Administrator -Passw ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (Hostname:String) [Connect-HPOVMgmt], ApplianceTransportException
    + FullyQualifiedErrorId : HostnameAndCertDoNotMatch,Connect-HPOVMgmt

PS C:\Users\Damartinez>

ChrisLynchHPE commented 6 years ago

Hmm.. that last debug output has me concerned a bit. The Subject Alternative Name (SAN) extension to the Self-Signed Certificate is empty, and should not be. While we look internally to see if we can reproduce this condition, you will need to go to the Composer UI and regenerate the Self-Signed Certificate, making sure the Subject Alternative Name (SAN) field is not empty and contains the IPv4 Address of the Composer.

ChrisLynchHPE commented 6 years ago

After further investigation, I think there may be something I can do to help address this. I just published Release 4.00.1630.2612 and in PowerShell Gallery.

Can you please test this version with your customer environment and let me know if it helps address? If so, I'll then tag the release to and close this issue.

ChrisLynchHPE commented 6 years ago

Closing due to no further activity. If this issue persists, we can re-open this request.

DAVIDMARTINEZROBLES commented 6 years ago

The same problem with the last version of HPOV


PS C:\_INVENTARIOS\Synergy> Import-Module HPOneView.400
PS C:\_INVENTARIOS\Synergy> [HPOneView.PKI.SslValidation]::EnableVerbose = $true
PS C:\_INVENTARIOS\Synergy> [HPOneView.PKI.SslValidation]::EnableDebug = $true
PS C:\_INVENTARIOS\Synergy> Connect-HPOVMgmt -Hostname 192.168.10.92 -Username Administrator -Password CONTRASEÑA
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Starting callback verification.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Certificate:  [Subject]
  CN=synergy01.mgmt.local, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Issuer]
  CN=synergy01.mgmt.local, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Serial Number]
  6ED4

[Not Before]
  12/03/2018 14:02:42

[Not After]
  12/03/2028 14:02:42

[Thumbprint]
  914B8513D04978E3DB84517B8A3E9382B860F04D

VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Host: '192.168.10.92'
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() Looking for '192.168.10.92' within TrustedHosts dictionary.
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() In TrustedHosts dictionary: 'False'
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Cert has chain errors.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Processing 'UntrustedRoot' chain status.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Init parse SAN from certificate.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Certificate does not contain Subject Alternative Names.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() SAN contains host: False
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() The hostname used to connect does not match the Subject or SAN of the provided host certificate. Throw error.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Starting callback verification.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Certificate:  [Subject]
  CN=synergy01.mgmt.local, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Issuer]
  CN=synergy01.mgmt.local, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Serial Number]
  6ED4

[Not Before]
  12/03/2018 14:02:42

[Not After]
  12/03/2028 14:02:42

[Thumbprint]
  914B8513D04978E3DB84517B8A3E9382B860F04D

VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Host: '192.168.10.92'
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() Looking for '192.168.10.92' within TrustedHosts dictionary.
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() In TrustedHosts dictionary: 'False'
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Cert has chain errors.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Processing 'UntrustedRoot' chain status.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Init parse SAN from certificate.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Certificate does not contain Subject Alternative Names.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() SAN contains host: False
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() The hostname used to connect does not match the Subject or SAN of the provided host certificate. Throw error.
Connect-HPOVMgmt : Unable to connect to '192.168.10.92' appliance.  The hostname used to connect does not match the Subject or SAN of the provided host certificate.
At line:1 char:1
+ Connect-HPOVMgmt -Hostname 192.168.10.92 -Username Administrator -Pas ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (Hostname:String) [Connect-HPOVMgmt], ApplianceTransportException
    + FullyQualifiedErrorId : HostnameAndCertDoNotMatch,Connect-HPOVMgmt

PS C:\_INVENTARIOS\Synergy>

ChrisLynchHPE commented 6 years ago

You are using the IP Address of the Composer, which does not match the [Subject] value of the certificate, and the certificate does not contain any values within the Subject Alternative Names extension field. You have two options to help resolve this:

  1. Use the FQDN of the appliance, which either means you need to add an entry to your PC C:\Windows\System32\drivers\etc\hosts file or on the DNS server(s) in your local environment.
  2. Your Synergy Composer SSL certificate is not generated correctly. Go to the Kiosk console or use a web browser and regenerate the Self-Signed Certificate under Settings -> Security -> Create Self Signed Certificate.
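
The name check described in this reply, as an added example (not part of the thread and not HPOneView library code): it reads the SAN extension straight from DER and compares the connect target with the Subject CN and the SAN entries. New-SampleCertificate, Get-SanEntry and Test-CertificateName are hypothetical helpers; the certificates are constructed in memory, the sample helper assumes PowerShell 7+ or .NET Framework 4.7.2+, and wildcard names are not handled.

```powershell
# Added example, not HPOneView library code; all function names are hypothetical.
function New-SampleCertificate {                 # constructed test input, kept in memory only
    param([string]$CommonName, [string[]]$DnsName = @(), [string[]]$IpAddress = @())
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$CommonName", $rsa, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (($DnsName.Count + $IpAddress.Count) -gt 0) {
        $b = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
        foreach ($d in $DnsName)   { $b.AddDnsName($d) }
        foreach ($i in $IpAddress) { $b.AddIpAddress([System.Net.IPAddress]::Parse($i)) }
        $req.CertificateExtensions.Add($b.Build())
    }
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
}

function Get-SanEntry {                          # DER walk, independent of OS display language
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }                    # certificate has no SAN extension
    $der = $ext.RawData; $pos = 0; $outer = $true
    while ($pos -lt $der.Length) {
        $tag = $der[$pos]; $len = [int]$der[$pos + 1]; $pos += 2
        if ($len -ge 0x80) {                     # long-form DER length
            $n = $len -band 0x7F; $len = 0
            for ($k = 0; $k -lt $n; $k++) { $len = ($len -shl 8) -bor $der[$pos]; $pos++ }
        }
        if ($outer) { $outer = $false; continue }    # step into the GeneralNames SEQUENCE
        $val = [byte[]]::new($len); [Array]::Copy($der, $pos, $val, 0, $len); $pos += $len
        if ($tag -eq 0x82) {                     # [2] dNSName
            [pscustomobject]@{ Type = 'DNS'; Value = [Text.Encoding]::ASCII.GetString($val) }
        } elseif ($tag -eq 0x87) {               # [7] iPAddress, 4 or 16 raw bytes
            [pscustomobject]@{ Type = 'IP'; Value = [System.Net.IPAddress]::new($val).ToString() }
        }
    }
}

function Test-CertificateName {                  # CN-or-SAN comparison, exact match only
    param($Certificate, [string]$HostName)
    $ip = $null; $isIp = [System.Net.IPAddress]::TryParse($HostName, [ref]$ip)
    $type, $name = if ($isIp) { 'IP', $ip.ToString() } else { 'DNS', $HostName }
    $cn  = $Certificate.GetNameInfo('SimpleName', $false)
    $san = @(Get-SanEntry $Certificate)
    [pscustomobject]@{
        Host = $HostName; SubjectCN = $cn; San = $san.Value -join ', '
        MatchesCN  = $cn -eq $HostName
        MatchesSan = [bool]($san | Where-Object { $_.Type -eq $type -and $_.Value -eq $name })
    }
}

# Constructed certificates modelled on the thread's third log, not the appliance's real ones.
$noSan   = New-SampleCertificate 'synergy01.mgmt.local'
$withSan = New-SampleCertificate 'synergy01.mgmt.local' -DnsName 'synergy01.mgmt.local' -IpAddress '192.168.10.92'
$noSan, $withSan | ForEach-Object { Test-CertificateName $_ '192.168.10.92' }
```

The first result reproduces the condition in the thread: an IP target with a hostname-only CN and no SAN matches nothing. The second shows the same target matching once the IP is present in the SAN.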

DAVIDMARTINEZROBLES commented 6 years ago

Hi.

The same problem in a new Synergy installation


PS C:\_INVENTARIOS\Synergy>
PS C:\_INVENTARIOS\Synergy> [HPOneView.PKI.SslValidation]::EnableDebug = $true
PS C:\_INVENTARIOS\Synergy> [HPOneView.PKI.SslValidation]::EnableVerbose = $true
PS C:\_INVENTARIOS\Synergy> Connect-HPOVMgmt -hostname 22.2.60.10 -u Administrator -p HPinvent2017
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Starting callback verification.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Certificate:  [Subject]
  CN=BECH2TNGHVSYP02, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Issuer]
  CN=BECH2TNGHVSYP02, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Serial Number]
  009D7CCC451ABFC075

[Not Before]
  04/05/2018 20:54:54

[Not After]
  04/05/2028 20:54:54

[Thumbprint]
  FA9E9A61F629E8BDE71961CF6CCF3200AE4BC320

VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Host: '22.2.60.10'
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() Looking for '22.2.60.10' within TrustedHosts dictionary.
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() In TrustedHosts dictionary: 'False'
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Cert has chain errors.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Processing 'UntrustedRoot' chain status.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Init parse SAN from certificate.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Certificate does not contain Subject Alternative Names.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() SAN contains host: False
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() The hostname used to connect does not match the Subject or SAN of the provided
row error.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Starting callback verification.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Certificate:  [Subject]
  CN=BECH2TNGHVSYP02, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Issuer]
  CN=BECH2TNGHVSYP02, O=Hewlett Packard Enterprise, L=Palo Alto, S=California, C=US

[Serial Number]
  009D7CCC451ABFC075

[Not Before]
  04/05/2018 20:54:54

[Not After]
  04/05/2028 20:54:54

[Thumbprint]
  FA9E9A61F629E8BDE71961CF6CCF3200AE4BC320

VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Host: '22.2.60.10'
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() Looking for '22.2.60.10' within TrustedHosts dictionary.
VERBOSE: [HPOneVIew.PKI.SslValidator]::IsTrustedHost() In TrustedHosts dictionary: 'False'
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Cert has chain errors.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() Processing 'UntrustedRoot' chain status.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Init parse SAN from certificate.
[DEBUG]: [HPOneVIew.PKI.SslValidator]::ParseSubjectAlternativeName() Certificate does not contain Subject Alternative Names.
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() SAN contains host: False
VERBOSE: [HPOneVIew.PKI.SslValidator]::CertificateValidationCallBack() The hostname used to connect does not match the Subject or SAN of the provided
row error.
Connect-HPOVMgmt : Unable to connect to '22.2.60.10' appliance.  The hostname used to connect does not match the Subject or SAN of the provided host c
At line:1 char:1
+ Connect-HPOVMgmt -hostname 22.2.60.10 -u Administrator -p HPinvent201 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (Hostname:String) [Connect-HPOVMgmt], ApplianceTransportException
    + FullyQualifiedErrorId : HostnameAndCertDoNotMatch,Connect-HPOVMgmt

PS C:\_INVENTARIOS\Synergy>

I try to use the second option to resolve the issue, but it did not work

ChrisLynchHPE commented 6 years ago

@DAVIDMARTINEZROBLES My comments above about how you are using the IP Address of the Composer, and the SSL certificate cannot be validated (even a self-signed certificate) still stand. How are you performing Hardware Setup on the Composer? Please provide detailed steps.

neocox commented 5 years ago

Same problem. I'm connecting to the appliance via a NAT address, the appliance hostname is not on the DNS server and the C:\Windows\System32\drivers\etc workaround is not valid when using some secure VPN clients (it disables this type of name resolution for security reasons).

Is there any way/option to simply disable hostname verification? I have no problem when I connect with OneView python binding.

DAVIDMARTINEZROBLES commented 5 years ago

My workaround is:

  1. Connect with the HPOneView.310\Connect-HPOVMgmt
  2. Import SSLCertificate: Import-HPOVSSLCertificate
  3. Close the PowerShell session and open a new one.

Use the HPOneView.420\Connect-HPOVMgmt