dell / iDRAC-Redfish-Scripting

Python and PowerShell scripting for Dell EMC PowerEdge iDRAC REST API with DMTF Redfish
GNU General Public License v2.0

Idrac SSL certification fails while pushing certificate with message: certification import failed #184

Closed vivekanand553 closed 2 years ago

vivekanand553 commented 3 years ago

Hello Team,

We are trying to do SSL certification of an iDRAC 9 R840 server. We are able to request and download Venafi certificates using the Ansible playbook, but while pushing the PKCS#12-format certificate it failed with the error message "certification import failed".

Playbook details as below

Not sure if the URL path to push the certificate has changed for the iDRAC 9 R840 server.

Kindly do the needful.

Regards Vivekanand

texroemer commented 3 years ago

Hi @vivekanand553

Can you confirm the cert you are trying to import is signed? Also make sure that for the SSLCertificateFile parameter value you are passing in newline characters.

Example below of importing a signed cert using iDRAC 9 5.00.10, along with the body I passed in for the POST action.

C:\Python39>ExportImportSSLCertificateREDFISH.py -ip 192.168.0.120 -u root -p calvin -i y -ct 1 -scf C:\Python39\79.cer

- PASS: POST command passed for ImportSSLCertificate method, status code 202 returned

POST body:

{'CertificateType': 'Server', 'SSLCertificateFile': '-----BEGIN CERTIFICATE-----\nMIID8zCCAtugAwIBAgITHwAAABXQUi1tc3qbJAAAAAAAFTANBgkqhkiG9w0BAQsF\nADARMQ8wDQYDVQQDEwZMQUItQ0EwHhcNMjExMDA0MDMxNjU3WhcNMjIxMDA0MDMy\nNjU3WjBZMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1\nc3RpbjELMAkGA1UEChMCUEcxDTALBgNVBAsTBHRlc3QxDTALBgNVBAMTBERlbGww\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1wMiHzBuNV6MB/1RWMk9s\nwiY9Fwt3IW9secQQutA9+B8+FNimVMtbN+EGsj6e9UhbKbZy/25ySY1EtNr/EI0i\nuQV0zIDF49e90wm71bdZT0vD8PNLYAT3B2R3I1nwmomk7lajuGmtL9ahXMRD585K\n1NSPWycVd88DX/ekgKlTN4smmoFBOeHyfUOI6NVnHTyqjl9tVPKDGfC9jZd7vFcg\nMmVly57JTZlLLP/+OkbpkQYV7EbY5aeHxxhWdZMJ7fLiUsdb092shTjEL5BFHpLP\nUZcjLY5uj+FpuwY2SlUy3+jDtk2YQYWW7M6uehwz+2zRiYiR222hpyNVQxJKSw+N\nAgMBAAGjgfswgfgwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYE\nFBPse74a/RSHwrh/9dKWk8N7HA3+MB8GA1UdIwQYMBaAFCkc3RCMggoDmWlht/yE\nlTH5VVGQMD8GA1UdHwQ4MDYwNKAyoDCGLmZpbGU6Ly8vL1dJTi1KT0pTVjRUUDhD\nVi9DZXJ0RW5yb2xsL0xBQi1DQS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF\nBzAChj5maWxlOi8vLy9XSU4tSk9KU1Y0VFA4Q1YvQ2VydEVucm9sbC9XSU4tSk9K\nU1Y0VFA4Q1ZfTEFCLUNBLmNydDANBgkqhkiG9w0BAQsFAAOCAQEAzASEf5iZNj+j\nCIr8r5F9+Ppypq90e3z7tFfxiFQYNDBBF78JHYIN/NjD5AOi9IiB6iSTVAXJBtpd\nvYI0BwZcLl/S5ObZqTQtzfMceCnK8EiYZ0x9pZrcST5h9UIppBvpiBqIJyEL8e8W\nCRx5TOa44WiFB/X5cBxK4CQd5iMcBM1k1F2Le+4EfP92a+w4dUUl2+t6dScoHyER\np7zRGzk8ncKRlzHHNZ+b3HDkseIpP1zMr4BCYnD93zjauvy12Tc4NXi9lKn+Axk1\nNXe0etos1/8NeYXMZKpbxKlQY9n7APelp7C4HOIKYFTwjS7YD1j1e3QAlhbnGVk7\n5nZbPyrcFg==\n-----END CERTIFICATE-----\n'}
vivekanand553 commented 3 years ago

Hello Texromer,

Thanks for your email!

Yes, the certificate is a signed certificate downloaded from the Venafi website.

I will check on the steps you have provided me and will update on the results of those steps asap.

Thanks and regards Vivekanand


xtalkme commented 3 years ago

Hello @texroemer,

Sorry to hijack this topic, I am currently experiencing the same issue. iDRAC version: 5.00.10.20

Either with curl -d /redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService or python3 iDRAC-Redfish-Scripting/Redfish\ Python/ExportImportSSLCertificateREDFISH.py, I am getting somewhat the same error. Uploading the cert via the GUI in p12 format works fine. It is a wildcard certificate. I tried different flavours: with a chain and a key, cert + chain, and just the cert.

{ "error": { "code": "Base.1.5.GeneralError", "message": "A general error has occurred. See ExtendedInfo for more information.", "@Message.ExtendedInfo":[ { "@odata.type": "#Message.v1_0_0.Message", "MessageId": "Base.1.5.GeneralError", "Message": "A general error has occurred. See Resolution for information on how to resolve the error.", "Resolution": "Redfish request contains unsupported media type. Correct the request body and resubmit.", "Severity": "Warning" } ] } }

Is there an option to get more information about this general error?

texroemer commented 3 years ago

Hi @xtalkme

Can you post your curl command along with the body so I can confirm the format is correct? It should look similar to this:

curl -k "https://192.168.0.120/redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate" -X POST -u root:calvin -H "Content-Type: application/json" -i -d '{"CertificateType": "Server", "SSLCertificateFile": "-----BEGIN CERTIFICATE-----\nMIID8zCCAtugAwIBAgITHwAAABXQUi1tc3qbJAAAAAAAFTANBgkqhkiG9w0BAQsF\nADARMQ8wDQYDVQQDEwZMQUItQ0EwHhcNMjExMDA0MDMxNjU3WhcNMjIxMDA0MDMy\nNjU3WjBZMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1\nc3RpbjELMAkGA1UEChMCUEcxDTALBgNVBAsTBHRlc3QxDTALBgNVBAMTBERlbGww\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1wMiHzBuNV6MB/1RWMk9s\nwiY9Fwt3IW9secQQutA9+B8+FNimVMtbN+EGsj6e9UhbKbZy/25ySY1EtNr/EI0i\nuQV0zIDF49e90wm71bdZT0vD8PNLYAT3B2R3I1nwmomk7lajuGmtL9ahXMRD585K\n1NSPWycVd88DX/ekgKlTN4smmoFBOeHyfUOI6NVnHTyqjl9tVPKDGfC9jZd7vFcg\nMmVly57JTZlLLP/+OkbpkQYV7EbY5aeHxxhWdZMJ7fLiUsdb092shTjEL5BFHpLP\nUZcjLY5uj+FpuwY2SlUy3+jDtk2YQYWW7M6uehwz+2zRiYiR222hpyNVQxJKSw+N\nAgMBAAGjgfswgfgwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYE\nFBPse74a/RSHwrh/9dKWk8N7HA3+MB8GA1UdIwQYMBaAFCkc3RCMggoDmWlht/yE\nlTH5VVGQMD8GA1UdHwQ4MDYwNKAyoDCGLmZpbGU6Ly8vL1dJTi1KT0pTVjRUUDhD\nVi9DZXJ0RW5yb2xsL0xBQi1DQS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF\nBzAChj5maWxlOi8vLy9XSU4tSk9KU1Y0VFA4Q1YvQ2VydEVucm9sbC9XSU4tSk9K\nU1Y0VFA4Q1ZfTEFCLUNBLmNydDANBgkqhkiG9w0BAQsFAAOCAQEAzASEf5iZNj+j\nCIr8r5F9+Ppypq90e3z7tFfxiFQYNDBBF78JHYIN/NjD5AOi9IiB6iSTVAXJBtpd\nvYI0BwZcLl/S5ObZqTQtzfMceCnK8EiYZ0x9pZrcST5h9UIppBvpiBqIJyEL8e8W\nCRx5TOa44WiFB/X5cBxK4CQd5iMcBM1k1F2Le+4EfP92a+w4dUUl2+t6dScoHyER\np7zRGzk8ncKRlzHHNZ+b3HDkseIpP1zMr4BCYnD93zjauvy12Tc4NXi9lKn+Axk1\nNXe0etos1/8NeYXMZKpbxKlQY9n7APelp7C4HOIKYFTwjS7YD1j1e3QAlhbnGVk7\n5nZbPyrcFg==\n-----END CERTIFICATE-----\n"}'

Thanks Tex

xtalkme commented 3 years ago

Hi @texroemer, Thanks for your quick response!

I removed some of the "secret sauce". I assume they are not vital?

curl -k "https://$IP/redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate" -X POST -u "foo:bar" -H "Content-Type: application/json" -i -d '{"CertificateType": "Server", "SSLCertificateFile": "-----BEGIN CERTIFICATE-----\nBASE64DATA\n-----END CERTIFICATE-----\n"}'

HTTP/1.1 100 Continue

HTTP/1.1 400 Bad Request
Date: Tue, 09 Nov 2021 19:19:19 GMT
Server: Apache
OData-Version: 4.0
Access-Control-Allow-Origin: *
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Length: 580
Connection: close
Content-Type: application/json;odata.metadata=minimal;charset=utf-8

{"error":{"@Message.ExtendedInfo":[{"Message":"Certificate import operation failed.","MessageArgs":[""],"MessageArgs@odata.count":1,"MessageId":"IDRAC.2.4.LC011","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"Do the following and retry the operation: 1) WS-Man: Rerun the command or reset the iDRAC by invoking the iDRACReset method which is defined in the DCIM_iDRACCardService class. 2) iDRAC GUI: Restart the iDRAC.","Severity":"Critical"}],"code":"Base.1.7.GeneralError","message":"A general error has occurred. See ExtendedInfo for more information"}}

Thanks again, Stefan

texroemer commented 3 years ago

@xtalkme

Did you convert the PKCS file to a base64 string before trying to import? I just tested this by first creating a PKCS file using openssl, then using the base64 command in Linux to convert the file to a base64 string, then importing it, which passed.

I did the same workflow but set a password for the PKCS file; that also passed, but when I executed the POST command I had to pass in "Passphrase":"" in the body for it to pass.

Also, for "CertificateType" in the body for POST, you need to pass in "CSC" as the value.

Thanks Tex

xtalkme commented 3 years ago

Hi @texroemer, so from the SSL provider we got a root, an intermediate and the signed wildcard cert.

Then I executed the following steps:

cat rootca.cer intermediate.cer signed_wildcard.cer > cert_chain.cer
openssl pkcs12 -export -inkey wildcard.domain.key -in cert_chain.cer -out wildcard.p12

(provided the password "simple"). This p12 file works fine in the iDRAC GUI.

base64 -i wildcard.p12 > base64_pkcs.cer
curl -k "https://$IP/redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate" -X POST -u "foo:bar" -H "Content-Type: application/json" -i -d '{"Passphrase": "simple","CertificateType": "CSC", "SSLCertificateFile": "-----BEGIN CERTIFICATE-----\nBASE64DATA from base64_pkcs.cer\n-----END CERTIFICATE-----\n"}'

I also tried the "TRUSTED CERTIFICATE" header.

The error remains the same. Is there a way to get more feedback about the certificate validation?

xtalkme commented 3 years ago

@texroemer Installing it as ct 3 or 4 works fine...

texroemer commented 3 years ago

Ok, good to hear it's working, and that sounds correct.

For failures, you can always check the iDRAC Lifecycle Logs, which should have more details about why the cert failed to import. Here's an example of an entry logged for a failed import attempt.

2021-11-09 15:06:30 | SWC0726 | Unable to import the CUSTOM SIGNED CERT certificate because either the certificate is invalid, expired, or has a key mismatch issue.
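The error bodies pasted in this thread carry the useful part in `@Message.ExtendedInfo`, and the registry version inside the MessageId (IDRAC.2.4.LC011, IDRAC.2.5.LC011 and so on) changes with firmware while the key LC011 stays the same. The following Python is an added example, not code from the iDRAC-Redfish-Scripting project: it parses such a 4xx body and says whether the next place to look is the request's Content-Type header (the "unsupported media type" resolution quoted earlier, next to a curl that sends application/json) or the iDRAC Lifecycle Log (LC011, the generic import failure). Both sample bodies are constructed to match the shapes quoted in the thread; they are not captured iDRAC replies, and nothing here talks to an iDRAC.

```python
import json

# Constructed samples shaped like the 400 responses quoted in this thread (not captured replies).
SAMPLE_LC011 = json.dumps({
    "error": {
        "@Message.ExtendedInfo": [{
            "Message": "Certificate import operation failed.",
            "MessageArgs": [""],
            "MessageId": "IDRAC.2.4.LC011",
            "Resolution": "Do the following and retry the operation: 1) WS-Man: Rerun the command "
                          "or reset the iDRAC by invoking the iDRACReset method which is defined in "
                          "the DCIM_iDRACCardService class. 2) iDRAC GUI: Restart the iDRAC.",
            "Severity": "Critical",
        }],
        "code": "Base.1.7.GeneralError",
        "message": "A general error has occurred. See ExtendedInfo for more information",
    }
})

SAMPLE_MEDIA_TYPE = json.dumps({
    "error": {
        "code": "Base.1.5.GeneralError",
        "message": "A general error has occurred. See ExtendedInfo for more information.",
        "@Message.ExtendedInfo": [{
            "@odata.type": "#Message.v1_0_0.Message",
            "MessageId": "Base.1.5.GeneralError",
            "Message": "A general error has occurred. See Resolution for information on how to resolve the error.",
            "Resolution": "Redfish request contains unsupported media type. Correct the request body and resubmit.",
            "Severity": "Warning",
        }],
    }
})


def parse_message_id(message_id):
    """Split 'IDRAC.2.4.LC011' into (registry, version, key).

    Redfish MessageIds are Registry.Major.Minor.Key. The version moves with
    iDRAC firmware (2.1, 2.3, 2.4, 2.5 and 2.8 all appear in this thread),
    so match on the key, never on the full string.
    """
    registry, major, minor, key = message_id.split(".", 3)
    return registry, f"{major}.{minor}", key


def extended_info(body):
    """Return the ExtendedInfo entries of a Redfish error body as plain dicts."""
    if isinstance(body, (str, bytes)):
        body = json.loads(body)
    entries = body.get("error", {}).get("@Message.ExtendedInfo", [])
    result = []
    for entry in entries:
        registry, version, key = parse_message_id(entry["MessageId"])
        result.append({
            "registry": registry,
            "version": version,
            "key": key,
            "message": entry.get("Message", ""),
            "resolution": entry.get("Resolution", ""),
            "severity": entry.get("Severity", ""),
        })
    return result


def triage(body):
    """Name the next thing to check, based on what resolved each error shape in this thread."""
    for entry in extended_info(body):
        if "unsupported media type" in entry["resolution"].lower():
            # The resolution text is about request encoding; the working curl sends
            # -H "Content-Type: application/json", so compare the headers first.
            return "check-content-type-header"
        if entry["registry"] == "IDRAC" and entry["key"] == "LC011":
            # Generic import failure: the Lifecycle Log carries the real reason (e.g. SWC0726).
            return "check-lifecycle-log"
    return "unknown"


if __name__ == "__main__":
    for sample in (SAMPLE_LC011, SAMPLE_MEDIA_TYPE):
        for entry in extended_info(sample):
            print(f"{entry['registry']} {entry['version']} {entry['key']}: {entry['message']}")
        print("next step:", triage(sample))
```

Matching on the key rather than the full MessageId is the design point: a script that compares against "IDRAC.2.4.LC011" breaks on the next firmware, while "LC011" survives every version quoted in this thread.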

xtalkme commented 3 years ago

@texroemer the exact same certificate fails with -ct 1 which is what I am trying to achieve.

texroemer commented 3 years ago

When you upload the p12 cert using the GUI, can you run this racadm command to see if it reports your cert: "racadm sslcertview -t 1".

xtalkme commented 3 years ago

Hi @texroemer, yes, the certificate is visible when running racadm sslcertview -t 1

xtalkme commented 3 years ago

Hi @texroemer, is there something else we can investigate? Would creating a support ticket help?

xtalkme commented 2 years ago

@texroemer I believe we have a support case now that has your attention, it is related to this issue.

texroemer commented 2 years ago

@xtalkme

Thanks for submitting a support case to Tech Support. I confirmed with internal teams that for importing a P12 cert, it must be in base64 string format and the value CSC used for cert type. I just noticed in one of your previous comments you pasted BEGIN and END CERTIFICATE tags, which means this cert was not converted to base64. See the example below where I printed the payload for POST showing the base64 string value being passed in.

C:\Python39>ExportImportSSLCertificateREDFISH.py -ip 192.168.0.120 -u root -p calvin -i y -ct 2 -scf p12_cert.pem
{'CertificateType': 'CSC', 'SSLCertificateFile': 'MIIKGQIBAzCCCd8GCSqGSIb3DQEHAaCCCdAEggnMMIIJyDCCBH8GCSqGSIb3DQEHBqCCBHAwggRs\nAgEAMIIEZQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAXZwDgQIn76LweaO8vgCAggAgIIEOEZvlP4U\nnwhq0qhLMC7c/9Sbs1FhjMWVoAvfEjhPCtt9k0SayLe6sSfprzj7FcRWmF3QWShli/uAMWqU26gp\nNvD5cdyuFKGhg1LwDAlVgWT1LPsf9pl5lZ+j5wJkk2Z7OwMsHp6VsoRLtb+DSgyE5cKT4g0Nqn4t\nDfFg52A4kW1uAy2/07sZcKsJ8QUYYusyUCYXp3Nl7pFayPmKCVRnljVm/uYi8gKfxAeo8FmJBn53\nAmGbF5/zBISl4kbk9aIyaazyrrq5mbCHK3t6zMxtOxtrzYYYjXae6trjU7UzWq0Z8tpWgDMjninU\nJz/mzOb4w/ayV63cpvnE18R41e/jJ6IxhddnASgpb0g+1wqTnPf9ExXsB8s46irl5r6qTWBRdi9G\nyM2d2ig1NNwTxCqY5NUREm3zJH0Csd9LMGMcvAPpC02sxjGKRP2aHL+j/ceVN/7dCapgUpfqQUyk\niXl2jjUk/dHc93Kgey87qrd2VjDihsJe8QGctj9jsb/LX/PflgRJ8grzVgHVpVz+0tFuhNn5Qhx1\nSWr9+JaY/jlomZeDY9D5bnhrKTTwM6xD6LzE40+x+RnFzZzVvtOcv6/E5ryHrQ9rjIjJDoFbEX90\nXUim9O4vX1cWz+NCJIHsTyX4R6igDhnyZAtjdetIbvhXQopl+weUKNwcX1s1lkwbJmtFG2R2biWL\ndApG3mNr22ecYgoiNJa8RIgC2HaHNXxPsajDUFRSEZXkmK1f2Pl6kTOhmCcFq8i0kPFgw0xEo109\nl6Tw1ETdXDlGzxqziH8cFnJt80InLT2ofwF4oekIzsUYjii3WMVFrEFLv5P1UPD2cyrgy1sqJn2D\niDyUJUlSxpkFsAUALDQXWU69uJ4X0mhqwcuZ/fF6vMPPBCE9MciKaVEXk83Op5uQ6fMJX0OE6JE+\nTAzZ87OqLUs0toGNGhs0o0KHn1LLWDcZzGorvH9oUDK7RIXLS0CzFdXbLcIqGtzgf81gTKkOcyZV\nBCKcsQKoSW88+9uRP+T5MyL5zIt+PMxsLnu8thLts1IFw0M9r+KpD8JFqOyKUeAx5tulEZ5cwAqM\ni7FTAq/t6WOAmQfuHsBWMm3mk1b44XdxrGWJEtZWepzGLZJu/IPyvpW/DSnu5wgY7e0eFgRNjpcs\nD5eqE3j93w5Kcrg1ia4Q0/XekZU2500onurlikj6xQxJbjDAejTlgqCZ/Ircr8DMPk4d5dStkVZF\n3eAI8yo88KsSb9/F6c3R4lgTWCNOtLjN49JitipI4zyk6pWzjvfkPn77iDDEQ6P0ARcxoX74osP7\nz0ka+Z2vpSP3OqmjEvjfCIe6uC+0wUy+q1rhqzMZ+wWO+WwhRQUjFOjeQ1ojM/O+aETswTvh1yDK\nLjBUlsq94IxRyvor4H+tB2MIHnCD7EJBVm1c8g6Uk1XefdLZb77ImO3iKq9oBo4yADCCBUEGCSqG\nSIb3DQEHAaCCBTIEggUuMIIFKjCCBSYGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwB\nAzAOBAgL1BPnk7mp/wICCAAEggTIzIdSw6KMWdAj1rb9owXzkaFzyU1NubTc5LJxaX8Ajh0rrnXa\nO3X/vEkzdbRY+gyx02JFndp+bN97Bh/sKSSne3X9IQdL45KvuhcmKjnQrWbjhnqbfn+b6Nk/fuYm\nF8afIoPi8CX4xh6XOjG00wfPbQCs9XEU5t/Z8fDoau45aIFeN4SC53A8emOYW4MdRXEkjKm7A7SF\n
l8Z/bWL/CP9JsDzZArOpujH8cun6ZnFnGCJ5dA4vnh0Ut2iVjx9LZo6LicCiqPK7jkJi4R0cWmBW\nzBjTKMWJ6n/Olrs72r/hMNiL7wu+71XJdUTE+FI/IN0ES8Ip842O1GeaGgJw4xPyIlEX/hQA4kb/\nCXGoXsGgiaFZLKhpgTtMiQidn0Y4T39eO9cN9SQj9brynMvAq1F9h7TjhivPw+PW9GG1FLSCip6+\nggYRP3rF/RFUqTJ1sshGjvctH4Gj2GEc+kW2WsehIPVDKZZnFwmxJNM+oluqnlRAUWY1QV1ujJfs\nejT9DqUkvySlB6oi2hSZEMyqk+zCCSYByi18HCkKdmORFLowwXnXWjFIZTHKDU2XlGCv4FJ1M6is\nlvv+3cNDuKdmq48xHp+9RMdQ9CuX0LOoJz3k5elpX9vWgq9TF2reRi96/1NV5Yq42R/k311Qzioc\nzaiCmp1Emp4Jc9Y5VWBFr5z1vinhRnpbG3yBNRbhNmOXoANjaf0xDX5Cze6w6i45pOSl8TSkYI/4\nES2r0Sjn7BfMHh33HTklqZ1GCvLrLAb9Yu1Eqe8zQIcB3uW77TUYcV2sZoTtAAZyaaNQXSB+0FE/\nwjkB8sOruIPIJk0IY+bdbhuSBz7ZKY+3bIAUUWcKYcHk+vF8vJv9+q5ZUNAv7HnCEuFVvXuqCdu3\nj0DqXJoh14Ug6hvwLSMVOF11mZnwSy7WdJhTbFpDtX3gvSCLe4Of6Q/U1hLvSsEVIlChs0tkUk2Y\nuCyK3ajycQxbKeiLfK6X4uh1eDYayb38tcPect5Y7RuZpSibhLXAENN7gw2yc5nTCDfCMoKmYU38\nTPuQpuGarVCMA6Rj1gCKTO3XlF1omRSDkUfxGyRs6VuRNfzRrD2zFRao0kc9UwPHR/LN4hIzeVyA\nHoD+UC5vTKrR7ynBr3RQEQMkUQcIkoC8QoateN1s4D8jKJETJ//B/YAAVALWGWYraNdmk71Jd5va\nD0Pgv7+41X+tP1EDP5vewo6PmTKHqnuRVfp9BTiMGWaF0CM8hNugrysy4agQVKuA2lId9FWYlYvQ\nF4ZOGtm7TDF+8G7jz0cFiw61VeO7Gar6iRX0Ns9vigL1nieok1wvdLLPD/ALFhpVJcNJiRHqalLq\nYNe387sevJJh6HPOT91TNqCfQ0Tn7Iyort1e3ZJPmwRaSCZdaskK2horEMsVhFeaxL3Uj+ItBGie\nB9lsCQBnlHbEqQsxvir2YXP2EncMc0EDEvmuD4vKMhulQ9ic8RMa8w3fB+6mMBNuYzitq4ua9ErC\nTBjfyeiAvcuBjX/wKv7tnOGa62qSyWyyISS0dAHLEOHcO00rWapHPLDPVzr9uN4NuDfwWPPfrUr7\nkNIz1nWhQlsgFvGXhIaYNm4T4JHGsHWvmKO6tK4f5ACnfhnJmjg7D+lXn7RvU76YMSUwIwYJKoZI\nhvcNAQkVMRYEFHNfWwDqbBFU5pUfHt8fhxTJSzXnMDEwITAJBgUrDgMCGgUABBQJwIL9lVXp5/Gk\ntzSiy78gxe3IsQQISYX7esLaf5ACAggA\n'}

- PASS: POST command passed for ImportSSLCertificate method, status code 202 returned
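The two input shapes ImportSSLCertificate accepts, as this thread works them out, are a PEM text with its newline characters kept (CertificateType "Server") and a PKCS#12 bundle converted to a bare base64 string with no BEGIN/END armour (CertificateType "CSC", plus "Passphrase" when the bundle has an export password). The following Python is an added example, not code from the iDRAC-Redfish-Scripting project: it builds the POST body from file bytes and refuses the combinations that produced LC011 earlier in the thread (PEM armour wrapped around a base64 p12, a PEM with its newlines stripped). The stub PEM and stub DER bytes are constructed, not real certificates; "CustomCertificate" is listed as a PKCS#12 type because a later comment in the thread introduces it for iDRAC 6.00.00; and the 76-column base64 wrapping mirrors the `base64` CLI output pasted above rather than a documented iDRAC requirement.

```python
import base64
import json

# Cert types that take PEM text (this thread: "Server" for the signed cert)
PEM_TYPES = {"Server", "CA", "ClientTrustCertificate"}
# Cert types that take a PKCS#12 bundle as a bare base64 string ("CSC" here;
# "CustomCertificate" is the 6.00.00 addition mentioned later in the thread)
PKCS12_TYPES = {"CSC", "CustomCertificate"}


def is_der(data: bytes) -> bool:
    """A binary PKCS#12 file is a DER SEQUENCE, so its first byte is 0x30."""
    return len(data) > 0 and data[0] == 0x30


def validate_payload(cert_type: str, payload: str) -> list:
    """Return the problems that produced 'Certificate import operation failed' in this thread."""
    problems = []
    if cert_type in PEM_TYPES:
        if "-----BEGIN" not in payload or "-----END" not in payload:
            problems.append("PEM types need the BEGIN/END CERTIFICATE armour")
        if "\n" not in payload.strip():
            problems.append("PEM body must keep its newline characters")
    elif cert_type in PKCS12_TYPES:
        if "-----BEGIN" in payload:
            problems.append("PKCS#12 types take a bare base64 string, not PEM armour")
        else:
            try:
                base64.b64decode(payload, validate=False)
            except ValueError:  # binascii.Error is a ValueError
                problems.append("SSLCertificateFile is not valid base64")
    else:
        problems.append(f"unknown CertificateType {cert_type!r}")
    return problems


def build_import_body(cert_type: str, file_bytes: bytes, passphrase=None) -> dict:
    """Build the JSON body for DelliDRACCardService.ImportSSLCertificate."""
    if cert_type in PEM_TYPES and is_der(file_bytes):
        raise ValueError("binary PKCS#12 given for a PEM type; use a PKCS#12 type instead")
    if cert_type in PKCS12_TYPES and is_der(file_bytes):
        # Raw .p12: encode it here, 76-column wrapped like the `base64` CLI output in the thread
        payload = base64.encodebytes(file_bytes).decode("ascii")
    else:
        # Text input (PEM, or a .p12 already run through `base64`): keep it, normalise CRLF
        payload = file_bytes.decode("ascii").replace("\r\n", "\n")
    problems = validate_payload(cert_type, payload)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"CertificateType": cert_type, "SSLCertificateFile": payload}
    if passphrase is not None:
        body["Passphrase"] = passphrase  # export password of the PKCS#12 bundle
    return body


def decode_pkcs12_payload(body: dict) -> bytes:
    """Recover the PKCS#12 bytes from a body built for a PKCS#12 type (round-trip check)."""
    return base64.b64decode(body["SSLCertificateFile"])


if __name__ == "__main__":
    # Constructed inputs: a stub PEM and a stub DER prefix, not real certificates
    pem = b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
    p12 = b"\x30\x82\x00\x10" + b"\x01" * 16
    print(json.dumps(build_import_body("Server", pem)))
    print(json.dumps(build_import_body("CSC", p12, passphrase="simple")))
    # The mistake from earlier in the thread: PEM armour around a base64 p12
    print(validate_payload("CSC", "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"))
```

Running validate_payload before the POST turns the iDRAC's generic LC011 into a message that names the actual formatting fault, which is the feedback the earlier comments were asking the iDRAC for.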
xtalkme commented 2 years ago

@texroemer

Hi, thanks for replying!

So, we have a working p12 file, which we can upload in the GUI.

I tried the following:

base64 working.p12 > base64.p12

python3 iDRAC-Redfish-Scripting/Redfish\ Python/ExportImportSSLCertificateREDFISH.py -ip host.example.com -u root -p "calvin" -i y -ct 2 -scf base64.p12

{"CertificateType": "CSC", "SSLCertificateFile": "MIIbs...gIIAA==\n"}

freedge commented 2 years ago

Did you manage to make this work?

xtalkme commented 2 years ago

Nope still waiting on dell support...

freedge commented 2 years ago

I managed to upload a certificate with the command provided (running the latest iDRAC though) and a passphrase. However, I don't want to upload a "CSC", but a server certificate (with ct 1).

PASS=`dd if=/dev/random bs=1 count=8 | base64`
./vcert pickup -u https://tpp/vedsdk/ -t $AT --pickup-id '\mycertif' --file cert.pkcs12 --key-password "$PASS"  --format pkcs12

base64 cert.pkcs12 > cert.pkcs12.b64

python3 ExportImportSSLCertificateREDFISH.py -u root -p "${ROOTPASS}" -ip ${LEHOST} -i y -ct 2 -s "${PASS}" -scf cert.pkcs12.b64 

(works, but doesn't do what I want)

with -ct 1, it fails with:

{
  "error": {
    "@Message.ExtendedInfo": [
      {
        "Message": "Certificate import operation failed.",
        "MessageArgs": [
          ""
        ],
        "MessageArgs@odata.count": 1,
        "MessageId": "IDRAC.2.5.LC011",
        "RelatedProperties": [],
        "RelatedProperties@odata.count": 0,
        "Resolution": "Do the following and retry the operation: 1) WS-Man: Rerun the command or reset the iDRAC by invoking the iDRACReset method which is defined in the DCIM_iDRACCardService class. 2) iDRAC GUI: Restart the iDRAC.",
        "Severity": "Critical"
      }
    ],
    "code": "Base.1.8.GeneralError",
    "message": "A general error has occurred. See ExtendedInfo for more information"
  }
}
egoruzmukhametov commented 2 years ago

Hello. I have the same issue.

13:25 $ ExportImportSSLCertificateREDFISH.py -ip 192.168.0.1 -u root -p password -i y -ct 1 -scf newkeystore.pem -s passpharse


- FAIL, POST command failed for ImportSSLCertificate method, status code is 400

- POST command failure results:
 {'error': {
'@Message.ExtendedInfo': [{
'Message': 'Certificate import operation failed.', 'MessageArgs': [''], 'MessageArgs@odata.count': 1, 'MessageId': 'IDRAC.2.1.LC011', 'RelatedProperties': [], 'RelatedProperties@odata.count': 0, 'Resolution': 'Do the following and retry the operation: 1) WS-Man: Rerun the command or reset the iDRAC by invoking the iDRACReset method which is defined in the DCIM_iDRACCardService class. 2) iDRAC GUI: Restart the iDRAC.', 'Severity': 'Critical'}], 'code': 'Base.1.5.GeneralError', 'message': 'A general error has occurred. See ExtendedInfo for more information'}}
texroemer commented 2 years ago

Hi @freedge

Since the cert is p12 type, you must import it as custom signing certificate. Once you import it, it will show up as an iDRAC server certificate. You can see the cert using RACADM command "racadm sslcertview -t 1" after you import it.

Thanks Tex

texroemer commented 2 years ago

Hi @egoruzmukhametov

For your issue, did you try to import the same cert using either RACADM or the iDRAC GUI, and did it pass? If not, can you please try; this will help in debugging the issue.

Thanks Tex

texroemer commented 2 years ago

Hi @xtalkme

I've been on vacation for the past 2 weeks. I'll contact support on Monday so we can make progress on resolving your issue.

Thanks Tex

freedge commented 2 years ago

Since the cert is p12 type, you must import it as custom signing certificate. Once you import it, it will show up as an iDRAC server certificate. You can see the cert using RACADM command "racadm sslcertview -t 1" after you import it.

before, using the same p12 certificate imported through the GUI:

racadm>>sslcertview -t 1
Serial Number             : 650000

Subject Information:
Common Name (CN)          : cpu34d.adm

Issuer Information:
Common Name (CN)          : Production CA 1

Valid From                : Jan 10 11:01:53 2022 GMT
Valid To                  : Jan 10 11:01:53 2024 GMT

after importing it with -ct 2:

racadm>>sslcertview -t 1
Serial Number             : B152A...

Subject Information:
Country Code (CC)         : US
State (S)                 : Texas
Locality (L)              : Round Rock
Organization (O)          : Dell Inc.
Organizational Unit (OU)  : Remote Access Group
Common Name (CN)          : cpu34d.adm

Issuer Information:
Common Name (CN)          : cpu34d.adm

Valid From                : Jan 21 00:00:00 2022 GMT
Valid To                  : Jan 21 06:20:45 2029 GMT

So the certificate is "somewhere" in there, but it is not installed as the server certificate. Instead a new certificate was generated and signed with that one. As a result:

$ curl https://cpu34d.adm/
curl: (60) SSL certificate problem: unable to get local issuer certificate

it just does not work.

I see there are multiple users reporting the same issue. Instead of debugging each issue, is it possible for you to provide steps to import a server certificate that work?

texroemer commented 2 years ago

Hi @freedge

After importing the cert, did you reboot the iDRAC for the new cert to get applied before running the curl command? A reboot of the iDRAC is needed after importing the cert.

Dell also has an iDRAC certificate whitepaper posted which has more details on installing different types of certs.

https://downloads.dell.com/solutions/general-solution-resources/White%20Papers/Managing%20Web%20Server%20Certificates%20on%20iDRAC.pdf

Thanks Tex

freedge commented 2 years ago

Yes, I did reboot the iDRAC. This document provides steps to perform the manual upload of a server certificate: I verified this is working already, but it is impractical if you have more than a few servers.

texroemer commented 2 years ago

Hi @freedge

Can you give me more details on the workflow you're trying to achieve? Are you wanting to import the same cert to multiple iDRACs?

Thanks Tex

freedge commented 2 years ago

Indeed, I was thinking of creating a certificate with a list of Subject Alternative Names (e.g. with 50 names) and importing it on each iDRAC. Generating and updating certificates can be automated (so we could generate 1 certificate per iDRAC), but limiting the number of certificates should make things more manageable.

texroemer commented 2 years ago

@freedge

That workflow will work, but the iDRAC subject alt name limit is 15. As long as the CSR is not generated by the iDRAC itself, you can import the same cert to multiple iDRACs.

Thanks Tex

texroemer commented 2 years ago

Hi @xtalkme

Update: I have reproduced the issue on my server, collected logs, and escalated the issue to iDRAC development. I'll keep you posted on when an iDRAC build will be available with the fix.

Thanks Tex

chrisjeter commented 2 years ago

@texroemer Is it safe to assume this is an issue with the iDRAC code itself? I'd been banging my head against this same problem for a few days until I found this thread.

texroemer commented 2 years ago

Hi @chrisjeter

Can you explain the issue you are facing and what type of cert you are trying to import, along with the failure message?

Issues in this thread have been resolved, and only one was an iDRAC bug, due to wildcard characters being used in the cert's common name, which caused the import to fail. This bug will be fixed in the iDRAC release coming this June.

Thanks Tex

chrisjeter commented 2 years ago

@texroemer That's probably exactly what I am running into then. I'm trying to import a signed wildcard cert/chain of CertificateType "Server". The JSON body was as follows:

{"CertificateType":"Server","SSLCertificateFile":"base64 encoded p12 cert"}

posted to the redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate endpoint. The message returned at failure is:

{ "error": { "@Message.ExtendedInfo": [ { "Message": "Certificate import operation failed.", "MessageArgs": [ "" ], "MessageArgs@odata.count": 1, "MessageId": "IDRAC.2.3.LC011", "RelatedProperties": [], "RelatedProperties@odata.count": 0, "Resolution": "Do the following and retry the operation: 1) WS-Man: Rerun the command or reset the iDRAC by invoking the iDRACReset method which is defined in the DCIM_iDRACCardService class. 2) iDRAC GUI: Restart the iDRAC.", "Severity": "Critical" } ], "code": "Base.1.7.GeneralError", "message": "A general error has occurred. See ExtendedInfo for more information" } }

I'm able to upload the cert via the idrac web interface without issue. Do you know if there are any workarounds to this currently by chance?

texroemer commented 2 years ago

@chrisjeter

Until an iDRAC release is posted with the fix for Redfish, you'll need to leverage either the iDRAC GUI or RACADM to install the cert. For RACADM, you can leverage the command "racadm sslcertupload -f -t 16". RACADM is the same as the GUI: you don't need to convert the cert to base64 to install (this is only required for Redfish).

Thanks Tex

texroemer commented 2 years ago

FYI,

iDRAC 6.00.00 has been posted on the Dell support site. This release supports importing custom certificates which contain wildcards. See the example below of importing a custom cert. For the POST import, I pass in the "CustomCertificate" value for cert type.

[root@SCPexport ca]# openssl req -new -sha256 -key key.pem -out csr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Austin
Organization Name (eg, company) [Default Company Ltd]:Dell Technologies
Organizational Unit Name (eg, section) []:Server Test
Common Name (eg, your name or your server's hostname) []:**test@example.com**
Email Address []:tester@dell.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@SCPexport ca]# openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem
[root@SCPexport ca]# openssl pkcs12 -export -out client-identity_pwd.p12 -inkey key.pem -in certificate.pem
Enter Export Password:
Verifying - Enter Export Password:
[root@SCPexport ca]# base64 client-identity_pwd.p12 > test_wildcard.pem

[root@SCPexport ca]# python3 ExportImportSSLCertificateREDFISH.py -ip 192.168.0.120 -u root -p calvin --get-cert-types

- Support cert type values for ExportSSLCertificate -

['CA', 'CSC', 'ClientTrustCertificate', 'Server']

- Support cert type values for ImportSSLCertificate -

['CA', 'CSC', 'ClientTrustCertificate', '**CustomCertificate**', 'Server']

[root@SCPexport ca]# python3 ExportImportSSLCertificateREDFISH.py -ip 192.168.0.120 -u root -p calvin --import --cert-type **CustomCertificate** --filename test_wildcard.pem

- PASS: POST command passed for ImportSSLCertificate method, status code 202 returned

- INFO, iDRAC reboot is needed to apply the new certificate if using version older than 6.00.00, pass in "y" to reboot iDRAC now or "n" to not reboot: n

[root@SCPexport ca]#
omar-m-othman commented 1 year ago

@texroemer: I would really appreciate it if you could help me with the exact same issue. I belong to the team responsible for the hardware at Booking.com; we literally have thousands of PowerEdge M640 servers. I have already upgraded the iDRAC9 firmware to 6.10.00.00.

I am trying to upload a certificate of type CA. I went through all this thread and nothing is helping. The log is also showing the generic error. Let me know what info I can provide in order to make the problem clear to you.

Thanks in advance.

texroemer commented 1 year ago

Hi @omar-m-othman

Can you share details on the status code and error message you see when running action DelliDRACCardService.ImportSSLCertificate?

Also, using the same CA cert, did you try to upload it using the iDRAC GUI, and did it fail or pass? This info will help with debugging, whether it's an iDRAC interface issue or a cert issue.

Thanks Tex

omar-m-othman commented 1 year ago

Thanks a lot for your fast reply!

I am getting a 400 (redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate), and the cert upload indeed works from the GUI.

{"level":"info","msg":"{\"error\":{\"@Message.ExtendedInfo\":[{\"Message\":\"Certificate import operation failed.\",\"MessageArgs\":[\"\"],\"MessageArgs@odata.count\":1,\"MessageId\":\"IDRAC.2.8.LC011\",\"RelatedProperties\":[],\"RelatedProperties@odata.count\":0,\"Resolution\":\"Do the following and retry the operation: 1) WS-Man: Rerun the command or reset the iDRAC by invoking the iDRACReset method which is defined in the DCIM_iDRACCardService class. 2) iDRAC GUI: Restart the iDRAC.\",\"Severity\":\"Critical\"}],\"code\":\"Base.1.12.GeneralError\",\"message\":\"A general error has occurred. See ExtendedInfo for more information\"}}","time":"2023-03-30T16:42:10+02:00"}

Cert upload POST request failed with status code 400.

texroemer commented 1 year ago

Thanks for the details. For CertificateType in the POST body, what value did you pass in? Did you try all supported possible values (['CA', 'CSC', 'ClientTrustCertificate', 'CustomCertificate', 'Server']), and does it still fail?

omar-m-othman commented 1 year ago

I only tried "CA", since I know it's a CA from the previous versions of IDRAC9 firmware (we have our fork of https://github.com/bmc-toolbox/bmcbutler which we have been using forever). Is it a good idea to just give it a try with different types?

I tried all of them. Strangely enough, "ClientTrustCertificate" worked (I got a success), but logging into IDRAC9 (even after rebooting) still showed the current certificate to be expired (i.e. the original problem, as if nothing has changed). Trying with "Server" actually worked!

Sorry for the late reply, wanted to make sure I've tried "all combinations" on 3 different servers.

Thanks a million! You're the best... 🌸