Closed vivekanand553 closed 2 years ago
Hi @vivekanand553
Can you confirm the cert you are trying to import is signed? Also make sure for SSLCertificateFile parameter value you are passing in newline characters.
Example below of importing a signed cert using iDRAC 9 5.00.10, along with the body I passed in for the POST action.
C:\Python39>ExportImportSSLCertificateREDFISH.py -ip 192.168.0.120 -u root -p calvin -i y -ct 1 -scf C:\Python39\79.cer
- PASS: POST command passed for ImportSSLCertificate method, status code 202 returned
POST body:
{'CertificateType': 'Server', 'SSLCertificateFile': '-----BEGIN CERTIFICATE-----\nMIID8zCCAtugAwIBAgITHwAAABXQUi1tc3qbJAAAAAAAFTANBgkqhkiG9w0BAQsF\nADARMQ8wDQYDVQQDEwZMQUItQ0EwHhcNMjExMDA0MDMxNjU3WhcNMjIxMDA0MDMy\nNjU3WjBZMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1\nc3RpbjELMAkGA1UEChMCUEcxDTALBgNVBAsTBHRlc3QxDTALBgNVBAMTBERlbGww\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1wMiHzBuNV6MB/1RWMk9s\nwiY9Fwt3IW9secQQutA9+B8+FNimVMtbN+EGsj6e9UhbKbZy/25ySY1EtNr/EI0i\nuQV0zIDF49e90wm71bdZT0vD8PNLYAT3B2R3I1nwmomk7lajuGmtL9ahXMRD585K\n1NSPWycVd88DX/ekgKlTN4smmoFBOeHyfUOI6NVnHTyqjl9tVPKDGfC9jZd7vFcg\nMmVly57JTZlLLP/+OkbpkQYV7EbY5aeHxxhWdZMJ7fLiUsdb092shTjEL5BFHpLP\nUZcjLY5uj+FpuwY2SlUy3+jDtk2YQYWW7M6uehwz+2zRiYiR222hpyNVQxJKSw+N\nAgMBAAGjgfswgfgwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYE\nFBPse74a/RSHwrh/9dKWk8N7HA3+MB8GA1UdIwQYMBaAFCkc3RCMggoDmWlht/yE\nlTH5VVGQMD8GA1UdHwQ4MDYwNKAyoDCGLmZpbGU6Ly8vL1dJTi1KT0pTVjRUUDhD\nVi9DZXJ0RW5yb2xsL0xBQi1DQS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF\nBzAChj5maWxlOi8vLy9XSU4tSk9KU1Y0VFA4Q1YvQ2VydEVucm9sbC9XSU4tSk9K\nU1Y0VFA4Q1ZfTEFCLUNBLmNydDANBgkqhkiG9w0BAQsFAAOCAQEAzASEf5iZNj+j\nCIr8r5F9+Ppypq90e3z7tFfxiFQYNDBBF78JHYIN/NjD5AOi9IiB6iSTVAXJBtpd\nvYI0BwZcLl/S5ObZqTQtzfMceCnK8EiYZ0x9pZrcST5h9UIppBvpiBqIJyEL8e8W\nCRx5TOa44WiFB/X5cBxK4CQd5iMcBM1k1F2Le+4EfP92a+w4dUUl2+t6dScoHyER\np7zRGzk8ncKRlzHHNZ+b3HDkseIpP1zMr4BCYnD93zjauvy12Tc4NXi9lKn+Axk1\nNXe0etos1/8NeYXMZKpbxKlQY9n7APelp7C4HOIKYFTwjS7YD1j1e3QAlhbnGVk7\n5nZbPyrcFg==\n-----END CERTIFICATE-----\n'}
Hello Texromer,
Thanks for your email!
Yes, the certificate is a signed certificate downloaded from the Venafi website.
I will check on the steps you have provided me and will update on the results of those steps asap.
Thanks and regards Vivekanand
Hello @texroemer,
Sorry to hijack this topic, I am currently experiencing the same issue. IDrac version: 5.00.10.20
Either with curl -d /redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService or python3 iDRAC-Redfish-Scripting/Redfish\ Python/ExportImportSSLCertificateREDFISH.py I am getting somewhat the same error. Uploading the cert via the GUI in p12 format works fine. It is a wildcard certificate. Tried different flavours. With a chain and a key, cert + chain and just the cert.
{ "error": { "code": "Base.1.5.GeneralError", "message": "A general error has occurred. See ExtendedInfo for more information.", "@Message.ExtendedInfo":[ { "@odata.type": "#Message.v1_0_0.Message", "MessageId": "Base.1.5.GeneralError", "Message": "A general error has occurred. See Resolution for information on how to resolve the error.", "Resolution": "Redfish request contains unsupported media type. Correct the request body and resubmit.", "Severity": "Warning" } ] } }
Is there an option to get more information about this general error?
Hi @xtalkme
Can you post your curl command along with the body so I can confirm the format is correct? It should look similar to this:
curl -k "https://192.168.0.120/redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate" -X POST -u root:calvin -H "Content-Type: application/json" -i -d '{"CertificateType": "Server", "SSLCertificateFile": "-----BEGIN CERTIFICATE-----\nMIID8zCCAtugAwIBAgITHwAAABXQUi1tc3qbJAAAAAAAFTANBgkqhkiG9w0BAQsF\nADARMQ8wDQYDVQQDEwZMQUItQ0EwHhcNMjExMDA0MDMxNjU3WhcNMjIxMDA0MDMy\nNjU3WjBZMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVGV4YXMxDzANBgNVBAcTBkF1\nc3RpbjELMAkGA1UEChMCUEcxDTALBgNVBAsTBHRlc3QxDTALBgNVBAMTBERlbGww\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD1wMiHzBuNV6MB/1RWMk9s\nwiY9Fwt3IW9secQQutA9+B8+FNimVMtbN+EGsj6e9UhbKbZy/25ySY1EtNr/EI0i\nuQV0zIDF49e90wm71bdZT0vD8PNLYAT3B2R3I1nwmomk7lajuGmtL9ahXMRD585K\n1NSPWycVd88DX/ekgKlTN4smmoFBOeHyfUOI6NVnHTyqjl9tVPKDGfC9jZd7vFcg\nMmVly57JTZlLLP/+OkbpkQYV7EbY5aeHxxhWdZMJ7fLiUsdb092shTjEL5BFHpLP\nUZcjLY5uj+FpuwY2SlUy3+jDtk2YQYWW7M6uehwz+2zRiYiR222hpyNVQxJKSw+N\nAgMBAAGjgfswgfgwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0OBBYE\nFBPse74a/RSHwrh/9dKWk8N7HA3+MB8GA1UdIwQYMBaAFCkc3RCMggoDmWlht/yE\nlTH5VVGQMD8GA1UdHwQ4MDYwNKAyoDCGLmZpbGU6Ly8vL1dJTi1KT0pTVjRUUDhD\nVi9DZXJ0RW5yb2xsL0xBQi1DQS5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUF\nBzAChj5maWxlOi8vLy9XSU4tSk9KU1Y0VFA4Q1YvQ2VydEVucm9sbC9XSU4tSk9K\nU1Y0VFA4Q1ZfTEFCLUNBLmNydDANBgkqhkiG9w0BAQsFAAOCAQEAzASEf5iZNj+j\nCIr8r5F9+Ppypq90e3z7tFfxiFQYNDBBF78JHYIN/NjD5AOi9IiB6iSTVAXJBtpd\nvYI0BwZcLl/S5ObZqTQtzfMceCnK8EiYZ0x9pZrcST5h9UIppBvpiBqIJyEL8e8W\nCRx5TOa44WiFB/X5cBxK4CQd5iMcBM1k1F2Le+4EfP92a+w4dUUl2+t6dScoHyER\np7zRGzk8ncKRlzHHNZ+b3HDkseIpP1zMr4BCYnD93zjauvy12Tc4NXi9lKn+Axk1\nNXe0etos1/8NeYXMZKpbxKlQY9n7APelp7C4HOIKYFTwjS7YD1j1e3QAlhbnGVk7\n5nZbPyrcFg==\n-----END CERTIFICATE-----\n"}'
Thanks Tex
Hi @texroemer, Thanks for your quick response!
I removed some of the "secret sauce". I assume they are not vital?
curl -k "https://$IP/redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate" -X POST -u "foo:bar" -H "Content-Type: application/json" -i -d '{"CertificateType": "Server", "SSLCertificateFile": "-----BEGIN CERTIFICATE-----\nBASE64DATA\n-----END CERTIFICATE-----\n"}'
HTTP/1.1 100 Continue
HTTP/1.1 400 Bad Request
Date: Tue, 09 Nov 2021 19:19:19 GMT
Server: Apache
OData-Version: 4.0
Access-Control-Allow-Origin: *
Cache-Control: no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Length: 580
Connection: close
Content-Type: application/json;odata.metadata=minimal;charset=utf-8
{"error":{"@Message.ExtendedInfo":[{"Message":"Certificate import operation failed.","MessageArgs":[""],"MessageArgs@odata.count":1,"MessageId":"IDRAC.2.4.LC011","RelatedProperties":[],"RelatedProperties@odata.count":0,"Resolution":"Do the following and retry the operation: 1) WS-Man: Rerun the command or reset the iDRAC by invoking the iDRACReset method which is defined in the DCIM_iDRACCardService class. 2) iDRAC GUI: Restart the iDRAC.","Severity":"Critical"}],"code":"Base.1.7.GeneralError","message":"A general error has occurred. See ExtendedInfo for more information"}}
Thanks again, Stefan
@xtalkme
Did you convert the PKCS file to a base64 string before trying to import? I just tested this by first creating a PKCS file using openssl, then using the base64 command in Linux to convert the file to a base64 string, then imported it, which passed.
I did the same workflow but set a password for the PKCS file, that also passed but when I executed the POST command, I had to pass in "Passphrase":"
Also, for "CertificateType" in the body for the POST, you need to pass in "CSC" as the value.
Thanks Tex
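The two body formats discussed in the comments above (PEM text with newline characters, and a PKCS#12 file converted to a base64 string with "CertificateType": "CSC" and a "Passphrase"), as an added pre-flight check that is not part of the thread or of Dell's scripts. The function names and the sample certificate are constructed for illustration, and sending the PKCS#12 base64 string without PEM armor lines is an assumption based on the description above.

```python
import base64
import json
import re

# A single PEM block whose armor lines and body are separated by real newlines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(?P<b64>[A-Za-z0-9+/=\n]+)-----END CERTIFICATE-----\n"
)

def pem_import_body(pem_text, cert_type="Server"):
    """Build the ImportSSLCertificate JSON body from PEM text, or raise ValueError."""
    # Normalise Windows line endings and make sure the block ends with one newline.
    pem = pem_text.replace("\r\n", "\n").strip() + "\n"
    m = PEM_RE.fullmatch(pem)
    if m is None:
        raise ValueError("not a single newline-delimited PEM CERTIFICATE block")
    try:
        der = base64.b64decode(m.group("b64").replace("\n", ""), validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("PEM body is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    # json.dumps writes every real newline as the two characters \n, which is
    # the form shown in the POST bodies above.
    return json.dumps({"CertificateType": cert_type, "SSLCertificateFile": pem})

def pkcs12_import_body(p12_bytes, passphrase):
    """Body for a PKCS#12 file: base64 string, CertificateType CSC, Passphrase."""
    if not p12_bytes or p12_bytes[0] != 0x30:
        raise ValueError("input does not look like a DER-encoded PKCS#12 file")
    b64 = base64.b64encode(p12_bytes).decode("ascii")
    # Assumption: the base64 string is sent as-is, without PEM armor lines.
    return json.dumps({"CertificateType": "CSC", "Passphrase": passphrase,
                       "SSLCertificateFile": b64})

def make_sample_pem():
    """Constructed placeholder (not a real certificate): DER-like bytes in PEM armor."""
    fake_der = b"\x30\x82\x00\x5c" + bytes(92)
    body = base64.encodebytes(fake_der).decode("ascii")  # newline-wrapped base64
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(pem_import_body(make_sample_pem()))
```

A PEM file whose newlines were stripped, or that contains the literal characters `\n` instead of line breaks, is rejected locally with a ValueError before anything is sent to the iDRAC.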
Hi @texroemer, So from the SSL provider we got a root, intermediate and the signed wildcard cert.
Then I executed the following steps:
cat rootca.cer intermediate.cer signed_wildcard.cer > cert_chain.cer
openssl pkcs12 -export -inkey wildcard.domain.key -in cert_chain.cer -out wildcard.p12
provide password simple
This p12 file works fine in the iDrac GUI.
base64 -i wildcard.p12 > base64_pkcs.cer
curl -k "https://$IP/redfish/v1/Dell/Managers/iDRAC.Embedded.1/DelliDRACCardService/Actions/DelliDRACCardService.ImportSSLCertificate" -X POST -u "foo:bar" -H "Content-Type: application/json" -i -d '{"Passphrase": "simple","CertificateType": "CSC", "SSLCertificateFile": "-----BEGIN CERTIFICATE-----\nBASE64DATA from base64_pkcs.cer\n-----END CERTIFICATE-----\n"}'
Also tried the "TRUSTED CERTIFICATE" header.
The error remains the same. Is there a way to get more feedback about the certificate validation?
@texroemer Installing it as ct 3 or 4 works fine...
Ok, good to hear it's working and that sounds correct.
For failures, you can always check the iDRAC Lifecycle Logs, which should have more details about why the cert failed to import. Here's an example of an entry logged for a failed import attempt.
2021-11-09 15:06:30 | SWC0726 | Unable to import the CUSTOM SIGNED CERT certificate because either the certificate is invalid, expired, or has a key mismatch issue.
Hello Team,
We are trying to do SSL certification of an iDRAC 9 R840 server. We are able to request and download Venafi certificates using the Ansible playbook, but while pushing the PKCS#12 format certificate it failed with the error message "certification import failed".
Playbook details as below
Not sure if the URL path to push the certificate has changed for the iDRAC 9 R840 server.
Kindly do the needful.
Regards Vivekanand