search

openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0
156 stars 131 forks source link

How to access the bmcweb of openbmc firmware with correct certificate? #140

Closed whitehu81 closed 3 years ago

whitehu81 commented 4 years ago

If i launch the openbmc with the ast2500 evb, it is NOT possible to access the bmcweb via brower.

It look like the issue cause by the un-trusted certificate. image

Is it possible to show me why it happen and how to fix it?

Below is my openbmc cert snapshot, for your reference.

root@evb-ast2500:/etc/ssl/certs/https# openssl s_client -connect 127.0.0.1:443 -showcerts
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, O = OpenBMC, CN = testhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, O = OpenBMC, CN = testhost
verify return:1
---
Certificate chain
 0 s:C = US, O = OpenBMC, CN = testhost
   i:C = US, O = OpenBMC, CN = testhost
-----BEGIN CERTIFICATE-----
MIIBjDCCARICBNFFy64wCgYIKoZIzj0EAwIwMjELMAkGA1UEBhMCVVMxEDAOBgNV
BAoMB09wZW5CTUMxETAPBgNVBAMMCHRlc3Rob3N0MB4XDTIwMDgwNTExMzI1NFoX
DTMwMDgwMzExMzI1NFowMjELMAkGA1UEBhMCVVMxEDAOBgNVBAoMB09wZW5CTUMx
ETAPBgNVBAMMCHRlc3Rob3N0MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE7HqUo4vc
KMQ4R6Si/2PUjHoxprpvNVI7+seuLgXkSUswISGSft45lhQnDozEaN4b6hoQAERJ
tIoZnTbUw306neKKeBRtiyC6cj9dg6pIdxgqvj34R6ouZ50DNR2KK4zRMAoGCCqG
SM49BAMCA2gAMGUCMQDSsW4aFRVLgipN08H04Vm6aRKGMPW6UyoXZIpLrM7hiapR
TrJrTDRs/Cm6b573kcACMDHQHqS/Mxae1wtlGUUTVjiIJAgb0hvH4KE6UGJtF46R
qU2NTQfqcxwf0T0ZinH3TQ==
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, O = OpenBMC, CN = testhost

issuer=C = US, O = OpenBMC, CN = testhost

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 803 bytes and written 373 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 62E3930F6263FDEDBB2EA6F96D1ACBB118ABF52C9BAB7C4C682ED7C00FA13644
    Session-ID-ctx:
    Resumption PSK: 72D0975732A57D52423052F9A749E28C6734A5E45419DA44EAC9AFE4392924AF5DC8A60E776450630FBA32510914BE1E
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - be 9e 8a 23 1c 87 a5 48-47 9e 45 b5 89 73 b7 21   ...#...HG.E..s.!
    0010 - fa 06 61 ac 27 95 9d 71-b2 3b 2c 2e 0a 7e f0 df   ..a.'..q.;,..~..
    0020 - 9d 85 3c 70 d7 86 90 1f-52 d8 48 27 b3 b2 35 b7   ..<p....R.H'..5.
    0030 - 8d af 7f 9c 7b a0 45 7e-f4 62 ee 2c 1e 2d b1 d6   ....{.E~.b.,.-..
    0040 - f2 85 b4 af 1d 3b 67 f4-da 4f 79 8b 4a 4a f7 dc   .....;g..Oy.JJ..
    0050 - 02 d9 f7 48 ee 96 41 e5-f2 a5 dc 39 4d d0 8d 38   ...H..A....9M..8
    0060 - 21 cc a1 e9 ca bf 7b 6d-2b 7b 82 6a 7e 64 3e a1   !.....{m+{.j~d>.
    0070 - 62 30 22 b1 68 aa 8a df-28 9f f7 a8 03 3b 5e 3e   b0".h...(....;^>
    0080 - a3 b7 07 43 bf d7 2b 34-ca 34 9b 7c 57 fe 2e 33   ...C..+4.4.|W..3
    0090 - 06 85 74 16 d4 f9 e3 ba-89 43 85 2c a1 5f 53 7c   ..t......C.,._S|
    00a0 - 7e 38 31 fc b4 90 3d f9-72 2b 41 ee 70 6b 7d e3   ~81...=.r+A.pk}.
    00b0 - 2c cc cd e2 60 e2 ad bb-69 a5 3b 43 cb 08 4c 7e   ,...`...i.;C..L~

    Start Time: 1596627993
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: EDB2F20E2EA7589930DB290BEC189D7799C0C045E676E92E465EF47C201AF323
    Session-ID-ctx:
    Resumption PSK: 10B3132F79783F449E0FCCF608B7B28D4934F0058AC6873EB4A9DEC2063B0EF036B3C2A7858116F03E2134F15D5AF052
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - be 9e 8a 23 1c 87 a5 48-47 9e 45 b5 89 73 b7 21   ...#...HG.E..s.!
    0010 - 19 0e 69 b0 ee b3 df 5f-26 b9 ce aa 4a 28 23 4d   ..i...._&...J(#M
    0020 - 9e 98 03 d3 8a 66 ee b6-57 a6 20 43 aa 89 96 35   .....f..W. C...5
    0030 - 55 ea 5e a9 35 64 9d 49-f9 5c db 81 66 4b 07 60   U.^.5d.I.\..fK.`
    0040 - 65 ad 25 76 57 de 81 15-53 17 69 84 9a 57 f6 cd   e.%vW...S.i..W..
    0050 - 75 94 40 bf f3 45 96 fb-50 e6 ef 24 75 51 81 91   u.@..E..P..$uQ..
    0060 - 37 bd 32 fb e1 e2 0a b1-24 99 b5 1a 7d d2 17 15   7.2.....$...}...
    0070 - de 7d ac 24 87 0a f3 d9-0a 4a 38 b0 a8 cc 3e 88   .}.$.....J8...>.
    0080 - 0b 7c 7b ba 3a 64 72 11-39 e9 4b 34 27 20 a0 0f   .|{.:dr.9.K4' ..
    0090 - c0 14 da 0f 28 a7 2c 76-05 6f b8 26 22 0e d9 56   ....(.,v.o.&"..V
    00a0 - 9a 64 64 ab 82 6e fa 75-c0 b9 a6 9e 04 ff 32 46   .dd..n.u......2F
    00b0 - a2 a6 2f 9b 48 30 f4 64-9d 94 f5 e2 70 c3 c8 fe   ../.H0.d....p...

    Start Time: 1596627993
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

BTW: I can successfully access the bmcweb when i launch the openbmc by the QEMU with the same computer.

whitehu81 commented 4 years ago

The default certificate that generated by the bmcweb is the version 1 from latest openbmc code base. I did some search from internet(google), it seems that the chrome only accept the version 3 self signed certificate with correct subjectAltName.

So my question is how do you access the bmcweb by chrome with latest openbmc code base? My understanding is the default https certificate is NOT accepted by the browser.

The error code about the certificate from chrome like below.

Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).

root@evb-ast2500:/etc/ssl/certs/https# openssl x509 -in server.pem -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: -783955026 (-0x2eba3452)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, O = OpenBMC, CN = testhost
        Validity
            Not Before: Aug  5 11:32:54 2020 GMT
            Not After : Aug  3 11:32:54 2030 GMT
        Subject: C = US, O = OpenBMC, CN = testhost
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:ec:7a:94:a3:8b:dc:28:c4:38:47:a4:a2:ff:63:
                    d4:8c:7a:31:a6:ba:6f:35:52:3b:fa:c7:ae:2e:05:
                    e4:49:4b:30:21:21:92:7e:de:39:96:14:27:0e:8c:
                    c4:68:de:1b:ea:1a:10:00:44:49:b4:8a:19:9d:36:
                    d4:c3:7d:3a:9d:e2:8a:78:14:6d:8b:20:ba:72:3f:
                    5d:83:aa:48:77:18:2a:be:3d:f8:47:aa:2e:67:9d:
                    03:35:1d:8a:2b:8c:d1
                ASN1 OID: secp384r1
                NIST CURVE: P-384
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:31:00:d2:b1:6e:1a:15:15:4b:82:2a:4d:d3:c1:f4:
         e1:59:ba:69:12:86:30:f5:ba:53:2a:17:64:8a:4b:ac:ce:e1:
         89:aa:51:4e:b2:6b:4c:34:6c:fc:29:ba:6f:9e:f7:91:c0:02:
         30:31:d0:1e:a4:bf:33:16:9e:d7:0b:65:19:45:13:56:38:88:
         24:08:1b:d2:1b:c7:e0:a1:3a:50:62:6d:17:8e:91:a9:4d:8d:
         4d:07:ea:73:1c:1f:d1:3d:19:8a:71:f7:4d
gtmills commented 4 years ago

Can you browse to https://ip_or_hostname_of_bmc ? In your case, https://10.84. 108.39 ?

edtanous commented 3 years ago

This is a common bug. You're attempting to navigate to a bmc using a UI (ie chrome) but haven't installed a ui (either phosphor-webui or webui-vue.)

gtmills commented 3 years ago

An example of adding a UI: https://gerrit.openbmc-project.xyz/c/openbmc/meta-ibm/+/35445 is switching several IBM systems from phosphor-webui to webui-vue

whitehu81 commented 3 years ago

This is a common bug. You're attempting to navigate to a bmc using a UI (ie chrome) but haven't installed a ui (either phosphor-webui or webui-vue.)

I am sure the bmcweb service has been install and started successfully in my openbmc firmware, that's why I think the issue cause by the certificate of my chrome browser.

So my question is to access the UI of BMC firmware by bmcweb is expected solution or NOT? if yes, why i meet the certificate issue with chrome browser?

  1. bmcweb process has been started as below in my AST2500 evb. root@evb-ast2500:~# ps | grep bmcweb ps | grep bmcweb 152 root 12184 S /usr/bin/bmcweb
  2. systemd already start the bmcweb service. root@evb-ast2500:~# systemctl status bmcweb ● bmcweb.service - Start bmcweb server Loaded: loaded (/lib/systemd/system/bmcweb.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-10-12 02:00:03 UTC; 20min ago TriggeredBy: ● bmcweb.socket Main PID: 152 (bmcweb) CGroup: /system.slice/bmcweb.service └─152 /usr/bin/bmcweb

Oct 12 02:00:03 evb-ast2500 systemd[1]: Started Start bmcweb server.

whitehu81 commented 3 years ago

Can you browse to https://ip_or_hostname_of_bmc ? In your case, https://10.84. 108.39 ?

I failed to access the UI of my openbmc firmware by the https://IP_of_bmc.

edtanous commented 3 years ago

This is a common bug. You're attempting to navigate to a bmc using a UI (ie chrome) but haven't installed a ui (either phosphor-webui or webui-vue.)

I am sure the bmcweb service has been install and started successfully in my openbmc firmware, that's why I think the issue cause by the certificate of my chrome browser.

So my question is to access the UI of BMC firmware by bmcweb is expected solution or NOT? if yes, why i meet the certificate issue with chrome browser?

  1. bmcweb process has been started as below in my AST2500 evb. root@evb-ast2500:~# ps | grep bmcweb ps | grep bmcweb 152 root 12184 S /usr/bin/bmcweb
  2. systemd already start the bmcweb service. root@evb-ast2500:~# systemctl status bmcweb ● bmcweb.service - Start bmcweb server Loaded: loaded (/lib/systemd/system/bmcweb.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-10-12 02:00:03 UTC; 20min ago TriggeredBy: ● bmcweb.socket Main PID: 152 (bmcweb) CGroup: /system.slice/bmcweb.service └─152 /usr/bin/bmcweb

Oct 12 02:00:03 evb-ast2500 systemd[1]: Started Start bmcweb server.

Neither of those are UI projects. Have you installed one of the two UIs on your machine?

edtanous commented 3 years ago

Closing from lack of response. Feel free to reopen if this is still an issue.