Closed whitehu81 closed 3 years ago
The default certificate that generated by the bmcweb is the version 1 from latest openbmc code base. I did some search from internet(google), it seems that the chrome only accept the version 3 self signed certificate with correct subjectAltName.
So my question is how do you access the bmcweb by chrome with latest openbmc code base? My understanding is the default https certificate is NOT accepted by the browser.
The error code about the certificate from chrome like below.
Subject Alternative Name Missing The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
Certificate Error There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
root@evb-ast2500:/etc/ssl/certs/https# openssl x509 -in server.pem -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number: -783955026 (-0x2eba3452)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, O = OpenBMC, CN = testhost
Validity
Not Before: Aug 5 11:32:54 2020 GMT
Not After : Aug 3 11:32:54 2030 GMT
Subject: C = US, O = OpenBMC, CN = testhost
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:ec:7a:94:a3:8b:dc:28:c4:38:47:a4:a2:ff:63:
d4:8c:7a:31:a6:ba:6f:35:52:3b:fa:c7:ae:2e:05:
e4:49:4b:30:21:21:92:7e:de:39:96:14:27:0e:8c:
c4:68:de:1b:ea:1a:10:00:44:49:b4:8a:19:9d:36:
d4:c3:7d:3a:9d:e2:8a:78:14:6d:8b:20:ba:72:3f:
5d:83:aa:48:77:18:2a:be:3d:f8:47:aa:2e:67:9d:
03:35:1d:8a:2b:8c:d1
ASN1 OID: secp384r1
NIST CURVE: P-384
Signature Algorithm: ecdsa-with-SHA256
30:65:02:31:00:d2:b1:6e:1a:15:15:4b:82:2a:4d:d3:c1:f4:
e1:59:ba:69:12:86:30:f5:ba:53:2a:17:64:8a:4b:ac:ce:e1:
89:aa:51:4e:b2:6b:4c:34:6c:fc:29:ba:6f:9e:f7:91:c0:02:
30:31:d0:1e:a4:bf:33:16:9e:d7:0b:65:19:45:13:56:38:88:
24:08:1b:d2:1b:c7:e0:a1:3a:50:62:6d:17:8e:91:a9:4d:8d:
4d:07:ea:73:1c:1f:d1:3d:19:8a:71:f7:4d
Can you browse to https://ip_or_hostname_of_bmc ? In your case, https://10.84. 108.39 ?
This is a common bug. You're attempting to navigate to a bmc using a UI (ie chrome) but haven't installed a ui (either phosphor-webui or webui-vue.)
An example of adding a UI: https://gerrit.openbmc-project.xyz/c/openbmc/meta-ibm/+/35445 is switching several IBM systems from phosphor-webui to webui-vue
This is a common bug. You're attempting to navigate to a bmc using a UI (ie chrome) but haven't installed a ui (either phosphor-webui or webui-vue.)
I am sure the bmcweb service has been install and started successfully in my openbmc firmware, that's why I think the issue cause by the certificate of my chrome browser.
So my question is to access the UI of BMC firmware by bmcweb is expected solution or NOT? if yes, why i meet the certificate issue with chrome browser?
Oct 12 02:00:03 evb-ast2500 systemd[1]: Started Start bmcweb server.
Can you browse to https://ip_or_hostname_of_bmc ? In your case, https://10.84. 108.39 ?
I failed to access the UI of my openbmc firmware by the https://IP_of_bmc.
This is a common bug. You're attempting to navigate to a bmc using a UI (ie chrome) but haven't installed a ui (either phosphor-webui or webui-vue.)
I am sure the bmcweb service has been install and started successfully in my openbmc firmware, that's why I think the issue cause by the certificate of my chrome browser.
So my question is to access the UI of BMC firmware by bmcweb is expected solution or NOT? if yes, why i meet the certificate issue with chrome browser?
- bmcweb process has been started as below in my AST2500 evb. root@evb-ast2500:~# ps | grep bmcweb ps | grep bmcweb 152 root 12184 S /usr/bin/bmcweb
- systemd already start the bmcweb service. root@evb-ast2500:~# systemctl status bmcweb ● bmcweb.service - Start bmcweb server Loaded: loaded (/lib/systemd/system/bmcweb.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-10-12 02:00:03 UTC; 20min ago TriggeredBy: ● bmcweb.socket Main PID: 152 (bmcweb) CGroup: /system.slice/bmcweb.service └─152 /usr/bin/bmcweb
Oct 12 02:00:03 evb-ast2500 systemd[1]: Started Start bmcweb server.
Neither of those are UI projects. Have you installed one of the two UIs on your machine?
Closing from lack of response. Feel free to reopen if this is still an issue.
If i launch the openbmc with the ast2500 evb, it is NOT possible to access the bmcweb via brower.
It look like the issue cause by the un-trusted certificate.
Is it possible to show me why it happen and how to fix it?
Below is my openbmc cert snapshot, for your reference.
BTW: I can successfully access the bmcweb when i launch the openbmc by the QEMU with the same computer.