Thursday, April 23, 2015
Tuesday, November 4, 2014
After not having to manage my ILO3-based HP servers for a while, today I did feel the need for remote console access. Unfortunately, Firefox 33 decided that the SSL certificate shipped out of the box is invalid. So, for my future reference and for everybody running into a similar issue, here's how to fix access by creating a certificate signing request (CSR) on the ILO, creating an SSL certification authority (CA) on your work machine and using the CA to sign the CSR. The bonus of doing this is that you don't have to bother with browser warnings about the SSL cert anymore.
Start by logging into the ILO with a less picky browser (Chromium worked for me) and under Administration > Security > SSL Certificate, fill out the required information. I initially tried using the IP address to avoid the "certificate name/host mismatch" warning, but it turns out that while ILO3 claims to load a certificate when the CN is an IP, it just falls back to the old invalid certificate instead. So use the ILO's host name and then set up that host name to access the ILO (DNS or /etc/hosts). Click the "Generate CSR" button. This will take a while to generate the CSR, so in the meantime, get the CA started on your work machine.

    # generate the CA key, using a 4096 bit RSA key with an AES256 passphrase
    # (enter the password twice when prompted, don't forget this password)
    openssl genrsa -aes256 -out rootCA.key 4096
    # create and self-sign the root CA certificate
    openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
    # copy the rootCA certificate to the distro's CA certificate store
    cp rootCA.pem /etc/ssl/certs/  # might be different for your distro

In the meantime, hopefully the generation of the CSR in the ILO has finished (make sure to wait 10 minutes), so click the "Generate CSR" button again to get a pop-up with the base64-encoded CSR. Copy and paste that into a file on your work machine; I'll assume ilo.csr.

    # optional: check if the CSR looks sane
    openssl req -text -noout -verify -in ilo.csr
    # sign the ILO CSR using the rootCA key (enter the password when prompted)
    openssl x509 -req -in ilo.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ilo.crt -days 500

Now click the "Import certificate" button in the ILO and copy and paste the ilo.crt file contents into the text box. Click import and wait for an ILO restart.

While the ILO is restarting, open your browser settings and import your /etc/ssl/certs/rootCA.pem file as trusted CA.
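Before pasting ilo.crt into the ILO, it is worth checking it against the CSR and the CA, since the ILO falls back to its old certificate without saying so. The script below is an added example, not part of the original post: the function names and the host name ilo.example.test are assumptions made here, and the demo at the end uses a throwaway, passphrase-less CA in a temp directory as a constructed stand-in for the real ILO and rootCA.

```shell
#!/bin/sh
# Added example: pre-import checks for a signed ILO certificate.
# File names follow the post (ilo.csr, ilo.crt, rootCA.pem).

# Print the subject CN of a CSR ($1 = req) or certificate ($1 = x509).
subject_cn() {
    openssl "$1" -in "$2" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_ilo_cert CSR CERT CA: returns 0 only if every check passes.
check_ilo_cert() {
    # 1. The CSR's self-signature is intact (catches copy&paste damage).
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR is damaged"; return 1; }
    # 2. The CN is a host name. Per the post, ILO3 silently keeps its old
    #    certificate when the CN is an IP address.
    cn=$(subject_cn req "$1")
    case $cn in
        ''|*:*)    echo "CN '$cn' is not a host name"; return 1 ;;
        *[!0-9.]*) ;;  # contains something besides digits and dots
        *)         echo "CN '$cn' is an IP address"; return 1 ;;
    esac
    # 3. The certificate carries the key the ILO generated for this CSR.
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ] ||
        { echo "certificate does not match the CSR"; return 1; }
    # 4. The certificate verifies against the CA the browser will trust.
    openssl verify -CAfile "$3" "$2" 2>/dev/null | grep -q ': OK$' ||
        { echo "certificate does not verify against $3"; return 1; }
    echo "OK: $cn"
}

# Constructed demo input: throwaway CA, CSR and certificate for CN $1
# (2048-bit keys without passphrase, only to keep the demo fast).
make_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rootCA.key" \
        -subj "/CN=Demo root CA" -days 2 -out "$d/rootCA.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/ilo.key" \
        -subj "/CN=$1" -out "$d/ilo.csr" 2>/dev/null
    openssl x509 -req -in "$d/ilo.csr" -CA "$d/rootCA.pem" \
        -CAkey "$d/rootCA.key" -CAcreateserial -out "$d/ilo.crt" -days 2 2>/dev/null
    echo "$d"
}

demo=$(make_demo ilo.example.test)
check_ilo_cert "$demo/ilo.csr" "$demo/ilo.crt" "$demo/rootCA.pem"
```

For the real files, run `check_ilo_cert ilo.csr ilo.crt rootCA.pem` in the directory where the CSR was signed.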
Tuesday, September 17, 2013
While expedient to get set up and move the mess of cable out of the way, this setup has some problems. First, the Raspberry Pi tended to crash a lot. Not the software, but the hardware. That's because this yellow tape sucks, and that's why eventually I brought some proper duct tape and "fixed it". Still, it was clear that eventually even duct tape would succumb to the pull of gravity. Also, we'll lose power for a scheduled test of the emergency power system on Thursday, and I wanted to get my little Pi into the server rack so I could hook it up to the UPS.
Thursday, August 15, 2013
After running the compressor at full whack for about 100 minutes, the cooling finally fails and the freezer starts to thaw. At 12:45, the temperature rises above -10 °C, triggering an alert email. Thus alerted, yours truly walks over to the freezer room and notices that the door doesn't close correctly. After shuffling some boxes around, the door closes correctly again and the temperature begins to fall.
Unfortunately, the controller of the freezer must have crashed at 12:40 as well, because the freezer does not resume cooling. The rising temperature triggers a second warning email at 13:06. This time, it takes a bit longer to realize what the actual problem is about, but eventually I realize that the cooling isn't doing anything and toggle power on the freezer. The cooling comes back on, and the situation is improving again.