Deploy SSL certificates via idracadm on an iDRAC 6

Sven Höxter sven.hoexter at hosteurope.de
Tue Jul 31 08:38:18 CDT 2012


Hi,

we're currently aiming at an automatic deployment of SSL certificates on
all iDRAC cards with the help of idracadm. Sadly we currently fail to
push keys, certificates or retrieve at least a CSR.

So far I've configured the following cfgRacSecurity settings:
# idracadm -r ww.xx.yy.zz -u root -p calvin getconfig -g cfgRacSecurity
Security Alert: Certificate is invalid - unable to get local issuer certificate
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
cfgRacSecCsrKeySize=2048
cfgRacSecCsrCommonName=testdrac.hosteurope.example
cfgRacSecCsrOrganizationName=Hosteurope
cfgRacSecCsrOrganizationUnit=MH
cfgRacSecCsrLocalityName=Cologne
cfgRacSecCsrStateName=NRW
cfgRacSecCsrCountryCode=DE
cfgRacSecCsrEmailAddr=me@hosteurope.example

idracadm -r ww.xx.yy.zz -u root -p calvin getversion
Security Alert: Certificate is invalid - unable to get local issuer certificate
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
 Bios Version          = 6.0.7
 iDRAC Version         = 1.90
 USC Version           = 1.5.0.671

Operating system is RHEL 5.8 with srvadmin-idracadm-7.0.0-4.190.2.el5

Retrieving a CSR does nothing and idracadm just exits with return code 1:

idracadm -r ww.xx.yy.zz -u root -p calvin sslcsrgen -g -f test.csr
Security Alert: Certificate is invalid - unable to get local issuer certificate
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
[root@node1 ~]# echo $?
1

Stracing the process I can see that it prints out
write(1, "Generating CSR. Please wait...", 30Generating CSR. Please wait...) = 30
and exits later on.

It's similar for the sslcertupload command. No output and idracadm just
exits with a return code 1.

Now we tried it locally and now we get some interesting output when we
don't define an output file:
idracadm sslcsrgen -g
ash Get The <Segmentation fault>, Retry!
ash Get The <Segmentation fault>, Retry Fail!

My best guess is that the segfault happens on the iDRAC card itself and
idracadm just receives the output via IPMI.

Has someone succeeded with SSL certificate deployment via idracadm at
all? Is there some secret switch you need to set first to get this working?


Utilizing the web GUI, all of the cfgRacSecurity settings are present and
I can retrieve a CSR file and upload a certificate signed by my own CA.
So the settings themselves seem to be valid. It's just that the ssl* command
implementation in idracadm seems to be broken or requires some special
settings?

Any help would be appreciated.

Regards,
Sven
-- 
Sven Höxter
Technical Service Linux
Managed Hosting

-----------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - 51149 Köln - Germany
Phone: 0800 467 8387 - Fax: +49 180 5 66 3233 (*)
HRB 28495 Cologne District Court - VAT ID: DE187370678
Managing directors: Patrick Pulvermüller, Thomas Vollrath

(*) 0.14 EUR/min from German landlines; at most 0.42 EUR/min from
German mobile networks
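
As an added example (not part of the original post and not Dell's tooling), a POSIX shell pre-flight check that parses captured `getconfig -g cfgRacSecurity` output like the one quoted above, validates the CSR fields and treats the certificate warning as a failure instead of continuing. The function names and the 2048-bit minimum are assumptions.

```shell
#!/bin/sh
# Added example: vet captured `getconfig -g cfgRacSecurity` output before
# any CSR generation is attempted. Names and policy values are assumptions.
LC_ALL=C; export LC_ALL

# Output abridged from the post, with wrapped lines rejoined.
SAMPLE='Security Alert: Certificate is invalid - unable to get local issuer certificate
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
cfgRacSecCsrKeySize=2048
cfgRacSecCsrCommonName=testdrac.hosteurope.example
cfgRacSecCsrCountryCode=DE'

MIN_KEY_BITS=2048   # assumed local policy, not an iDRAC limit

# get_field KEY: print the value of KEY from getconfig output on stdin.
get_field() {
    awk -v key="$1" 'index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }'
}

# tls_verified: succeed only if the output on stdin carries no certificate
# warning. With the warning present, the login went to an unverified endpoint.
tls_verified() {
    ! grep -q '^Security Alert: Certificate is invalid'
}

# check_csr_config: print one line per problem; return 0 only if there are none.
check_csr_config() {
    out=$(cat)
    problems=0
    bits=$(printf '%s\n' "$out" | get_field cfgRacSecCsrKeySize)
    case "$bits" in
        ''|*[!0-9]*) echo "key size missing or not numeric"; problems=1 ;;
        *) [ "$bits" -ge "$MIN_KEY_BITS" ] || { echo "key size $bits below $MIN_KEY_BITS"; problems=1; } ;;
    esac
    cn=$(printf '%s\n' "$out" | get_field cfgRacSecCsrCommonName)
    [ -n "$cn" ] || { echo "common name is empty"; problems=1; }
    cc=$(printf '%s\n' "$out" | get_field cfgRacSecCsrCountryCode)
    case "$cc" in
        [A-Z][A-Z]) ;;
        *) echo "country code '$cc' is not two uppercase letters"; problems=1 ;;
    esac
    printf '%s\n' "$out" | tls_verified || { echo "iDRAC certificate was not verified"; problems=1; }
    return "$problems"
}

# Demo on the sample: only the certificate warning is reported.
printf '%s\n' "$SAMPLE" | check_csr_config || echo "not ready for CSR generation"
```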


