Score:0

Is it a bug that Dell's iDRAC uses certificate subject "idrac-SVCTAG"?


Connecting to a Dell PowerEdge R7415 server using IDRAC 9 (Integrated Dell Remote Access Controller), I see that the default certificate's subject is "idrac-SVCTAG".

So all similar Dell servers would use the same subject to identify themselves.

I suspect that there is a bug, and SVCTAG should have been the Dell Service Tag; that way the subjects would be different at least, and you would have at least a little clue where you are connecting to. At least, even when the certificates' subjects are identical, the keys are not.

(HP ProLiant servers using iLO would at least use the set hostname when generating the certificates)

So is that a bug?

Version Information

Currently I cannot tell what firmware version created those certificates, but they were created back in May 2018, so I guess it was the firmware either current at that date, or the firmware that was shipped with the server.

Re-creating the certificate

When re-creating the certificate using sslresetcfg and racreset in racadm as suggested, the "DNS iDRAC-Name" is used for the certificate's subject. (iDRAC Firmware was 6.00.30.00)
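An added example (not part of the question or any answer) of the fleet check a defender would run after reading this: classify each iDRAC certificate's subject CN as the literal `idrac-SVCTAG` placeholder, a CN carrying a service tag, or something else, compare the embedded tag against the inventory's expected tag, and flag any two controllers that present the same public key (the question notes the keys differ even when subjects collide; this verifies it). `fetch_record` pulls a live certificate with the `openssl` CLI; the offline demo uses constructed records. The hostnames, service tags and PEM bodies are made up, and the assumption that a Dell service tag is seven alphanumeric characters is mine, not the thread's.

```python
import base64
import hashlib
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PLACEHOLDER_CN = "idrac-SVCTAG"  # the literal subject observed in the question
# Assumption (not from the thread): a Dell service tag is 7 alphanumeric characters.
TAGGED_CN_RE = re.compile(r"^idrac-([A-Z0-9]{7})$", re.IGNORECASE)


@dataclass
class CertRecord:
    host: str          # iDRAC address as listed in the inventory
    subject_cn: str    # CN from the certificate subject
    pubkey_pem: str    # public key as printed by `openssl x509 -pubkey -noout`


def fetch_record(host: str, port: int = 443) -> CertRecord:
    """Pull the live certificate via the openssl CLI (needs network; not used offline)."""
    pem = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                         input=b"", capture_output=True, check=True).stdout
    text = subprocess.run(["openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253", "-pubkey"],
                          input=pem, capture_output=True, check=True).stdout.decode()
    cn = re.search(r"CN=([^,\n]+)", text).group(1)
    pub = text[text.index("-----BEGIN PUBLIC KEY-----"):]
    return CertRecord(host, cn, pub)


def classify_subject(cn: str, expected_tag: Optional[str] = None) -> str:
    """'placeholder' for the unpatched default, 'ok' when the CN carries the expected tag."""
    if cn == PLACEHOLDER_CN:
        return "placeholder"
    match = TAGGED_CN_RE.match(cn)
    if not match:
        return "other"
    if expected_tag and match.group(1).upper() != expected_tag.upper():
        return "tag-mismatch"
    return "ok"


def key_fingerprint(pubkey_pem: str) -> str:
    """SHA-256 over the DER bytes of the public key, so identical keys collide regardless of host."""
    body = "".join(line for line in pubkey_pem.splitlines() if not line.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def audit(records: List[CertRecord], expected_tags: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs; a host with a clean, unique certificate yields none."""
    findings: List[Tuple[str, str]] = []
    seen_keys: Dict[str, str] = {}
    for rec in records:
        kind = classify_subject(rec.subject_cn, expected_tags.get(rec.host))
        if kind != "ok":
            findings.append((rec.host, kind))
        fp = key_fingerprint(rec.pubkey_pem)
        if fp in seen_keys:
            findings.append((rec.host, f"same-key-as:{seen_keys[fp]}"))
        else:
            seen_keys[fp] = rec.host
    return findings


def _pem(b64_body: str) -> str:
    """Constructed stand-in for a PEM public key; the base64 body is arbitrary test data."""
    return f"-----BEGIN PUBLIC KEY-----\n{b64_body}\n-----END PUBLIC KEY-----\n"


# Constructed inventory: two unpatched controllers, one correct one, one with a wrong tag and a cloned key.
SAMPLE_RECORDS = [
    CertRecord("idrac-a.example", "idrac-SVCTAG", _pem("AAAA")),
    CertRecord("idrac-b.example", "idrac-SVCTAG", _pem("AAAB")),
    CertRecord("idrac-c.example", "idrac-1AB2CD3", _pem("AAAC")),
    CertRecord("idrac-d.example", "idrac-9ZZ9ZZ9", _pem("AAAA")),
]
SAMPLE_TAGS = {"idrac-c.example": "1AB2CD3", "idrac-d.example": "7XY7XY7"}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_RECORDS, SAMPLE_TAGS):
        print(f"{host}: {finding}")
```

Hosts flagged `placeholder` are the ones where `racadm sslresetcfg` followed by `racadm racreset` (as suggested in the comments) would regenerate a certificate with a distinguishing subject; a `same-key-as` finding is the more serious case, since then even key pinning cannot tell two controllers apart.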

U880D: Regarding "_cannot tell what firmware version_", can you provide the current firmware version and, if it is not the latest one, would you be able to upgrade? Regarding "_Is it a bug?_", maybe, but the post does not contain enough information to provide an answer or even to guess (... at least not for me). However, you could just do a `racadm sslresetcfg` and `racadm racreset`. For more details see the Dell Forum thread [All my servers iDRAC ports use the same certificate](https://www.dell.com/community/Systems-Management-General/All-my-servers-iDRAC-ports-use-the-same-certificate/td-p/7540048).
U. Windl: Assuming that an IDRAC firmware update does not create a new certificate, I think it's of little use to tell which firmware the IDRAC has *now*; it would have been interesting to know the firmware at the time when the certificate had been created, but unfortunately the lifecycle protocol does not reach far enough in the past.
U880D: Regarding "_I think it's of little use to tell which firmware the IDRAC has now_", if you are interested in whether there is a bug, then the version of the software is useful. Furthermore, "_at the time when the certificate had been created_", even that information is not available. However, the command `racadm sslresetcfg` should generate a certificate with the configured DNS iDRAC Name as well as restarting the web service. If that's not enough, the command `racadm racreset` will result in a restart, including the web service, forcing the use of the generated certificate.
U880D: If one might be interested in working with iDRAC certificates: [RACADM Command Line Reference Guide for iDRAC7](https://dl.dell.com/manuals/all-products/esuprt_software/esuprt_remote_ent_sys_mgmt/esuprt_rmte_ent_sys_rmte_access_cntrllr/integrated-dell-remote-access-cntrllr-7-v1.50.50_reference%20guide4_en-us.pdf), p. 128 ff.
U880D: It seems you are using an actual FW version from NOV 22. I've found some references which made the same observation as you, for example [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1474963), [2](https://www.webhostingtalk.com/showthread.php?t=1836046) and especially [3](https://github.com/dell/iDRAC-Redfish-Scripting/issues/24), from which we can see that at least in the past `CN=idrac-SVCTAG` was used, whereby it might or should probably be `CN=idrac-${SVCTAG}` (internally). So it could be that that behavior was not intended.
U. Windl: Yes, HP's ProLiant servers used the serial numbers for their built-in certificates for quite some time. I am surprised that either Dell did not notice that, or (probably worse) did notice that, but did not fix it.
U880D: It could also be that this result is because of the different steps within production and deployment and when which information would be available, resulting in these additional SSL reset commands. Maybe that part was intentionally left to rack and stack, roll-out and the customer site. We can agree that this behavior is not the "best", but still do not know the "why".
Score:2

Legally required notice: I work for Dell.

Yes, it's a bug. I just checked on an R440, R7625, FC630, FC640, FX2 CMC, and an R6515. Everything 13G or 16G is just fine and correctly displays the service tag, but everything 14G and 15G is affected, including on the latest iDRAC version. I just put in a ticket for it and got it escalated to engineering. I'll write back here with updates.

Update

It has already been caught. New servers shipping already have the fix and iDRAC 6.10.80.00 will provide a fix for systems already in the field. Should be out within the next few months.
