
Connecting to a Dell PowerEdge R7415 server using IDRAC 9 (Integrated Dell Remote Access Controller), I see that the default certificate's subject is "idrac-SVCTAG".

So all similar Dell servers would use the same subject to identify themselves.

I suspect that there is a bug, and SVCTAG should have been the Dell Service Tag; that way the subjects would be different at least, and you would have at least a little clue about where you are connecting to. At least, even when the certificates' subjects are identical, the keys are not.

(HP ProLiant servers using iLO would at least use the set hostname when generating the certificates)

So is that a bug?

Version Information

Currently I cannot tell what firmware version created those certificates, but they were created back in May 2018, so I guess it was the firmware either current at that date, or the firmware that was shipped with the server.

Re-creating the certificate

When re-creating the certificate using `sslresetcfg` and `racreset` in racadm as suggested, the "DNS iDRAC-Name" is used for the certificate's subject (iDRAC firmware was 6.00.30.00).

U. Windl
  • Regarding "_cannot tell what firmware version_" can you provide the current firmware version and if it is not the latest one, would you be able to upgrade? Regarding "_Is it a bug?_", maybe, but the post does not contain enough information to provide an answer or even to guess (... at least not for me). However, you could just do an `racadm sslresetcfg` and `racadm racreset`. For more details see on the Dell Forum [All my servers iDRAC ports use the same certificate](https://www.dell.com/community/Systems-Management-General/All-my-servers-iDRAC-ports-use-the-same-certificate/td-p/7540048). – U880D Feb 09 '23 at 07:57
  • Assuming that an IDRAC firmware update does not create a new certificate, I think it's of little use to tell which firmware the IDRAC has *now*; it would have been interesting to know the firmware at the time when the certificate had been created, but unfortunately the lifecycle protocol does not reach far enough in the past. – U. Windl Feb 09 '23 at 08:51
  • Regarding "_I think it's of little use to tell which firmware the IDRAC has now_", if you are interested in whether there is a bug, then the version of the software is useful. Furthermore, "_at the time when the certificate had been created_", even that information is not available. However, the command `racadm sslresetcfg` should generate a certificate with the configured DNS iDRAC Name as well as restarting the web service. If that's not enough, the command `racadm racreset` will result in a restart including the web service, forcing the use of the generated certificate. – U880D Feb 09 '23 at 09:08
  • If one might be interested in working with iDrac certificates: [RACADM Command Line Reference Guide for iDRAC7](https://dl.dell.com/manuals/all-products/esuprt_software/esuprt_remote_ent_sys_mgmt/esuprt_rmte_ent_sys_rmte_access_cntrllr/integrated-dell-remote-access-cntrllr-7-v1.50.50_reference%20guide4_en-us.pdf), p. 128 ff.. – U880D Feb 09 '23 at 09:09
  • It seems you are using an actual FW version from NOV 22. I've found some references which made the same observation as you, for example [1](https://bugzilla.mozilla.org/show_bug.cgi?id=1474963), [2](https://www.webhostingtalk.com/showthread.php?t=1836046) and especially [3](https://github.com/dell/iDRAC-Redfish-Scripting/issues/24), from which we can see that at least in the past `CN=idrac-SVCTAG` was used, whereby it might or should probably be `CN=idrac-${SVCTAG}` (internally). So it could be that that behavior was not intended. – U880D Feb 09 '23 at 09:37
  • Yes HP's ProLiant servers used the serial numbers for their built-in certificates for quite some time. I am surprised that either Dell did not notice that, or (probably worse) did notice that, but did not fix it. – U. Windl Feb 09 '23 at 11:42
  • It could also be that this result is because of the different steps within production and deployment and when which information would be available, resulting in these additional SSL reset commands. Maybe that part was intentionally left to rack and stack, roll-out and on customer site. We can agree that this behavior is not the "best", but still do not know the "why". – U880D Feb 09 '23 at 12:09

1 Answer


Legally required notice: I work for Dell.

Yes it's a bug. I just checked on an R440, R7625, FC630, FC640, FX2 CMC, and an R6515. Everything 13G or 16G is just fine and correctly displays the service tag but everything 14G and 15G is affected including on the latest iDRAC version. I just put in a ticket for it and got it escalated to engineering. I'll write back here with updates.

Update

It has already been caught. New servers shipping already have the fix and iDRAC 6.10.80.00 will provide a fix for systems already in the field. Should be out within the next few months.

Grant Curell
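A fleet check for the behaviour described in the question and confirmed in the answer, added here as an example and not code from the post, from Dell, or from the commenters. It assumes an inventory mapping each iDRAC host to its expected Service Tag, the `openssl` CLI on PATH for the live fetch, and the constructed sample records embedded below; it flags the literal `idrac-SVCTAG` subject, subjects that do not match `idrac-<Service Tag>`, and (the more serious case) the same certificate presented by more than one host.

```python
import re
import subprocess
from collections import defaultdict

PLACEHOLDER_CN = "idrac-SVCTAG"  # literal subject seen on the affected iDRACs

def parse_openssl_output(text):
    """Pull CN and SHA-256 fingerprint out of `openssl x509 -subject -fingerprint` text."""
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", text).group(1).strip()
    fp = re.search(r"Fingerprint=([0-9A-Fa-f:]+)", text).group(1).lower()
    return cn, fp

def fetch_cert_info(host, port=443, timeout=10):
    """Grab the certificate an iDRAC presents (no trust decision is made here)."""
    pem = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                          "-servername", host], input=b"", capture_output=True,
                         timeout=timeout).stdout
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-fingerprint",
                          "-sha256"], input=pem, capture_output=True, check=True).stdout
    return parse_openssl_output(out.decode())

def audit(records, inventory):
    """records: {host: (cn, fingerprint)}; inventory: {host: service tag}.
    Returns {host: [finding, ...]}; an empty list means the subject looks right."""
    hosts_by_fp = defaultdict(list)
    for host, (_, fp) in records.items():
        hosts_by_fp[fp].append(host)
    findings = {}
    for host, (cn, fp) in records.items():
        issues = []
        expected = f"idrac-{inventory.get(host, '?')}"
        if cn == PLACEHOLDER_CN:
            issues.append("placeholder CN: service tag was never substituted")
        elif cn != expected:
            issues.append(f"CN {cn!r} does not match expected {expected!r}")
        others = [h for h in hosts_by_fp[fp] if h != host]
        if others:  # identical key material across hosts is the more serious finding
            issues.append("certificate shared with " + ", ".join(others))
        findings[host] = issues
    return findings

# Constructed sample (hypothetical hosts, tags and fingerprints): two affected
# iDRACs, one correct one, and one host that presents a copy of another's cert.
SAMPLE_INVENTORY = {"r7415-a": "ABC1234", "r7415-b": "DEF5678", "r440-c": "GHI9012", "lab-d": "JKL3456"}
SAMPLE_RECORDS = {"r7415-a": ("idrac-SVCTAG", "11:11"), "r7415-b": ("idrac-SVCTAG", "22:22"),
                  "r440-c": ("idrac-GHI9012", "33:33"), "lab-d": ("idrac-JKL3456", "33:33")}

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_RECORDS, SAMPLE_INVENTORY).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

Replace `SAMPLE_RECORDS` with `{host: fetch_cert_info(host) for host in SAMPLE_INVENTORY}` to run it against live iDRACs.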