Asrock BMC no longer accessible after SSL certificate install

[tfboy]

Since purchasing an Asrock rack X570D4U-2L2T, it's been fine and the BMC IPMI has been really useful.
Today, I tried installing a certificate so have proper SSL (certificate generated from my own private PKI CA), and I must have done something wrong or it has serious QA issues as I can no longer access the web interace.

I can reach the IP over SSH (I get the Smashlite Scorpio Console), but that's about it.

Unfortunately, I'm physically away so cannot reset anything physically.

So I have two question:

1. Is there a way to reset / fix / return to the default self-signed certificate using the SSH console or do I have to wait till I have physical access to the machine again?

2. Clearly, I've had an issue with the certificate used. It was with a .pem extension for both the cert and the key and in PEM format. Are there any funny restrictions?

 

[casperghst42]

When you say "not longer accessible", is that fully no access, or that the browser complains that the BMC no longer have a valid certificate?

 

[RolloZ170]

1. Is there a way to reset / fix / return to the default self-signed certificate using the SSH console or do I have to wait till I have physical access to the machine again?

for BMC reset without PW you need physical access. would be strange if not.

 

[tfboy]

When you say "not longer accessible", is that fully no access, or that the browser complains that the BMC no longer have a valid certificate?

I get an error, cannot connect. Not an invalid cert.

for BMC reset without PW you need physical access. would be strange if not.

I have the password and can login over SSH. Is there a way to reset the BMC over SSH? I've found how to reset the server but not the BMC itself.

 

[marcoi]

try this support page from asrock
ASRock Rack > Support

 

[RolloZ170]

I have the password and can login over SSH. Is there a way to reset the BMC over SSH? I've found how to reset the server but not the BMC itself.

can you run a linux cmd ?

https://www.asrockrack.com/support/faq.asp?id=62

 

[tfboy]

can you run a linux cmd ?

https://www.asrockrack.com/support/faq.asp?id=62

Yes, but I'm completely flummuxed how this works.
Their website tells you to install ipmitool which is straight foward, then jumps straight to that second command.
No information how you connect to it!
I've tried ipmitool -H <BMC IP address> -U admin and then entering the password, but I just get :

Authentication type NONE not supported
Error: Unable to establish LAN session
Error: Unable to establish IPMI v1.5 / RMCP session

 

[RolloZ170]

heir website tells you to install ipmitool which is straight foward, then jumps straight to that second command.
No information how you connect to it!

run on local machine don't need connection path(ip i.e.)

 

[tfboy]

run on local machine don't need connection path(ip i.e.)

Ah. OK.
Only issue, I'm running vSphere on it, so no bare metal OS access.
I guess this is serial? If I can have a passthrough serial or something... I'll give it a try.

 

[RolloZ170]

Only issue, I'm running vSphere on it, so no bare metal OS access.

have seen many using ipmitool binary for ESXi.
ther should be a solution for vSphere thought.

 

[tfboy]

Aha.
I've had some success!
I stumbled across this site ipmitool 1.8.11 vib for ESXi
And managed to get it installed.
I ran the command and it just returned a prompt. I assumed it worked because shortly after, the IP side went down (ping dropped) and after a few minutes, came back up. So the BMC was reset!
But still no https interface
My guess is the reset doesn't restore the SSL side to the factory-installed self-signed certificate.
I might just have to wait till I can access the box physically to reset.

I have emailed Asrock support so will see what they suggest.

It's probably worth digging a little more with the ipmi, maybe another command can help me out

 

[tfboy]

Final update:
The reset was successful in that the user account and password was reset to admin / admin. I can se this with the ipmitool - if I have the wrong credentials, I get a Error: Unable to establish IPMI v2 / RMCP+ session message.

However, when I use the correct credentials, I'm still stuck:

$ ipmitool -H 192.168.18.200 -U admin -I lanplus sol activate
Password:
Error activating SOL payload: Unknown (0x18)

If I can't get this resolved remotely (looking unlikely now!), then I hope I can do a deeper reset than what I've been able to do so far as that doesn't reset the SSL certificates...

 

[RolloZ170]

"I was able to set the password using ipmitool locally with the command "ipmitool -I open user set password 2 [password]", cf.)"

 

[twin_savage]

When/If you do a system reset, ensure the BMC actually has a MAC address after the reboot. I had an Asrock BMC "forget" its MAC address after an update once and all kinds of weird problems ensued until I re-established it.

 

[tfboy]

ok, took me a while to sort this out.
A full reset, clearing of the BIOS didn't help.
In the end, I had to do a full reflash of the BIOS. This was the only solution to this particular problem which I find a little worrying: supplying a certificate that, for some reason, it doesn't like, completely crashes the web server side to the point that a full re-writing of the flash is required and not even a full BMC BIOS reset will work.
The flashing takes a while too...