Asrock BMC no longer accessible after SSL certificate install


tfboy

Since purchasing an Asrock rack X570D4U-2L2T, it's been fine and the BMC IPMI has been really useful.
Today, I tried installing a certificate to have proper SSL (certificate generated from my own private PKI CA), and I must have done something wrong or it has serious QA issues as I can no longer access the web interface.

I can reach the IP over SSH (I get the Smashlite Scorpio Console), but that's about it.

Unfortunately, I'm physically away so cannot reset anything physically.

So I have two questions:

1. Is there a way to reset / fix / return to the default self-signed certificate using the SSH console or do I have to wait till I have physical access to the machine again?

2. Clearly, I've had an issue with the certificate used. It was with a .pem extension for both the cert and the key and in PEM format. Are there any funny restrictions?
 

casperghst42

When you say "no longer accessible", is that fully no access, or that the browser complains that the BMC no longer has a valid certificate?
 

RolloZ170

> 1. Is there a way to reset / fix / return to the default self-signed certificate using the SSH console or do I have to wait till I have physical access to the machine again?

For BMC reset without PW you need physical access. Would be strange if not.
 

tfboy

> When you say "no longer accessible", is that fully no access, or that the browser complains that the BMC no longer has a valid certificate?

I get an error, cannot connect. Not an invalid cert.

> For BMC reset without PW you need physical access. Would be strange if not.

I have the password and can log in over SSH. Is there a way to reset the BMC over SSH? I've found how to reset the server but not the BMC itself.
 

tfboy

Yes, but I'm completely flummoxed how this works.
Their website tells you to install ipmitool, which is straightforward, then jumps straight to that second command.
No information how you connect to it!
I've tried ipmitool -H <BMC IP address> -U admin and then entering the password, but I just get:

Code:
Authentication type NONE not supported
Error: Unable to establish LAN session
Error: Unable to establish IPMI v1.5 / RMCP session
 

RolloZ170

> Their website tells you to install ipmitool, which is straightforward, then jumps straight to that second command.
> No information how you connect to it!

Run on the local machine, you don't need a connection path (i.e. IP).
 

tfboy

> Run on the local machine, you don't need a connection path (i.e. IP).

Ah. OK.
Only issue, I'm running vSphere on it, so no bare metal OS access.
I guess this is serial? If I can have a passthrough serial or something... I'll give it a try.
 

tfboy

Aha.
I've had some success!
I stumbled across this site ipmitool 1.8.11 vib for ESXi
And managed to get it installed.
I ran the command and it just returned a prompt. I assumed it worked because shortly after, the IP side went down (ping dropped) and after a few minutes, came back up. So the BMC was reset! :)
But still no https interface :(
My guess is the reset doesn't restore the SSL side to the factory-installed self-signed certificate.
I might just have to wait till I can access the box physically to reset.

I have emailed Asrock support so will see what they suggest.

It's probably worth digging a little more with the ipmi, maybe another command can help me out :)
 

tfboy

Final update:
The reset was successful in that the user account and password were reset to admin / admin. I can see this with the ipmitool - if I have the wrong credentials, I get an Error: Unable to establish IPMI v2 / RMCP+ session message.

However, when I use the correct credentials, I'm still stuck:
Code:
$ ipmitool -H 192.168.18.200 -U admin -I lanplus sol activate
Password:
Error activating SOL payload: Unknown (0x18)
If I can't get this resolved remotely (looking unlikely now!), then I hope I can do a deeper reset than what I've been able to do so far as that doesn't reset the SSL certificates...
 

RolloZ170

"I was able to set the password using ipmitool locally with the command "ipmitool -I open user set password 2 [password]", cf.)"
 

twin_savage

When/If you do a system reset, ensure the BMC actually has a MAC address after the reboot. I had an Asrock BMC "forget" its MAC address after an update once and all kinds of weird problems ensued until I re-established it.
 

tfboy

OK, took me a while to sort this out.
A full reset, clearing of the BIOS didn't help.
In the end, I had to do a full reflash of the BIOS. This was the only solution to this particular problem which I find a little worrying: supplying a certificate that, for some reason, it doesn't like, completely crashes the web server side to the point that a full re-writing of the flash is required and not even a full BMC BIOS reset will work.
The flashing takes a while too...
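
The question about restrictions on the PEM files goes unanswered in the thread, and nothing here establishes which property of the upload the BMC rejected. As an added example (not from any poster and not Asrock's code), this lints a certificate or key file before upload for properties that commonly differ between PEM files; the choice of checks, the function names and the sample data are all assumptions, and the samples are constructed rather than real key material.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def armor(label, der):
    """Wrap DER bytes in PEM armour (used here to build the samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: a 5-byte DER SEQUENCE, PEM-shaped but not real key material.
TINY_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_CERT = armor("CERTIFICATE", TINY_DER)
SAMPLE_KEY = armor("PRIVATE KEY", TINY_DER)
SAMPLE_ENC_KEY = armor("ENCRYPTED PRIVATE KEY", TINY_DER)
SAMPLE_EXPORT = "Bag Attributes\n    friendlyName: bmc\n" + SAMPLE_CERT * 2

def lint_pem(text, expect):
    """Return findings for one PEM file; expect is "cert" or "key"."""
    findings = []
    if "\r\n" in text:
        findings.append("CRLF line endings")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return findings + ["no PEM block found"]
    # Text outside the armour (e.g. 'Bag Attributes' left by a PKCS#12
    # export) is something a strict parser may not skip.
    if PEM_BLOCK.sub("", text).strip():
        findings.append("text outside PEM blocks")
    if len(blocks) > 1:
        findings.append(f"{len(blocks)} PEM blocks in one file")
    for label, body in blocks:
        ok = label == "CERTIFICATE" if expect == "cert" else label.endswith("PRIVATE KEY")
        if not ok:
            findings.append(f"unexpected block type: {label}")
        # Passphrase-protected key: PKCS#8 label or legacy Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is passphrase-protected")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append(f"{label}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # every cert/key is a DER SEQUENCE
            findings.append(f"{label}: payload is not a DER SEQUENCE")
    return findings
```

An empty list means none of these checks fired; it does not mean the BMC will accept the file.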