After a monitoring (satellite) server was upgraded from Debian 9 (Stretch) to 10 (Buster), the hardware monitoring of HP servers (using ILO3) stopped working.
The plugin used for monitoring the HP hardware health is check_ilo2_health, an excellent monitoring plugin created and maintained since 2007 by Alexander Greiner-Baer, which uses the ILO (Integrated Lights Out) management interface of HP servers.
After the distribution upgrade, the ILO hardware checks stopped working. On the command line the error could be reproduced:
root@buster:~# /usr/lib/nagios/plugins/check_ilo2_health.pl -H iloip -3 -u monitoring -p secret -a -c -d -o -W -t 60
ILO2_HEALTH UNKNOWN - ERROR: Failed to establish SSL connection with iloip:443 SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol.
The Debian upgrade from Stretch to Buster includes a major change in the OpenSSL version and its settings:
Besides this, the OpenSSL configuration (/etc/ssl/openssl.cnf) sets a minimum protocol of TLSv1.2 since the upgrade:
root@buster:~# tail /etc/ssl/openssl.cnf
# identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
The problem with this? ILO3 is too old and does not support TLSv1.2. And HP refused to create a new ILO3 firmware which would enable a newer TLS protocol:
HPE does not plan for support to be added to iLO 3 because the HPE ProLiant G7-series servers are out of the product support timeframe.
Use a web browser that still supports TLSv1.0 and TLSv1.1 or use the Remote Insight Board Command Language (RIBCL) and Command Line Interface (CLI) SSH to access iLO 3.
Welcome in the land of legacy.
The OpenSSL settings were adjusted to use a lower minimum protocol (TLSv1.0):
root@buster:~# tail /etc/ssl/openssl.cnf
# identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2
Right after this change, the hardware checks with check_ilo2_health started working again:
root@buster:~# /usr/lib/nagios/plugins/check_ilo2_health.pl -H iloip -3 -u monitoring -p secret -a -c -d -o -W -t 60
ILO2_HEALTH OK - (Board-Version: ILO>=3) Power Usage: 218 Watts, Temperatures: Temp_1 (OK): 28, Temp_2 (OK): 40, Temp_3 (OK): 40, Temp_4 (OK): 44, Temp_5 (OK): 43, Temp_6 (OK): 52, Temp_7 (OK): 51, Temp_8 (OK): 52, Temp_9 (OK): 47, Temp_10 (OK): 53, Temp_11 (OK): 45, Temp_12 (OK): 54, Temp_19 (OK): 31, Temp_20 (OK): 39, Temp_21 (OK): 39, Temp_22 (OK): 37, Temp_23 (OK): 46, Temp_24 (OK): 43, Temp_25 (OK): 44, Temp_26 (OK): 46, Temp_30 (OK): 77 | power=218;; Temp_1=28;41;45 Temp_2=40;82;83 Temp_3=40;82;83 Temp_4=44;87;92 Temp_5=43;87;92 Temp_6=52;87;92 Temp_7=51;87;92 Temp_8=52;90;95 Temp_9=47;65;70 Temp_10=53;90;95 Temp_11=45;70;75 Temp_12=54;90;95 Temp_19=31;70;75 Temp_20=39;70;75 Temp_21=39;80;85 Temp_22=37;80;85 Temp_23=46;77;82 Temp_24=43;70;75 Temp_25=44;70;75 Temp_26=46;70;75 Temp_30=77;110;115
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder