Server Products
Data Center Products including boards, integrated systems, Intel® Xeon® Processors, RAID Storage, and Intel® Xeon® Processors
4761 Discussions

S2600WFT - Latest BIOS - Unable to import SSL certificate to BMC

bbs2web
Novice
2,320 Views

Hi,

 

We are experiencing a problem on S2600WFT boards since upgrading to the latest BIOS (02.01.0014). The board ships as part of R1208WFTYSR systems, we have validated the problem on two systems that were upgraded.

 

BIOS download link:

https://www.intel.com/content/www/us/en/download/18911/intel-server-board-s2600wf-family-bios-and-firmware-update-package-for-uefi.html?wapkw=S2600WFT

 

Chassis and product information:

bbs2web_0-1642537434969.png

 

BIOS and BMC version information:

bbs2web_1-1642537460139.png

 

Certificate information:

bbs2web_2-1642537759440.png

 

Security settings:

bbs2web_3-1642537836943.png

 

Uploading SSL certificate:

bbs2web_4-1642537893478.png

 

Generates the following error:

bbs2web_5-1642537929532.png

 

During BIOS update to 02.01.0014, when BMC is restarted after flashing, the web UI was unavailable for approximately 5 minutes. When it recovered it was using a self-signed certificate so we had to use an alternative browser (Edge) due to HSTS (HTTP Strict Transport Security) being cached in Chrome.

 

Hoping this can be fixed, can provide BIOS and BMC syscfg exports should they be relevant.

 

 

Regards

David Herselman

Labels (2)
0 Kudos
8 Replies
SergioS_Intel
Moderator
2,302 Views

Hello bbs2web,


Thank you for contacting Intel Customer Support.

 

We understand that you are not able to unable to import SSL certificate to BMC after updating the BIOS.


I will be more than glad to help you today


Please help us by providing the follow information:


Have you tried to power cycle the system and generate the SSL certificate ?


Do you have the latest BIOS version that you used to have on your system?


Were you able to generate the certificates before?


We will be looking forward to your updates.


Best regards,

Sergio S.

Intel Customer Support Technician


For firmware updates and troubleshooting tips, visit :https://intel.com/support/serverbios


0 Kudos
bbs2web
Novice
2,296 Views

Hi Sergio,

 

Yip, the BIOS is the latest available for the system/board/product. Previous revisions of the BMC firmware had no issue dealing with our certificate. We upgrade firmware relatively regularly, the previous revision of the BIOS/BMC/ME/etc update worked perfectly.

 

Yes, we tried physically turning off the system by removing power from both PSUs, as well as turning it off via the BMC.

 

We additionally reset the BIOS to defaults but this has no bearing on the problem as the SSL certificate is used by the BMC which is technically a separate system on chip, on the motherboard.

 

As mentioned in my post, the BMC stopped responding to pings for the usual +-15 seconds as it reset after upgrading the BMC firmware but the web interface was inaccessible for approximately 5 minutes which was very unusual. We then had problems connecting via Google Chrome as it cached the HSTS information relating to the site. Upon connecting via Edge we observed the SSL certificate having been replaced with a self-generated one and we are now unable to import our proper certificate.

 

Looks to me like a regression in the BMC firmware.

 

PS: We have reproduced this on another identical system which was running BIOS release 02.01.0013 prior to upgrading to the problematic BIOS release 02.01.0014 (latest).

 

Regards

David Herselman

0 Kudos
SergioS_Intel
Moderator
2,291 Views

Hello bbs2web,


We appreciate the additional information.


  1. Could you please provide us with the details of the current environment of the server (Production, QA, Official Test, Lab)? 
  2. May we know what is the status/staging of the server (pre-live, maintenance mode or live)?  

 


Best regards,

Sergio S.

Intel Customer Support Technician

For firmware updates and troubleshooting tips, visit :https://intel.com/support/serverbios



0 Kudos
bbs2web
Novice
2,274 Views

The system has been in production for 2+ years, we have approximately 10 identical R1208WFTYSR systems each with:

  • 2 x Intel Xeon 6248 CPUs
  • 24 x 64 GiB Registered ECC RAM
  • Intel RAID mezzanine module for JBOD (RMS3HC080)
  • Intel X722 mezzanine networking module (2 x 10G SFP+)
  • 3 x Western Digital WUSTR6464ASS200 SSDs

 

I however don't think that the components are relevant as the problem affects the BMC not working with a stock standard public wildcard certificate procured via Sectigo (product is 'Sectigo - Multi-Domain wildcard SSL').

 

PS: Certificate details are available in my opening post of this thread.

 

 

Regards

David Herselman

0 Kudos
JoseH_Intel
Moderator
2,261 Views

Hello bbs2web,


Thank you very much for all the details. Please allow us some time to check with our engineering team about any reported issues with this latest BIOS update Version: 02.01.0014. We will get back to you as soon as we have updates.


Regards


Jose A.

Intel Customer Support Technician

For firmware updates and troubleshooting tips, visit:

https://intel.com/support/serverbios


0 Kudos
JoseH_Intel
Moderator
2,228 Views

Hello bbs2web,


Please follow below steps:


For version after Purley 20’Q4 official release, the SSL certificate generate steps is like below:

1. Generate CA private keyopenssl genrsa -out CA-key.pem 2048

 

2. Generate CA certificate request fileopenssl req -new -key CA-key.pem -out CA-csr.pem -subj /C=CN/ST=Shanghai/L=Shanghai/O=XXX/OU=XXX/CN=xxx/emailAddress=xxx.xxx@xxx.xxx

which C=Country Name, ST= State or Province Name, L= Locality Name, O= Organization Name, OU= Organizational Unit Name, CN= Common Name. Also, you can input this information manually without -subj option

 

3. Signed the CA certificate request file with the CA private key to get the CA certificateopenssl x509 -req -in CA-csr.pem -out CA-cert.pem -signkey CA-key.pem -days 36500

 

4. Generate server private keyopenssl genrsa -out server-key.pem 2048

 

5. Generate an unsigned server certificate request file and send it to the CA to complete the signingopenssl req -new -key server-key.pem -out server-csr.pem -subj /C=CN/ST=Shanghai/L=Shanghai/O=XXX/OU=XXX/CN=XXX/emailAddress=xxx.xxx@xxx.xxx/subjectAltName=DNS:xxx-xxx.xxx.xxx.xxx.com,ip:x.x.x.x

which C=Country Name, ST= State or Province Name, L= Locality Name, O= Organization Name, OU= Organizational Unit Name, CN= Common Name. Also, you can input this information manually without -subj option

 

6. Sign the server certificate request file with the CA certificate and CA private key to get the server certificateopenssl x509 -req -in server-csr.pem -out server-cert.pem -CA CA-cert.pem -CAkey CA-key.pem -CAcreateserial -days 36500

 

cat server-cert.pem CA-cert.pem > CertName.chain

 

mv CertName.chain server-cert.pem


Regards


Jose A.

Intel Customer Support Technician

For firmware updates and troubleshooting tips, visit:

https://intel.com/support/serverbios


0 Kudos
JoseH_Intel
Moderator
2,214 Views

Hello bbs2web,


I am just following up to double-check if you found the provided information useful. If you have further questions please don't hesitate to ask. If you consider the issue to be completed please let us know so we can proceed to mark this thread as resolved. I will try to reach you as a very last time on next Thursday 10th. After that the thread will be automatically archived..


Regards


Jose A.

Intel Customer Support Technician

For firmware updates and troubleshooting tips, visit:

https://intel.com/support/serverbios


0 Kudos
JoseH_Intel
Moderator
2,203 Views

Hello bbs2web,


We will proceed to mark this thread as closed. If you have further issues or questions just go ahead and submit a new topic.


Regards


Jose A.

Intel Customer Support Technician

For firmware updates and troubleshooting tips, visit:

https://intel.com/support/serverbios


0 Kudos
Reply