python-hpilo can't connect anymore to an iLO2 server on python3.10 #274
Comments
Nothing we can do on the python-hpilo side. You'll need to use a python version that supports older ssl versions or ilos that support newer ssl versions. |
There's a flag that can be set in python to use a different encryption method, which I tried setting in the python-hpilo code, but because of the way the code is written it doesn't seem to pull that global configuration for python to override supported SSL versions. I don't know much python to figure out every request and make it respect the allowed ciphers and python 3.10 settings, and I imagine that it's only going to get worse the more time that passes, unless a way to define "these ciphers are acceptable" is made available in the code. There is a global method to add it, which I tried but it seems that python-hpilo doesn't respect that global, and defines its own ssl parameters for each request and I'm not adept at python enough to change it myself. Changing to a newer version of iLO is not possible on the legacy iLO hardware (especially hardware that runs iLO2) as there are no updates to it. iLO4 is still in production and receives updates from HP, but not often now that they've moved onto iLO5. |
python-hpilo configures the ssl library to use any supported ssl version, including deprecated ones. However, more recent python/openssl versions have stopped shipping support for these versions completely, so no matter what you do in code: those versions cannot be used. The only option is to use older python and openssl versions, or newer ilo's. ilo/ilo2 is basically unsupportable with modern python, as they indeed don't have firmware available that supports newer ssl versions. That said, hardware with such old ilo's is well past its use-by date and should be replaced. HP hasn't supported it for years and the power and performance benefits of upgrading are huge and will offset the extra hardware cost. |
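The distinction drawn in the comment above (protocol versions removed from the build versus versions merely disabled by default) can be checked locally without touching the iLO. This is an added example, not code from python-hpilo or from anyone in this thread; the `LEGACY` list and the function names are assumptions chosen for illustration.

```python
import ssl

# Protocol versions a pre-TLS1.2 management controller may need (assumed list).
LEGACY = ("SSLv3", "TLSv1", "TLSv1_1")


def local_tls_report():
    """Describe what this interpreter's ssl module can negotiate (no network I/O)."""
    compiled_in = {v: bool(getattr(ssl, "HAS_" + v))
                   for v in LEGACY + ("TLSv1_2", "TLSv1_3")}
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    default_ciphers = {c["name"] for c in default_ctx.get_ciphers()}
    relaxed = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # OpenSSL security level 0 re-enables weak suites the defaults drop.
        relaxed.set_ciphers("ALL:@SECLEVEL=0")
        unlocked = sorted({c["name"] for c in relaxed.get_ciphers()} - default_ciphers)
    except ssl.SSLError:
        unlocked = []  # this build rejects the cipher string entirely
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "compiled_in": compiled_in,
        "default_minimum": default_ctx.minimum_version.name,
        "unlocked_by_seclevel0": unlocked,
    }


def diagnose(compiled_in, needed=LEGACY):
    """Return (fixable_in_code, reason) for a device limited to `needed` versions."""
    usable = [v for v in needed if compiled_in.get(v)]
    if not usable:
        return False, ("none of %s is compiled into this OpenSSL build; "
                       "no context or cipher setting can enable it"
                       % ", ".join(needed))
    return True, ("%s compiled in; it can still be blocked by the default "
                  "minimum version and cipher list" % ", ".join(usable))


if __name__ == "__main__":
    report = local_tls_report()
    for key, value in report.items():
        print("%-22s %s" % (key, value))
    print("verdict:", diagnose(report["compiled_in"]))
```

A `False` verdict means the handshake failure cannot be fixed from Python on that host, which is the case where terminating the legacy connection on a separate, firewalled proxy is the remaining option.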
That might be true, the hardware is a bit older, but it still is perfectly functional... Buying new hardware isn't an option for me, especially for those servers that I have that are running iLO2, because new servers are expensive and I can't afford new ones. I'm an individual and I'm disabled, the only reason I have servers with iLO is in case something crashes, I can access the console without getting up and going to the physical console. I certainly wouldn't use it over the internet, and I monitor hardware temperatures via home assistant, or at least I did until it wasn't supported, when they bumped their python version. I guess I'll try putting nginx between it and home assistant to handle the ssl as a workaround, since I should be able to configure nginx to proxy sslv3 and then provide the pages as TLS1.2. My ilo4 server works fine, but that supports TLS1.2, but yeah... guess I'll figure something out, since using a different python version isn't possible as it's integrated into home assistant... so I guess I'll try nginx as a proxy. |
If that works, that'd be a good addition to the python-hpilo docs. The ssl situation is painful for many people. |
I tried all I could to get some kind of reverse proxy working for grabbing sensor data from the server. I had some success with nginx and ha proxy for accessing the webpage configurations in firefox just fine (I imagine console wouldn't work, but I could see, set and change all the other things within the ILO2 interface).
Ultimately the way I figured to collect the sensor data again was to enable network IPMI within ILO2, and then create a bash script that pulls the data from each sensor, and publishes it to a MQTT server on home assistant. It's much faster than python-hpilo was for collecting all the details, but the disadvantage is you have to run the script somewhere that can access both ILO and the MQTT server. For now I'll still use the python-hpilo integration in home assistant for my iLO4 server (since it's still fairly well supported) but for iLO2 (and possibly 3) this is how I can monitor temperatures, fan speeds and current consumption.
My shell script is loosely based on the information I found on the Home Assistant Community Forums here https://community.home-assistant.io/t/ipmi-sensors/279248
Hopefully this will prove useful to someone who wants a fairly easy way to monitor sensors from an older iLO system. I really don't understand why they didn't have a way to disable SSL entirely, maybe not by default but... when protocols upgrade in the future, you can always add in support for them with a proxy, stripping them is a bit more difficult, but it's possible!
If you'd like to proxy iLO2 https connection and upgrade it to TLS1.2 or TLS1.3 with nginx, you can use this fairly basic configuration.
You also need to change some settings in openSSL's config to allow older versions of the protocols to be used. I changed the bottom entries in the /usr/lib/ssl/openssl.cnf file to:
Of course you need to run this somewhere that can access ILO itself but the rest of the network can't (so firewall ILO or something, and only give iLO access to the iloproxy nginx server). I'm using Debian 11 as my base operating system, but I shouldn't imagine that the configuration would be any different for another, so long as openssl can be configured to allow those protocols.
I did also get a configuration working with HA proxy, that could verify the TLS1.0 SSL certificate with that openSSL configuration too. I don't have it handy right now but if that would be useful for someone, I can provide that. I don't believe you'd be able to use the console, although I didn't try, I think it's hosted on a different port, and the XML status based logins I couldn't get working either, hence why I swapped to using the IPMI and MQTT solution above.
Hope this at least helped someone :)
Kind regards,
P.S. Not sure if github mangled any of my config/code files there...
Edit - I managed to pull up my HAProxy configuration, and I grabbed a screenshot of ilo2 access working in Firefox (I don't have TLS1.0 or TLS1.1 enabled in my config, just to show it's secure). I run my own trusted root ca here that has been added to the system's trust root store, so I don't get certificate warnings. Here's a link to the screenshot: https://i.lowrex.com/i/BNPyd.png
And here's the full config file for HAProxy
I'm not sure, but I think you also need to modify the openssl.cnf as with the nginx version to allow older versions, and the same firewall/security advice applies. I'm not exactly sure how much of the configuration is required, and it's a little slow to connect sometimes, but it works pretty well. I'll be sticking with the HAProxy version, just because it also can verify the certificate on my ILO server, but if you don't need that, the nginx one is probably easier. Good luck! I don't think python-hpilo likes it, because I think it logs in with XML and now I've got the MQTT way of getting sensor information... I've put about all the effort into it I have time for :)
Final edit, to include screenshot of TLS information for the page in Firefox. https://i.lowrex.com/i/BNIlH.png and a copy of the shell script I put together for logging the sensors from iLO to MQTT (based on that linked home assistant article earlier)
Obviously change the IPs, passwords and names of sensors, but this is what I use on a DL360 G6, which I just run in Cron every minute with That's it, that's everything that I've done to make accessing my ILO2 instance a bit easier and do my logging. Might not be that reliable, but should be enough stuffs to get you started :) |
@accessiblepixel Thanks for your nginx example. It pointed me in the right direction to reach our ILO3 servers. However if you lower the global security level in /usr/lib/ssl/openssl.cnf it affects (and can break) other services on that host. Your changes also risk being overwritten in case of updates. It's better to override ssl options for nginx only using environment in the service. This worked for me on Ubuntu 22.04:
sudo vi /etc/nginx/old_cipher_openssl.cnf
sudo vi /usr/lib/systemd/system/nginx.service
Edit: |
@sorano Glad I could help. I didn't know there was a way to tell nginx to use a specific OpenSSL config file (and in my case it didn't matter since I was working in an LXC so it was the only thing running) but definitely good information to add to the repository! It's also good to know that these bodges do have potential in ILO3 as well :) Have a great day, |
I got hit with an updated nginx package that shipped an updated service file which caused my edited changes to get lost. This is how to make service overrides that survive package updates:
|
I also have a problem connecting ilo3 to the hp ilo integration on Home Assistant. Can someone post a complete guide on how to do it? Thanks in advance |
@lpt2007 Possibly, although maybe not directly from Home Assistant > iLO (if it uses old versions of TLS) since they bumped python versions and now disallow old ciphers, however if you enable the network IPMI within ILO you can probably do it with mqtt (with the Mosquitto broker addon in home assistant) and a variation of the script I added as a "Final edit" above in #274 (comment) which was based on information I found on the home assistant community (also linked within that comment). I'd imagine it'd be fairly similar, but you'd have to query it with ipmi to see what information iLO3 gives out to determine what you will be able to log... Running Good luck! |
Thanks for tip 👍 When I run Can I get something else from ipmitool? |
That's basically the information you can get, there might be different stuff available with other commands - one of them I use is sdr and then tell it which sensors I want then cut that stuff out with awk and what not (as above), but you'd have to read the manual. Not all HPE sensors are shown through ipmi, but that's basically the output you've got to strip and parse, and then ingest into ipmi |
Hello.
I use Home Assistant with the python-hpilo functionality to monitor some old servers in a dashboard.
From what I have read, the supported versions of TLS have had the defaults changed to not allow anything "worse" than TLS1.2, so the old versions of SSLv3 that iLO2 uses don't work anymore in python 3.10
I tried changing some options in hpilo.py to enable SSLv3 but haven't been successful thus far and I am unsure how to proceed.
Home Assistant has recently bumped its python version to 3.10 and downgrading to an older version isn't really an option, because even if I did downgrade, it would only be a stop gap solution.
I'm not sure how to proceed and I've tried as much as I can to figure out the problem by myself.
A potential workaround I could see is running a proxy webserver to sit between the two to "upgrade" its TLS version, but I'm not sure.
I would appreciate any help that you can provide.
Kind regards,
Jessica
Here are the attached parts of the log that might be useful
```
Logger: homeassistant.components.sensor
Source: components/hp_ilo/sensor.py:166
Integration: Sensor (documentation, issues)
First occurred: 06:22:44 (4 occurrences)
Last logged: 06:22:45

hp_ilo: Error on device update!
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/hpilo.py", line 401, in _get_socket
    return ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLS)
  File "/usr/local/lib/python3.10/ssl.py", line 1442, in wrap_socket
    return context.wrap_socket(
  File "/usr/local/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/helpers/entity_platform.py", line 446, in _async_add_entity
    await entity.async_device_update(warning=False)
  File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 702, in async_device_update
    await task
  File "/usr/local/lib/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/hp_ilo/sensor.py", line 166, in update
    ilo_data = getattr(self.hp_ilo_data.data, self._ilo_function)()
  File "/usr/local/lib/python3.10/site-packages/hpilo.py", line 1035, in get_embedded_health
    return self._info_tag('SERVER_INFO', 'GET_EMBEDDED_HEALTH', 'GET_EMBEDDED_HEALTH_DATA',
  File "/usr/local/lib/python3.10/site-packages/hpilo.py", line 730, in _info_tag
    header, message = self._request(root)
  File "/usr/local/lib/python3.10/site-packages/hpilo.py", line 238, in _request
    self._detect_protocol()
  File "/usr/local/lib/python3.10/site-packages/hpilo.py", line 278, in _detect_protocol
    header, data = self._communicate(b'', ILO_HTTP, save=False)
  File "/usr/local/lib/python3.10/site-packages/hpilo.py", line 406, in _communicate
    sock = self._get_socket()
  File "/usr/local/lib/python3.10/site-packages/hpilo.py", line 403, in _get_socket
    raise IloCommunicationError("Cannot establish ssl session with %s:%d: %s" % (self.hostname, self.port, str(exc)))
hpilo.IloCommunicationError: Cannot establish ssl session with ilo2.local.dns:443: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)
```