ipmitool Error: SSL Certificate Cannot Be Verified (29395917, 29480162)

When using ipmitool to remotely access a service processor over the network, you might receive the following error if you do not specify a supported ipmitool interface. For example:

# ipmitool -U root -H 192.0.2.16 -P password1 power status

Host '192.0.2.16' SSL certificate cannot be verified

issuer= /C=US/ST=California/L=Redwood Shores/O=Oracle America, Inc/OU=Oracle Integrated Lights Out Manager/CN=ORACLESP-1603NM107W

SHA256 fingerprint:
4e:ae:97:e3:c5:84:3f:ce:4f:4a:26:0a:3e:a5:ba:73:b9:bc:87:2d:c8:43:87:26:d6:28:78:87:fa:62:eb:0c

Unable to connect with 192.0.2.16

In Oracle Hardware Management Pack for Solaris 11.4, ipmitool uses TLS encryption with SSL certificate checking by default. When remotely accessing a service processor over the network, you should always use the most secure interface. The orcltls interface (the default) is the most secure interface to use and requires that an SSL certificate obtained from the target service processor be configured on the host. Configuring a certificate on the host is described in the "Service Processor Access" section in the for the fwupdate, ilomconfig and ubiosconfig commands.
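Before configuring a certificate on the host, the fingerprint printed in the error can be compared with a value recorded out of band for that service processor. The following Python sketch is an added example, not part of Oracle Hardware Management Pack; the function names and the pinned inventory are hypothetical, and the sample text is constructed from the error above with its long lines wrapped to exercise the parser.

```python
import hashlib
import re
import ssl

# Constructed sample: the error text from this page, with long lines wrapped.
SAMPLE_ERROR = """Host '192.0.2.16' SSL certificate cannot be verified

issuer= /C=US/ST=California/L=Redwood Shores/O=Oracle America,
Inc/OU=Oracle Integrated Lights Out Manager/CN=ORACLESP-1603NM107W

SHA256 fingerprint:
4e:ae:97:e3:c5:84:3f:ce:4f:4a:26:0a:3e:a5:ba:73:b9:bc:87:2d:c8:43:87:26:d6:28:
78:87:fa:62:eb:0c

Unable to connect with 192.0.2.16
"""

def normalize(fp):
    """Strip colons, whitespace and case so differently printed values compare equal."""
    digits = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return digits

def parse_cert_error(text):
    """Extract host, issuer and fingerprint from the verification error."""
    host = re.search(r"Host '([^']+)' SSL certificate cannot be verified", text)
    issuer = re.search(r"issuer=\s*(.+?)\n\s*\n", text, re.S)
    fp = re.search(r"SHA256 fingerprint:\s*((?:[0-9a-fA-F]{2}[:\s]*){32})", text)
    if not (host and fp):
        raise ValueError("not an SSL certificate verification error")
    return {"host": host.group(1),
            "issuer": " ".join(issuer.group(1).split()) if issuer else None,
            "fingerprint": normalize(fp.group(1))}

def cert_fingerprint(pem):
    """SHA-256 over the DER encoding of a PEM certificate exported from the SP."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def triage(text, pinned):
    """pinned maps host -> fingerprint recorded out of band (hypothetical inventory)."""
    info = parse_cert_error(text)
    expected = pinned.get(info["host"])
    if expected is None:
        return "unknown-host"   # nothing to compare against: verify before trusting
    if normalize(expected) == info["fingerprint"]:
        return "match"          # presented certificate is the one recorded for this SP
    return "mismatch"           # a different certificate was presented: investigate

if __name__ == "__main__":
    print(parse_cert_error(SAMPLE_ERROR))
```

A "mismatch" or "unknown-host" result is a reason to check the service processor directly rather than to retry with certificate checking disabled.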

Note:

Oracle recommends using SSL public key infrastructure on your network. Note that a --no-cert-check option is available for use with the ipmitool -I orcltls interface to bypass certificate validation in a safe network environment. However, use of this option makes the TLS connections vulnerable to man-in-the-middle attacks.

Certificate validation is not performed when using ipmitool with the lan or lanplus interfaces. However, unless you have a safe network environment, use of these interfaces leaves connections vulnerable to man-in-the-middle attacks.

For additional information on using ipmitool, refer to the man page.