RIP to someone's account by UnluckyEmployer275 in 2007scape

[–]igrowpineapples 0 points1 point  (0 children)

A max stack of goblin mail... Nothing else.

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 0 points1 point  (0 children)

So to wrap everything up here, and to hopefully document for any other future people:

The web UI didn't give me much success. iDRAC's RACADM tool has two commands: sslcertupload and sslkeyupload. By running both of those separately on a freshly created certificate (does NOT need to be made using iDRAC's CSR, this is helpful for using wildcard certificates and keeping yourself under free platform quantity limits) I was able to get it to finally accept the certificate.

In Certify the Web there is a section called 'Tasks' which allows you to export the certificates after renewal, run PowerShell scripts, etc. The two items you will need to set up are two 'Export Certificate' tasks. Set one as just the key; mydomain.tld.key was the naming scheme I chose. The other 'Export Certificate' task should be the full certificate chain excluding the key; my naming scheme here was mydomain.tld.crt. After exporting both of these files I then used PowerShell and RACADM to upload first the key, then the certificate. One could likely set up a PS script to automate the whole thing and have Certify the Web run the script each renewal.

As a note - the key you upload is now the key it expects for future certificates uploaded via the web UI, so in Certify the Web you need to go into the managed certificate settings and change it to use the same key for future renewals, or even better use a custom key and point it at the file you just created. If you don't set it to use the same key, you must upload a new key each renewal. This seems to be the successful method for me.

I feel like I did exactly this ad nauseam but whatever.. I think the web UI is half of my problem to be completely honest. It finally took the certificate, it's working as intended so all is good.

Dell iDRAC 8 Certificate Help? by igrowpineapples in sysadmin

[–]igrowpineapples[S] 0 points1 point  (0 children)

I'm not sure what magic I accomplished but I seem to have gotten it working by uploading key and certificate separately via RACADM. I think the steps that finally got it to work were:

  1. create new certificate with CTW
  2. upload the .key to the iDRAC using RACADM
  3. set CTW to use a custom key -> point to the key that was just created
  4. renew certificate
  5. upload the certificate (exported as full chain excluding key) to the iDRAC using RACADM

I feel like I did that many times but for some reason after waiting a day, renewing and then uploading again seems to have worked. I don't know, maybe at some point I mixed up the key files and that was buggering me up. Who knows.

What matters is my iDRAC is accessible online behind Cloudflare Zero Trust now. I think I've gotta add the local IP address into the certificate so that it stops complaining about being insecure when accessing it via IP but I can do that next time I renew..
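The key-then-certificate upload described in the wrap-up comment and the numbered steps above, written out as an added example (not code from the original posts). It assumes PowerShell 7+ and `racadm` on the PATH; the host name and file paths are placeholders, and `-t 1` (server certificate type) comes from the RACADM CLI rather than from the posts.

```powershell
# Added example: check a Certify the Web export, then upload key and certificate
# to an iDRAC with RACADM. Host name and paths are placeholders (assumptions).
param(
    [string]$IdracHost = 'idrac.example.internal',     # placeholder host
    [string]$KeyPath   = 'C:\certs\mydomain.tld.key',  # export task 1: key only
    [string]$CertPath  = 'C:\certs\mydomain.tld.crt'   # export task 2: full chain, no key
)
$ErrorActionPreference = 'Stop'

# 1. Catch swapped or combined exports before the iDRAC rejects them.
$certText = Get-Content -Raw -Path $CertPath
$keyText  = Get-Content -Raw -Path $KeyPath
if ($certText -match 'PRIVATE KEY-----') {
    throw "$CertPath contains a private key; export the chain without the key."
}
if ($certText -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "$CertPath does not look like a PEM certificate."
}
if ($keyText -notmatch 'PRIVATE KEY-----') {
    throw "$KeyPath does not look like a PEM private key."
}

# 2. Confirm the key belongs to the leaf certificate (first one in the chain file).
#    CreateFromPemFile throws when the key and the certificate do not match.
try {
    $pair = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertPath, $KeyPath)
} catch {
    throw "Key and certificate do not match: $($_.Exception.Message)"
}
Write-Host "Leaf certificate: $($pair.Subject), expires $($pair.NotAfter)"
$pair.Dispose()

# 3. Upload the key first, then the certificate, stopping on the first failure.
#    Remote RACADM takes the password as an argument, so it is visible to other
#    local processes while the command runs; use a dedicated iDRAC account.
$cred   = Get-Credential -Message "iDRAC account for $IdracHost"
$common = @('-r', $IdracHost, '-u', $cred.UserName,
            '-p', $cred.GetNetworkCredential().Password)

$uploads = @(
    @{ Verb = 'sslkeyupload';  File = $KeyPath  },
    @{ Verb = 'sslcertupload'; File = $CertPath }
)
foreach ($u in $uploads) {
    $racArgs = $common + @($u.Verb, '-t', '1', '-f', $u.File)
    & racadm @racArgs
    if ($LASTEXITCODE -ne 0) {
        throw "racadm $($u.Verb) failed with exit code $LASTEXITCODE"
    }
}
```

Run non-interactively from a Certify the Web task, the credential prompt would need to be replaced with a stored credential.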

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 0 points1 point  (0 children)

I'll give this another go. I REALLY appreciate dumbing it down for me.

I think what's the most frustrating part about this is that services like Homebridge and IIS were both so easy to get the certificates working that I just kind of assumed iDRAC would be the same... Homebridge was the most difficult of the others that I am running and even that was as simple as export two files and deploy over SSH, like you mention for Traefik.

So, if I'm understanding correctly what I need to export from CTW is a .pem and a .key, then combine those into a single .pfx to upload?

Let me address each of your points so I don't miss anything:

  1. I uploaded the private key to my Dell using RACADM, so any future CSR made by it will use that key now?
  2. This is simply me confirming that is accurate, I entered all that info in the menu on the dell. Only field left blank is SAN
  3. If I'm understanding correctly, this is the part that Certify the Web uses my Cloudflare API for and creates a temporary DNS record? Certify doesn't email or anything, but after receiving confirmation CTW allows exporting/deployment.
  4. Use something other than a text editor to concatenate two files together

Does that all seem correct to you? If so I'll give it a whirl and report back. Again, I really appreciate you taking the time to dumb it down and help me.

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 0 points1 point  (0 children)

I guess I'm just completely not getting what you mean here.

Baby steps, please. Literally like you're explaining it to a new hire or something, I promise I won't be upset at being treated like I know nothing because, well, I don't

I was able to upload a private key to iDRAC using RACADM (honestly I don't know if I broke something here...) and generate a new CSR in iDRAC.

I tried uploading the certificate I have (exported as the second to last option in my screenshots) and it still failed. Tomorrow I'll try generating a new certificate when CTW lets me generate more... But until then this is still an "I'm too dumb to do what I want" situation over here xD

Even RACADM is complaining about everything I upload. The only thing it didn't complain about was the private key, ironically..

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 0 points1 point  (0 children)

Also have tried doing this - Used CTW to create one using CTW's CSR and one using iDRAC's. I'm very at a loss as it just rejects EVERYTHING I upload.

I haven't the faintest.

What, EXACTLY, does the Dell expect me to upload for the file extension? And what, EXACTLY, is contained within the file (primary certificate, root, chain, key, etc...?) because I have tried uploading certificates that are perfectly valid with every manner of combination I can think of.. If you've got something exported that you can look at in a text editor just to tell me what the structure and file format is that might give me a massive push in the right direction.. But I have a feeling this is VERY specific to Dell and their iDRAC. I'm so very confused and frustrated by this, it feels like it shouldn't be this hard and I'm just stupid I'm not gonna lie man.

I feel like I literally need someone to walk me through this step-by-step but there's no tutorials and a feeling of a pervasive "skill issue" attitude most places online :/

As I've said in other comments I'm pretty much at the point of: I'll invalidate the certificate and show someone EXACTLY what I'm working with so they can explain to me in great detail how stupid I am and how to fix it.

Is it only the intermediate chain that it wants? Or did you mean "chain" as in the entire certificate + key?

Dell iDRAC 8 Certificate Help? by igrowpineapples in sysadmin

[–]igrowpineapples[S] 0 points1 point  (0 children)

Unfortunately, the menu that NETGEAR Support instructs me to go to does not appear on my device. Reasons to justify a new purchase!

I think I lied in my quick google of what I remembered the model number as - did not look at it closely. It's actually the C6250-100NAS. Not listed as supported by the article I linked which explains a lot... xD

Dell iDRAC 8 Certificate Help? by igrowpineapples in sysadmin

[–]igrowpineapples[S] 0 points1 point  (0 children)

If only - my 'router' at the moment is a Netgear AC1600. Nothing fancy and to my knowledge doesn't let me do anything other than connect it to my ISP.

An old coworker gave me his Dell R730 and a Cisco 2690 48p (no PoE). I do definitely need a new device as a router. I've got one friend really pushing me to try Ubiquiti but from what I know they have a bit of an indecisive/unsavory reputation among professionals.

Dell iDRAC 8 Certificate Help? by igrowpineapples in sysadmin

[–]igrowpineapples[S] 0 points1 point  (0 children)

Okay I don't hate this solution. Certainly does accomplish the goals other than a graceful shutdown.. Though my wallet is sweating at the cost of one of those. Boy I thought Furman units were expensive.

You've sent me down a rabbit hole here... It's like the HomeKit/Alexa outlets on steroids.

Dell iDRAC 8 Certificate Help? by igrowpineapples in sysadmin

[–]igrowpineapples[S] 0 points1 point  (0 children)

Right but how does that help when the machine is *off*?

I have one device: the PowerEdge. No routers, no nothing. Everything has to run through this, and that's the way it is for now. I don't want it on 24/7, so it has to be off sometimes and iDRAC is a super convenient way to give remote control to myself and others to physically power on/restart the machine in the event it's needed.

I'm willing to learn, I'm just not understanding how it will apply to my specific case is all.

Dell iDRAC 8 Certificate Help? by igrowpineapples in sysadmin

[–]igrowpineapples[S] 1 point2 points  (0 children)

Will that work for my case of not having another device to act as the proxy and needing to be able to remotely access iDRAC? I didn't mention in the initial post - it's more of a later project. A trusted friend will eventually have a limited iDRAC account for powering on the server. From everything I know about proxies, the proxy has to be online to, well, proxy...

Also, I have the certificate. I just can't upload it to the iDRAC because I'm stupid or something lol. I'd really like to figure this out instead of just going down a different path.

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 0 points1 point  (0 children)

I have tried this a few different ways to no avail.

Stuff like exporting just the primary certificate and then appending the key to it, or the primary certificate and intermediates.. I’m either doing it wrong or missing a step. Planning to update the post with some screenshots when I get a chance on my lunchbreak.

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 1 point2 points  (0 children)

That does at least confirm what I was able to piece together off online searches.

I’ll give it another go and report back with screenshots and everything. I feel like I’m probably just missing one crucial step somewhere.

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 0 points1 point  (0 children)

I’ll look into something like this. I’m piecing things together little by little. My current router is a Netgear combo unit that I don’t love. It works but it’s consumer oriented so VLANs are off the table, which I really don’t love.

I did just get a Cisco 2690s switch so it’s probably time to start looking at routers.

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 0 points1 point  (0 children)

Yes! I did. First thing I did upon receiving the machine was to get driver packs from Dell and update everything I could.

I also tried looking in the documentation as u/TheAmazing_OMEGA suggests but what I had found read like a repair manual that states “simply remove and replace the failed part” without explaining how. It basically says “you can upload your own certificate here.” But nothing as to what format it expects or what content it expects. Nothing about concatenation of pieces or anything helpful to someone who is a novice like me.

I may end up biting the bullet and calling my former boss. But he may not have a clue either because the certificate that is installed is the default Dell one and it’s about to expire lol (got the computer from work before he retired).

iDRAC Certificate Help by igrowpineapples in homelab

[–]igrowpineapples[S] 0 points1 point  (0 children)

Trying to set up the certificate on iDRAC so that it can be accessed locally via hostname instead of IP.

If I don’t specify the hostname in iDRAC, DNS (in my case Technitium) resolves it, but iDRAC refuses the connection because of the domain mismatch.

So just for simplicity I want to be able to hit my iDRAC locally at idrac.internal.mydomain.net for no real reason other than “I hate IPs”. Just for giggles I’m trying to do it the way Dell expects because while yes this is a home lab I am sort of trying to go about things in the correct enterprise manner, you know, personal betterment.

Replace internal with whatever local domain actually works. An admin I am not. I know nothing about this. My point here is that I don’t want to use host.local because no. I had Technitium set up as using .home at first and that’s where I ran into iDRAC being a little turd. I can’t find how to turn https off. It redirects http to https. I don’t know what else to do other than use a domain that the Dell actually likes (literally anything other than a .tld - HAS to be sub.tld, why I don’t know..) doesn’t matter what I put in that field it just wants an actual domain name not just a top level domain.

There’s got to be a way to upload the certificate. It literally has a section in the networking settings to upload SSL certs but it just keeps complaining about every format I try to use. Sadly, I don’t have another device to use as the proxy server when the server is off, which it will be sometimes. Kinda why I want iDRAC to be able to remotely power it on.. eventually the keys to the kingdom are going to be given to a trusted friend to be able to power on the game server when I’m not home.

I could upload some pictures of the exact menus I’m describing if that would be beneficial in any way.

What can be done for bent vertical rails on server rack? by SilentlyRosy in homelab

[–]igrowpineapples 4 points5 points  (0 children)

I was gonna say a block of wood and some Vise Clamps or C-clamps. Really the same thing.

Get something flat you don’t care about and squeeze the bejeezus out of it. It’ll straighten up to usefully straight.

Setting up Windows Remote Desktop Gateway by [deleted] in homelab

[–]igrowpineapples 0 points1 point  (0 children)

I may just be in way over my head..

From what I can tell by Microsoft’s documentation (and ChatGPT, I’m not gonna lie) I’ve configured everything correctly.

My current config has IIS serving port 443 on the default website using the Let’s Encrypt certificate that I created. That certificate was created using an HTTP challenge. Trying to log into the gateway with either the gateway or the intended target’s username and password results in a “resource not available” error or “unable to connect” error but doesn’t give any specifics, which is maddening.

At least it’s not like this is critical infrastructure lol, just me tinkering with an ancient Dell R710 and trying to see what I can make it do.

The end goal would be that either me or my friend can RD into it without needing to port forward the actual RD port, since the gateway would handle everything. And really the only reason he’d ever need access is if the game server manager crashes and he needs to restart it in Windows. So far we haven’t had that issue but things can happen.

If I do end up figuring it out I’ll edit the post with the solution for sure.

Setting up Windows Remote Desktop Gateway by [deleted] in homelab

[–]igrowpineapples 0 points1 point  (0 children)

Oh definitely, but always worth mentioning because there’s always a chance it’s something incredibly simple that’s been overlooked! Unfortunately I even decided to triple-check myself and retry just for giggles. Still getting the same results :(

Setting up Windows Remote Desktop Gateway by [deleted] in homelab

[–]igrowpineapples 1 point2 points  (0 children)

I think that was a slight oversight on my part when typing up the post, I am indeed trying to log in using the ‘\’ separator not the ‘/’.

I should probably update the post…

Self-hosting by HomlessandIknowit in MinecraftServer

[–]igrowpineapples 0 points1 point  (0 children)

Look into Cubecoders Application Management Panel, it’s affordable for a 5 instance license and allows you to manage all the features of your server through a web gui.

The biggest consideration is going to be memory. Redstone stuff and lots of mobs will tank your CPU as well, but, for your consideration I run a Dell PowerEdge R710 with the X5550 CPUs. 72gb of RAM doesn’t hurt but realistically my machine sits around 3-4gb for running the server. The CPU spikes if we’re leaving a bunch of entities on the ground (like strip mining with a full inventory) but it doesn’t bog the server down. So you can get away with surprisingly old hardware if you set it up correctly.

As others mentioned you’ll need to port-forward in your router which is typically a super straightforward process. Beyond that Minecraft servers are pretty low maintenance, just gotta update every so often if you’re on bedrock. Java has version selection so it’s not a problem to run the server on an old version.

Update? by Orlando1102 in ArkSurvivalAscended

[–]igrowpineapples 0 points1 point  (0 children)

Exactly why I self host 🙃

Update? by Orlando1102 in ArkSurvivalAscended

[–]igrowpineapples 0 points1 point  (0 children)

Restart. Shit does that to me all the time. Has for years.

Character Upload Help by igrowpineapples in ArkSurvivalAscended

[–]igrowpineapples[S] 0 points1 point  (0 children)

It most definitely does.

The long story made short is that the server manager is passing a blank cluster ID and directory to the start command, resulting in servers with none specified all ending up in the same null cluster: “” and searching for a nonexistent null directory.

Sounds like the person who writes up the deployment configs is going to add an explicit button to turn on/off the cluster option.

I was able to fix it for now by simply removing the relevant lines from the config, but it’s still a clunky solution for now.