Overview
On some Dell PowerEdge servers, the iDRAC web interface (HTTP/HTTPS) may return 400 Bad Request and become inaccessible. The root cause is the HostHeaderCheck security feature rejecting requests when the HTTP Host header does not match the iDRAC’s configured hostname. This guide shows a secure fix (preferred) and a temporary workaround, using racadm from the installed OS or via direct SSH to iDRAC.
If you are deploying iDRAC across Netrouting bare metal dedicated servers, use the secure method to keep your management plane hardened.
Before You Start
- Ensure you can access the host OS (or have SSH access to iDRAC).
- Confirm the intended iDRAC DNS name (e.g.,
idrac01.example.com) resolves to the iDRAC IP.
- Install
racadm on the host OS if you’ll run commands locally.
Secure Fix (Recommended): Configure the Correct Hostname
This preserves iDRAC’s header validation by setting a matching ManualDNSEntry. Replace $hostname with your iDRAC’s actual FQDN (e.g., idrac01.example.com).
Option A — racadm from the Installed OS
racadm set idrac.webserver.ManualDNSEntry $hostname # optional: restart iDRAC web to apply
Option B — SSH Directly Into iDRAC
ssh root@<idrac-ip> set idrac.webserver.ManualDNSEntry $hostname # optional: restart iDRAC web to apply
Verify
- Confirm DNS:
dig +short $hostname returns the iDRAC IP.
- Browse to
https://$hostname/. The web UI should load normally.
Temporary Workaround (Not Recommended): Disable HostHeaderCheck
Only use this to regain access quickly if you cannot fix DNS or hostname immediately. Disabling HostHeaderCheck weakens protection against certain Host header–based attacks. Re-enable it after setting the correct hostname.
Option A — racadm from the Installed OS
racadm set idrac.webserver.HostHeaderCheck 0 # optional
Option B — SSH Directly Into iDRAC
ssh root@<idrac-ip> racadm set idrac.webserver.HostHeaderCheck 1
Re-enable Later (after hostname/DNS is correct)
racadm set idrac.webserver.HostHeaderCheck 1 # or via SSH: # racadm set idrac.webserver.hostheadercheck 1 # in SSH session
Troubleshooting Tips
- DNS mismatch: Ensure the A/AAAA record for
$hostname points to the iDRAC IP used for management.
- Certificate warnings: If using HTTPS with a custom cert, update CN/SAN to include
$hostname.
- Browser cache: Clear cache or try an incognito window after changes.
- No racadm in OS: Use the SSH method directly on iDRAC.
Related Resources
Summary
If your iDRAC web UI shows 400 Bad Request, keep security intact by setting idrac.webserver.ManualDNSEntry to the correct hostname (with matching DNS). Only disable HostHeaderCheck as a temporary measure, then re-enable it once hostname/DNS is corrected. This approach maintains a hardened management plane across your Netrouting dedicated servers.
Oct 02, 2024