JoaoJandre commented on PR #7728:
URL: https://github.com/apache/cloudstack/pull/7728#issuecomment-1758014842
Sure, @weizhouapache
As informed in this PR's description, here are the tests and results:
With `ca.plugin.root.auth.strictness` turned on and
`management.network.cidr` configured to the MGMT network, I changed the default
network in one of my env's MS and restarted ACS.
Without this PR's changes, handshake errors between MSs started to show in
the logs.
```
2023-07-06 14:23:48,647 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
(pool-75-thread-1:null) (logid:) A client/agent attempting connection from
address=192.168.201.151 has presented these certificate(s):
Certificate [1] :
Serial: ea4d6d28ad1c0362
Not Before:Thu Jul 06 02:22:13 UTC 2023
Not After:Sat Jun 28 14:22:13 UTC 2053
Signature Algorithm:SHA256withRSA
Version:3
Subject DN:CN=cloudstack-lab-management-2
Issuer DN:CN=ca.cloudstack.apache.org
Alternative Names:[[7, 172.16.200.151], [7,
fe80:0:0:0:c05d:54ff:feca:1b42], [2, cloudstack-lab-management-2]]
Certificate [2] :
Serial: def004b8c96b8a99
Not Before:Fri Oct 08 05:25:17 UTC 2021
Not After:Sun Oct 01 17:25:17 UTC 2051
Signature Algorithm:SHA256withRSA
Version:3
Subject DN:CN=ca.cloudstack.apache.org
Issuer DN:CN=ca.cloudstack.apache.org
Alternative Names:null
2023-07-06 14:23:48,655 ERROR [o.a.c.c.p.RootCACustomTrustManager]
(pool-75-thread-1:null) (logid:) Certificate ownership verification failed for
client: 192.168.201.151
2023-07-06 14:23:48,657 ERROR [c.c.u.n.Link]
(AgentManager-SSLHandshakeHandler-3:null) (logid:) SSL error caught during wrap
data: Certificate ownership verification failed for client: 192.168.201.151,
for local address=/192.168.201.150:8250, remote address=/192.168.201.151:58284.
```
With this PR's changes, the communication between MSs returned to normal.
```
2023-07-06 14:34:30,180 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
(pool-40-thread-1:null) (logid:) A client/agent attempting connection from
address=192.168.201.151 has presented these certificate(s):
Certificate [1] :
Serial: d41eb113b05c84da
Not Before:Thu Jul 06 02:34:06 UTC 2023
Not After:Sat Jun 28 14:34:06 UTC 2053
Signature Algorithm:SHA256withRSA
Version:3
Subject DN:CN=cloudstack-lab-management-2
Issuer DN:CN=ca.cloudstack.apache.org
Alternative Names:[[7, 172.16.200.151], [7,
fe80:0:0:0:c05d:54ff:feca:1b42], [7, 192.168.201.151], [2,
cloudstack-lab-management-2]]
Certificate [2] :
Serial: def004b8c96b8a99
Not Before:Fri Oct 08 05:25:17 UTC 2021
Not After:Sun Oct 01 17:25:17 UTC 2051
Signature Algorithm:SHA256withRSA
Version:3
Subject DN:CN=ca.cloudstack.apache.org
Issuer DN:CN=ca.cloudstack.apache.org
Alternative Names:null
2023-07-06 14:34:30,196 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
(pool-40-thread-1:null) (logid:) Client/agent connection from
ip=192.168.201.151 has been validated and trusted.
```
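Added example, not part of JoaoJandre's comment or the CloudStack code base: a Python triage helper that reads a `RootCACustomTrustManager` certificate dump like the ones above and reports whether the connecting address appears among the leaf certificate's IP SANs. It assumes the ownership check compares the client address with those SANs, which is what the two logs are consistent with; `check_ownership` and the trimmed sample logs are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: trimmed copy of the failing handshake log above, mail wrapping kept.
FAILED_LOG = """\
(pool-75-thread-1:null) (logid:) A client/agent attempting connection from
address=192.168.201.151 has presented these certificate(s):
Certificate [1] :
Alternative Names:[[7, 172.16.200.151], [7,
fe80:0:0:0:c05d:54ff:feca:1b42], [2, cloudstack-lab-management-2]]
Certificate [2] :
Alternative Names:null
"""
# Constructed sample: the same entry carrying the SAN list from the passing log.
PASSED_LOG = FAILED_LOG.replace("[2, cloud", "[7, 192.168.201.151], [2, cloud")

IP_ADDRESS = 7  # GeneralName type tag for iPAddress; 2 is dNSName


def check_ownership(log_text):
    """Return the client address, the leaf certificate's IP SANs, and whether they match."""
    flat = " ".join(log_text.split())  # undo hard line wrapping
    client = re.search(r"connection from address=(\S+)", flat)
    leaf = re.search(r"Certificate \[1\] :.*?Alternative Names:\s*(\[\[.*?\]\]|null)", flat)
    if not client or not leaf:
        raise ValueError("not a RootCACustomTrustManager certificate dump")
    # "null" yields no entries, so a certificate without SANs is never covered.
    sans = re.findall(r"\[(\d+), ([^\[\]]+)\]", leaf.group(1))
    ip_sans = {ipaddress.ip_address(v.strip()) for t, v in sans if int(t) == IP_ADDRESS}
    addr = ipaddress.ip_address(client.group(1))
    return {"client": str(addr), "ip_sans": sorted(map(str, ip_sans)), "covered": addr in ip_sans}


if __name__ == "__main__":
    for name, log in (("without PR", FAILED_LOG), ("with PR", PASSED_LOG)):
        r = check_ownership(log)
        verdict = "listed in" if r["covered"] else "MISSING from"
        print(f"{name}: client {r['client']} is {verdict} IP SANs {r['ip_sans']}")
```

Addresses are compared as parsed `ipaddress` objects, so an IPv6 SAN logged in expanded form still matches a client address logged in compressed form.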