weizhouapache commented on PR #7728: URL: https://github.com/apache/cloudstack/pull/7728#issuecomment-1758315842
> Sure, @weizhouapache
> As informed in this PR's description, here are the tests and results:
>
> With `ca.plugin.root.auth.strictness` turned on and `management.network.cidr` configured to the MGMT network, I changed the default network in one of my env's MS and restarted ACS.
> Without this PR's changes, handshake errors between MSs started to show in the logs.
> ```
> 2023-07-06 14:23:48,647 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-75-thread-1:null) (logid:) A client/agent attempting connection from address=192.168.201.151 has presented these certificate(s):
> Certificate [1] :
> Serial: ea4d6d28ad1c0362
> Not Before:Thu Jul 06 02:22:13 UTC 2023
> Not After:Sat Jun 28 14:22:13 UTC 2053
> Signature Algorithm:SHA256withRSA
> Version:3
> Subject DN:CN=cloudstack-lab-management-2
> Issuer DN:CN=ca.cloudstack.apache.org
> Alternative Names:[[7, 172.16.200.151], [7, fe80:0:0:0:c05d:54ff:feca:1b42], [2, cloudstack-lab-management-2]]
> Certificate [2] :
> Serial: def004b8c96b8a99
> Not Before:Fri Oct 08 05:25:17 UTC 2021
> Not After:Sun Oct 01 17:25:17 UTC 2051
> Signature Algorithm:SHA256withRSA
> Version:3
> Subject DN:CN=ca.cloudstack.apache.org
> Issuer DN:CN=ca.cloudstack.apache.org
> Alternative Names:null
> 2023-07-06 14:23:48,655 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-75-thread-1:null) (logid:) Certificate ownership verification failed for client: 192.168.201.151
> 2023-07-06 14:23:48,657 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-3:null) (logid:) SSL error caught during wrap data: Certificate ownership verification failed for client: 192.168.201.151, for local address=/192.168.201.150:8250, remote address=/192.168.201.151:58284.
> ```
> With this PR's changes, the communication between MSs returned to normal.
> ```
> 2023-07-06 14:34:30,180 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-40-thread-1:null) (logid:) A client/agent attempting connection from address=192.168.201.151 has presented these certificate(s):
> Certificate [1] :
> Serial: d41eb113b05c84da
> Not Before:Thu Jul 06 02:34:06 UTC 2023
> Not After:Sat Jun 28 14:34:06 UTC 2053
> Signature Algorithm:SHA256withRSA
> Version:3
> Subject DN:CN=cloudstack-lab-management-2
> Issuer DN:CN=ca.cloudstack.apache.org
> Alternative Names:[[7, 172.16.200.151], [7, fe80:0:0:0:c05d:54ff:feca:1b42], [7, 192.168.201.151], [2, cloudstack-lab-management-2]]
> Certificate [2] :
> Serial: def004b8c96b8a99
> Not Before:Fri Oct 08 05:25:17 UTC 2021
> Not After:Sun Oct 01 17:25:17 UTC 2051
> Signature Algorithm:SHA256withRSA
> Version:3
> Subject DN:CN=ca.cloudstack.apache.org
> Issuer DN:CN=ca.cloudstack.apache.org
> Alternative Names:null
> 2023-07-06 14:34:30,196 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-40-thread-1:null) (logid:) Client/agent connection from ip=192.168.201.151 has been validated and trusted.
> ```

Thanks @JoaoJandre
Looks very good
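The ownership check the two quoted log excerpts illustrate, as an added example rather than CloudStack's own code: it replays trimmed copies of the "before" and "after" RootCACustomTrustManager lines, parses the Java-rendered SAN list (`[type, value]` pairs, type 7 = IP, type 2 = DNS), and applies the assumed rule that the connecting address must appear among the leaf certificate's IP SANs, which is why the first run is rejected and the second trusted. The function names and the reading of the rule are assumptions; the log strings are constructed from the comment above.

```python
import ipaddress
import re

# Constructed from the two RootCACustomTrustManager excerpts in the comment, trimmed to
# the lines this check reads. The "before" leaf cert lacks the 192.168.201.151 SAN.
LOG_BEFORE = """\
2023-07-06 14:23:48,647 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-75-thread-1:null) (logid:) A client/agent attempting connection from address=192.168.201.151 has presented these certificate(s):
Certificate [1] :
Alternative Names:[[7, 172.16.200.151], [7, fe80:0:0:0:c05d:54ff:feca:1b42], [2, cloudstack-lab-management-2]]
Certificate [2] :
Alternative Names:null
2023-07-06 14:23:48,655 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-75-thread-1:null) (logid:) Certificate ownership verification failed for client: 192.168.201.151
"""
LOG_AFTER = """\
2023-07-06 14:34:30,180 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-40-thread-1:null) (logid:) A client/agent attempting connection from address=192.168.201.151 has presented these certificate(s):
Certificate [1] :
Alternative Names:[[7, 172.16.200.151], [7, fe80:0:0:0:c05d:54ff:feca:1b42], [7, 192.168.201.151], [2, cloudstack-lab-management-2]]
Certificate [2] :
Alternative Names:null
"""

PEER_RE = re.compile(r"connection from address=(\S+) has presented")
SAN_RE = re.compile(r"^Alternative Names:(.*)$", re.MULTILINE)
ENTRY_RE = re.compile(r"\[(\d+), ([^\]]+)\]")  # Java prints each SAN as [type, value]
FAILED_RE = re.compile(r"ownership verification failed for client: (\S+)")


def parse_san(rendered: str) -> list[tuple[int, str]]:
    """'[[7, 1.2.3.4], [2, host]]' -> [(7, '1.2.3.4'), (2, 'host')]; 'null' -> []."""
    if rendered.strip() == "null":
        return []
    return [(int(kind), value) for kind, value in ENTRY_RE.findall(rendered)]


def verify_ownership(log: str) -> tuple[str, bool]:
    """Assumed reading of the trust manager's rule: the connecting IP must equal a
    type-7 (IP) SAN entry of the leaf certificate, i.e. the first 'Alternative
    Names' line printed (Certificate [1]); the CA cert's 'null' SAN is ignored."""
    peer = ipaddress.ip_address(PEER_RE.search(log).group(1))
    leaf = SAN_RE.search(log)
    san_ips = {ipaddress.ip_address(v) for kind, v in parse_san(leaf.group(1)) if kind == 7}
    return str(peer), peer in san_ips


def failed_peers(log: str) -> list[str]:
    """Detection helper: addresses whose handshake the trust manager rejected."""
    return FAILED_RE.findall(log)


if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(name, verify_ownership(log), failed_peers(log))
```

Run against a real management-server log, `failed_peers` is the line to alert on when a new management-network address is introduced without a reissued certificate.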