VincentHermes opened a new issue #4199:
URL: https://github.com/apache/cloudstack/issues/4199


   #### ISSUE TYPE
    * Other / HTTPS
   
   #### COMPONENT NAME
    * Webserver
   
   #### CLOUDSTACK VERSION
    * 4.14
   
   #### CONFIGURATION
    * server.properties:
   ```properties
   https.enable=true
   https.port=8443
   https.keystore=/etc/cloudstack/management/thecurrentkeystore.pkcs12
   https.keystore.password=currentkeystorepassword
   ```
   
    * Firewall disabled
   
   
   
   #### OS / ENVIRONMENT
    * CentOS7
    * MGMT Server on VMWare
    * Cloudstack 4.14
    * Java 11
    * OpenSSL 1.0.2k-fips
   
   
   #### SUMMARY
    We are not able to access the 4.14 Webserver over HTTPS after upgrading from a functioning 4.13. The Webserver seems to not send anything back. If we curl the HTTPS port it just loads infinitely:
   ```
   # curl -v https://localhost:8443/client
   * About to connect() to localhost port 8443 (#0)
   *   Trying ::1...
   * Connected to localhost (::1) port 8443 (#0)
   * Initializing NSS with certpath: sql:/etc/pki/nssdb
   *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
     CApath: none
   ....(waits)
   ```
   
   Previous investigations regarding networking etc. can be seen here:
   
https://lists.apache.org/thread.html/r50fa6f94dae308a598eb2eeb738f4325e29814d8da83de8558bccfb2%40%3Cusers.cloudstack.apache.org%3E
   
   _Using a self-signed certificate actually works; only when using an adequate certificate (wildcard in our case) does it stop functioning._
   
   
   
   #### Commands used:
   _Combine Files_
   `cat key.key servercert.crt intermediate.crt root.crt > combined.crt`
   
   _Create Keystore_
   `openssl pkcs12 -in combined.crt -export -out combined.pkcs12`
   
   _Import Keystore_
   `keytool -importkeystore -srckeystore combined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/combined.pkcs12 -deststoretype pkcs12`
   
   _Then change `https.keystore=` and `https.keystore.password=` accordingly and restart cloudstack-management._
   
   
   
   #### Logs found:
   ```
   2020-06-29 12:01:02,052 INFO  [o.e.j.s.h.ContextHandler] (main:null) (logid:) Started o.e.j.w.WebAppContext@311bf055{/client,file:///usr/share/cloudstack-management/webapp/,AVAILABLE}{/usr/share/cloudstack-management/webapp}
   2020-06-29 12:01:02,053 INFO  [o.e.j.s.h.ContextHandler] (main:null) (logid:) Started o.e.j.s.h.MovedContextHandler@451001e5{/,null,AVAILABLE}
   2020-06-29 12:01:02,076 INFO  [o.e.j.s.AbstractConnector] (main:null) (logid:) Started ServerConnector@6f46426d{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
   2020-06-29 12:01:02,090 INFO  [o.e.j.u.s.SslContextFactory] (main:null) (logid:) x509=X509@25c6abfa(1,h=[our actual domain name],w=[our domain name again]) for SslContextFactory@4991c0f7[provider=null,keyStore=file:///etc/cloudstack/management/combined.pkcs12,trustStore=null]
   ```
   
   
   
   #### Things tried:
   
   * Tested Firefox, Chrome, Edge, IE
   * Cache cleared / Private Mode
   * Multiple Client Systems
   * Numerous combinations of key-cert-intermediate-root when generating the pkcs12
   * Keystore only with key and server certificate without any CAs
   * Different certificate vendors (2 different wildcard certificates, Sectigo and Digicert/RapidSSL)
   * Generated certificate via internal domain's Certificate Authority
   * Checked all certificate combinations via certutil in Windows PowerShell
   * Changed keystore password to minimal ones without special characters (e.g. 123456)
   * Changed the `https.port` to any other port in `server.properties`
   * Switched back to java-1.8.0 - of course management server failed to start
   * Uploaded certificate chain via 8080 Web GUI - found a working combination of cert-intermediate-root by opening the console proxy in a separate window and checking certificate validity
   * Definitely working combination (for Firefox) gets the same outcome when being used as pkcs12
   * Updating to a newer OpenSSL version fails because it's the newest for CentOS7
   * Just in case it has an impact - commented out `jdk.tls.disabledAlgorithms` in `java.security.ciphers`
   
   #### Further Investigations:
   * If we change the keystore password to nonsense, it makes no difference
   * If we change the keystore name or path to nonsense, it almost instantly says that the website is unreachable and does not load infinitely, and curl says Connection Refused
   * Fresh install shows the same behaviour
   
   
   
   
   
   #### STEPS TO REPRODUCE
   * Install Cloudstack 4.14 on CentOS7 (No need to configure Infrastructure)
   * Create Keystore and configure HTTPS
   * Try to get https://mymgmtserver.mydomain.de:8443/client to respond
   
   
   #### EXPECTED RESULTS
   * A response from 8443 as it has been before the upgrade, or at least an SSL error regarding a wrong certificate
   
   #### ACTUAL RESULTS
   * Webserver not responding / loading forever no matter what certificate is used
   * Actually it isn't really "not responding", as it is in fact trying to communicate but nothing happens
   
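A self-check for the keystore-building procedure in the report, added here as an example and not taken from the issue or from CloudStack itself: it generates a constructed root -> intermediate -> server chain for the assumed host cs.example.test, packs it with the same `openssl pkcs12 -export` step the report uses, and then verifies what a Jetty `SslContextFactory` would find in the store (the private key matches the leaf, all three certificates are present, and the leaf chains to the CAs in the store). The keystore password is an assumed value taken from `KEYSTORE_PASS`.

```shell
#!/bin/sh
# Added example: build a throwaway chain, pack it like the report does,
# then check the resulting PKCS#12 before pointing https.keystore at it.
set -eu
PASS="${KEYSTORE_PASS:-changeit}"   # assumed keystore password for the demo

# make_chain DIR: constructed self-signed root, intermediate and leaf (not real CAs)
make_chain() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Demo Root" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" \
    -out "$d/intermediate.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/intermediate.crt" -days 2 -extfile "$d/ca.ext" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/key.key" -out "$d/server.csr" \
    -subj "/CN=cs.example.test" 2>/dev/null
  printf 'subjectAltName=DNS:cs.example.test\nextendedKeyUsage=serverAuth\n' > "$d/srv.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -out "$d/servercert.crt" -days 2 -extfile "$d/srv.ext" 2>/dev/null
}

# build_keystore DIR: the report's "combine files" and "create keystore" steps
build_keystore() {
  d="$1"
  cat "$d/key.key" "$d/servercert.crt" "$d/intermediate.crt" "$d/root.crt" > "$d/combined.crt"
  openssl pkcs12 -in "$d/combined.crt" -export -out "$d/combined.pkcs12" -passout "pass:$PASS"
}

# check_keystore DIR: returns 0 only if the store is usable as a server keystore
check_keystore() {
  d="$1"; p="$d/combined.pkcs12"
  # 1. the private key must belong to the server (leaf) certificate
  openssl pkcs12 -in "$p" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout -outform PEM > "$d/key.pub"
  openssl pkcs12 -in "$p" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -pubkey -noout > "$d/cert.pub"
  [ "$(cat "$d/key.pub")" = "$(cat "$d/cert.pub")" ] || return 1
  # 2. leaf, intermediate and root must all have made it into the PKCS#12
  n=$(openssl pkcs12 -in "$p" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERT')
  [ "$n" -eq 3 ] || return 2
  # 3. the leaf must verify against the CA certificates stored beside it
  openssl pkcs12 -in "$p" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null > "$d/cas.pem"
  openssl pkcs12 -in "$p" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null > "$d/leaf.pem"
  openssl verify -CAfile "$d/cas.pem" "$d/leaf.pem" >/dev/null 2>&1 || return 3
}
```

Run `make_chain`, `build_keystore` and `check_keystore` on one directory; a non-zero return from the check tells you which of the three conditions a real key/cert bundle fails before CloudStack is restarted against it.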

