alexandru-bagu opened a new issue #4520:
URL: https://github.com/apache/cloudstack/issues/4520


   Setting up a test environment from master I had issues adding an xcp-ng host 
failing without any information. Turns out 
https://github.com/apache/cloudstack/blob/fb1e903532d943bc98a1a8b95d4499013234a917/plugins/hypervisors/xenserver/src/main/java/com/cloud/hypervisor/xenserver/discoverer/XcpServerDiscoverer.java#L372
 is set to output to debug any unknown errors.
   
   The stacktrace:
   ```
   ERROR [c.c.h.x.d.XcpServerDiscoverer] (qtp186780379-49:ctx-a9ff61f5 ctx-a4d8e914) (logid:2bc049f8) other exceptions: com.cloud.utils.exception.CloudRuntimeException: Unable to create master connection to host(192.168.100.11) , due to org.apache.xmlrpc.XmlRpcException: Failed to read server's response: Certificates do not conform to algorithm constraints
   com.cloud.utils.exception.CloudRuntimeException: Unable to create master connection to host(192.168.100.11) , due to org.apache.xmlrpc.XmlRpcException: Failed to read server's response: Certificates do not conform to algorithm constraints
           at com.cloud.hypervisor.xenserver.resource.XenServerConnectionPool.getConnect(XenServerConnectionPool.java:168)
           at com.cloud.hypervisor.xenserver.discoverer.XcpServerDiscoverer.find(XcpServerDiscoverer.java:215)
           at com.cloud.resource.ResourceManagerImpl.discoverHostsFull(ResourceManagerImpl.java:767)
           ...
   ```
   
   Without any debug flags on, the stacktrace looks like this:
   ```
   WARN  [c.c.r.ResourceManagerImpl] (qtp561469384-298:ctx-39d175c2 ctx-6647769a) (logid:d6ca3eee) Unable to find the server resources at http://192.168.100.11
   INFO  [c.c.u.e.CSExceptionErrorCode] (qtp561469384-298:ctx-39d175c2 ctx-6647769a) (logid:d6ca3eee) Could not find exception: com.cloud.exception.DiscoveryException in error code list for exceptions
   WARN  [o.a.c.a.c.a.h.AddHostCmd] (qtp561469384-298:ctx-39d175c2 ctx-6647769a) (logid:d6ca3eee) Exception:
   com.cloud.exception.DiscoveryException: Unable to add the host
           at com.cloud.resource.ResourceManagerImpl.discoverHostsFull(ResourceManagerImpl.java:826)
           ...
   ```
   
   Notice it says "ERROR" at the beginning. That is because I changed it to 
log.error so I could actually see the error. The obvious solution would be to 
enable DEBUG when something fails, but considering this operation is scarcely 
done, why even use debug for logging such errors? By default the DEBUG flag is 
not set and setting it is not necessarily trivial. 
   
   "Caused by: java.security.cert.CertPathValidatorException: Algorithm 
constraints check failed on keysize limits. RSA 1024bit key used with 
certificate: CN=192.168.100.11.  Usage was tls server"
   Oddly enough on Windows with AdoptOpenJDK build I did not get any errors, so 
I assume some jdk builds have different constraints for certificates. 
   Also running mvn jetty:run -X does not actually show the debug stacktrace, 
but it does show tons of other debug lines. Odd.
   
   The solution is to regenerate the xcp-ng certificate after the key size is changed. Steps to do on xcp-ng server:
   1. modify `/opt/xensource/libexec/generate_ssl_cert`; find line with "openssl genrsa" and change the 3rd parameter to be anything more than (or equal to) 1024. 2048 or 4096 is better.
   2. move the previous certificate and keep it as a backup: `mv /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem.bak`
   3. regenerate certificate: `/opt/xensource/libexec/generate_ssl_cert /etc/xensource/xapi-ssl.pem $(hostname -f) && service xapi restart`
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
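
The "keysize limits" failure quoted in the issue comes from the JDK's disabled-algorithm policy, which each build ships in its `java.security` file. The following is an added example, not part of the original issue or of CloudStack: it reads the `jdk.certpath.disabledAlgorithms` property and reports whether a key of a given size would be rejected. The two policy fragments are constructed samples and the function names are hypothetical.

```python
import operator
import re

# Operators permitted in a keySize constraint of jdk.certpath.disabledAlgorithms
# and jdk.tls.disabledAlgorithms.
OPS = {"<=": operator.le, "<": operator.lt, "==": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}
KEYSIZE = re.compile(r"keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)")

# Constructed java.security fragments (not copied from any particular JDK build).
STRICT = """\
# hardened build
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224
"""
LENIENT = "jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024\n"


def read_property(text, name):
    """Return the value of property `name`, joining backslash continuations."""
    value, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not collecting:
            key, sep, rest = line.partition("=")
            if line.startswith("#") or not sep or key.strip() != name:
                continue
            line, collecting = rest.strip(), True
        value.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            break
    return " ".join(value)


def key_rejected(prop_value, algorithm, bits):
    """True if `algorithm` with a `bits`-bit key is disabled by the property.

    Evaluates outright bans and lone keySize constraints; entries combined
    with '&' (jdkCA, usage, denyAfter) are not evaluated here."""
    for entry in prop_value.split(","):
        tokens = entry.split()
        if not tokens or tokens[0].upper() != algorithm.upper() or "&" in entry:
            continue
        if len(tokens) == 1:
            return True  # algorithm disabled regardless of key size
        m = KEYSIZE.search(entry)
        if m and OPS[m.group(1)](bits, int(m.group(2))):
            return True
    return False
```

Running `key_rejected(read_property(text, "jdk.certpath.disabledAlgorithms"), "RSA", 1024)` against the `java.security` text of each JDK in use shows which builds will refuse the host's 1024-bit certificate.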

