Re: Console proxy SSL

2023-11-09 Thread Jimmy Huybrechts
Hi Jithin,

In the end I missed the actual enable global option for the console proxy, once 
I set that and destroyed the proxy vm, after it was rebuilt it works over SSL 
now :)

--
Kind regards,
Jimmy Huybrechts

From: Jithin Raju 
Date: Thursday, 9 November 2023 at 05:12
To: users@cloudstack.apache.org 
Subject: Re: Console proxy SSL
Hi Jimmy,

The below article might help you, you are using the wildcard certificate right?

https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

-Jithin

From: Jimmy Huybrechts 
Date: Wednesday, 8 November 2023 at 9:52 PM
To: users@cloudstack.apache.org 
Subject: Console proxy SSL
Hi,

So I’ve been setting up SSL for the management host and the console proxy but 
on the console proxy it’s not working.

I uploaded the SSL files over the GUI, made the adjustments in the management 
server properties file and restarted it. The management server has a valid ssl 
now.

I changed the console domain to my wildcard address so it generates 
a.b.c.d.(domain) which also works as it’s now reachable, however it still opens 
it in http but then as a.b.c.d.(domain).
The proxy was already destroyed and recreated with the same issue still.

How to debug why it doesn’t work? The management server has full ssl.
--
Jimmy




Re: Console proxy SSL

2023-11-08 Thread Jithin Raju
Hi Jimmy,

The below article might help you, you are using the wildcard certificate right?

https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

-Jithin

From: Jimmy Huybrechts 
Date: Wednesday, 8 November 2023 at 9:52 PM
To: users@cloudstack.apache.org 
Subject: Console proxy SSL
Hi,

So I’ve been setting up SSL for the management host and the console proxy but 
on the console proxy it’s not working.

I uploaded the SSL files over the GUI, made the adjustments in the management 
server properties file and restarted it. The management server has a valid ssl 
now.

I changed the console domain to my wildcard address so it generates 
a.b.c.d.(domain) which also works as it’s now reachable, however it still opens 
it in http but then as a.b.c.d.(domain).
The proxy was already destroyed and recreated with the same issue still.

How to debug why it doesn’t work? The management server has full ssl.
--
Jimmy

 



Console proxy SSL

2023-11-08 Thread Jimmy Huybrechts
Hi,

So I’ve been setting up SSL for the management host and the console proxy but 
on the console proxy it’s not working.

I uploaded the SSL files over the GUI, made the adjustments in the management 
server properties file and restarted it. The management server has a valid ssl 
now.

I changed the console domain to my wildcard address so it generates 
a.b.c.d.(domain) which also works as it’s now reachable, however it still opens 
it in http but then as a.b.c.d.(domain).
The proxy was already destroyed and recreated with the same issue still.

How to debug why it doesn’t work? The management server has full ssl.
--
Jimmy


Re: Enable console proxy SSL

2023-08-11 Thread Francisco Arencibia Quesada
awesome, destroying it was the way to make it work, thanks Wei, you
saved my life.

thanks a lot :)

On Fri, Aug 11, 2023 at 11:40 AM Wei ZHOU  wrote:

> Hi,
>
> Just destroy it, cloudstack will create a new one. The vm console will be
> unavailable until the new CPVM is running (~2 mins)
>
> -Wei
>
> On Fri, 11 Aug 2023 at 11:38, Francisco Arencibia Quesada <
> arencibia.franci...@gmail.com> wrote:
>
> > Could you explain to me how to recreate CPVM without risks :)
> > thanks
> >
> >
> > On Fri, Aug 11, 2023 at 10:26 AM Wei ZHOU  wrote:
> >
> > > Hi,
> > >
> > > Which cloudstack version do you use ?
> > >
> > > It would be good to double check the global settings, certificates (in
> > the
> > > keystore table),  restart management server and recreate CPVM.
> > >
> > > -Wei
> > >
> > > On Fri, 11 Aug 2023 at 10:10, Francisco Arencibia Quesada <
> > > arencibia.franci...@gmail.com> wrote:
> > >
> > > > Thanks Wei, I did that before and I still have the same problem, no
> way
> > > to
> > > > open 443 :(,
> > > > any other solution?
> > > >
> > > > Regards
> > > >
> > > > On Fri, Aug 11, 2023 at 10:00 AM Wei ZHOU 
> > wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > You may refer to
> > > > > https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
> > > > >
> > > > > -Wei
> > > > >
> > > > > On Fri, 11 Aug 2023 at 09:57, Francisco Arencibia Quesada <
> > > > > arencibia.franci...@gmail.com> wrote:
> > > > >
> > > > > > Good morning guys,
> > > > > >
> > > > > > I have another problem, and I have done kind of everything and
> > > nothing
> > > > > > works
> > > > > >
> > > > > > http://123-22-22-44.mydomain.com   -current proxy console , port
> > 80
> > > > > > https://123-22-22-44.mydomain.com - what i want to achieve ,
> but I
> > > > don't
> > > > > > know how to enable port 443
> > > > > >
> > > > > >
> > > > > > I have enabled SSL in global settings (consoleproxy.sslEnabled)
> but
> > > > > still,
> > > > > > port 80 is open and port 443 is closed. I installed the cert from
> > > certs
> > > > > > option from the infrastructure section and nothing, can anyone
> give
> > > me
> > > > a
> > > > > > hand please.
> > > > > >
> > > > > > Thanks to all :)
> > > > > > Happy Friday
> > > > > >
> > > > > >
> > > > > > --
> > > > > > *Francisco Arencibia Quesada.*
> > > > > > *DevOps Engineer*
> > > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > *Francisco Arencibia Quesada.*
> > > > *DevOps Engineer*
> > > >
> > >
> >
> >
> > --
> > *Francisco Arencibia Quesada.*
> > *DevOps Engineer*
> >
>


-- 
*Francisco Arencibia Quesada.*
*DevOps Engineer*


Re: Enable console proxy SSL

2023-08-11 Thread Wei ZHOU
Hi,

Just destroy it, cloudstack will create a new one. The vm console will be
unavailable until the new CPVM is running (~2 mins)

-Wei

On Fri, 11 Aug 2023 at 11:38, Francisco Arencibia Quesada <
arencibia.franci...@gmail.com> wrote:

> Could you explain to me how to recreate CPVM without risks :)
> thanks
>
>
> On Fri, Aug 11, 2023 at 10:26 AM Wei ZHOU  wrote:
>
> > Hi,
> >
> > Which cloudstack version do you use ?
> >
> > It would be good to double check the global settings, certificates (in
> the
> > keystore table),  restart management server and recreate CPVM.
> >
> > -Wei
> >
> > On Fri, 11 Aug 2023 at 10:10, Francisco Arencibia Quesada <
> > arencibia.franci...@gmail.com> wrote:
> >
> > > Thanks Wei, I did that before and I still have the same problem, no way
> > to
> > > open 443 :(,
> > > any other solution?
> > >
> > > Regards
> > >
> > > On Fri, Aug 11, 2023 at 10:00 AM Wei ZHOU 
> wrote:
> > >
> > > > Hi,
> > > >
> > > > You may refer to
> > > > https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
> > > >
> > > > -Wei
> > > >
> > > > On Fri, 11 Aug 2023 at 09:57, Francisco Arencibia Quesada <
> > > > arencibia.franci...@gmail.com> wrote:
> > > >
> > > > > Good morning guys,
> > > > >
> > > > > I have another problem, and I have done kind of everything and
> > nothing
> > > > > works
> > > > >
> > > > > http://123-22-22-44.mydomain.com   -current proxy console , port
> 80
> > > > > https://123-22-22-44.mydomain.com - what i want to achieve , but I
> > > don't
> > > > > know how to enable port 443
> > > > >
> > > > >
> > > > > I have enabled SSL in global settings (consoleproxy.sslEnabled) but
> > > > still,
> > > > > port 80 is open and port 443 is closed. I installed the cert from
> > certs
> > > > > option from the infrastructure section and nothing, can anyone give
> > me
> > > a
> > > > > hand please.
> > > > >
> > > > > Thanks to all :)
> > > > > Happy Friday
> > > > >
> > > > >
> > > > > --
> > > > > *Francisco Arencibia Quesada.*
> > > > > *DevOps Engineer*
> > > > >
> > > >
> > >
> > >
> > > --
> > > *Francisco Arencibia Quesada.*
> > > *DevOps Engineer*
> > >
> >
>
>
> --
> *Francisco Arencibia Quesada.*
> *DevOps Engineer*
>


Re: Enable console proxy SSL

2023-08-11 Thread Francisco Arencibia Quesada
Could you explain to me how to recreate CPVM without risks :)
thanks


On Fri, Aug 11, 2023 at 10:26 AM Wei ZHOU  wrote:

> Hi,
>
> Which cloudstack version do you use ?
>
> It would be good to double check the global settings, certificates (in the
> keystore table),  restart management server and recreate CPVM.
>
> -Wei
>
> On Fri, 11 Aug 2023 at 10:10, Francisco Arencibia Quesada <
> arencibia.franci...@gmail.com> wrote:
>
> > Thanks Wei, I did that before and I still have the same problem, no way
> to
> > open 443 :(,
> > any other solution?
> >
> > Regards
> >
> > On Fri, Aug 11, 2023 at 10:00 AM Wei ZHOU  wrote:
> >
> > > Hi,
> > >
> > > You may refer to
> > > https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
> > >
> > > -Wei
> > >
> > > On Fri, 11 Aug 2023 at 09:57, Francisco Arencibia Quesada <
> > > arencibia.franci...@gmail.com> wrote:
> > >
> > > > Good morning guys,
> > > >
> > > > I have another problem, and I have done kind of everything and
> nothing
> > > > works
> > > >
> > > > http://123-22-22-44.mydomain.com   -current proxy console , port 80
> > > > https://123-22-22-44.mydomain.com - what i want to achieve , but I
> > don't
> > > > know how to enable port 443
> > > >
> > > >
> > > > I have enabled SSL in global settings (consoleproxy.sslEnabled) but
> > > still,
> > > > port 80 is open and port 443 is closed. I installed the cert from
> certs
> > > > option from the infrastructure section and nothing, can anyone give
> me
> > a
> > > > hand please.
> > > >
> > > > Thanks to all :)
> > > > Happy Friday
> > > >
> > > >
> > > > --
> > > > *Francisco Arencibia Quesada.*
> > > > *DevOps Engineer*
> > > >
> > >
> >
> >
> > --
> > *Francisco Arencibia Quesada.*
> > *DevOps Engineer*
> >
>


-- 
*Francisco Arencibia Quesada.*
*DevOps Engineer*


Re: Enable console proxy SSL

2023-08-11 Thread Francisco Arencibia Quesada
I have 4.11.2.0 version, I have restarted management server but again
https is closed
[image: Screenshot from 2023-08-11 10-28-53.png]


On Fri, Aug 11, 2023 at 10:26 AM Wei ZHOU  wrote:

> Hi,
>
> Which cloudstack version do you use ?
>
> It would be good to double check the global settings, certificates (in the
> keystore table),  restart management server and recreate CPVM.
>
> -Wei
>
> On Fri, 11 Aug 2023 at 10:10, Francisco Arencibia Quesada <
> arencibia.franci...@gmail.com> wrote:
>
> > Thanks Wei, I did that before and I still have the same problem, no way
> to
> > open 443 :(,
> > any other solution?
> >
> > Regards
> >
> > On Fri, Aug 11, 2023 at 10:00 AM Wei ZHOU  wrote:
> >
> > > Hi,
> > >
> > > You may refer to
> > > https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
> > >
> > > -Wei
> > >
> > > On Fri, 11 Aug 2023 at 09:57, Francisco Arencibia Quesada <
> > > arencibia.franci...@gmail.com> wrote:
> > >
> > > > Good morning guys,
> > > >
> > > > I have another problem, and I have done kind of everything and
> nothing
> > > > works
> > > >
> > > > http://123-22-22-44.mydomain.com   -current proxy console , port 80
> > > > https://123-22-22-44.mydomain.com - what i want to achieve , but I
> > don't
> > > > know how to enable port 443
> > > >
> > > >
> > > > I have enabled SSL in global settings (consoleproxy.sslEnabled) but
> > > still,
> > > > port 80 is open and port 443 is closed. I installed the cert from
> certs
> > > > option from the infrastructure section and nothing, can anyone give
> me
> > a
> > > > hand please.
> > > >
> > > > Thanks to all :)
> > > > Happy Friday
> > > >
> > > >
> > > > --
> > > > *Francisco Arencibia Quesada.*
> > > > *DevOps Engineer*
> > > >
> > >
> >
> >
> > --
> > *Francisco Arencibia Quesada.*
> > *DevOps Engineer*
> >
>


-- 
*Francisco Arencibia Quesada.*
*DevOps Engineer*


Re: Enable console proxy SSL

2023-08-11 Thread Wei ZHOU
Hi,

Which cloudstack version do you use ?

It would be good to double check the global settings, certificates (in the
keystore table),  restart management server and recreate CPVM.

-Wei

On Fri, 11 Aug 2023 at 10:10, Francisco Arencibia Quesada <
arencibia.franci...@gmail.com> wrote:

> Thanks Wei, I did that before and I still have the same problem, no way to
> open 443 :(,
> any other solution?
>
> Regards
>
> On Fri, Aug 11, 2023 at 10:00 AM Wei ZHOU  wrote:
>
> > Hi,
> >
> > You may refer to
> > https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
> >
> > -Wei
> >
> > On Fri, 11 Aug 2023 at 09:57, Francisco Arencibia Quesada <
> > arencibia.franci...@gmail.com> wrote:
> >
> > > Good morning guys,
> > >
> > > I have another problem, and I have done kind of everything and nothing
> > > works
> > >
> > > http://123-22-22-44.mydomain.com   -current proxy console , port 80
> > > https://123-22-22-44.mydomain.com - what i want to achieve , but I
> don't
> > > know how to enable port 443
> > >
> > >
> > > I have enabled SSL in global settings (consoleproxy.sslEnabled) but
> > still,
> > > port 80 is open and port 443 is closed. I installed the cert from certs
> > > option from the infrastructure section and nothing, can anyone give me
> a
> > > hand please.
> > >
> > > Thanks to all :)
> > > Happy Friday
> > >
> > >
> > > --
> > > *Francisco Arencibia Quesada.*
> > > *DevOps Engineer*
> > >
> >
>
>
> --
> *Francisco Arencibia Quesada.*
> *DevOps Engineer*
>


Re: Enable console proxy SSL

2023-08-11 Thread Francisco Arencibia Quesada
Thanks Wei, I did that before and I still have the same problem, no way to
open 443 :(,
any other solution?

Regards

On Fri, Aug 11, 2023 at 10:00 AM Wei ZHOU  wrote:

> Hi,
>
> You may refer to
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
>
> -Wei
>
> On Fri, 11 Aug 2023 at 09:57, Francisco Arencibia Quesada <
> arencibia.franci...@gmail.com> wrote:
>
> > Good morning guys,
> >
> > I have another problem, and I have done kind of everything and nothing
> > works
> >
> > http://123-22-22-44.mydomain.com   -current proxy console , port 80
> > https://123-22-22-44.mydomain.com - what i want to achieve , but I don't
> > know how to enable port 443
> >
> >
> > I have enabled SSL in global settings (consoleproxy.sslEnabled) but
> still,
> > port 80 is open and port 443 is closed. I installed the cert from certs
> > option from the infrastructure section and nothing, can anyone give me a
> > hand please.
> >
> > Thanks to all :)
> > Happy Friday
> >
> >
> > --
> > *Francisco Arencibia Quesada.*
> > *DevOps Engineer*
> >
>


-- 
*Francisco Arencibia Quesada.*
*DevOps Engineer*


Re: Enable console proxy SSL

2023-08-11 Thread Wei ZHOU
Hi,

You may refer to
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

-Wei

On Fri, 11 Aug 2023 at 09:57, Francisco Arencibia Quesada <
arencibia.franci...@gmail.com> wrote:

> Good morning guys,
>
> I have another problem, and I have done kind of everything and nothing
> works
>
> http://123-22-22-44.mydomain.com   -current proxy console , port 80
> https://123-22-22-44.mydomain.com - what i want to achieve , but I don't
> know how to enable port 443
>
>
> I have enabled SSL in global settings (consoleproxy.sslEnabled) but still,
> port 80 is open and port 443 is closed. I installed the cert from certs
> option from the infrastructure section and nothing, can anyone give me a
> hand please.
>
> Thanks to all :)
> Happy Friday
>
>
> --
> *Francisco Arencibia Quesada.*
> *DevOps Engineer*
>


Enable console proxy SSL

2023-08-11 Thread Francisco Arencibia Quesada
Good morning guys,

I have another problem, and I have done kind of everything and nothing works

http://123-22-22-44.mydomain.com - current proxy console, port 80
https://123-22-22-44.mydomain.com - what I want to achieve, but I don't
know how to enable port 443


I have enabled SSL in global settings (consoleproxy.sslEnabled) but still,
port 80 is open and port 443 is closed. I installed the cert from certs
option from the infrastructure section and nothing, can anyone give me a
hand please.

Thanks to all :)
Happy Friday


-- 
*Francisco Arencibia Quesada.*
*DevOps Engineer*


Re: console proxy ssl offloading

2023-01-04 Thread me
Thx Wei and Nux for your replies. I solved the problem and achieved ssl
offloading.

Here is what we did:
1. (optional) Add a new internal IP range as a public ip range to your zone
and activate SystemVM usage only! We did this because of the offloading, the
console proxy and ssvm do not need public IPs. Or did we miss something?
2. Edit global setting consoleproxy.url.domain and add FQDN. Edit global
setting secstorage.ssl.cert.domain and add FQDN. Edit global setting
secstorage.encrypt.copy to true (So created download links will use https
instead of http)
3. Destroy consoleproxy and ssvm so both will be recreated
with new IPs and new settings. If you do not perform step 1 you do not need
to recreate consoleproxy, only ssvm needs to be recreated so new global
settings will work.
4. Create FQDNs to your DNS service and point them to IPs outside of CS
which will be used by your load balancer.
5. Configure your load balancer and add certificates for FQDNs. Activate SSL
offloading so the traffic from load balancer to consoleproxy and ssvm is not
being encrypted. This is no security risk in my point of view, because we
are talking about internal traffic when you did step 1!

To configure the load balancer was kind of difficult, because the
documentation is not really good or I was unable to find the needed info.
lb-ip1:443 (add certificate) -> consoleproxy:80
lb-ip1:8080 (add certificate) -> consoleproxy:8080
lb-ip2:443 (add certificate) -> ssvm:80

The benefit of this is that you do not need to add any certificate to CS
itself and you can control everything related to it via your load balancer.
Even if you are using only one target (consoleproxy and ssvm). Of course you
can also do the same with the UI. Which would look like this:
lb-ip3:80 -> redirect to https
lb-ip3:443 (add certificate) -> managementserver:8080

I would like to add more information to the documentation and explain this
setup.
The docu is already talking about "Set up SSL certificate for specific FQDN
and configure load-balancer". I would add more information to this point and
add ssl offloading to it. What do you think?
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

cu Swen

-Original Message-
From: Nux  
Sent: Tuesday, 3 January 2023 14:44
To: users@cloudstack.apache.org
Cc: m...@swen.io
Subject: Re: console proxy ssl offloading

See if you can get any inspiration from this guy:
https://leo.leung.xyz/wiki/CloudStack#Traefik (that's just the proxying
subsection, but best read the whole SSL thing).

---
Nux
www.nux.ro

On 2023-01-02 21:16, m...@swen.io wrote:
> Hello everyone,
> 
> 
> 
> first of all a happy new year to all of you! :-)
> 
> 
> 
> I am doing some kind of PoC and want to use a load balancer in front
> of the console proxy and the secondary storage vm to offload ssl
> connections. I do not get it to work.
>
> I am using a load balancer on a public IP where "console.domain.tld"
> (of course I am using a working tld!) is referring to via DNS record. I
> configured the domain in CS via consoleproxy.url.domain.
>
> A working certificate is installed on the load balancer and offloading
> is active. This means the lb is taking care of port 443 and the
> encryption and forwarding the traffic to port 80 on the console proxy
> public IP not encrypted.
>
> I do get the page of the console proxy, but on this page the noVNC is
> not loading and the connection failed to the console itself.
> 
> 
> 
> Is my setup even possible? Thx for any idea and help!
> 
> 
> 
> Cu Swen




Re: console proxy ssl offloading

2023-01-03 Thread Nux

See if you can get any inspiration from this guy:
https://leo.leung.xyz/wiki/CloudStack#Traefik (that's just the proxying 
subsection, but best read the whole SSL thing).


---
Nux
www.nux.ro

On 2023-01-02 21:16, m...@swen.io wrote:

> Hello everyone,
>
> first of all a happy new year to all of you! :-)
>
> I am doing some kind of PoC and want to use a load balancer in front of the
> console proxy and the secondary storage vm to offload ssl connections. I do
> not get it to work.
>
> I am using a load balancer on a public IP where "console.domain.tld" (of
> course I am using a working tld!) is referring to via DNS record. I
> configured the domain in CS via consoleproxy.url.domain.
>
> A working certificate is installed on the load balancer and offloading is
> active. This means the lb is taking care of port 443 and the encryption and
> forwarding the traffic to port 80 on the console proxy public IP not
> encrypted.
>
> I do get the page of the console proxy, but on this page the noVNC is not
> loading and the connection failed to the console itself.
>
> Is my setup even possible? Thx for any idea and help!
>
> Cu Swen


Re: console proxy ssl offloading

2023-01-03 Thread Wei ZHOU
Hi,

Have you uploaded the SSL certificate in cloudstack ?
You can refer to
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

-Wei

On Mon, 2 Jan 2023 at 22:18,  wrote:

> Hello everyone,
>
>
>
> first of all a happy new year to all of you! :-)
>
>
>
> I am doing some kind of PoC and want to use a load balancer in front of the
> console proxy and the secondary storage vm to offload ssl connections. I do
> not get it to work.
>
>
>
> I am using a load balancer on a public IP where "console.domain.tld" (of
> course I am using a working tld!) is referring to via DNS record. I
> configured the domain in CS via consoleproxy.url.domain.
>
> A working certificate is installed on the load balancer and offloading is
> active. This means the lb is taking care of port 443 and the encryption and
> forwarding the traffic to port 80 on the console proxy public IP not
> encrypted.
>
> I do get the page of the console proxy, but on this page the noVNC is not
> loading and the connection failed to the console itself.
>
>
>
> Is my setup even possible? Thx for any idea and help!
>
>
>
> Cu Swen
>
>


console proxy ssl offloading

2023-01-02 Thread me
Hello everyone,

 

first of all a happy new year to all of you! :-)

 

I am doing some kind of PoC and want to use a load balancer in front of the
console proxy and the secondary storage vm to offload ssl connections. I do
not get it to work.

 

I am using a load balancer on a public IP where "console.domain.tld" (of
course I am using a working tld!) is referring to via DNS record. I
configured the domain in CS via consoleproxy.url.domain.

A working certificate is installed on the load balancer and offloading is
active. This means the lb is taking care of port 443 and the encryption and
forwarding the traffic to port 80 on the console proxy public IP not
encrypted.

I do get the page of the console proxy, but on this page the noVNC is not
loading and the connection failed to the console itself.

 

Is my setup even possible? Thx for any idea and help!

 

Cu Swen 



Re: Setting up a DNS Name for console proxy ssl connection

2021-11-29 Thread Wei ZHOU
Hi Mevludin,

When you upload new ssl certificates, it will overwrite the old ssl
certificates. The certificates (root/intermediate/server) are saved in the
`keystore` table in cloudstack database.
It is not possible to remove ssl certificates via api or on UI. You can
remove them by manual DB change.

-Wei

On Mon, 29 Nov 2021 at 13:24, Mevludin Blazevic 
wrote:

> Hi,
>
> thanks a lot for your help! I have made the console proxy work with
> https. I found out that for some reason our DNS server did not take the
> DNS entry for the public IP of the Console Proxy.
>
> Is there a way to remove a SSL certificate for the Console Proxy/ which
> was uploaded over the GUI? I assume if I would upload a new certificate
> (new end date) Cloudstack would use the newer one, right?
>
> Regards
>
> Mevludin
>
> On 26.11.2021 at 10:40, Rohit Yadav wrote:
> > Hi Mevludin,
> >
> > You need to define the consoleproxy.sslEnabled and consoleproxy.url.domain
> > global settings and upload the SSL certificate via Infra -> SSL certificate
> > form. Upon uploading of your certificate the CPVM should
> > restart/reconfigure. Also make sure that the domain (if not a wildcard) is
> > resolved to the public IP address of the CPVM. You don't need any
> > port-specific configuration, but make sure to restart mgmt server after
> > changing global settings, if necessary destroy the old CPVM after restart.
> >
> > You can read more here:
> > https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
> >
> > With 4.16, when the consoleproxy.sslEnabled is false but domain is defined
> > then the CPVM url will open the console proxy url without enforcing
> > https:// (however the https:// scheme will be enforced if mgmt server is
> > accessed over https://). This can be used for doing out-of-band SSL
> > termination, for ex. using a nginx proxy.
> >
> >
> > Regards.
> >
> > ____
> > From: Mevludin Blazevic 
> > Sent: Thursday, November 25, 2021 23:56
> > To: users@cloudstack.apache.org 
> > Subject: Setting up a DNS Name for console proxy ssl connection
> >
> > Hi all,
> >
> > is it enough to define just a DNS name for the console proxy's public ip
> > address for enabling SSL? Let's say you define cpvm.mydomain.com as the
> > DNS name for the console proxy and also set this in the configs
> > "consoleproxy.url.domain" and "consoleproxy.sslEnabled" and upload an
> > appropriate certificate via the GUI, which is not a wildcard
> > certificate. When trying to access the console I get a 404 error. Did I
> > miss a redirection configuration somewhere from port 8080 to 443 (or
> > 8443)?
> >
> > Regards
> >
> > Mevludin
> >
> >
> >
> >
> >
> >
> --
> Mevludin Blazevic, M.Sc.
>
> University of Koblenz-Landau
> Computing Centre (GHRKO)
> Universitaetsstrasse 1
> D-56070 Koblenz, Germany
> Room A023
> Tel: +49 261/287-1326
>
>


Re: Setting up a DNS Name for console proxy ssl connection

2021-11-29 Thread Mevludin Blazevic

Hi,

thanks a lot for your help! I have made the console proxy work with 
https. I found out that for some reason our DNS server did not take the 
DNS entry for the public IP of the Console Proxy.


Is there a way to remove a SSL certificate for the Console Proxy/ which 
was uploaded over the GUI? I assume if I would upload a new certificate 
(new end date) Cloudstack would use the newer one, right?


Regards

Mevludin

On 26.11.2021 at 10:40, Rohit Yadav wrote:

> Hi Mevludin,
>
> You need to define the consoleproxy.sslEnabled and consoleproxy.url.domain
> global settings and upload the SSL certificate via Infra -> SSL certificate
> form. Upon uploading of your certificate the CPVM should restart/reconfigure.
> Also make sure that the domain (if not a wildcard) is resolved to the public
> IP address of the CPVM. You don't need any port-specific configuration, but
> make sure to restart mgmt server after changing global settings, if necessary
> destroy the old CPVM after restart.
>
> You can read more here:
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
>
> With 4.16, when the consoleproxy.sslEnabled is false but domain is defined
> then the CPVM url will open the console proxy url without enforcing https://
> (however the https:// scheme will be enforced if mgmt server is accessed over
> https://). This can be used for doing out-of-band SSL termination, for ex.
> using a nginx proxy.
>
>
> Regards.
>
>
> From: Mevludin Blazevic 
> Sent: Thursday, November 25, 2021 23:56
> To: users@cloudstack.apache.org 
> Subject: Setting up a DNS Name for console proxy ssl connection
>
> Hi all,
>
> is it enough to define just a DNS name for the console proxy's public ip
> address for enabling SSL? Let's say you define cpvm.mydomain.com as the
> DNS name for the console proxy and also set this in the configs
> "consoleproxy.url.domain" and "consoleproxy.sslEnabled" and upload an
> appropriate certificate via the GUI, which is not a wildcard
> certificate. When trying to access the console I get a 404 error. Did I
> miss a redirection configuration somewhere from port 8080 to 443 (or 8443)?
>
> Regards
>
> Mevludin



  




--
Mevludin Blazevic, M.Sc.

University of Koblenz-Landau
Computing Centre (GHRKO)
Universitaetsstrasse 1
D-56070 Koblenz, Germany
Room A023
Tel: +49 261/287-1326



Re: Setting up a DNS Name for console proxy ssl connection

2021-11-26 Thread Rohit Yadav
Hi Mevludin,

You need to define the consoleproxy.sslEnabled and consoleproxy.url.domain 
global settings and upload the SSL certificate via Infra -> SSL certificate 
form. Upon uploading of your certificate the CPVM should restart/reconfigure. 
Also make sure that the domain (if not a wildcard) is resolved to the public IP 
address of the CPVM. You don't need any port-specific configuration, but make 
sure to restart mgmt server after changing global settings, if necessary 
destroy the old CPVM after restart.

You can read more here: 
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

With 4.16, when the consoleproxy.sslEnabled is false but domain is defined then 
the CPVM url will open the console proxy url without enforcing https:// 
(however the https:// scheme will be enforced if mgmt server is accessed over 
https://). This can be used for doing out-of-band SSL termination, for ex. 
using a nginx proxy.


Regards.


From: Mevludin Blazevic 
Sent: Thursday, November 25, 2021 23:56
To: users@cloudstack.apache.org 
Subject: Setting up a DNS Name for console proxy ssl connection

Hi all,

is it enough to define just a DNS name for the console proxy's public ip
address for enabling SSL? Let's say you define cpvm.mydomain.com as the
DNS name for the console proxy and also set this in the configs
"consoleproxy.url.domain" and "consoleproxy.sslEnabled" and upload an
appropriate certificate via the GUI, which is not a wildcard
certificate. When trying to access the console I get a 404 error. Did I
miss a redirection configuration somewhere from port 8080 to 443 (or 8443)?

Regards

Mevludin
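
The three things the reply above asks you to line up (the console host name derived from consoleproxy.url.domain, a certificate that covers it, and DNS pointing at the CPVM public IP) can be checked together before the CPVM is recreated. This is an added example, not part of the thread or of CloudStack; it assumes a wildcard consoleproxy.url.domain produces the dashed-IP host name quoted elsewhere on this page (123-22-22-44.mydomain.com), and the function names and sample values are constructed for illustration.

```python
import ipaddress


def console_host(url_domain, cpvm_public_ip):
    """Host name the browser is sent to for the VM console.

    Assumption: a wildcard consoleproxy.url.domain ("*.mydomain.com") gives the
    dashed-IP form quoted in the thread; a plain FQDN is used unchanged.
    """
    ip = ipaddress.IPv4Address(cpvm_public_ip)  # raises ValueError on bad input
    domain = url_domain.strip().lower().rstrip(".")
    if domain.startswith("*."):
        return str(ip).replace(".", "-") + domain[1:]
    return domain


def name_covers(cert_name, host):
    """True if one DNS name from the certificate covers host.

    Wildcards follow the usual RFC 6125 reading: '*' must be the whole
    left-most label and stands for exactly one label.
    """
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3 and labels[0] != "" and pattern[1:] == labels[1:]
    return pattern == labels


def preflight(settings, cert_names, cpvm_public_ip, dns_answers):
    """Return (console host, list of findings) for one CPVM.

    settings     global settings as a dict of strings
    cert_names   DNS names (CN/SAN) of the uploaded server certificate
    dns_answers  host name -> list of A records, gathered beforehand
    """
    domain = settings.get("consoleproxy.url.domain", "").strip()
    if not domain:
        return None, ["consoleproxy.url.domain is not set"]
    host = console_host(domain, cpvm_public_ip)
    findings = []
    if str(settings.get("consoleproxy.sslEnabled", "false")).lower() != "true":
        findings.append(
            "consoleproxy.sslEnabled is not true: the CPVM is not asked to "
            "serve HTTPS itself (only intended when TLS is terminated in front of it)"
        )
    if not any(name_covers(name, host) for name in cert_names):
        findings.append("no certificate name covers " + host)
    if cpvm_public_ip not in dns_answers.get(host, []):
        findings.append(host + " does not resolve to " + cpvm_public_ip)
    return host, findings


if __name__ == "__main__":
    # Constructed sample: wildcard domain and certificate, global SSL option
    # left off, DNS record present.
    sample_settings = {"consoleproxy.url.domain": "*.mydomain.com"}
    sample_dns = {"123-22-22-44.mydomain.com": ["123.22.22.44"]}
    host, findings = preflight(
        sample_settings, ["*.mydomain.com"], "123.22.22.44", sample_dns
    )
    print(host)
    for finding in findings:
        print(" -", finding)
```

A clean result only covers configuration; as the replies on this page note, changed settings take effect after the management server is restarted and the CPVM is destroyed and recreated.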



 



Setting up a DNS Name for console proxy ssl connection

2021-11-25 Thread Mevludin Blazevic

Hi all,

is it enough to define just a DNS name for the console proxy's public ip 
address for enabling SSL? Let's say you define cpvm.mydomain.com as the 
DNS name for the console proxy and also set this in the configs 
"consoleproxy.url.domain" and "consoleproxy.sslEnabled" and upload an 
appropriate certificate via the GUI, which is not a wildcard 
certificate. When trying to access the console I get a 404 error. Did I 
miss a redirection configuration somewhere from port 8080 to 443 (or 8443)?


Regards

Mevludin




RE: Console Proxy & SSL

2021-07-02 Thread Corey, Mike
Thank you for the help - my issue was resolved when I destroyed and ACS 
redeployed the console proxy vm.  I was trying to avoid that by troubleshooting 
the systemvm itself but am on a time crunch.

Thanks for clarifying the client/agent log entry as not being part of my issue.



-Original Message-
From: Andrija Panic  
Sent: Thursday, July 1, 2021 4:22 PM
To: users 
Subject: Re: Console Proxy & SSL

Hi Mike,

certificate for securing UI and the certificate for securing access to
Console of the VM (i.e. securing HTTPS access from browser to the public IP
of the CPVM/SSVM) are 2 completely different things - and you can/should
use 2 different certificates.

Please read this article - it's very comprehensive and up to date in
regards to the steps - afterwards, I'm happy to answer any additional
questions you might have:
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/


Your second email - is referring to a cloudstack agent certificate that is
generated by default to secure agent-to-mgmt communication - nothing to do
with the other 2 you are configuring.

Cheers,


On Thu, 1 Jul 2021 at 19:39, Corey, Mike  wrote:

> To help me with troubleshooting, could one of the developers let me know
> where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> there a way to verify the custom wildcard cert I’ve uploaded is where it
> should be? I’m seeing this error in the ACS logs.
>
> Should the CA wildcard certificate issuer & CN be in the “presented these
> certificates” section of log?
>
>
> 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) A client/agent attempting connection from
> address=10.#.#.# has presented these certificate(s):
> Certificate [1] :
> Serial: 85b01fc4f045cf08
>   Not Before:Thu Jul 01 01:03:33 EDT 2021
>   Not After:Fri Jul 01 13:03:33 EDT 2022
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> Certificate [2] :
> Serial: 3b2fcee96e685c62
>   Not Before:Mon May 03 00:43:22 EDT 2021
>   Not After:Wed Apr 26 12:43:22 EDT 2051
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:CN=ca.cloudstack.apache.org
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:null
>
> 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) Certificate ownership verification failed
> for client: 10.#.#.#
> 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Certificate ownership verification failed for client: 10.#.#.#,
> for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Empty server certificate chain, for local
> address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
>
>
>
>
> From: Corey, Mike 
> Sent: Thursday, July 1, 2021 10:33 AM
> To: users 
> Subject: [CAUTION] Console Proxy & SSL
>
> Hi,
>
> I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS
> UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> server as the CN.  The certificate is valid and the Management UI
> connection is secured in the web browser.
>
> I’m now trying to modify the Console Proxy SSL Certificate based on this
> page:
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
>
> I have created the wildcard CA issued certificate as *. along
> with the unencrypted key per the steps on above wiki page.
>
> After the changes are made in the UI under Infrastructure – SSL
> Certificates, the consolevm reboots; however it doesn’t appear it is
> loading my CA certificate with the wildcard.
>
> Answer this please --- I should be able to have two separate certificates:
> one for the UI management (FQDN of ACS) and one for console proxy session
> (wildcard).
>
> I had this on the 4.14 lab implementation but unfortunately my build notes
> on this step were poor ☹.
>
>
> Mike Corey
>
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> US
>
> SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> States
>
> T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
>
>
>
>
>

-- 

Andrija Panić


Re: Console Proxy & SSL

2021-07-01 Thread Hean Seng
I suggest you just do SSL for console proxy, and set up another server
with SSL cert and reverse proxy to your Management server.

On Fri, Jul 2, 2021 at 4:22 AM Andrija Panic 
wrote:

> Hi Mike,
>
> certificate for securing UI and the certificate for securing access to
> Console of the VM (i.e. securing HTTPS access from browser to the public IP
> of the CPVM/SSVM) are 2 completely different things - and you can/should
> use 2 different certificates.
>
> Please read this article - it's very comprehensive and up to date in
> regards to the steps - afterwards, I'm happy to answer any additional
> questions you might have:
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
>
>
> Your second email - is referring to a cloudstack agent certificate that is
> generated by default to secure agent-to-mgmt communication - nothing to do
> with the other 2 you are configuring.
>
> Cheers,
>
>
> On Thu, 1 Jul 2021 at 19:39, Corey, Mike 
> wrote:
>
> > To help me with troubleshooting, could one of the developers let me know
> > where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> > there a way to verify the custom wildcard cert I’ve uploaded is where it
> > should be? I’m seeing this error in the ACS logs.
> >
> > Should the CA wildcard certificate issuer & CN be in the “presented these
> > certificates” section of log?
> >
> >
> > 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> > (pool-13-thread-1:null) (logid:) A client/agent attempting connection from
> > address=10.#.#.# has presented these certificate(s):
> > Certificate [1] :
> > Serial: 85b01fc4f045cf08
> >   Not Before:Thu Jul 01 01:03:33 EDT 2021
> >   Not After:Fri Jul 01 13:03:33 EDT 2022
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> > Certificate [2] :
> > Serial: 3b2fcee96e685c62
> >   Not Before:Mon May 03 00:43:22 EDT 2021
> >   Not After:Wed Apr 26 12:43:22 EDT 2051
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:CN=ca.cloudstack.apache.org
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:null
> >
> > 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> > (pool-13-thread-1:null) (logid:) Certificate ownership verification failed
> > for client: 10.#.#.#
> > 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> > (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> > wrap data: Certificate ownership verification failed for client: 10.#.#.#,
> > for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> > 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> > (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> > wrap data: Empty server certificate chain, for local
> > address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
> >
> >
> >
> >
> > From: Corey, Mike 
> > Sent: Thursday, July 1, 2021 10:33 AM
> > To: users 
> > Subject: [CAUTION] Console Proxy & SSL
> >
> > Hi,
> >
> > I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS
> > UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> > server as the CN.  The certificate is valid and the Management UI
> > connection is secured in the web browser.
> >
> > I’m now trying to modify the Console Proxy SSL Certificate based on this
> > page:
> > http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
> >
> > I have created the wildcard CA issued certificate as *. along
> > with the unencrypted key per the steps on above wiki page.
> >
> > After the changes are made in the UI under Infrastructure – SSL
> > Certificates, the consolevm reboots; however it doesn’t appear it is
> > loading my CA certificate with the wildcard.
> >
> > Answer this please --- I should be able to have two separate certificates:
> > one for the UI management (FQDN of ACS) and one for console proxy session
> > (wildcard).
> >
> > I had this on the 4.14 lab implementation but unfortunately my build notes
> > on this step were poor ☹.
> >
> >
> > Mike Corey
> >
> > Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> > US
> >
> > SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> > States
> >
> > T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
> >
> >
> >
> >
> >
>
> --
>
> Andrija Panić
>


-- 
Regards,
Hean Seng


Re: Console Proxy & SSL

2021-07-01 Thread Andrija Panic
Hi Mike,

certificate for securing UI and the certificate for securing access to
Console of the VM (i.e. securing HTTPS access from browser to the public IP
of the CPVM/SSVM) are 2 completely different things - and you can/should
use 2 different certificates.

Please read this article - it's very comprehensive and up to date in
regards to the steps - afterwards, I'm happy to answer any additional
questions you might have:
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/


Your second email - is referring to a cloudstack agent certificate that is
generated by default to secure agent-to-mgmt communication - nothing to do
with the other 2 you are configuring.

Cheers,


On Thu, 1 Jul 2021 at 19:39, Corey, Mike  wrote:

> To help me with troubleshooting, could one of the developers let me know
> where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> there a way to verify the custom wildcard cert I’ve uploaded is where it
> should be? I’m seeing this error in the ACS logs.
>
> Should the CA wildcard certificate issuer & CN be in the “presented these
> certificates” section of log?
>
>
> 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) A client/agent attempting connection from
> address=10.#.#.# has presented these certificate(s):
> Certificate [1] :
> Serial: 85b01fc4f045cf08
>   Not Before:Thu Jul 01 01:03:33 EDT 2021
>   Not After:Fri Jul 01 13:03:33 EDT 2022
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> Certificate [2] :
> Serial: 3b2fcee96e685c62
>   Not Before:Mon May 03 00:43:22 EDT 2021
>   Not After:Wed Apr 26 12:43:22 EDT 2051
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:CN=ca.cloudstack.apache.org
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:null
>
> 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) Certificate ownership verification failed
> for client: 10.#.#.#
> 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Certificate ownership verification failed for client: 10.#.#.#,
> for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Empty server certificate chain, for local
> address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
>
>
>
>
> From: Corey, Mike 
> Sent: Thursday, July 1, 2021 10:33 AM
> To: users 
> Subject: [CAUTION] Console Proxy & SSL
>
> Hi,
>
> I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS
> UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> server as the CN.  The certificate is valid and the Management UI
> connection is secured in the web browser.
>
> I’m now trying to modify the Console Proxy SSL Certificate based on this
> page:
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
>
> I have created the wildcard CA issued certificate as *. along
> with the unencrypted key per the steps on above wiki page.
>
> After the changes are made in the UI under Infrastructure – SSL
> Certificates, the consolevm reboots; however it doesn’t appear it is
> loading my CA certificate with the wildcard.
>
> Answer this please --- I should be able to have two separate certificates:
> one for the UI management (FQDN of ACS) and one for console proxy session
> (wildcard).
>
> I had this on the 4.14 lab implementation but unfortunately my build notes
> on this step were poor ☹.
>
>
> Mike Corey
>
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> US
>
> SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> States
>
> T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
>
>
>
>
>

-- 

Andrija Panić
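
Added example (not part of the original message and not CloudStack code): a parser for the RootCACustomTrustManager dump quoted in this thread, showing that the presented certificates are the internally issued agent certificate and its root, which is the point of the reply above. The log text is the excerpt from the thread with mail wrapping undone; the function names and the mapping of the "v-"/"s-" name prefixes to system VM roles are assumptions of this example.

```python
import re

INTERNAL_CA_CN = "ca.cloudstack.apache.org"  # issuer CN seen in the thread's log
SAN_TYPES = {2: "dns", 7: "ip"}              # GeneralName tags as Java prints them
VM_ROLES = {"v": "console proxy VM", "s": "secondary storage VM"}  # assumed prefixes

# Excerpt from the thread (addresses were already masked there), lines re-joined.
SAMPLE_LOG = """\
2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=10.#.#.# has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null

2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) Certificate ownership verification failed for client: 10.#.#.#
2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap data: Certificate ownership verification failed for client: 10.#.#.#, for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap data: Empty server certificate chain, for local address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
"""

FIELD = re.compile(r"^\s*(Serial|Not Before|Not After|Subject DN|Issuer DN|Alternative Names):\s*(.*)$")
ERROR = re.compile(r"ERROR \[([^\]]+)\].*?\(logid:[^)]*\)\s*(.*)")


def parse_dn(dn):
    """Split 'C=x, O=y, CN=z' into a dict (escaped commas are not handled)."""
    return dict(part.strip().split("=", 1) for part in dn.split(",") if "=" in part)


def parse_presented_certs(log_text):
    """Collect every 'Certificate [n]' block of the trust-manager dump."""
    certs, current = [], None
    for line in log_text.splitlines():
        start = re.match(r"^\s*Certificate \[(\d+)\]", line)
        if start:
            current = {"index": int(start.group(1)), "sans": []}
            certs.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            key, value = field.group(1), field.group(2).strip()
            if key == "Alternative Names":  # 'null' yields an empty list
                pairs = re.findall(r"\[(\d+),\s*([^\]]+)\]", value)
                current["sans"] = [(SAN_TYPES.get(int(t), t), v) for t, v in pairs]
            elif key in ("Subject DN", "Issuer DN"):
                current[key.split()[0].lower()] = parse_dn(value)
            else:
                current[key.lower().replace(" ", "_")] = value
        elif line[:4].isdigit():  # next timestamped entry ends the dump
            current = None
    return certs


def classify(cert):
    """Say which trust domain a presented certificate belongs to."""
    subject_cn = cert.get("subject", {}).get("CN", "")
    issuer_cn = cert.get("issuer", {}).get("CN", "")
    if issuer_cn != INTERNAL_CA_CN:
        return "external CA certificate"
    if subject_cn == INTERNAL_CA_CN:
        return "CloudStack internal root CA"
    vm = re.fullmatch(r"([a-z])-\d+-VM", subject_cn)
    role = VM_ROLES.get(vm.group(1), "system VM") if vm else "agent"
    return f"agent certificate for {role}"


def handshake_errors(log_text):
    """Return (logger, message) for each ERROR entry."""
    hits = (ERROR.search(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]


if __name__ == "__main__":
    for cert in parse_presented_certs(SAMPLE_LOG):
        print(cert["index"], cert["subject"].get("CN"), "->", classify(cert))
    for logger, message in handshake_errors(SAMPLE_LOG):
        print(logger, "|", message)
```

An uploaded console proxy wildcard certificate would show up here as "external CA certificate"; its absence from this dump is expected, since the dump comes from the agent-to-management connection on port 8250.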


RE: Console Proxy & SSL

2021-07-01 Thread Corey, Mike
To help me with troubleshooting, could one of the developers let me know where 
the wildcard certificate is loaded into the ssvm and consolevm?  Is there a way 
to verify the custom wildcard cert I’ve uploaded is where it should be? I’m 
seeing this error in the ACS logs.

Should the CA wildcard certificate issuer & CN be in the “presented these 
certificates” section of log?


2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] 
(pool-13-thread-1:null) (logid:) A client/agent attempting connection from 
address=10.#.#.# has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null

2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] 
(pool-13-thread-1:null) (logid:) Certificate ownership verification failed for 
client: 10.#.#.#
2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap 
data: Certificate ownership verification failed for client: 10.#.#.#, for local 
address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap 
data: Empty server certificate chain, for local address=/10.#.#.#:8250, remote 
address=/10.#.#.##:36084.




From: Corey, Mike 
Sent: Thursday, July 1, 2021 10:33 AM
To: users 
Subject: [CAUTION] Console Proxy & SSL

Hi,

I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS UI 
with a CA issued certificate.  This certificate has the FQDN of my ACS server 
as the CN.  The certificate is valid and the Management UI connection is 
secured in the web browser.

I’m now trying to modify the Console Proxy SSL Certificate based on this page: 
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

I have created the wildcard CA issued certificate as *. along with 
the unencrypted key per the steps on above wiki page.

After the changes are made in the UI under Infrastructure – SSL Certificates, 
the consolevm reboots; however it doesn’t appear it is loading my CA 
certificate with the wildcard.

Answer this please --- I should be able to have two separate certificates: one 
for the UI management (FQDN of ACS) and one for console proxy session 
(wildcard).

I had this on the 4.14 lab implementation but unfortunately my build notes on 
this step were poor ☹.


Mike Corey

Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US

SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States

T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com






Console Proxy & SSL

2021-07-01 Thread Corey, Mike
Hi,

I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS UI 
with a CA issued certificate.  This certificate has the FQDN of my ACS server 
as the CN.  The certificate is valid and the Management UI connection is 
secured in the web browser.

I’m now trying to modify the Console Proxy SSL Certificate based on this page: 
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

I have created the wildcard CA issued certificate as *. along with 
the unencrypted key per the steps on above wiki page.

After the changes are made in the UI under Infrastructure – SSL Certificates, 
the consolevm reboots; however it doesn’t appear it is loading my CA 
certificate with the wildcard.

Answer this please --- I should be able to have two separate certificates: one 
for the UI management (FQDN of ACS) and one for console proxy session 
(wildcard).

I had this on the 4.14 lab implementation but unfortunately my build notes on 
this step were poor ☹.


Mike Corey

Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US

SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States

T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com







Re: SSVM and CPVM agent unable to start after console proxy SSL certificate update

2020-12-31 Thread Andrija Panic
The issue, most probably, is due to different SSL provider or different
names used for the certificates - I've seen this in past.

I would *strongly* suggest removing all relevant records from the
cloud.keystore table (all records related to the domain you are using -
that probably means indeed ALL records from the table...).
Then upload the SSL and its intermediate/Root certificates again, i.e.
from scratch.
Restart mgmt, and ensure SSVM/CPVM are destroyed.

Best,



On Mon, 28 Dec 2020 at 11:43, Rohit Yadav  wrote:

> Hi,
>
> Can you try to manually start the cloud service, for example: "service
> cloud start" and tail/share the logs which may explain why the java process
> is not running.
> If that does not work, you may also try to validate/verify the
> certificates (including any chain/intermediate certificates) you've
> uploaded and destroy the old CPVM/SSVM.
>
> For more information on SSL certificate setup, you may read this
> 4.11-specific blog
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/ which
> I think is applicable for 4.9 as well.
>
>
> Regards.
>
> 
> From: Cloud List 
> Sent: Saturday, December 26, 2020 09:42
> To: users@cloudstack.apache.org ; dev <
> d...@cloudstack.apache.org>
> Subject: SSVM and CPVM agent unable to start after console proxy SSL
> certificate update
>
> Hi,
>
> Merry Christmas to all.
>
> We are using Cloudstack with KVM hypervisor. Since our console proxy SSL
> certificate has expired, we updated our new SSL certificate using below
> method:
>
>
> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/4.9/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
>
> We have done the above method in the past years without any issues, however
> this time round, both the SSVM and CPVM agents are not able to start after
> the update.
>
> The state for both VMs are up but agents are in "disconnected" state. We
> are still able to login to the SSVM, and found out that the cloud service
> is not running.
>
> root@s-4200-VM:~# service cloud status
> CloudStack cloud service is not running
>
> Tried to start the service:
>
> root@s-4200-VM:~# service cloud start
> Starting CloudStack cloud service (type=secstorage) Success
>
> But the service is not started:
>
> root@s-4200-VM:~# service cloud status
> CloudStack cloud service is not running
>
> Below is the logs from /var/log/cloud.log:
>
> =
> Sat Dec 26 03:45:04 UTC 2020 Executing cloud-early-config
> Sat Dec 26 03:45:04 UTC 2020 Detected that we are running inside kvm guest
> Sat Dec 26 03:45:04 UTC 2020 Found a non empty cmdline file. Will now exit
> the loop and proceed with configuration.
> Sat Dec 26 03:45:04 UTC 2020 Patching  cloud service
> Sat Dec 26 03:45:10 UTC 2020 Updating log4j-cloud.xml
> Sat Dec 26 03:45:10 UTC 2020 Setting up secondary storage system vm
> Sat Dec 26 03:45:10 UTC 2020 checking that eth0 has IP
> Sat Dec 26 03:45:11 UTC 2020 waiting for eth0 interface setup with ip
> timer=0
> Sat Dec 26 03:45:11 UTC 2020 checking that eth1 has IP
> Sat Dec 26 03:45:11 UTC 2020 checking that eth2 has IP
> Sat Dec 26 03:45:20 UTC 2020 checking that eth3 has IP
> Sat Dec 26 03:45:20 UTC 2020 Successfully setup storage network with
> STORAGE_IP:10.19.22.67, STORAGE_NETMASK:255.255.240.0, STORAGE_CIDR:
> Sat Dec 26 03:45:20 UTC 2020 Setting up route of RFC1918 space to
> 10.19.16.1
> Sat Dec 26 03:45:20 UTC 2020 Setting up apache web server
> Sat Dec 26 03:45:20 UTC 2020 setting up apache2 for post upload of
> volume/template
> Sat Dec 26 03:45:20 UTC 2020 rewrite rules already exist in file
> /etc/apache2/sites-available/default-ssl
> Sat Dec 26 03:45:20 UTC 2020 adding cors rules to file:
> /etc/apache2/sites-available/default-ssl
> Sat Dec 26 03:45:21 UTC 2020 cloud: disable rp_filter
> Sat Dec 26 03:45:21 UTC 2020 disable rpfilter
> Sat Dec 26 03:45:21 UTC 2020 cloud: enable_fwding = 0
> Sat Dec 26 03:45:21 UTC 2020 enable_fwding = 0
> Sat Dec 26 03:45:21 UTC 2020 Enable service haproxy = 0
> Sat Dec 26 03:45:21 UTC 2020 Processors = 1  Enable service  = 0
> Sat Dec 26 03:45:21 UTC 2020 Enable service dnsmasq = 0
> Sat Dec 26 03:45:21 UTC 2020 Enable service cloud-passwd-srvr = 0
> Sat Dec 26 03:45:21 UTC 2020 Enable service cloud = 1
> =
>
> Result of /usr/local/cloud/systemvm/ssvm-check.sh:
>
> =
> root@s-4200-VM:/var/log# /usr/local/cloud/systemvm/ssvm-check.sh
> 
> First DNS server is  8.8.8.8
> PING 8.8.8.8 (8.8.8.8): 48 data bytes
> 56 bytes from 8.8.8.8: icmp_seq=0 ttl=122 time=0.531 ms
> 56 bytes from 8.8.8.8: icmp_seq=1 ttl=122 time=0.6

Re: SSVM and CPVM agent unable to start after console proxy SSL certificate update

2020-12-28 Thread Rohit Yadav
Hi,

Can you try to manually start the cloud service, for example: "service cloud 
start" and tail/share the logs which may explain why the java process is not 
running.
If that does not work, you may also try to validate/verify the certificates 
(including any chain/intermediate certificates) you've uploaded and destroy the 
old CPVM/SSVM.

For more information on SSL certificate setup, you may read this 4.11-specific 
blog https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/ which I 
think is applicable for 4.9 as well.


Regards.


From: Cloud List 
Sent: Saturday, December 26, 2020 09:42
To: users@cloudstack.apache.org ; dev 

Subject: SSVM and CPVM agent unable to start after console proxy SSL 
certificate update

Hi,

Merry Christmas to all.

We are using Cloudstack with KVM hypervisor. Since our console proxy SSL
certificate has expired, we updated our new SSL certificate using below
method:

http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/4.9/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

We have done the above method in the past years without any issues, however
this time round, both the SSVM and CPVM agents are not able to start after
the update.

The state for both VMs are up but agents are in "disconnected" state. We
are still able to login to the SSVM, and found out that the cloud service
is not running.

root@s-4200-VM:~# service cloud status
CloudStack cloud service is not running

Tried to start the service:

root@s-4200-VM:~# service cloud start
Starting CloudStack cloud service (type=secstorage) Success

But the service is not started:

root@s-4200-VM:~# service cloud status
CloudStack cloud service is not running

Below is the logs from /var/log/cloud.log:

=
Sat Dec 26 03:45:04 UTC 2020 Executing cloud-early-config
Sat Dec 26 03:45:04 UTC 2020 Detected that we are running inside kvm guest
Sat Dec 26 03:45:04 UTC 2020 Found a non empty cmdline file. Will now exit
the loop and proceed with configuration.
Sat Dec 26 03:45:04 UTC 2020 Patching  cloud service
Sat Dec 26 03:45:10 UTC 2020 Updating log4j-cloud.xml
Sat Dec 26 03:45:10 UTC 2020 Setting up secondary storage system vm
Sat Dec 26 03:45:10 UTC 2020 checking that eth0 has IP
Sat Dec 26 03:45:11 UTC 2020 waiting for eth0 interface setup with ip
timer=0
Sat Dec 26 03:45:11 UTC 2020 checking that eth1 has IP
Sat Dec 26 03:45:11 UTC 2020 checking that eth2 has IP
Sat Dec 26 03:45:20 UTC 2020 checking that eth3 has IP
Sat Dec 26 03:45:20 UTC 2020 Successfully setup storage network with
STORAGE_IP:10.19.22.67, STORAGE_NETMASK:255.255.240.0, STORAGE_CIDR:
Sat Dec 26 03:45:20 UTC 2020 Setting up route of RFC1918 space to 10.19.16.1
Sat Dec 26 03:45:20 UTC 2020 Setting up apache web server
Sat Dec 26 03:45:20 UTC 2020 setting up apache2 for post upload of
volume/template
Sat Dec 26 03:45:20 UTC 2020 rewrite rules already exist in file
/etc/apache2/sites-available/default-ssl
Sat Dec 26 03:45:20 UTC 2020 adding cors rules to file:
/etc/apache2/sites-available/default-ssl
Sat Dec 26 03:45:21 UTC 2020 cloud: disable rp_filter
Sat Dec 26 03:45:21 UTC 2020 disable rpfilter
Sat Dec 26 03:45:21 UTC 2020 cloud: enable_fwding = 0
Sat Dec 26 03:45:21 UTC 2020 enable_fwding = 0
Sat Dec 26 03:45:21 UTC 2020 Enable service haproxy = 0
Sat Dec 26 03:45:21 UTC 2020 Processors = 1  Enable service  = 0
Sat Dec 26 03:45:21 UTC 2020 Enable service dnsmasq = 0
Sat Dec 26 03:45:21 UTC 2020 Enable service cloud-passwd-srvr = 0
Sat Dec 26 03:45:21 UTC 2020 Enable service cloud = 1
=

Result of /usr/local/cloud/systemvm/ssvm-check.sh:

=
root@s-4200-VM:/var/log# /usr/local/cloud/systemvm/ssvm-check.sh

First DNS server is  8.8.8.8
PING 8.8.8.8 (8.8.8.8): 48 data bytes
56 bytes from 8.8.8.8: icmp_seq=0 ttl=122 time=0.531 ms
56 bytes from 8.8.8.8: icmp_seq=1 ttl=122 time=0.676 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.531/0.604/0.676/0.073 ms
Good: Can ping DNS server

Good: DNS resolves download.cloud.com

ERROR: NFS is not currently mounted
Try manually mounting from inside the VM
NFS server is  X.X.201.1
PING X.X.201.1 (X.X.201.1): 48 data bytes
56 bytes from X.X.201.1: icmp_seq=0 ttl=255 time=0.463 ms
56 bytes from X.X.201.1: icmp_seq=1 ttl=255 time=0.482 ms
--- X.X.201.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.463/0.473/0.482/0.000 ms
Good: Can ping nfs server

Management server is 10.237.3.8. Checking connectivity.
Good: Can connect to management server port 8250

ERROR: Java process not running.  Try restarting the SSVM.
root@s-4200-VM:/var/log#
=

The

Re: SSVM and CPVM agent unable to start after console proxy SSL certificate update

2020-12-27 Thread Rakesh v
Probably try destroying them once? Any warn or error message in mgt logs or 
ssvm /var/log/messages?

Sent from my iPhone

> On 26-Dec-2020, at 5:12 AM, Cloud List  wrote:
> 
> Hi,
> 
> Merry Christmas to all.
> 
> We are using Cloudstack with KVM hypervisor. Since our console proxy SSL
> certificate has expired, we updated our new SSL certificate using below
> method:
> 
> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/4.9/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
> 
> We have done the above method in the past years without any issues, however
> this time round, both the SSVM and CPVM agents are not able to start after
> the update.
> 
> The state for both VMs are up but agents are in "disconnected" state. We
> are still able to login to the SSVM, and found out that the cloud service
> is not running.
> 
> root@s-4200-VM:~# service cloud status
> CloudStack cloud service is not running
> 
> Tried to start the service:
> 
> root@s-4200-VM:~# service cloud start
> Starting CloudStack cloud service (type=secstorage) Success
> 
> But the service is not started:
> 
> root@s-4200-VM:~# service cloud status
> CloudStack cloud service is not running
> 
> Below is the logs from /var/log/cloud.log:
> 
> =
> Sat Dec 26 03:45:04 UTC 2020 Executing cloud-early-config
> Sat Dec 26 03:45:04 UTC 2020 Detected that we are running inside kvm guest
> Sat Dec 26 03:45:04 UTC 2020 Found a non empty cmdline file. Will now exit
> the loop and proceed with configuration.
> Sat Dec 26 03:45:04 UTC 2020 Patching  cloud service
> Sat Dec 26 03:45:10 UTC 2020 Updating log4j-cloud.xml
> Sat Dec 26 03:45:10 UTC 2020 Setting up secondary storage system vm
> Sat Dec 26 03:45:10 UTC 2020 checking that eth0 has IP
> Sat Dec 26 03:45:11 UTC 2020 waiting for eth0 interface setup with ip
> timer=0
> Sat Dec 26 03:45:11 UTC 2020 checking that eth1 has IP
> Sat Dec 26 03:45:11 UTC 2020 checking that eth2 has IP
> Sat Dec 26 03:45:20 UTC 2020 checking that eth3 has IP
> Sat Dec 26 03:45:20 UTC 2020 Successfully setup storage network with
> STORAGE_IP:10.19.22.67, STORAGE_NETMASK:255.255.240.0, STORAGE_CIDR:
> Sat Dec 26 03:45:20 UTC 2020 Setting up route of RFC1918 space to 10.19.16.1
> Sat Dec 26 03:45:20 UTC 2020 Setting up apache web server
> Sat Dec 26 03:45:20 UTC 2020 setting up apache2 for post upload of
> volume/template
> Sat Dec 26 03:45:20 UTC 2020 rewrite rules already exist in file
> /etc/apache2/sites-available/default-ssl
> Sat Dec 26 03:45:20 UTC 2020 adding cors rules to file:
> /etc/apache2/sites-available/default-ssl
> Sat Dec 26 03:45:21 UTC 2020 cloud: disable rp_filter
> Sat Dec 26 03:45:21 UTC 2020 disable rpfilter
> Sat Dec 26 03:45:21 UTC 2020 cloud: enable_fwding = 0
> Sat Dec 26 03:45:21 UTC 2020 enable_fwding = 0
> Sat Dec 26 03:45:21 UTC 2020 Enable service haproxy = 0
> Sat Dec 26 03:45:21 UTC 2020 Processors = 1  Enable service  = 0
> Sat Dec 26 03:45:21 UTC 2020 Enable service dnsmasq = 0
> Sat Dec 26 03:45:21 UTC 2020 Enable service cloud-passwd-srvr = 0
> Sat Dec 26 03:45:21 UTC 2020 Enable service cloud = 1
> =
> 
> Result of /usr/local/cloud/systemvm/ssvm-check.sh:
> 
> =
> root@s-4200-VM:/var/log# /usr/local/cloud/systemvm/ssvm-check.sh
> 
> First DNS server is  8.8.8.8
> PING 8.8.8.8 (8.8.8.8): 48 data bytes
> 56 bytes from 8.8.8.8: icmp_seq=0 ttl=122 time=0.531 ms
> 56 bytes from 8.8.8.8: icmp_seq=1 ttl=122 time=0.676 ms
> --- 8.8.8.8 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.531/0.604/0.676/0.073 ms
> Good: Can ping DNS server
> 
> Good: DNS resolves download.cloud.com
> 
> ERROR: NFS is not currently mounted
> Try manually mounting from inside the VM
> NFS server is  X.X.201.1
> PING X.X.201.1 (X.X.201.1): 48 data bytes
> 56 bytes from X.X.201.1: icmp_seq=0 ttl=255 time=0.463 ms
> 56 bytes from X.X.201.1: icmp_seq=1 ttl=255 time=0.482 ms
> --- X.X.201.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.463/0.473/0.482/0.000 ms
> Good: Can ping nfs server
> 
> Management server is 10.237.3.8. Checking connectivity.
> Good: Can connect to management server port 8250
> 
> ERROR: Java process not running.  Try restarting the SSVM.
> root@s-4200-VM:/var/log#
> =
> 
> The result is OK except the NFS test, but we checked the IP address is not
> correct 

SSVM and CPVM agent unable to start after console proxy SSL certificate update

2020-12-25 Thread Cloud List
Hi,

Merry Christmas to all.

We are using Cloudstack with KVM hypervisor. Since our console proxy SSL
certificate has expired, we updated our new SSL certificate using below
method:

http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/4.9/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

We have done the above method in the past years without any issues, however
this time round, both the SSVM and CPVM agents are not able to start after
the update.

The state for both VMs are up but agents are in "disconnected" state. We
are still able to login to the SSVM, and found out that the cloud service
is not running.

root@s-4200-VM:~# service cloud status
CloudStack cloud service is not running

Tried to start the service:

root@s-4200-VM:~# service cloud start
Starting CloudStack cloud service (type=secstorage) Success

But the service is not started:

root@s-4200-VM:~# service cloud status
CloudStack cloud service is not running

Below are the logs from /var/log/cloud.log:

=
Sat Dec 26 03:45:04 UTC 2020 Executing cloud-early-config
Sat Dec 26 03:45:04 UTC 2020 Detected that we are running inside kvm guest
Sat Dec 26 03:45:04 UTC 2020 Found a non empty cmdline file. Will now exit
the loop and proceed with configuration.
Sat Dec 26 03:45:04 UTC 2020 Patching  cloud service
Sat Dec 26 03:45:10 UTC 2020 Updating log4j-cloud.xml
Sat Dec 26 03:45:10 UTC 2020 Setting up secondary storage system vm
Sat Dec 26 03:45:10 UTC 2020 checking that eth0 has IP
Sat Dec 26 03:45:11 UTC 2020 waiting for eth0 interface setup with ip
timer=0
Sat Dec 26 03:45:11 UTC 2020 checking that eth1 has IP
Sat Dec 26 03:45:11 UTC 2020 checking that eth2 has IP
Sat Dec 26 03:45:20 UTC 2020 checking that eth3 has IP
Sat Dec 26 03:45:20 UTC 2020 Successfully setup storage network with
STORAGE_IP:10.19.22.67, STORAGE_NETMASK:255.255.240.0, STORAGE_CIDR:
Sat Dec 26 03:45:20 UTC 2020 Setting up route of RFC1918 space to 10.19.16.1
Sat Dec 26 03:45:20 UTC 2020 Setting up apache web server
Sat Dec 26 03:45:20 UTC 2020 setting up apache2 for post upload of
volume/template
Sat Dec 26 03:45:20 UTC 2020 rewrite rules already exist in file
/etc/apache2/sites-available/default-ssl
Sat Dec 26 03:45:20 UTC 2020 adding cors rules to file:
/etc/apache2/sites-available/default-ssl
Sat Dec 26 03:45:21 UTC 2020 cloud: disable rp_filter
Sat Dec 26 03:45:21 UTC 2020 disable rpfilter
Sat Dec 26 03:45:21 UTC 2020 cloud: enable_fwding = 0
Sat Dec 26 03:45:21 UTC 2020 enable_fwding = 0
Sat Dec 26 03:45:21 UTC 2020 Enable service haproxy = 0
Sat Dec 26 03:45:21 UTC 2020 Processors = 1  Enable service  = 0
Sat Dec 26 03:45:21 UTC 2020 Enable service dnsmasq = 0
Sat Dec 26 03:45:21 UTC 2020 Enable service cloud-passwd-srvr = 0
Sat Dec 26 03:45:21 UTC 2020 Enable service cloud = 1
=

Result of /usr/local/cloud/systemvm/ssvm-check.sh:

=
root@s-4200-VM:/var/log# /usr/local/cloud/systemvm/ssvm-check.sh

First DNS server is  8.8.8.8
PING 8.8.8.8 (8.8.8.8): 48 data bytes
56 bytes from 8.8.8.8: icmp_seq=0 ttl=122 time=0.531 ms
56 bytes from 8.8.8.8: icmp_seq=1 ttl=122 time=0.676 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.531/0.604/0.676/0.073 ms
Good: Can ping DNS server

Good: DNS resolves download.cloud.com

ERROR: NFS is not currently mounted
Try manually mounting from inside the VM
NFS server is  X.X.201.1
PING X.X.201.1 (X.X.201.1): 48 data bytes
56 bytes from X.X.201.1: icmp_seq=0 ttl=255 time=0.463 ms
56 bytes from X.X.201.1: icmp_seq=1 ttl=255 time=0.482 ms
--- X.X.201.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.463/0.473/0.482/0.000 ms
Good: Can ping nfs server

Management server is 10.237.3.8. Checking connectivity.
Good: Can connect to management server port 8250

ERROR: Java process not running.  Try restarting the SSVM.
root@s-4200-VM:/var/log#
=

The result is OK except for the NFS test, but we checked and the IP address is
not correct (X.X.201.1, which is the public IP address of the gateway rather
than the actual NFS server IP). We tested mounting the actual NFS server
and it works fine.

Have tried stopping and starting back the SSVM and the issue still persists.

Can anyone help advise how we can resolve the problem?

Looking forward to your reply, thank you.

-ip-



Re: Console Proxy SSL Error

2014-05-11 Thread Ian Service
I had the exact same issue Konstantinos, but by URL encoding the
certificates they all were accepted and then functioned correctly.

- Ian


On Tue, May 6, 2014 at 10:29 AM, Konstantinos Karampogias 
konstantinos.karampog...@centralway.com wrote:

 I was also able to upload the root certificate and the intermediate
 certificate using exactly
 the script in this link

 http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html

 I was not able to put my certificate and private key using the script,
 but i did it through the cloudstack web interface.

 A tip is to use api to get the error, for example when i was failing i
 was getting the error
  cs job query cfa55630-6a76-4128-a759-469224ddee4f  -e cs3-admin
 accountid : 40ed3d8c-cae2-11e3-8f1a-001e67a0a266
 userid : 40ed6f44-cae2-11e3-8f1a-001e67a0a266
 cmd :
 org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
 jobstatus : 2
 jobprocstatus : 0
 jobresultcode : 530
 jobresulttype : object
 jobresult :errorcode : 530
errortext : Failed to pass certificate validation check
 created : 2014-05-06T15:47:52+0200
 jobid : cfa55630-6a76-4128-a759-469224ddee4f


 when i succeeded  i got
 $ cs job query 686d4d71-94da-4b27-9629-9067793147fa -e cs3-admin
 accountid : 40ed3d8c-cae2-11e3-8f1a-001e67a0a266
 userid : 40ed6f44-cae2-11e3-8f1a-001e67a0a266
 cmd :
 org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
 jobstatus : 1
 jobprocstatus : 0
 jobresultcode : 0
 jobresulttype : object
 jobresult :customcertificate : {message=Certificate has been
 updated, we will stop all running console proxy VMs and secondary
 storage VMs to propagate the new certificate, please give a few
 minutes for console access service to be up again}
 created : 2014-05-06T15:56:31+0200
 jobid : 686d4d71-94da-4b27-9629-9067793147fa
 

 After you verify that all keys are there, verify also the console
 proxy is being restarted.



 On Tue, May 6, 2014 at 1:21 PM, Ian Service iserv...@ts2.ca wrote:
  I was able to get it all to work using the API.
 
  I followed Chip's advice
 
 http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html
 
  The difference is is that I'm using my own CloudStack API wrapper in PHP
  and the certificates and private key needed to be url encoded twice (once
  for normal URL transmission and once before that for transmission into
 the
  system) before they would be pushed out correctly to the system VMs.  I
  also replaced all newlines with \r\n and trimmed off the white space from
  beginning and end of the strings for good measure.
 
  Before I discovered that, the certificates would look like they had been
  imported correctly in the database but were being prevented from being
 used
  on the Java end of things.
 
  - Ian
 
 
 
  On Tue, May 6, 2014 at 2:17 AM, Gopala Krishnan gopkris2...@gmail.com
 wrote:
 
  Yes... I have changed manually id in keystore tables.
 
  1 for root cert
  2 for intermediate CA
  3 for certificate
 
 
 
 
  On Tue, May 6, 2014 at 10:47 AM, Amogh Vasekar 
 amogh.vase...@citrix.com
  wrote:
 
   Can you please outline the steps in uploading intermediate and root
   certificates? Specifically, was the id parameter set (1 for root, 2
 for
   intermediate_ca_1 etc..)
  
   Amogh
  
   On 5/5/14 10:10 PM, Gopala Krishnan gopkris2...@gmail.com wrote:
  
   Amogh,
   
   Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
   certificate as per order.  But still not console accessible.
   
   Any idea?
   
   
   
   On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
   amogh.vase...@citrix.com wrote:
   
Hi,
   
Which version are you on? Also, did you upload the root and
  intermediate
certificates (if any)?
   
Amogh
   
On 5/3/14 3:38 AM, Gopala Krishnan gopkris2...@gmail.com
 wrote:
   
Hi,

I have tried to change realhostip.com for console proxy. I have
   created
SSL
certificate with wildcard SSL and updated as per the cloudstack
   document.


   
   
  
 
http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy

Its not working.. I have done the following steps.

Purchased SSL certificate for my domain *.hostname.com and
 updated
  the
certificate via the cloudstack UI.

Infrastructure -  SSL certificate

Pasted the certificate
Pasted the Key
DNS domain = hostname.com

Once completed, I have optimized the global settings

consoleproxy.url.domain = hostname.com


When I click console for VM, It shows certificate trusted errors.
  May I
know what I done wrong??


--
Gopala Krishnan.S
Mobile : +91 9865709094 / +91 9994874447
*cPanel KnowledgeBase http://www.cpanelkb.net/*
*Linux Server Admin Tools* http://www.gnutoolbox.com
   
   
   
   
   --
   Gopala Krishnan.S
 

Re: Console Proxy SSL Error

2014-05-06 Thread Gopala Krishnan
Yes... I have changed manually id in keystore tables.

1 for root cert
2 for intermediate CA
3 for certificate




On Tue, May 6, 2014 at 10:47 AM, Amogh Vasekar amogh.vase...@citrix.com wrote:

 Can you please outline the steps in uploading intermediate and root
 certificates? Specifically, was the id parameter set (1 for root, 2 for
 intermediate_ca_1 etc..)

 Amogh

 On 5/5/14 10:10 PM, Gopala Krishnan gopkris2...@gmail.com wrote:

 Amogh,
 
 Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
 certificate as per order.  But still not console accessible.
 
 Any idea?
 
 
 
 On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
 amogh.vase...@citrix.com wrote:
 
  Hi,
 
  Which version are you on? Also, did you upload the root and intermediate
  certificates (if any)?
 
  Amogh
 
  On 5/3/14 3:38 AM, Gopala Krishnan gopkris2...@gmail.com wrote:
 
  Hi,
  
  I have tried to change realhostip.com for console proxy. I have
 created
  SSL
  certificate with wildcard SSL and updated as per the cloudstack
 document.
  
  
 
 
  http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy
  
  Its not working.. I have done the following steps.
  
  Purchased SSL certificate for my domain *.hostname.com and updated the
  certificate via the cloudstack UI.
  
  Infrastructure -  SSL certificate
  
  Pasted the certificate
  Pasted the Key
  DNS domain = hostname.com
  
  Once completed, I have optimized the global settings
  
  consoleproxy.url.domain = hostname.com
  
  
  When I click console for VM, It shows certificate trusted errors. May I
  know what I done wrong??
  
  
  --
  Gopala Krishnan.S
  Mobile : +91 9865709094 / +91 9994874447
  *cPanel KnowledgeBase http://www.cpanelkb.net/*
  *Linux Server Admin Tools* http://www.gnutoolbox.com
 
 
 
 
 --
 Gopala Krishnan.S
 Mobile : +91 9865709094 / +91 9994874447
 *cPanel KnowledgeBase http://www.cpanelkb.net/*
 *Linux Server Admin Tools* http://www.gnutoolbox.com




-- 
Gopala Krishnan.S
Mobile : +91 9865709094 / +91 9994874447
*cPanel KnowledgeBase http://www.cpanelkb.net/*
*Linux Server Admin Tools* http://www.gnutoolbox.com


Re: Console Proxy SSL Error

2014-05-06 Thread Ian Service
I was able to get it all to work using the API.

I followed Chip's advice
http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html

The difference is that I'm using my own CloudStack API wrapper in PHP
and the certificates and private key needed to be URL encoded twice (once
for normal URL transmission and once before that for transmission into the
system) before they would be pushed out correctly to the system VMs.  I
also replaced all newlines with \r\n and trimmed off the white space from
beginning and end of the strings for good measure.

Before I discovered that, the certificates would look like they had been
imported correctly in the database but were being prevented from being used
on the Java end of things.

- Ian



On Tue, May 6, 2014 at 2:17 AM, Gopala Krishnan gopkris2...@gmail.com wrote:

 Yes... I have changed manually id in keystore tables.

 1 for root cert
 2 for intermediate CA
 3 for certificate




 On Tue, May 6, 2014 at 10:47 AM, Amogh Vasekar amogh.vase...@citrix.com
 wrote:

  Can you please outline the steps in uploading intermediate and root
  certificates? Specifically, was the id parameter set (1 for root, 2 for
  intermediate_ca_1 etc..)
 
  Amogh
 
  On 5/5/14 10:10 PM, Gopala Krishnan gopkris2...@gmail.com wrote:
 
  Amogh,
  
  Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
  certificate as per order.  But still not console accessible.
  
  Any idea?
  
  
  
  On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
  amogh.vase...@citrix.com wrote:
  
   Hi,
  
   Which version are you on? Also, did you upload the root and
 intermediate
   certificates (if any)?
  
   Amogh
  
   On 5/3/14 3:38 AM, Gopala Krishnan gopkris2...@gmail.com wrote:
  
   Hi,
   
   I have tried to change realhostip.com for console proxy. I have
  created
   SSL
   certificate with wildcard SSL and updated as per the cloudstack
  document.
   
   
  
  
 
   http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy
   
   Its not working.. I have done the following steps.
   
   Purchased SSL certificate for my domain *.hostname.com and updated
 the
   certificate via the cloudstack UI.
   
   Infrastructure -  SSL certificate
   
   Pasted the certificate
   Pasted the Key
   DNS domain = hostname.com
   
   Once completed, I have optimized the global settings
   
   consoleproxy.url.domain = hostname.com
   
   
   When I click console for VM, It shows certificate trusted errors.
 May I
   know what I done wrong??
   
   
   --
   Gopala Krishnan.S
   Mobile : +91 9865709094 / +91 9994874447
   *cPanel KnowledgeBase http://www.cpanelkb.net/*
   *Linux Server Admin Tools* http://www.gnutoolbox.com
  
  
  
  
  --
  Gopala Krishnan.S
  Mobile : +91 9865709094 / +91 9994874447
  *cPanel KnowledgeBase http://www.cpanelkb.net/*
  *Linux Server Admin Tools* http://www.gnutoolbox.com
 
 


 --
 Gopala Krishnan.S
 Mobile : +91 9865709094 / +91 9994874447
 *cPanel KnowledgeBase http://www.cpanelkb.net/*
 *Linux Server Admin Tools* http://www.gnutoolbox.com
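
The double URL encoding Ian describes above, as an added Python example that is not part of the original thread, his PHP wrapper, or CloudStack itself. It assumes the server form-decodes the parameter once in the HTTP layer and once more in the application (inferred from the post, not confirmed by it); the PEM body is a constructed placeholder, not a real certificate, and all function names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_plus

PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----\Z",
    re.DOTALL,
)


def make_sample_pem():
    """Constructed placeholder PEM (not a real certificate).

    The body bytes are chosen so the base64 text consists of '+' and '/',
    the characters that an extra URL decode can damage.
    """
    b64 = base64.b64encode(b"\xfb\xff\xbf" * 32).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    # Stray blank lines and bare LF endings, as a copy-pasted file might have.
    return (
        "\n-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n\n"
    )


def normalize_pem(text):
    """Trim surrounding whitespace and use CRLF line endings, as in the post."""
    return "\r\n".join(text.strip().splitlines())


def encode_param(value, times):
    """Percent-encode a parameter value `times` times, escaping everything."""
    for _ in range(times):
        value = quote(value, safe="")
    return value


def server_view(param, decodes=2):
    """ASSUMPTION: the value is form-decoded once by the HTTP layer and once
    more by the application, which is what the fix in the post implies."""
    for _ in range(decodes):
        param = unquote_plus(param)
    return param


def pem_der(pem):
    """Return the decoded body if framing and base64 are intact, else None."""
    match = PEM_RE.match(pem)
    if not match:
        return None
    body = "".join(match.group(1).splitlines())
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def upload_roundtrip(pem_text, times):
    """What the application holds after an upload encoded `times` times."""
    return server_view(encode_param(normalize_pem(pem_text), times))


def demo():
    """Compare single and double encoding against the original body."""
    sample = make_sample_pem()
    want = pem_der(normalize_pem(sample))
    results = {}
    for times in (1, 2):
        got = pem_der(upload_roundtrip(sample, times))
        results[times] = got is not None and got == want
        print(f"encoded {times}x -> body intact after two decodes: {results[times]}")
    return results


if __name__ == "__main__":
    demo()
```

With a single encoding, the second decode turns every `+` in the base64 body into a space, so the value can be stored yet no longer parse as a certificate.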



Re: Console Proxy SSL Error

2014-05-06 Thread Konstantinos Karampogias
I was also able to upload the root certificate and the intermediate
certificate using exactly
the script in this link
http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html

I was not able to put my certificate and private key using the script,
but I did it through the CloudStack web interface.

A tip is to use the API to get the error; for example, when I was failing I
was getting the error
 cs job query cfa55630-6a76-4128-a759-469224ddee4f  -e cs3-admin
accountid : 40ed3d8c-cae2-11e3-8f1a-001e67a0a266
userid : 40ed6f44-cae2-11e3-8f1a-001e67a0a266
cmd : 
org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
jobstatus : 2
jobprocstatus : 0
jobresultcode : 530
jobresulttype : object
jobresult :errorcode : 530
   errortext : Failed to pass certificate validation check
created : 2014-05-06T15:47:52+0200
jobid : cfa55630-6a76-4128-a759-469224ddee4f


When I succeeded I got
$ cs job query 686d4d71-94da-4b27-9629-9067793147fa -e cs3-admin
accountid : 40ed3d8c-cae2-11e3-8f1a-001e67a0a266
userid : 40ed6f44-cae2-11e3-8f1a-001e67a0a266
cmd : 
org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
jobstatus : 1
jobprocstatus : 0
jobresultcode : 0
jobresulttype : object
jobresult :customcertificate : {message=Certificate has been
updated, we will stop all running console proxy VMs and secondary
storage VMs to propagate the new certificate, please give a few
minutes for console access service to be up again}
created : 2014-05-06T15:56:31+0200
jobid : 686d4d71-94da-4b27-9629-9067793147fa


After you verify that all keys are there, verify also the console
proxy is being restarted.



On Tue, May 6, 2014 at 1:21 PM, Ian Service iserv...@ts2.ca wrote:
 I was able to get it all to work using the API.

 I followed Chip's advice
 http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html

 The difference is is that I'm using my own CloudStack API wrapper in PHP
 and the certificates and private key needed to be url encoded twice (once
 for normal URL transmission and once before that for transmission into the
 system) before they would be pushed out correctly to the system VMs.  I
 also replaced all newlines with \r\n and trimmed off the white space from
 beginning and end of the strings for good measure.

 Before I discovered that, the certificates would look like they had been
 imported correctly in the database but were being prevented from being used
 on the Java end of things.

 - Ian



 On Tue, May 6, 2014 at 2:17 AM, Gopala Krishnan gopkris2...@gmail.com wrote:

 Yes... I have changed manually id in keystore tables.

 1 for root cert
 2 for intermediate CA
 3 for certificate




 On Tue, May 6, 2014 at 10:47 AM, Amogh Vasekar amogh.vase...@citrix.com
 wrote:

  Can you please outline the steps in uploading intermediate and root
  certificates? Specifically, was the id parameter set (1 for root, 2 for
  intermediate_ca_1 etc..)
 
  Amogh
 
  On 5/5/14 10:10 PM, Gopala Krishnan gopkris2...@gmail.com wrote:
 
  Amogh,
  
  Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
  certificate as per order.  But still not console accessible.
  
  Any idea?
  
  
  
  On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
  amogh.vase...@citrix.com wrote:
  
   Hi,
  
   Which version are you on? Also, did you upload the root and
 intermediate
   certificates (if any)?
  
   Amogh
  
   On 5/3/14 3:38 AM, Gopala Krishnan gopkris2...@gmail.com wrote:
  
   Hi,
   
   I have tried to change realhostip.com for console proxy. I have
  created
   SSL
   certificate with wildcard SSL and updated as per the cloudstack
  document.
   
   
  
  
 
   http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy
   
   Its not working.. I have done the following steps.
   
   Purchased SSL certificate for my domain *.hostname.com and updated
 the
   certificate via the cloudstack UI.
   
   Infrastructure -  SSL certificate
   
   Pasted the certificate
   Pasted the Key
   DNS domain = hostname.com
   
   Once completed, I have optimized the global settings
   
   consoleproxy.url.domain = hostname.com
   
   
   When I click console for VM, It shows certificate trusted errors.
 May I
   know what I done wrong??
   
   
   --
   Gopala Krishnan.S
   Mobile : +91 9865709094 / +91 9994874447
   *cPanel KnowledgeBase http://www.cpanelkb.net/*
   *Linux Server Admin Tools* http://www.gnutoolbox.com
  
  
  
  
  --
  Gopala Krishnan.S
  Mobile : +91 9865709094 / +91 9994874447
  *cPanel KnowledgeBase http://www.cpanelkb.net/*
  *Linux Server Admin Tools* http://www.gnutoolbox.com
 
 


 --
 Gopala Krishnan.S
 Mobile : +91 9865709094 / +91 9994874447
 *cPanel KnowledgeBase http://www.cpanelkb.net/*
 *Linux Server Admin Tools* http://www.gnutoolbox.com




-- 
Centralway Factory AG | Konstantinos Karampogias, DevOps |  LinkedIn |
+ 41 44 578 

Re: Console Proxy SSL Error

2014-05-05 Thread Gopala Krishnan
Amogh,

Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
certificate as per order.  But still not console accessible.

Any idea?



On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar amogh.vase...@citrix.com wrote:

 Hi,

 Which version are you on? Also, did you upload the root and intermediate
 certificates (if any)?

 Amogh

 On 5/3/14 3:38 AM, Gopala Krishnan gopkris2...@gmail.com wrote:

 Hi,
 
 I have tried to change realhostip.com for console proxy. I have created
 SSL
 certificate with wildcard SSL and updated as per the cloudstack document.
 
 
 http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy
 
 Its not working.. I have done the following steps.
 
 Purchased SSL certificate for my domain *.hostname.com and updated the
 certificate via the cloudstack UI.
 
 Infrastructure -  SSL certificate
 
 Pasted the certificate
 Pasted the Key
 DNS domain = hostname.com
 
 Once completed, I have optimized the global settings
 
 consoleproxy.url.domain = hostname.com
 
 
 When I click console for VM, It shows certificate trusted errors. May I
 know what I done wrong??
 
 
 --
 Gopala Krishnan.S
 Mobile : +91 9865709094 / +91 9994874447
 *cPanel KnowledgeBase http://www.cpanelkb.net/*
 *Linux Server Admin Tools* http://www.gnutoolbox.com




-- 
Gopala Krishnan.S
Mobile : +91 9865709094 / +91 9994874447
*cPanel KnowledgeBase http://www.cpanelkb.net/*
*Linux Server Admin Tools* http://www.gnutoolbox.com


Re: Console Proxy SSL Error

2014-05-05 Thread Amogh Vasekar
Can you please outline the steps in uploading intermediate and root
certificates? Specifically, was the id parameter set (1 for root, 2 for
intermediate_ca_1 etc..)

Amogh

On 5/5/14 10:10 PM, Gopala Krishnan gopkris2...@gmail.com wrote:

Amogh,

Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
certificate as per order.  But still not console accessible.

Any idea?



On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
amogh.vase...@citrix.com wrote:

 Hi,

 Which version are you on? Also, did you upload the root and intermediate
 certificates (if any)?

 Amogh

 On 5/3/14 3:38 AM, Gopala Krishnan gopkris2...@gmail.com wrote:

 Hi,
 
 I have tried to change realhostip.com for console proxy. I have created
 SSL
 certificate with wildcard SSL and updated as per the cloudstack
document.
 
 
 
 http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy
 
 Its not working.. I have done the following steps.
 
 Purchased SSL certificate for my domain *.hostname.com and updated the
 certificate via the cloudstack UI.
 
 Infrastructure -  SSL certificate
 
 Pasted the certificate
 Pasted the Key
 DNS domain = hostname.com
 
 Once completed, I have optimized the global settings
 
 consoleproxy.url.domain = hostname.com
 
 
 When I click console for VM, It shows certificate trusted errors. May I
 know what I done wrong??
 
 
 --
 Gopala Krishnan.S
 Mobile : +91 9865709094 / +91 9994874447
 *cPanel KnowledgeBase http://www.cpanelkb.net/*
 *Linux Server Admin Tools* http://www.gnutoolbox.com




-- 
Gopala Krishnan.S
Mobile : +91 9865709094 / +91 9994874447
*cPanel KnowledgeBase http://www.cpanelkb.net/*
*Linux Server Admin Tools* http://www.gnutoolbox.com



Console Proxy SSL Error

2014-05-03 Thread Gopala Krishnan
Hi,

I have tried to change realhostip.com for console proxy. I have created SSL
certificate with wildcard SSL and updated as per the cloudstack document.

http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy

It's not working. I have done the following steps.

Purchased SSL certificate for my domain *.hostname.com and updated the
certificate via the cloudstack UI.

Infrastructure -> SSL certificate

Pasted the certificate
Pasted the Key
DNS domain = hostname.com

Once completed, I have optimized the global settings

consoleproxy.url.domain = hostname.com


When I click console for a VM, it shows certificate trusted errors. May I
know what I have done wrong?


-- 
Gopala Krishnan.S
Mobile : +91 9865709094 / +91 9994874447
*cPanel KnowledgeBase http://www.cpanelkb.net/*
*Linux Server Admin Tools* http://www.gnutoolbox.com


Re: Console Proxy SSL Error

2014-05-03 Thread Amogh Vasekar
Hi,

Which version are you on? Also, did you upload the root and intermediate
certificates (if any)?

Amogh

On 5/3/14 3:38 AM, Gopala Krishnan gopkris2...@gmail.com wrote:

Hi,

I have tried to change realhostip.com for console proxy. I have created
SSL
certificate with wildcard SSL and updated as per the cloudstack document.

http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#console-proxy

Its not working.. I have done the following steps.

Purchased SSL certificate for my domain *.hostname.com and updated the
certificate via the cloudstack UI.

Infrastructure -  SSL certificate

Pasted the certificate
Pasted the Key
DNS domain = hostname.com

Once completed, I have optimized the global settings

consoleproxy.url.domain = hostname.com


When I click console for VM, It shows certificate trusted errors. May I
know what I done wrong??


-- 
Gopala Krishnan.S
Mobile : +91 9865709094 / +91 9994874447
*cPanel KnowledgeBase http://www.cpanelkb.net/*
*Linux Server Admin Tools* http://www.gnutoolbox.com



Console Proxy SSL Certificate

2013-11-05 Thread Paulo Ricardo
Hello everybody,

After I generate a new 2048-bit private key and generate a new certificate
CSR, do I need to purchase an SSL certificate? Or may I use a self-signed SSL
certificate?

Thanks,

Paulo.


Re: Console Proxy SSL Certificate

2013-11-05 Thread John Kinsella
Self-signed is fine, just need to store it in the keystore as described on 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Enabling+SSL+in+the+CloudStack+UI

On Nov 5, 2013, at 10:05 AM, Paulo Ricardo paulor...@gmail.com
 wrote:

 Hello everybody,
 
 After I generate a new 2048-bit private key and generate a new certificate
 CSR, do I need purchase a Certificate SSL? Or may I do a Certificate SSL
 self signed?
 
 Thanks,
 
 Paulo.



Console Proxy SSL

2013-06-21 Thread Billy Ramsay
Greetings,

We just completed a clean install of 4.1.0. I was able to successfully
upload a custom certificate for use by the console proxy machines in our old
4.0.1 environment, but now I cannot get it to work for the life of me in
4.1.0.

The UI just says failed to update, as usual. I also tried to upload via
API, and the error I get is below:

errorcode = 530
errortext = Command failed due to Internal Server Error

I have confirmed that the certificate and key are in the proper format, as
was used in our 4.0.1 environment.

Thanks in advance for any light you can shed on this!

-WPR




Re: Console Proxy SSL

2013-06-21 Thread Chip Childers
On Fri, Jun 21, 2013 at 08:33:44AM -0400, Billy Ramsay wrote:
 Greetings,
 
 We just completed a clean install of 4.1.0. I was able to successfully
 upload a custom certificate for use by the console proxy machines in our old
 4.0.1 environment, but now I cannot get it to work for the life of me in
 4.1.0.
 
 The UI just says failed to update, as usual. I also tried to upload via
 API, and the error I get is below:
 
 errorcode = 530
 errortext = Command failed due to Internal Server Error
 
 I have confirmed that the certificate and key are in the proper format, as
 was used in our 4.0.1 environment.
 
 Thanks in advance for any light you can shed on this!
 
 -WPR
 
 
 

What do you see in the management server logs and / or API logs during
the upload process?


RE: Console Proxy SSL

2013-06-21 Thread Billy Ramsay
 Greetings,
 
 We just completed a clean install of 4.1.0. I was able to successfully 
 upload a custom certificate for use by the console proxy machines in 
 our old
 4.0.1 environment, but now I cannot get it to work for the life of me 
 in 4.1.0.
 
 The UI just says failed to update, as usual. I also tried to upload 
 via API, and the error I get is below:
 
 errorcode = 530
 errortext = Command failed due to Internal Server Error
 
 I have confirmed that the certificate and key are in the proper 
 format, as was used in our 4.0.1 environment.
 
 Thanks in advance for any light you can shed on this!
 
 -WPR
 
 
 

What do you see in the management server logs and / or API logs during the
upload process?

Absolutely nothing in either when I do it from the UI. I did a tail -f on
one monitor while I tried to upload via the UI on another.

When I do it from cloudmonkey I get the output at the bottom (sanitized,
including cert).

Thanks for looking into this!


API log:

2013-06-21 09:22:27,560 INFO  [cloud.api.ApiServer] (catalina-exec-21:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
apiKey=xcertifi
cate=-BEGIN+CERTIFICATE-%5CnMIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsx
JDAiBgNVBAcTG1ZhbGlDZXJ0%5CnIFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNl
cnQsIEluYy4xNTAz%5CnBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24g
QXV0aG9y%5CnaXR5MSvd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG%
5Cn9w0BCQEWEWlusrtjrjrsthjsrthrthrth4XDTk5MDYyNjAwMTk1NFoXDTE5MDYy%5CnNjAwMT
k1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y%5CnazEXMBUGA1UECh
MOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs%5CnYXNzIDIgUG9sarjrtjhrst
hrsthsrtjhrsthaXR5MSEwHwYDVQQDExhodHRw%5CnOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBg
kqhkiG9w0BCQEWEWluZm9AdmFsaWNl%5CncnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ
KBgQDOOnHK5avIWZJV16vY%5CndA757tn2VUdZZUsrthsrthsrthsrthsrthsthUGJ7SVCCSRrCl
6zfN1SLUzm1NZ9%5CnWlmpZdRJEy0kTRxQb7XBhVQ7%2FnHk01xC%2BYDgkRoKWzk2Z%2FM%2FVX
wbP7RfZHM047QS%5Cnv4dk%2BNoS%2FzcnwbNDu%2B97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQUA
A4GBADt%2FUG9v%5CnUJSZSWI4OB9L%2BKXIPqeCgfYrx%2BjFzug6EILLGACOTb2oWH%2BheQC1
u%2BmNr0HZDzTu%5CnIYEZoDJJKPTEjlbVUjP9UNV%2BmWwD5MlM%2FMtsq2azSiGM5bUMMj4Qss
xsodyamEwC%5CnW%2FPOuZ6lcg5Ktz885hZo%2BL7tdEy8W9ViH0Pd%5Cn-END+CERTIFICA
TE-command=uploadCustomCertificatedomainsuffix=domain.comid=1name=ro
otresponse=jsonsignature=CTlxx0YM%2FwfxPTR%2Fxx0%3D 200 {
uploadcustomcertificateresponse :
{jobid:5c293efd-dd23-4766-8e96-4a03e6a5f29e} }
2013-06-21 09:22:29,613 INFO  [cloud.api.ApiServer] (catalina-exec-19:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
apiKey=command=quer
yAsyncJobResultjobid=5c293efd-dd23-4766-8e96-4a03e6a5f29eresponse=jsonsig
nature=YcxqT%2BmxxtqjMDyww%3D 200 {
queryasyncjobresultresponse :
{accountid:92562526-d9a9-11e2-a93b-b6bd483074cc,userid:9256e632-d9a9-
11e2-a93b-b6bd483074cc,cmd:org.apache.cloudstack.api.command.admin.resou
rce.UploadCustomCertificateCmd,jobstatus:2,jobprocstatus:0,jobresultco
de:530,jobresulttype:object,jobresult:{errorcode:530,errortext:C
ommand failed due to Internal Server
Error},created:2013-06-21T09:22:27-0400,jobid:5c293efd-dd23-4766-8e9
6-4a03e6a5f29e} }

Mgmt log:

2013-06-21 09:30:07,423 DEBUG [cloud.api.ApiServlet] (catalina-exec-20:null)
===START===  74.122.165.7 -- GET
apiKey=x
certificate=-BEGIN+CERTIFICATE-%5CnMIIC5zCCAlACAQEwDQYJKoZIhvcN
AQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0%5CnIFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UE
ChMOVmFsaUNlcnQsIEluYy4xNTAz%5CnBgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZh
bGlkYXRpb24gQXV0aG9y%5CnaXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8x
IDAeBgkqhkiG%5Cn9w0BCQEWEWluZmxx
xx5MDYy%5CnNjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y%
5CnazEXMBUTLFZhbGlDZXJ0IENs%
5CnYXNzIDIgUG9saWN5xxxYDVQQDExho
dHRw%5CnOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl%5Cn
cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5avIWZJV16vY%5CndA757tn2
VUethETHehehAEHa5e6qw4uWU5koe6WQTVCCSRrCl6zfN1SLUzm1NZ9%5CnWlmpZdRJEy0kTRxQb
7XBhVQ7%2FnHk01xC%2BYDgkRoKWzk2Z%2FM%2FVXwbP7RfZHM047QS%5Cnv4dk%2BNoS%2Fzcnw
bNDu%2B97bi5GBADt%2FUG9v%5CnUJSZSWI4
OB9L%2BKXIPqeCgfYrx%2BjFzug6EILLGACOTb2oWH%2BheQC1u%2BmNr0HZDzTu%5CnIYEZoDJJ
KPTEjlbVUjP9UNV%2BmWwD5MlM%2FMtsq2azSiGM5bUMMj4QssxsodyamEwC%5CnW%2FPOuZ6lcg
5Ktz885hZo%2BL7tdEy8W9ViH0Pd%5Cn-END+CERTIFICATE-command=uploadCust
omCertificatedomainsuffix=domain.comid=1name=rootresponse=jsonsignature
=CTM%2FTR%2Fck0%3D
2013-06-21 09:30:07,467 DEBUG [cloud.async.AsyncJobManagerImpl]
(catalina-exec-20:null) submit async job-14, details: AsyncJobVO 

RE: Console Proxy SSL

2013-06-21 Thread Pranav Saxena
You are getting a NPE in your management server logs - 
/***

Unexpected exception while executing org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
java.lang.NullPointerException
    at com.cloud.server.ManagementServerImpl.uploadCertificate(ManagementServerImpl.java:2818)

/

Perhaps you should raise a bug in this case. 

Thanks,
Pranav

-Original Message-
From: Billy Ramsay [mailto:bram...@dynamicquest.com] 
Sent: Friday, June 21, 2013 7:07 PM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy SSL

 Greetings,
 
 We just completed a clean install of 4.1.0. I was able to 
 successfully upload a custom certificate for use by the console proxy 
 machines in our old
 4.0.1 environment, but now I cannot get it to work for the life of me 
 in 4.1.0.
 
 The UI just says failed to update, as usual. I also tried to upload 
 via API, and the error I get is below:
 
 errorcode = 530
 errortext = Command failed due to Internal Server Error
 
 I have confirmed that the certificate and key are in the proper 
 format, as was used in our 4.0.1 environment.
 
 Thanks in advance for any light you can shed on this!
 
 -WPR
 
 
 

What do you see in the management server logs and/or API logs during the upload process?

Absolutely nothing in either when I do it from the UI. I did a tail -f on one 
monitor while I tried to upload via the UI on another.

When I do it from cloudmonkey I get the output at the bottom (sanitized, 
including cert).

Thanks for looking into this!


API log:

2013-06-21 09:22:27,560 INFO  [cloud.api.ApiServer] (catalina-exec-21:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET 
apiKey=xcertifi
cate=-BEGIN+CERTIFICATE-%5CnMIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsx
xsodyamEwC%5CnW%2FPOuZ6lcg5Ktz885hZo%2BL7tdEy8W9ViH0Pd%5Cn-END+CERTIFICA
TE-command=uploadCustomCertificatedomainsuffix=domain.comid=1name=ro
otresponse=jsonsignature=CTlxx0YM%2FwfxPTR%2Fxx0%3D 200 { 
uploadcustomcertificateresponse :
{jobid:5c293efd-dd23-4766-8e96-4a03e6a5f29e} }
2013-06-21 09:22:29,613 INFO  [cloud.api.ApiServer] (catalina-exec-19:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET 
apiKey=command=quer
yAsyncJobResultjobid=5c293efd-dd23-4766-8e96-4a03e6a5f29eresponse=jsonsig
nature=YcxqT%2BmxxtqjMDyww%3D 200 { queryasyncjobresultresponse :
{accountid:92562526-d9a9-11e2-a93b-b6bd483074cc,userid:9256e632-d9a9-
11e2-a93b-b6bd483074cc,cmd:org.apache.cloudstack.api.command.admin.resou
rce.UploadCustomCertificateCmd,jobstatus:2,jobprocstatus:0,jobresultco
de:530,jobresulttype:object,jobresult:{errorcode:530,errortext:C
ommand failed due to Internal Server
Error},created:2013-06-21T09:22:27-0400,jobid:5c293efd-dd23-4766-8e9
6-4a03e6a5f29e} }

Mgmt log:

2013-06-21 09:30:07,423 DEBUG [cloud.api.ApiServlet] (catalina-exec-20:null) 
===START===  74.122.165.7 -- GET 
apiKey=x
certificate=-BEGIN+CERTIFICATE-%5CnMIIC5zCCAlACAQEwDQYJKoZIhvcN

RE: Console Proxy SSL

2013-06-21 Thread Billy Ramsay
Thanks for catching that!

Is there any way to get around the API call for this? During my research on
this issue, I found a few references to folks who had inserted the certs
directly into the database, bypassing the API when they could not get it to
work. Is this feasible? I was hoping to use 4.1.0 for an impending
deployment next week, and this is the last roadblock.

Thanks again!

-WPR

-Original Message-
From: Pranav Saxena [mailto:pranav.sax...@citrix.com] 
Sent: Friday, June 21, 2013 9:41 AM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy SSL

You are getting an NPE in your management server logs -
/***


Unexpected exception while executing
org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
java.lang.NullPointerException
at
com.cloud.server.ManagementServerImpl.uploadCertificate(ManagementServerImpl
.java:2818)


/

Perhaps you should raise a bug in this case. 

Thanks,
Pranav

-Original Message-
From: Billy Ramsay [mailto:bram...@dynamicquest.com]
Sent: Friday, June 21, 2013 7:07 PM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy SSL

 Greetings,
 
 We just completed a clean install of 4.1.0. I was able to 
 successfully upload a custom certificate for use by the console proxy 
 machines in our old
 4.0.1 environment, but now I cannot get it to work for the life of me 
 in 4.1.0.
 
 The UI just says failed to update, as usual. I also tried to upload 
 via API, and the error I get is below:
 
 errorcode = 530
 errortext = Command failed due to Internal Server Error
 
 I have confirmed that the certificate and key are in the proper 
 format, as was used in our 4.0.1 environment.
 
 Thanks in advance for any light you can shed on this!
 
 -WPR
 
 
 

What do you see in the management server logs and/or API logs during the upload process?

Absolutely nothing in either when I do it from the UI. I did a tail -f on
one monitor while I tried to upload via the UI on another.

When I do it from cloudmonkey I get the output at the bottom (sanitized,
including cert).

Thanks for looking into this!


API log:

2013-06-21 09:22:27,560 INFO  [cloud.api.ApiServer] (catalina-exec-21:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
apiKey=xcertifi
cate=-BEGIN+CERTIFICATE-%5CnMIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsx
xsodyamEwC%5CnW%2FPOuZ6lcg5Ktz885hZo%2BL7tdEy8W9ViH0Pd%5Cn-END+CERTIFICA
TE-command=uploadCustomCertificatedomainsuffix=domain.comid=1name=ro
otresponse=jsonsignature=CTlxx0YM%2FwfxPTR%2Fxx0%3D 200 {
uploadcustomcertificateresponse :
{jobid:5c293efd-dd23-4766-8e96-4a03e6a5f29e} }
2013-06-21 09:22:29,613 INFO  [cloud.api.ApiServer] (catalina-exec-19:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
apiKey=command=quer
yAsyncJobResultjobid=5c293efd-dd23-4766-8e96-4a03e6a5f29eresponse=jsonsig
nature=YcxqT%2BmxxtqjMDyww%3D 200 {
queryasyncjobresultresponse :
{accountid:92562526-d9a9-11e2-a93b-b6bd483074cc,userid:9256e632-d9a9-
11e2-a93b-b6bd483074cc,cmd:org.apache.cloudstack.api.command.admin.resou
rce.UploadCustomCertificateCmd,jobstatus:2,jobprocstatus:0,jobresultco
de:530,jobresulttype:object,jobresult:{errorcode:530,errortext:C
ommand failed due to Internal Server
Error},created:2013-06-21T09:22:27-0400,jobid:5c293efd-dd23-4766-8e9
6-4a03e6a5f29e} }

Mgmt log:

2013-06-21 09:30:07,423 DEBUG [cloud.api.ApiServlet] (catalina-exec-20:null)
===START===  74.122.165.7 -- GET
apiKey=x
certificate=-BEGIN+CERTIFICATE-%5CnMIIC5zCCAlACAQEwDQYJKoZIhvcN