[GitHub] [cloudstack] VincentHermes commented on issue #4199: HTTPS does not initiate
VincentHermes commented on issue #4199:
URL: https://github.com/apache/cloudstack/issues/4199#issuecomment-654885550

@rhtyd We tried these certificate combinations:

* Key - Server Cert - Intermediate Cert - RootCA
* Key - Server Cert - Intermediate Cert
* Key - Server Cert - RootCA
* Key - Server Cert

Only the server cert doesn't work of course because generating the keystore requires a fitting key. None of these worked however.

The creation of the Self Signed happened like that:

`openssl genrsa -out selfsigned.key 2048`
`openssl req -new -key selfsigned.key -out selfsigned.csr`
`openssl x509 -req -days 3650 -in selfsigned.csr -signkey selfsigned.key -out selfsigned.crt`
`cat selfsigned.key selfsigned.crt > selfsignedcombined.crt`
`openssl pkcs12 -in selfsignedcombined.crt -export -out selfsignedcombined.pkcs12`
`keytool -importkeystore -srckeystore selfsignedcombined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/selfsignedcombined.pkcs12 -deststoretype pkcs12`

And after editing `server.properties` it launched HTTPS with that self signed cert.

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

[GitHub] [cloudstack] VincentHermes commented on issue #4199: HTTPS does not initiate
VincentHermes commented on issue #4199:
URL: https://github.com/apache/cloudstack/issues/4199#issuecomment-654841256

After additional investigation with our very capable colleague we seem to have found the error, but are not able to solve it. There is an exception on jetty regarding keystores:

`Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the`
`base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or`
`org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)`
`at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)`

`KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory`

Starting with `jetty-9.4.23.v20191118` the usage of `SslContextFactory` is deprecated and `SslContextFactory.Server` must be used instead. The embedded Version in CS 4.14 is `jetty-9.4.26.v20200117`. I think this is the root of our HTTPS Issue.

We are not able to solve this but we are using an Apache Proxy now, which however does not allow to upload from local but that's another story.
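
The following is an added example, not part of the comments above and not CloudStack's own code: an embedded Jetty 9.4 HTTPS connector built on `SslContextFactory.Server`, the class the exception names, preceded by a listing of the keystore's entries so that a keystore holding more than one certificate is visible before Jetty loads it. The keystore path, the `KEYSTORE_PASSWORD` environment variable, the port and the optional alias argument are assumptions made for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HttpsConnectorExample {
    public static void main(String[] args) throws Exception {
        // Placeholder values, assumptions for this example only.
        String path = "/path/to/keystore.pkcs12";
        String pw = System.getenv().getOrDefault("KEYSTORE_PASSWORD", "");
        int port = 8443;

        // List every entry: more than one alias means more than one certificate.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pw.toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + " keyEntry=" + ks.isKeyEntry(alias));
        }

        // The Server subclass replaces the deprecated base SslContextFactory.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStoreType("PKCS12");
        ssl.setKeyStorePath(path);
        ssl.setKeyStorePassword(pw);
        if (args.length > 0) ssl.setCertAlias(args[0]); // optionally pin one alias

        HttpConfiguration https = new HttpConfiguration();
        https.setSecureScheme("https");
        https.setSecurePort(port);
        https.addCustomizer(new SecureRequestCustomizer());

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(https));
        connector.setPort(port);
        server.addConnector(connector);
        server.start(); // the keystore is loaded when the connector starts
        server.join();
    }
}
```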