Ok, so the console proxy needed to be restarted in order for the
consoleproxy.url.domain
setting to take effect. However, I still can't see the console. In
Chrome, it just shows a frowning face with no error message (not very
useful). In Firefox, at least it tells me the certificate is not trusted
because it is self-signed but it doesn't give me the option to accept it.
It's not an unreasonable expectation to be able to use self-signed SSL
certificates for an internal site. Is there a setting in CloudStack that
allows them to be trusted?
On Fri, May 16, 2014 at 10:38 AM, Ian Young <iyo...@ratespecial.com> wrote:
> The problem appears to be with the console proxy itself. Here are the
> ports that are listening on the public interface, according to an nmap TCP
> scan:
>
> PORT STATE SERVICE
> 80/tcp open http
> 443/tcp closed https
>
> When I logged into the console proxy through the link local address, I
> checked for processes on port 443 and there are none, so obviously an HTTPS
> connection can't be made. There is a Java process listening on port 80 but
> nothing on 443. Is there something in the global settings that will enable
> HTTPS, or is this a bug?
>
> root@v-2-VM:~# netstat -lnp | grep java
> tcp 0 0 0.0.0.0:8001 0.0.0.0:*
> LISTEN 3491/java
> tcp 0 0 0.0.0.0:80 0.0.0.0:*
> LISTEN 3491/java
>
>
> On Thu, May 15, 2014 at 2:53 PM, Ian Young <iyo...@ratespecial.com> wrote:
>
>> I just realized I had to set the consoleproxy.url.domain field to "
>> realhostip.com" but now when I try to view the console, the browser says
>> "The server refused the connection." Does that indicate a problem with the
>> SSL certificate?
>>
>> management-server.log:
>> 2014-05-15 14:43:55,506 DEBUG [c.c.a.t.Request] (catalina-exec-15:null)
>> Seq 1-90898443: Sending { Cmd , MgmtId: 161342909744, via: 1(
>> virthost1.lax.ratespecial.com), Ver: v1, Flags: 100011,
>> [{"com.cloud.agent.api.GetVncPortCommand":{"id":2,"name":"v-2-VM","wait":0}}]
>> }
>> 2014-05-15 14:43:55,563 DEBUG [c.c.a.t.Request]
>> (AgentManager-Handler-5:null) Seq 1-90898443: Processing: { Ans: , MgmtId:
>> 161342909744, via: 1, Ver: v1, Flags: 10,
>> [{"com.cloud.agent.api.GetVncPortAnswer":{"address":"192.168.100.6","port":5901,"result":true,"wait":0}}]
>> }
>> 2014-05-15 14:43:55,563 DEBUG [c.c.a.t.Request] (catalina-exec-15:null)
>> Seq 1-90898443: Received: { Ans: , MgmtId: 161342909744, via: 1, Ver: v1,
>> Flags: 10, { GetVncPortAnswer } }
>> 2014-05-15 14:43:55,563 DEBUG [c.c.s.ConsoleProxyServlet]
>> (catalina-exec-15:null) Port info 192.168.100.6
>> 2014-05-15 14:43:55,563 INFO [c.c.s.ConsoleProxyServlet]
>> (catalina-exec-15:null) Parse host info returned from executing
>> GetVNCPortCommand. host info: 192.168.100.6
>> 2014-05-15 14:43:55,570 DEBUG [c.c.s.ConsoleProxyServlet]
>> (catalina-exec-15:null) Compose console url:
>> https://192-168-100-159.realhostip.com/ajax?token=CsPhU4m_R2ZoLIdXOtjo3y3humnQN20wt5fSPjbZOHtRh7nli7tiq0ZiWUuwCVIn7K0vuegv6oMAAq_vDY4Vr_f7jwoVQDkxAE1vmK9oRhy9pvBVlmAdCer6hlVjXQlwL9oJEQO4thhSDg2qeNji02xuxlSmDilVKnd9U9xiHqIV-PgktrKq3J2GT1EpcpTvhsew5COQ1h3j8M9IM8KLZpYA0dDp7TejMmfgSiQI8ifZSh_nNLyyqBzYvl1XWxSaDIrnj7UsP3JKUq74kdY5Pg
>> 2014-05-15 14:43:55,570 DEBUG [c.c.s.ConsoleProxyServlet]
>> (catalina-exec-15:null) the console url is ::
>> <html><title>v-2-VM</title><frameset><frame src="
>> https://192-168-100-159.realhostip.com/ajax?token=CsPhU4m_R2ZoLIdXOtjo3y3humnQN20wt5fSPjbZOHtRh7nli7tiq0ZiWUuwCVIn7K0vuegv6oMAAq_vDY4Vr_f7jwoVQDkxAE1vmK9oRhy9pvBVlmAdCer6hlVjXQlwL9oJEQO4thhSDg2qeNji02xuxlSmDilVKnd9U9xiHqIV-PgktrKq3J2GT1EpcpTvhsew5COQ1h3j8M9IM8KLZpYA0dDp7TejMmfgSiQI8ifZSh_nNLyyqBzYvl1XWxSaDIrnj7UsP3JKUq74kdY5Pg
>> "></frame></frameset></html>
>>
>> ssl_access_log:
>> 192.168.100.166 - - [15/May/2014:14:44:55 -0700] "GET
>> /client/console?cmd=access&vm=086b5822-de00-4764-8b05-d8e00657ee54
>> HTTP/1.1" 200 405
>>
>>
>> On Wed, May 14, 2014 at 5:56 PM, Ian Young <iyo...@ratespecial.com>wrote:
>>
>>> Looks like it's still using HTTP, not HTTPS:
>>>
>>> 2014-05-14 17:52:35,812 DEBUG [c.c.a.t.Request] (catalina-exec-20:null)
>>> Seq 1-800529939: Sending { Cmd , MgmtId: 161342909744, via: 1(
>>> virthost1.lax.ratespecial.com), Ver: v1, Flags: 100011,
>>> [{"com.cloud.agent.api.GetVncPortCommand":{"id":6,"name":"i-5-6-VM","wait":0}}]
>>> }
>>> 2014-05-14 17:52:35,861 DEBUG [c.c.a.t.Request]
>>> (AgentManager-Handler-1:null) Seq 1-800529939: Processing: { Ans: ,
>>> MgmtId: 161342909744, via: 1, Ver: v1, Flags: 10,
>>> [{"com.cloud.agent.api.GetVncPortAnswer":{"address":"192.168.100.6","port":5903,"result":true,"wait":0}}]
>>> }
>>> 2014-05-14 17:52:35,861 DEBUG [c.c.a.t.Request] (catalina-exec-20:null)
>>> Seq 1-800529939: Received: { Ans: , MgmtId: 161342909744, via: 1, Ver: v1,
>>> Flags: 10, { GetVncPortAnswer } }
>>> 2014-05-14 17:52:35,861 DEBUG [c.c.s.ConsoleProxyServlet]
>>> (catalina-exec-20:null) Port info 192.168.100.6
>>> 2014-05-14 17:52:35,861 INFO [c.c.s.ConsoleProxyServlet]
>>> (catalina-exec-20:null) Parse host info returned from executing
>>> GetVNCPortCommand. host info: 192.168.100.6
>>> 2014-05-14 17:52:35,865 DEBUG [c.c.s.ConsoleProxyServlet]
>>> (catalina-exec-20:null) Compose console url:
>>> http://192.168.100.159/ajax?token=CsPhU4m_R2ZoLIdXOtjo3y3humnQN20wt5fSPjbZOHtRh7nli7tiq0ZiWUuwCVIn_GSECIK5nC2lBX8cMHvt1_GrmwDVK1PEEAwyueLlgNRgodobz8Lsyv2jEc-mUvMH340AYGt0FyZOuXIA6dunN3yx-bP-vp4rao5Up61eJwOvqFr3PhggNpbq5Up59ObOdYMe2GsBP_3FrL8ZQfBhNBSmViHQ0fKJSyUHDoC9tKlfs2Bb0rPOBxsZeTPfe-hDuaVT-pZxjQXCKM93sujnWw
>>> 2014-05-14 17:52:35,865 DEBUG [c.c.s.ConsoleProxyServlet]
>>> (catalina-exec-20:null) the console url is ::
>>> <html><title>phonesynergy</title><frameset><frame src="
>>> http://192.168.100.159/ajax?token=CsPhU4m_R2ZoLIdXOtjo3y3humnQN20wt5fSPjbZOHtRh7nli7tiq0ZiWUuwCVIn_GSECIK5nC2lBX8cMHvt1_GrmwDVK1PEEAwyueLlgNRgodobz8Lsyv2jEc-mUvMH340AYGt0FyZOuXIA6dunN3yx-bP-vp4rao5Up61eJwOvqFr3PhggNpbq5Up59ObOdYMe2GsBP_3FrL8ZQfBhNBSmViHQ0fKJSyUHDoC9tKlfs2Bb0rPOBxsZeTPfe-hDuaVT-pZxjQXCKM93sujnWw
>>> "></frame></frameset></html>
>>>
>>>
>>> On Wed, May 14, 2014 at 5:41 PM, Ian Young <iyo...@ratespecial.com>wrote:
>>>
>>>> I decided to create my own internal realhostip.com. My DNS servers
>>>> use PowerDNS, not BIND, so the $GENERATE directive was not an option and I
>>>> didn't want to have to populate my DNS servers' databases with a record for
>>>> every possible IP address. Fortunately, I found the following Lua script:
>>>>
>>>> https://github.com/terbolous/powerdns-cloudstack-proxy-dns
>>>>
>>>> I can confirm the Lua script works as expected and my CloudStack server
>>>> can be tricked into believing my internal DNS servers are the authority for
>>>> realhostip.com:
>>>>
>>>> [root@virthost1 ]# dig +short 1-2-3-4.realhostip.com
>>>> 1.2.3.4
>>>>
>>>> I followed this guide and updated the console proxy/SSVM SSL
>>>> certificate with my own *.realhostip.com certificate.
>>>>
>>>>
>>>> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#changing-the-console-proxy-ssl-certificate-and-domain
>>>>
>>>> The console proxy restarted but it's still blank when I try to view the
>>>> console. Does the domain have to be something other than
>>>> realhostip.com?
>>>>
>>>
>>>
>>
>
