You should be able to use CSR to sign with CA directly, you would need a
wildcard cert with conforming hostname - should be in the instructions.
Regards
ilya
On 9/24/14, 6:40 AM, France wrote:
I went down the route with custom DNS service (already working) and custom
certificate, because it feels safer than rolling out my RPM packages.
So, the instructions
(https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name#ProceduretoReplacerealhostip.comwithYourOwnDomainName-HowtogeneratemycustomrootCAandcertificate?)
point me to creating an intermediate certificate, which I do not think is
required.
If I am my own CA, why should I create an intermediate certificate and sign
with that to complicate things? I guess I could sign my CSR with CA directly.
Can’t I?
Then just use the GUI and no API calls, to add the certificate, the key and
domain info. As long as I keep secstorage.encrypt.copy to false, all should
work. Right?
Regards,
F.
On 20 Sep 2014, at 21:17, Amogh Vasekar <[email protected]> wrote:
ConsoleProxyInfo and ConsoleProxyManagerImpl.assignProxy has the relevant
code to generate the URL for accessing console.
The ConsoleProxyServlet handles the requests, and might be a good starting
point if you wish to change the code.
Amogh
On 9/20/14 12:01 PM, "France" <[email protected]> wrote:
Hi Amogh,
thank you for your suggestions and instructions on disabling.
We will not run a wildcard DNS resolver on certain subdomain as required
for this option.
Once ACS supports single domain for console proxy access, we shall enable
https once again with our signed/bought certificate.
In the meantime, we either have to move to http from https making access
to whole admin interface insecure or hack the code to display a link to
console instead of iframe.
I would rather go for the latter option. Does anyone who is following
this, know where is the code for that iframe link?
Thank you.
F.
On 20 Sep 2014, at 20:33, Amogh Vasekar <[email protected]> wrote:
Hi,
I believe this is by design for SSL - a user would see a HTTPS site
thinking everything is secure and encrypted, only to realize later that
some part is in fact insecure. Hence, instead of trying to circumvent the
security mechanism, you can try the steps at:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name#ProceduretoReplacerealhostip.comwithYourOwnDomainName-HowtogeneratemycustomrootCAandcertificate?
This would help create your own certificate chain. The downside being your
users would need to add the custom root CA in the browser (a practice
followed by many companies for internal network), or simply accept the
security warning the first time they access your domain.
Please note that this would still need a publicly resolvable domain (or
add the mappings directly in /etc/hosts if it is more convenient)
Thanks,
Amogh
On 9/20/14 11:22 AM, "France" <[email protected]> wrote:
It worked for us. Well kind of.
The problem is now, that we have https for default admin interface, while
console opens as iframe to http content and browsers such as firefox will
not load content, because it is not on https.
They call it: "Mixed Content Blocking Enabled":
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
Do you have any recommendations what to do in order to get around this?
We will not buy a wildcard certificate, because it is too expensive for us.
Regards,
F.
On 20 Sep 2014, at 15:21, France <[email protected]> wrote:
I will just empty these two fields in global config:
secstorage.ssl.cert.domain
consoleproxy.url.domain
restart CS and restart the console proxy..
… and hope for the best. :-)
If you do not hear from me on this, then this worked and others can do
it too.
Regards,
F.
On 20 Sep 2014, at 15:16, Aldis Gerhards <[email protected]> wrote:
We got the same problem. It seemed like a bug :) we downgraded back to
4.3.0 because of this issue.
Sent from my iPhone
On 20 Sept. 2014, at 15:39, France <[email protected]> wrote:
Hi guys,
how do we disable realhostip.com service with its certificates on ACS
4.3.1, to get consoleproxy working without ties to realhostip.com service?
We are happy with HTTP only for now.
Regards,
F.