Switching from the realhostip.com certificate to a commercial certificate caused some grief. It was eventually sorted out, so if others run into this issue, maybe this could be useful.
We have a dev instance of cloudplatform 4.3.0.x. After uploading the CA root and intermediate certs and the signed cert and key through the GUI, the cloudstack management service was restarted. The logs would eventually generate this:

    /var/log/cloudstack/management/management-server.log
    ...
    2014-11-21 15:41:43,543 WARN [c.c.k.KeystoreManagerImpl] (AgentConnectTaskPool-4:ctx-f0b9d488) Unable to build keystore for CPVMCertificate due to CertificateException
    2014-11-21 15:41:43,544 ERROR [c.c.c.AgentHookBase] (AgentConnectTaskPool-4:ctx-f0b9d488) Could not find and construct a valid SSL certificate

Attempts to access the console with the suspect certs through a web browser would show something like this:

    10-10-2-3.mysubdomain.domain.edu uses an invalid security certificate.
    The certificate is only valid for the following names: *.realhostip.com, realhostip.com
    (Error code: ssl_error_bad_cert_domain)

My Root and intermediate certs were bad. I eventually manually imported them to the mysql db table cloud.keystore. This fixed the issue.

I had uploaded the CA root and intermediate certs using the UploadCustomCertificate API using a non-standard url encoding script. It seems the plus signs (+) in the certs were translated to actual spaces (%20). When the management server was restarted, it couldn't use the CA certs that were imported and appears to have defaulted back to using the realhostip.com cert.

In the mysql keystore table, the broken cert looked something like:

    -----BEGIN CERTIFICATE-----
    MIIF TCCA GgAwIBAgIQRy DQ oVGGn4XoWQCkY
    ...

vs:

    -----BEGIN CERTIFICATE-----
    MIIF+TCCA+GgAwIBAgIQRy+DQ+oVGGn4XoWQCkY
    ...

In the end, it was much easier to cut-n-paste the actual certs into the mysql table:

    mysql> update keystore set certificate = '-----BEGIN CERTIFICATE-----
        '> ...
        '> -----END CERTIFICATE-----' where id =3 and name = 'intermediate2';

These references were helpful too:

Implementation details and troubleshooting - uploading custom domain certificate instead of using realhostip.com
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Implementation+details+and+troubleshooting+-+uploading+custom+domain+certificate+instead+of+using+realhostip.com

Misc notes
https://www.marshut.net/iqxhwn/changing-the-ssl-certificate-for-my-own-realhostip.html

The keystore table looks something like this:

    mysql> select * from cloud.keystore \G;
    id: 1
    name: CPVMCertificate
    certificate: ----BEGIN CERTIFICATE---- ... ...-----END CERTIFICATE-----
    key: ...
    seq: NULL

    id: 2
    name: root
    certificate:
    key: NULL
    seq: 0

    id: 3
    name: intermediate2
    certificate: ...
    key: NULL
    seq: 2

    id: 4
    name: intermediate1
    certificate: ...
    key: NULL
    seq: 1
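The plus-sign corruption described above comes from form-parameter decoding, where a raw "+" means a space; base64 certificate bodies contain "+" and "/" and must be sent as "%2B" and "%2F". The script below is an added example, not part of the original post or of CloudStack: it uses a constructed PEM-shaped blob (not a real certificate) to show the naive encoding beside a correct one, and a check that flags a certificate stored in cloud.keystore in the broken form.

```python
import base64
import binascii
from urllib.parse import quote, unquote_plus

# Constructed sample, NOT a real certificate: a PEM-shaped blob whose base64
# body contains '+' and '/', the characters a naive URL encoder mishandles.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIF+TCCA+GgAwIBAgIQRy+DQ/oVGGn4XoWQCkY=\n"
    "-----END CERTIFICATE-----\n"
)

def naive_encode(pem: str) -> str:
    """The broken approach: spaces and newlines are escaped, but '+' is sent raw."""
    return pem.replace(" ", "%20").replace("\n", "%0A")

def encode_for_api(pem: str) -> str:
    """Percent-encode every reserved byte, so '+' arrives as '%2B' and survives decoding."""
    return quote(pem, safe="")

def server_decode(encoded: str) -> str:
    """What form-parameter decoding does on the receiving side: a raw '+' becomes a space."""
    return unquote_plus(encoded)

def check_keystore_pem(stored: str) -> list:
    """Return the problems found in a PEM block as stored in cloud.keystore (empty list = OK)."""
    problems = []
    lines = [line.strip() for line in stored.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----":
        problems.append("missing BEGIN CERTIFICATE line")
    if len(lines) < 2 or lines[-1] != "-----END CERTIFICATE-----":
        problems.append("missing END CERTIFICATE line")
    body = "".join(lines[1:-1])
    if " " in body:
        problems.append("spaces inside the base64 body: '+' was probably decoded as a space")
    try:
        # validate=True rejects any character outside the base64 alphabet, spaces included
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        problems.append(f"base64 body does not decode: {exc}")
    return problems

if __name__ == "__main__":
    broken = server_decode(naive_encode(SAMPLE_PEM))
    print("naive encoding stored:", check_keystore_pem(broken))
    print("correct encoding stored:", check_keystore_pem(server_decode(encode_for_api(SAMPLE_PEM))))
```

The same check can be run over the `certificate` column of each keystore row to find entries that will never build a valid keystore on restart.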
