Hello,

I confirm this issue. The keystore used by the Java instance of SSVM has only the custom certs inside (root, realhostip, cross, intermed and cpvmcertificat).

So when the SSVM tries to download an HTTPS URL, the JVM cannot validate the SSL signatures.

I've posted the PR 1555 to fix this. I've tested this patch with success on my test installation.

Milamber

https://github.com/apache/cloudstack/pull/1555

On 20/05/2016 12:47, Aurélien wrote:
Hello,

In fact, yes, and everything inside CloudStack is working fine (I can
connect to CPVM correctly, the right certificate is presented, etc).
The only problem with this procedure is that the certificates you
upload are put in a custom keystore. This keystore contains only the
key, chain and root certificate uploaded via the API.

When a custom keystore is provided, the default keystore (ie, the one
containing generally trusted root CAs included in common browsers) is
not loaded, and thus the only root CA that would be trusted is the one
corresponding to the uploaded wildcard. In my case, I want users to be
able to add templates hosted on HTTPS servers, which present SSL
certificates from various root CAs.

I think the contents of the “realhostip” keystore should be:
- the contents of the default keystore
- and, additionally, the uploaded cert, chain, root and key.

Best regards,
Aurélien

On Fri, May 20, 2016 at 11:28 AM, Abhinandan Prateek
<abhinandan.prat...@shapeblue.com> wrote:
Have you followed the procedure documented here 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
On 19/05/16, 11:01 PM, "Aurélien" <footp...@gmail.com> wrote:

Hello,

I’m investigating an issue on CloudStack 4.8.0, which is I believe
well described in
https://issues.apache.org/jira/browse/CLOUDSTACK-1475.

I’m trying to add my ISO from, for example:
https://releases.rancher.com/os/latest/rancheros.iso

The problem is that I’m using a custom SSL certificate, and because of
this, the java instance on the SSVM (and CPVM) is started with a
custom keystore; doing so also overrides the default certificate trust
store, and the traditional certificate validation mechanisms, so I get
the error (sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target).

Would it be possible and advisable to add the contents of the default
certificate store (Option 2 in
https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
to the custom store when a custom SSL certificate is activated ?

If so (I’m relatively new to CloudStack’s code) where should I peek in
the System VM to add the custom import commands ?

Is there any existing issue you are aware of that addresses this issue?
In my opinion, if there isn’t, we should open one.

What do you think?

Thanks!

Best regards,
--
Aurélien Guillaume
abhinandan.prat...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue
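The failure discussed in this thread comes from `TrustManagerFactory` being initialised with the custom keystore alone, so the JVM's default CA bundle is never consulted and PKIX path building fails for any server signed by a public CA. As an added illustration (this is not code from the thread, from PR 1555, or from CloudStack itself), the class below builds an `SSLContext` whose trust manager consults both the JVM default trust store (`tmf.init((KeyStore) null)` loads `cacerts` or whatever `javax.net.ssl.trustStore` points at) and a custom keystore, accepting a chain if either source validates it. The keystore path and password in `main` are assumed placeholders; the real location of the realhostip keystore on the system VM is not given in the thread.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Trusts the JVM default CA store AND a custom keystore, instead of replacing one with the other. */
public class CombinedTrust {

    /** X509 trust managers for a keystore; passing null yields the JVM default trust store. */
    static List<X509TrustManager> trustManagersFrom(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        List<X509TrustManager> out = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                out.add((X509TrustManager) tm);
            }
        }
        return out;
    }

    static KeyStore loadKeyStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Accepts a chain as soon as one delegate validates it; rethrows the last failure otherwise. */
    static final class CompositeTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;

        CompositeTrustManager(List<X509TrustManager> delegates) {
            this.delegates = delegates;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    tm.checkServerTrusted(chain, authType); // full PKIX validation by this delegate
                    return;
                } catch (CertificateException e) {
                    last = e;
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    tm.checkClientTrusted(chain, authType);
                    return;
                } catch (CertificateException e) {
                    last = e;
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509TrustManager tm : delegates) {
                all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            }
            return all.toArray(new X509Certificate[0]);
        }
    }

    /** SSLContext trusting the default CA bundle first, then the custom keystore. */
    public static SSLContext buildContext(Path customKeystore, char[] password) throws Exception {
        List<X509TrustManager> delegates = new ArrayList<>();
        delegates.addAll(trustManagersFrom(null));                                   // JVM default cacerts
        delegates.addAll(trustManagersFrom(loadKeyStore(customKeystore, password))); // uploaded certs
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new CompositeTrustManager(delegates) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password (assumptions, not CloudStack's real values).
        Path ks = Paths.get(args.length > 0 ? args[0] : "/path/to/custom.keystore");
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        HttpsURLConnection.setDefaultSSLSocketFactory(buildContext(ks, pw).getSocketFactory());
        // From here on, HttpsURLConnection validates servers against both trust sources,
        // so a public-CA-signed template host no longer fails with "unable to find valid
        // certification path" while the uploaded realhostip chain stays trusted as well.
    }
}
```

Each delegate still performs complete chain validation, so this widens the set of trusted roots without weakening checking of any individual chain. The keystore-level alternative the thread proposes, copying the default trust store's entries into the custom keystore, reaches the same end state with no code change and is simpler to audit, since a single `keytool -list` then shows exactly which roots the system VM trusts.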