In 4.8 - to make sure you are NOT hitting the improper SSL chain build,
after the MGMT server restart, you could grep for the following line in the
MGMT logs

"Could not find and construct a valid SSL certificate"

but in 4.11 (master) I can't find this by searching within the
repo...strange...


On Mon, 9 Jul 2018 at 23:35, Andrija Panic <andrija.pa...@gmail.com> wrote:

> Hi Andrei,
>
> I will share my setup, ACS 4.8 though - we also had a "similar" issue from
> 4.5 going forward to 4.8 - there were some settings that needed to be on
> (for whatever reason), hope this will help
>
> consoleproxy.url.domain     *.consoleproxy.net (yes we did buy that one :D )
> secstorage.ssl.cert.domain   *.consoleproxy.net
> secstorage.encrypt.copy      true (I believe it was this one change required !)
>
> (Sorry if this was not helpful, I know you are fighting with 4.11)
>
> Anyhow, I would suggest examining keystore DB for the records, to see if
> they are still correct and in correct sequence - since you say that CPVM is
> not listening on 443 - seems like SSL chain issue maybe.
>
> Cheers
>
>
>
>
>
> On Mon, 9 Jul 2018 at 18:23, Andrei Mikhailovsky <and...@arhont.com.invalid>
> wrote:
>
>> Hi Ivan,
>>
>> I have recreated the CPVM, but that didn't help. The SSL cert + chain has
>> been uploaded a few years ago and was working just fine up to the upgrade
>> to 4.11.1.0.
>>
>> So, the issue must be somewhere else I guess.
>>
>> Andrei
>>
>> ----- Original Message -----
>> > From: "Ivan Kudryavtsev" <kudryavtsev...@bw-sw.com>
>> > To: "users" <users@cloudstack.apache.org>
>> > Sent: Monday, 9 July, 2018 17:13:42
>> > Subject: Re: Broken guest vm consoles after upgrading to 4.11.1.0
>>
>> > Try recreating CPVM, it worked for me. I haven't met such a problem with wrong
>> > ports... Have you uploaded SSL chain to ACS?
>> >
>> > Mon, 9 Jul 2018, 23:05 Andrei Mikhailovsky <and...@arhont.com.invalid>:
>> >
>> >> Ivan, thanks.
>> >>
>> >> I have found this option and changed from the default False value to True.
>> >> Restarted the management server and the CPVM. I can now see that the
>> >> generated link has changed to the IP address + domain (in the form of
>> >> x-x-x-x.domain.com). However, this did not solve the problem as it is
>> >> trying to connect over port 443. The CPVM is not listening on that port,
>> >> only on port 80. So, it is not really helping me.
>> >>
>> >> Andrei
>> >>
>> >> ----- Original Message -----
>> >> > From: "Ivan Kudryavtsev" <kudryavtsev...@bw-sw.com>
>> >> > To: "users" <users@cloudstack.apache.org>
>> >> > Sent: Monday, 9 July, 2018 11:40:07
>> >> > Subject: Re: Broken guest vm consoles after upgrading to 4.11.1.0
>> >>
>> >> > Hey, Andrei. There is a parameter in global vars about SSL and CPVM which
>> >> > fixes it. Don't remember the name, but met it as well as you. I suppose
>> >> > it's a bug.
>> >> >
>> >> > Mon, 9 Jul 2018, 17:35 Andrei Mikhailovsky <and...@arhont.com.invalid>:
>> >> >
>> >> >> Hello everyone,
>> >> >>
>> >> >> I have upgraded ACS from 4.11.0.0 to 4.11.1.0 over the weekend and have
>> >> >> noticed that after performing all the usual stuff, like upgrading virtual
>> >> >> routers and recreating console proxy / ssvm I have lost access to the vm
>> >> >> consoles (both guest vms and system vms). I have performed the creation of
>> >> >> host keys by clicking the button in ACS Gui. All hosts seem to have done
>> >> >> this successfully with the Status changing from Unsecure to Up. The console
>> >> >> access worked just fine prior to 4.11.1.0 upgrade.
>> >> >>
>> >> >> When I click on the Console button, a new browser window pops up. The page
>> >> >> is empty. Inspecting the source I get the following (modified a bit to save
>> >> >> space and replaced the domain name):
>> >> >>
>> >> >>
>> >> >>
>> >> >> <html><title>VM-Name</title><frameset><frame
>> >> >> src="http://*.DOMAIN.com/ajax?token=qxXZQlpCi7xa-o8XgJM6Z_fb<MORE STUFF HERE>"></frame></frameset></html>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >>
>> >> >> Looking at the above, it is obvious that the *.DOMAIN.com is not valid. If
>> >> >> I copy the URL and change the *.DOMAIN.com to the public IP address of the
>> >> >> console proxy, I get access to the console just fine.
>> >> >>
>> >> >> Cheers
>> >> >>
>> >> >>
>> >> >>
>>
>
>
> --
>
> Andrija Panić
>


-- 

Andrija Panić
