Great - it's like anything in IT, restart and it works better... :)

Our blog says it like this: https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/ (find it in the middle)
But in production, one would usually use a reverse proxy like HAProxy and do SSL termination on this one.

cheers

On Mon, 24 Feb 2020 at 19:17, Olivier Guin <[email protected]> wrote:

> 1) consoleproxy.sslEnabled = false , restart mgmt, destroy CPVM ONLY all
> OK ! (UI using HTTP)
> 2) consoleproxy.sslEnabled = true , restart mgmt, destroy CPVM ONLY all
> OK ! (UI using HTTP)
> consoleproxy.sslEnabled Enable SSL for console proxy true
>
> consoleproxy.url.domain Console proxy url domain *.wayscom.net
>
>
> It's Ok now ! ... but I don't know why :-)
> It seems to me that I had already done that
>
> Anyway thank you for your time Andrija
>
> Do you know how to switch the UI to https?
> Regards,
> Olivier
>
> On 24/02/2020 at 13:08, Andrija Panic wrote:
>
> login inside that linux box (CPVM) and see what's the apache configuration
> (ssl or not, netstat / listening on 443 or not...etc)
> always easy to destroy CPVM (after mgmt server was restarted) and see if
> it fixes the issue
>
> For the start, set consoleproxy.sslEnabled=false, restart mgmt, destroy
> CPVM and see if plain HTTP works (make sure to use UI using HTTP also,
> otherwise you can't load non-SSL iframe) - to see if you are able to run
> CPVM fine in general.
>
> On Mon, 24 Feb 2020 at 16:54, Olivier Guin <[email protected]>
> wrote:
>
>> Indeed,
>>
>> I can't connect to :443 !
>>
>> But I don't have any firewall !
>>
>> telnet 200.13.142.188 443 ( or 200-13-142-188.wayscom.net)
>> Trying 200.13.142.188...
>> telnet: connect to address 200.13.142.188: Connection refused
>>
>> conf ? of cpvm ?
>>
>> Regards,
>>
>> Olivier
>> On 24/02/2020 at 12:40, Andrija Panic wrote:
>>
>> i.e. telnet 200-13-142-188.wayscom.net 443
>> Connecting To 200-13-142-188.wayscom.net...
>>
>> I can't connect to port 443 on this IP (from internet)
>>
>>
>> On Mon, 24 Feb 2020 at 16:38, Andrija Panic <[email protected]>
>> wrote:
>>
>>> frame src=
>>> "https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxx-Y76j1
>>>
>>> This looks fine ^^^ - it tries to load SSL URL
>>>
>>> what *exact* problem are you getting?
>>>
>>> On Mon, 24 Feb 2020 at 16:31, Olivier Guin <[email protected]>
>>> wrote:
>>>
>>>> Yes,
>>>>
>>>> consoleproxy.url.domain = *.wayscom.net
>>>> consoleproxy.sslEnabled=true
>>>> secstorage.ssl.cert.domain= *.wayscom.net
>>>> secstorage.encrypt.copy=true
>>>>
>>>> For consoleproxy.url.domain :
>>>>
>>>> = *.wayscom.net => 200-13-142-188.wayscom.net from manager ping
>>>> OK, from internet ping OK
>>>> = console.wayscom.net => 200.13.142.188 from manager ping OK, from
>>>> internet ping OK
>>>>
>>>> 2020-02-24 12:27:06,973 DEBUG [c.c.s.ConsoleProxyServlet]
>>>> (qtp1875308878-17:null) (logid:) Port info consoleurl=
>>>> https://172.16.11.11/console?uuid=xxxxxxxxxxxx&sessionref=OpaqueRef:xxxxxxxxxx
>>>> 2020-02-24 12:27:06,973 INFO [c.c.s.ConsoleProxyServlet]
>>>> (qtp1875308878-17:null) (logid:) Parse host info returned from executing
>>>> GetVNCPortCommand. host info: consoleurl=
>>>> https://172.16.11.11/console?uuid=xxxxxxxxxxxxxxxxxxxxx&sessionref=OpaqueRef:xxxxxxxxx
>>>> 2020-02-24 12:27:06,977 DEBUG [c.c.s.ConsoleProxyServlet]
>>>> (qtp1875308878-17:null) (logid:) Compose console url:
>>>> https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxxxxxxxxx-Y76j1g
>>>> 2020-02-24 12:27:06,977 DEBUG [c.c.s.ConsoleProxyServlet]
>>>> (qtp1875308878-17:null) (logid:) the console url is ::
>>>> <html><title>v-202-VM</title><frameset><frame src=
>>>> "https://200-13-142-188.wayscom.net/ajax?token=xxxxxxxxxxxxxxxxx-Y76j1g"
>>>> ></frame></frameset></html>
>>>>
>>>> Error connection !
>>>>
>>>> Regards,
>>>> Olivier
>>>>
>>>>
>>>> On 24/02/2020 at 12:04, Andrija Panic wrote:
>>>>
>>>> consoleproxy.sslEnabled=true is set in global config ?
>>>> (a new thing in 4.11 that is not there in pre-4.11 releases and people
>>>> sometimes miss this one)
>>>>
>>>> Regards,
>>>> Andrija
>>>>
>>>>
>>>> On Mon, 24 Feb 2020 at 15:24, Olivier Guin <[email protected]>
>>>> wrote:
>>>>
>>>>> Hello,
>>>>> I am trying to set up ssl on systemvm.
>>>>> I was able to migrate without problem from version 4.10 to version
>>>>> 4.13 but since impossible to set up the ssl correctly on my ssvm / cpvm?
>>>>> I follow the documentation (
>>>>> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html)
>>>>> as well as (https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/).
>>>>> GUI process: cloudstack indicates that the certificate is OK, the cpvm
>>>>> and ssvm restarts correctly but still without ssl?
>>>>> How to check where it doesn't work ?
>>>>> What would be the points to check ?
>>>>> A priori things have changed since 4.11 !
>>>>> Best regards
>>>>>
>>>>> Olivier Guin
>>>>>
>>>>> *Olivier GUIN*
>>>>>
>>>>> TL. 0594 31 02 44
>>>>> [image: ARIAS Informatique]
>>>>>
>>>>> 513 ZI Collery 5
>>>>> *97300 CAYENNE*
>>>>> *www.ariasnet.com* <http://www.ariasnet.com/>
>>>>>
>>>>> This message and any attachments (the "message") is intended solely
>>>>> for the intended addressees and is confidential.
>>>>> If you receive this message in error, or are not the intended
>>>>> recipient(s), please delete it and any copies from your systems and
>>>>> immediately notify the sender. Any unauthorized view, use that does not
>>>>> comply with its purpose,
>>>>> dissemination or disclosure, either whole or partial, is prohibited.
>>>>> Since the internet cannot guarantee the integrity of this message which
>>>>> may
>>>>> not be reliable, ARIAS Informatique shall not be liable for the message if
>>>>> modified, changed or falsified.
>>>>> Do not print this message unless it is necessary, consider the
>>>>> environment.
>>>>
>>>> --
>>>>
>>>> Andrija Panić
>>>
>>> --
>>>
>>> Andrija Panić
>>
>> --
>>
>> Andrija Panić
>
> --
>
> Andrija Panić

--

Andrija Panić
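
The checks discussed in this thread, as an added example that is not part of the original messages or of CloudStack: it reads the console URL out of a `Compose console url:` log line, compares its host with the name derived from `consoleproxy.url.domain`, and classifies what answers on that port. The function names and the sample log line are constructed for illustration.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample, shaped like the ConsoleProxyServlet lines quoted in the thread.
SAMPLE_LOG = ("2020-02-24 12:27:06,977 DEBUG [c.c.s.ConsoleProxyServlet] "
              "(qtp1875308878-17:null) (logid:) Compose console url: "
              "https://200-13-142-188.wayscom.net/ajax?token=REDACTED")


def proxy_hostname(public_ip, url_domain):
    """Name the console URL should carry for a CPVM public IP (hypothetical helper)."""
    if url_domain.startswith("*."):
        # Wildcard form seen in the thread: 200.13.142.188 -> 200-13-142-188.<domain>
        return public_ip.replace(".", "-") + url_domain[1:]
    return url_domain  # static name, e.g. console.wayscom.net


def composed_endpoint(log_line):
    """Return (scheme, host, port) from a 'Compose console url:' line, else None."""
    match = re.search(r"Compose console url:\s*(\S+)", log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    return url.scheme, url.hostname, url.port or (443 if url.scheme == "https" else 80)


def probe(host, port, timeout=3.0):
    """Classify the listener: refused, unreachable, no-tls, tls-untrusted or tls-ok."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # nothing listening, the telnet result in the thread
    except OSError:
        return "unreachable"    # DNS failure, timeout or filtered port
    try:
        # Default context verifies the chain and that the certificate covers `host`.
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
            return "tls-ok"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"  # TLS is up, but the certificate does not validate
    except (ssl.SSLError, OSError):
        return "no-tls"         # port open, peer does not complete a TLS handshake
    finally:
        sock.close()


if __name__ == "__main__":
    scheme, host, port = composed_endpoint(SAMPLE_LOG)
    print(host == proxy_hostname("200.13.142.188", "*.wayscom.net"), probe(host, port))
```

A `refused` result points at the CPVM itself (no listener on 443), while `tls-untrusted` points at the uploaded certificate or its domain.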
