Sorry for no reply I will check and get back to you. Regards, Jordan
-----Original Message----- From: Дикевич Евгений Александрович <evgeniy.dikev...@becloud.by> Sent: Tuesday, June 22, 2021 6:27 PM To: users@cloudstack.apache.org Subject: RE: [!!Mass Mail]RE: Securing CloudStack [X] This message came from outside your organization HI Thx for the answer but I stuck on early steps) I generate private.key: openssl genrsa -des3 -out private.key 2048 then I generate cert: openssl req -new -key private.key -out certificate.csr convert private key to pkcs8: openssl pkcs8 -topk8 -in private.key -out private.pkcs8.encrypted.key openssl pkcs8 -in private.pkcs8.encrypted.key -out private.pkcs8.key and then I try to add key and cert in ACS UI but have error. Mb I miss smth? -----Original Message----- From: Yordan Kostov [mailto:yord...@nsogroup.com] Sent: Tuesday, June 22, 2021 12:38 PM To: users@cloudstack.apache.org Subject: [!!Mass Mail]RE: Securing CloudStack Hello Evgeniy, I can confirm that these are the steps that work in later ACS versions (tested on 4.15). The only issue with it is the part where it says how to combine the certificate chain: # order - server_key server_cert CA_cert cat myprivatekey.key mycertificate.crt gd_bundle-g2-g1.crt > mycombinedcert.crt Where it actually should be # order - server_crt, CA_SUB_crt, CA_ROOT_crt cat mycertificate.key gd_bundle-g2-g1.crt CA-ROOT.crt > mycombinedcert.crt ACS is using Jetty as certificate management platform. You can take a look at this article how to handle self-signed certs - https://urldefense.com/v3/__http://wiki.eclipse.org/Jetty/Howto/Configure_SSL*Configuring_Jetty__;Iw!!A6UyJA!0CgjfpsBXOaEoCSJ93lin21HvGCNhmthI7yAGXia_grO7Bw4kO1dt3tV99TG0Enl$ I have not done it and to be fair features like ISO upload and console proxy will probably not work for the user even if ACS is properly configured. Certificate should be still verified for the user in some way. If you make it work please let us know, it is in my to-do plan to migrate the Certificate configuration guide into docs.cloudstack.apache.org Best regards, Jordan -----Original Message----- From: Дикевич Евгений Александрович <evgeniy.dikev...@becloud.by> Sent: Tuesday, June 22, 2021 12:19 PM To: users@cloudstack.apache.org Subject: Securing CloudStack [X] This message came from outside your organization Hi All! ACS 4.14.1 Mb someone use self-signed certificates with ACS? I saw article from Shapeblue: https://urldefense.com/v3/__https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/__;!!A6UyJA!3VgftDioHyHM0Te2quEsb7s7sQHP_WSi6NH7cdycSZcumZtsRg2i6RKYYxU-vHNQW6_LCFLA5l1e$ but they use wildcard certificate. Mb someone have valid instructions? Внимание! Это электронное письмо и все прикрепленные к нему файлы являются конфиденциальными и предназначены исключительно для использования лицом (лицами), которому (которым) оно предназначено. Если Вы не являетесь лицом (лицами), которому (которым) предназначено это письмо, не копируйте и не разглашайте его содержимое и удалите это сообщение и все вложения из Вашей почтовой системы. Любое несанкционированное использование, распространение, раскрытие, печать или копирование этого электронного письма и прикрепленных к нему файлов, кроме как лицом (лицами) которому (которым) они предназначены, является незаконным и запрещено. Принимая во внимание, что передача данных посредством Интернет не является безопасной, мы не несем никакой ответственности за любой потенциальный ущерб, причиненный в результате ошибок при передаче данных или этим сообщением и прикрепленными к нему файлами. Attention! This email and all attachments to it are confidential and are intended solely for use by the person (or persons) referred to (mentioned) as the intended recipient (recipients). If you are not the intended recipient of this email, do not copy or disclose its contents and delete the message and any attachments to it from your e-mail system. Any unauthorized use, dissemination, disclosure, printing or copying of this e-mail and files attached to it, except by the intended recipient, is illegal and is prohibited. Taking into account that data transmission via Internet is not secure, we assume no responsibility for any potential damage caused by data transmission errors or this message and the files attached to it. <font size="2"><font color="#D8D8D8">11!</font>
