UPDATE:

@yordan
Sir - you made my day!
It is working.

What I've done:
- Checking the initial certificates for additional blanks (even if this
shouldn't bother - but safety first.... :-D)
- Stick to the naming convention for the keystore.pkcs12  - literally

I skipped the automatic redirect part, as this is currently handled by my
firewall. Also I didn't change port numbers. Nevertheless it works!
So thank you once again

On Mon, 20 Sept 2021 at 20:55, vas...@gmx.de <vas...@gmx.de> wrote:

> Hi everyone, sorry for getting back with quite a delay.
>
> Short update:
> Seems I got at least as far as to secure SSVM and CPVM with the certificates
> needed. But that's another topic :-D
>
> @wei
> Thanks for your advice, as said above I am currently "done" with points 1
> & 3 of your setup list. Will take a look into a suitable nginx
> configuration I guess. My last attempts ended with a "too many redirects"
> error - I am not too much into the webserver business at all....
>
> @Yordan
> Thanks for sharing this. I took a look into that, but sadly I didn't find
> a different approach in all the things I have tried until now.
> I guess I will take a look into the certificates again, as I could imagine
> that something went wrong while writing them into the keystore... Will keep
> you updated.
>
> On Fri, 17 Sept 2021 at 14:33, Yordan Kostov <yord...@nsogroup.com> wrote:
>
>> Hi,
>>
>> I do remember having issues with the steps in Shapeblue guide.
>> Eventually I threw some notes for a future guide you can check here ->
>> https://github.com/dredknight/cloud_scripts/blob/master/CloudStack-Xen/ACS-ssl-gui-guide.sh
>> I hope that helps.
>>
>> Best regards,
>> Jordan
>>
>> -----Original Message-----
>> From: Wei ZHOU <ustcweiz...@gmail.com>
>> Sent: Thursday, September 16, 2021 10:20 PM
>> To: users <users@cloudstack.apache.org>; vas...@gmx.de
>> Subject: Re: Problems setting up HTTPS on CS Managementserver GUI /
>> recommadations relizing
>>
>> Hi,
>>
>> afaik the most common setup is
>> (1) start (multiple) cloudstack management server with port 8080
>> (2) set up a reverse proxy (nginx/pfsense/haproxy, etc) which supports SSL
>> termination and transparent LB.
>> (3) upload ssl certificate in cloudstack GUI, and enable SSL for
>> cloudstack console proxy and secondary storage.
>>
>> -Wei
>>
>>
>> On Tue, 14 Sept 2021 at 19:19, vas...@gmx.de <vas...@gmx.de> wrote:
>>
>> > Hi,
>> >
>> > at the moment I am trying to set up https access for the
>> > management server with my own certificates. Sadly I wasn't successful
>> > until now.
>> > OS: Ubuntu 20.04
>> > Standard Cloudstack
>> > Basically I was following the documentation (
>> > https://urldefense.com/v3/__http://docs.cloudstack.apache.org/en/latest/installguide/optional_installation.html*ssl-optional__;Iw!!A6UyJA!0dTT8fqOaTGELyheFRnbrYw22T34WaEoPMbmxwezYicKr808oddMvJAwxkY7LIC7IuZy3pTqDCm-$
>> > ) as well as the following guide from shapeblue (
>> > https://urldefense.com/v3/__https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/__;!!A6UyJA!0dTT8fqOaTGELyheFRnbrYw22T34WaEoPMbmxwezYicKr808oddMvJAwxkY7LIC7IuZy3n-PQYEK$
>> > ) for setting up https for the GUI.
>> >
>> > At the moment I am stuck, as I didn't really have a clue where and how
>> > to proceed onwards, as I am not finding any problems, warnings or
>> > errors in the cloudstack logs.
>> > Usage of netstat shows that currently no service is listening on port
>> > 8443.
>> >
>> > Which leads me to an assumption that I maybe messed up
>> > access privileges for the actual keystore file, as the
>> > server.properties note says that the https configuration will only
>> > be used when the keystore file exists and is readable by the
>> > management server.
>> > Therefore, which permissions are normally used for the keystore to be
>> > accessed by the management server?
>> >
>> > As the documentation states that more or less every site has its own
>> > practices on providing webservices to actual users, I would like to
>> > ask for some experiences with different approaches?
>> > Till now I "stumbled" over some ways to set up a reverse proxy based
>> > on nginx / apache "in front" of the actual CS-Management WebServer,
>> > which shall take care of the certificate handling. Another idea I have
>> > read on a site would be to "bypass" the CS-Management Webserver,
>> > targeting directly to the "root"-volume. Which seems to be an adventurous
>> > approach...
>> >
>> > So I am highly interested in your approaches and experiences
>> > regarding this topic.
>> >
>> > Thanks in advance!
>> >
>>
>

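A pre-flight check for the two things this thread turned on, the keystore that must exist and be readable by the management server and stray blanks in the certificate files, as an added example that is not part of the original messages. It assumes the `https.enable` and `https.keystore` keys in server.properties; the function names are hypothetical and all paths are passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed keys: https.enable, https.keystore.

# Print the trimmed value of KEY from a Java-style properties FILE.
prop_value() {  # usage: prop_value KEY FILE
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (!i) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t\r]+$/, "", key)
          gsub(/^[ \t]+|[ \t\r]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$2"
}

# Return 0 when any line of a PEM file carries leading/trailing blanks or a CR.
pem_has_stray_blanks() {  # usage: pem_has_stray_blanks FILE
    grep -q -E '^[[:space:]]+|[[:space:]]+$' "$1"
}

# Return 0 only when HTTPS is enabled and the keystore exists and is readable
# by the account running this script (run it as the management server's user).
check_keystore() {  # usage: check_keystore PROPERTIES_FILE
    ks=$(prop_value https.keystore "$1")
    [ "$(prop_value https.enable "$1")" = "true" ] || { echo "https.enable is not true"; return 1; }
    [ -n "$ks" ] || { echo "https.keystore is not set"; return 2; }
    [ -f "$ks" ] || { echo "keystore missing: $ks"; return 3; }
    [ -r "$ks" ] || { echo "keystore not readable: $ks"; return 4; }
    echo "ok: $ks"
}

# Optional direct use: sh check.sh /path/to/server.properties [cert.pem ...]
if [ "$#" -gt 0 ]; then
    props=$1; shift
    check_keystore "$props" || exit $?
    for pem in "$@"; do
        if pem_has_stray_blanks "$pem"; then echo "stray blanks in: $pem"; fi
    done
fi
```

The readability test only reflects the account that runs the script, so a pass as root says nothing about the service account.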