I am having a problem related to SSL between the CloudStack Agent and CloudStack Manager.
Apparently, Ubuntu using openssl-3.0.2 refuses to accept self-signed certificates.
What should I do? Is there a way to work around this problem?
Sincerely,
Jorge V
root@host1-kvm:~# systemctl status cloudstack-agent.service
● cloudstack-agent.service - CloudStack Agent
Loaded: loaded (/lib/systemd/system/cloudstack-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2024-06-28 22:55:26 UTC; 52min ago
Docs: http://www.cloudstack.org/
Main PID: 4002 (java)
Tasks: 61 (limit: 77068)
Memory: 301.0M
CPU: 18.480s
CGroup: /system.slice/cloudstack-agent.service
└─4002 /usr/bin/java -Djava.io.tmpdir=/usr/share/cloudstack-agent/tmp -Xms256m -Xmx2048m -cp "/usr/share/cloudstack-agent/lib/*:/usr/share/cloudstack-agent/plugins/*:/etc/cloud>
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.Agent.start(Agent.java:297)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.launchNewAgent(AgentShell.java:454)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.launchAgentFromClassInfo(AgentShell.java:431)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.launchAgent(AgentShell.java:415)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.start(AgentShell.java:511)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.main(AgentShell.java:541)
*Jun 28 23:48:00 host1-kvm java[4002]: Caused by: java.io.IOException: SSL Handshake failed while connecting to host: 10.0.1.1 port: 8250*
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.utils.nio.NioClient.init(NioClient.java:67)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.utils.nio.NioConnection.start(NioConnection.java:95)
Jun 28 23:48:00 host1-kvm java[4002]: ... 6 more
Test using openssl s_client -connect:
root@host1-kvm:~# openssl s_client -connect 10.0.1.1:8250
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = ca.cloudstack.apache.org
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = ca.cloudstack.apache.org
*verify error:num=26:unsupported certificate purpose*
verify return:1
depth=0 CN = ca.cloudstack.apache.org
verify return:1
---
Certificate chain
0 s:CN = ca.cloudstack.apache.org
i:CN = ca.cloudstack.apache.org
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 28 09:52:36 2024 GMT; NotAfter: Jun 21 21:52:36 2054 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDTCCAvWgAwIBAgIJANgodhUgiJ1NMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
BAMMGGNhLmNsb3Vkc3RhY2suYXBhY2hlLm9yZzAgFw0yNDA2MjgwOTUyMzZaGA8y
MDU0MDYyMTIxNTIzNlowIzEhMB8GA1UEAwwYY2EuY2xvdWRzdGFjay5hcGFjaGUu
b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1qIpgsf847HYtzpY
zBEiQHmMJa3sUlIxo2fn07r0099I7Bo8FL8UXyAtMUdaLyEaAsVh2ze71LmmdG50
XwB3myrGZ4n46U4kOHKCfliEo3JIr18Xu8ppiaeTbFOUdpihzTrGuiF0848wIE7S
QOygqL5cvFCsi1uodZQ/9uX4S7nAocQLxGfLnOMzqfMOs6cJSns9T/vHB+PhQONl
URnNuNx2J2HhiXCS3GTVOlaMQMnOFN5qdvwhCNKSwWzXH7ltaH3+AXnpE7hVvkmb
/wJwfseqJtctVjizH8T1oHXWws0fSFDW8S8Bpb+Op/nZLEETkm6ezPUetgfCRKAF
dU+7BNnWLyO2WGaq9q4hi0DRr0xEIseeW4Mb0fv+/CrGzp/WyJkzcYgENvAwyMss
7Khrbo237gZ9TpRizGyw04dpcMNHeJyLgan6gCPbMqAEVsimjsHkmdjc8a996MoA
WC4/+cJ5aLenEj1sDnHFwLJJegfyBz9GfgoFR/AoWvbIH9zk6JnX+sGdCooJZ69o
qaMz8wtwTcvuVRmi8othlCCVrWion/c77sPwZQUCBnuPomgFTayVbYXAVEovJxMN
YIPeX+BYAc792Kp/hkCAJLbvocFMaTEcPtT8066oJvVsRgxGWLhHEK8atDxBZ3mm
w/meZQ8uSFwHIVqYI0tsGktOTnUCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCbHnicy/LnSU6Jb3g3zkp+V84vcMA0G
CSqGSIb3DQEBCwUAA4ICAQAakeLtS6St5/Ym8nXgQdoiUuAtY4AyEYQhnajtwQhR
39aEjohHp7GPoiUyjekeEzES9sYYYaSvvC5dSEuuxRVrCpfOpk0uzS+SYCUgl7GE
2f8ST+wJxG4Qw8c/7OP9ha5ZL8Gk2tA3QmpaBR7kjqLYz6C1waQ/KMNtly/WuZPn
cXFBN0IsTFpHqvKpnWq8HPwSTV0BB829n9EBUU4HxWRLOItqPVfEB1NX92a1Vn96
HtK9WoTBnb53kR6rCK9GDR8ggySrOG0vEjimmKzGNsYK2eH+Ch3ljhtudPg8vhax
oNT3x2x5gJbUQtO4KLLJKANBr1psf36W9uxxkCnT9YlEAATr7fYJtyFfu8tF6Lve
QnVIl2cmb8GUROMHx8uOocyrBprzarekw+FIsQzlprUossIFURKryOCpxteYO/JE
zd7QOirQcQessv2AuEz8szMff11kYUALWhd5pbQq45QAe3ruLkDfzaKqYqSbzY8W
j4RCjfVjcK4o4J93fxY1vWkVhNoYdd861/7mRxhZ0H+vX0B8t5EWlLXf2vebdiH+
wkxFhIyySfJZ8CliacKfvPq4W7QIM9cCwgtav26Y4t3VNxdt0pbRjtxodTFzs9Sj
nAU8WXi6gH9TrmZyJWjPl0ey5Qv6y+hjThKcxkkcgfb9TMQHmQWx4eKvUEqYAgaM
bA==
-----END CERTIFICATE-----
subject=CN = ca.cloudstack.apache.org
issuer=CN = ca.cloudstack.apache.org
---
Acceptable client certificate CA names
CN = ca.cloudstack.apache.org
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2205 bytes and written 403 bytes
Verification error: unsupported certificate purpose
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 26 (unsupported certificate purpose)
---
80DB9517987F0000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1584:SSL alert number 42
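Added example, not from the post or from the CloudStack project: a standalone Python script that decodes the server certificate printed by the s_client session above (the PEM block is copied from the post), reads its basicConstraints, keyUsage and extendedKeyUsage extensions with a minimal DER walker (no third-party libraries), and applies the leaf-certificate rule OpenSSL uses for the "SSL server" purpose. All function and constant names are my own.

```python
"""Explain an OpenSSL 'unsupported certificate purpose' (verify error 26) by
reading the certificate's own extensions. The PEM is the certificate the
management server presented in the post; helper names are hypothetical."""
import base64

PEM = """-----BEGIN CERTIFICATE-----
MIIFDTCCAvWgAwIBAgIJANgodhUgiJ1NMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV
BAMMGGNhLmNsb3Vkc3RhY2suYXBhY2hlLm9yZzAgFw0yNDA2MjgwOTUyMzZaGA8y
MDU0MDYyMTIxNTIzNlowIzEhMB8GA1UEAwwYY2EuY2xvdWRzdGFjay5hcGFjaGUu
b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1qIpgsf847HYtzpY
zBEiQHmMJa3sUlIxo2fn07r0099I7Bo8FL8UXyAtMUdaLyEaAsVh2ze71LmmdG50
XwB3myrGZ4n46U4kOHKCfliEo3JIr18Xu8ppiaeTbFOUdpihzTrGuiF0848wIE7S
QOygqL5cvFCsi1uodZQ/9uX4S7nAocQLxGfLnOMzqfMOs6cJSns9T/vHB+PhQONl
URnNuNx2J2HhiXCS3GTVOlaMQMnOFN5qdvwhCNKSwWzXH7ltaH3+AXnpE7hVvkmb
/wJwfseqJtctVjizH8T1oHXWws0fSFDW8S8Bpb+Op/nZLEETkm6ezPUetgfCRKAF
dU+7BNnWLyO2WGaq9q4hi0DRr0xEIseeW4Mb0fv+/CrGzp/WyJkzcYgENvAwyMss
7Khrbo237gZ9TpRizGyw04dpcMNHeJyLgan6gCPbMqAEVsimjsHkmdjc8a996MoA
WC4/+cJ5aLenEj1sDnHFwLJJegfyBz9GfgoFR/AoWvbIH9zk6JnX+sGdCooJZ69o
qaMz8wtwTcvuVRmi8othlCCVrWion/c77sPwZQUCBnuPomgFTayVbYXAVEovJxMN
YIPeX+BYAc792Kp/hkCAJLbvocFMaTEcPtT8066oJvVsRgxGWLhHEK8atDxBZ3mm
w/meZQ8uSFwHIVqYI0tsGktOTnUCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAO
BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCbHnicy/LnSU6Jb3g3zkp+V84vcMA0G
CSqGSIb3DQEBCwUAA4ICAQAakeLtS6St5/Ym8nXgQdoiUuAtY4AyEYQhnajtwQhR
39aEjohHp7GPoiUyjekeEzES9sYYYaSvvC5dSEuuxRVrCpfOpk0uzS+SYCUgl7GE
2f8ST+wJxG4Qw8c/7OP9ha5ZL8Gk2tA3QmpaBR7kjqLYz6C1waQ/KMNtly/WuZPn
cXFBN0IsTFpHqvKpnWq8HPwSTV0BB829n9EBUU4HxWRLOItqPVfEB1NX92a1Vn96
HtK9WoTBnb53kR6rCK9GDR8ggySrOG0vEjimmKzGNsYK2eH+Ch3ljhtudPg8vhax
oNT3x2x5gJbUQtO4KLLJKANBr1psf36W9uxxkCnT9YlEAATr7fYJtyFfu8tF6Lve
QnVIl2cmb8GUROMHx8uOocyrBprzarekw+FIsQzlprUossIFURKryOCpxteYO/JE
zd7QOirQcQessv2AuEz8szMff11kYUALWhd5pbQq45QAe3ruLkDfzaKqYqSbzY8W
j4RCjfVjcK4o4J93fxY1vWkVhNoYdd861/7mRxhZ0H+vX0B8t5EWlLXf2vebdiH+
wkxFhIyySfJZ8CliacKfvPq4W7QIM9cCwgtav26Y4t3VNxdt0pbRjtxodTFzs9Sj
nAU8WXi6gH9TrmZyJWjPl0ey5Qv6y+hjThKcxkkcgfb9TMQHmQWx4eKvUEqYAgaM
bA==
-----END CERTIFICATE-----"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]

def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield the TLVs that sit directly inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def extensions(der):
    """Yield (oid, critical, extnValue bytes) for each X.509v3 extension."""
    _, cert_s, cert_e = read_tlv(der, 0)              # Certificate
    _, tbs_s, tbs_e = read_tlv(der, cert_s)           # tbsCertificate
    for tag, vs, ve in children(der, tbs_s, tbs_e):
        if tag != 0xA3:                               # [3] EXPLICIT Extensions
            continue
        _, seq_s, seq_e = read_tlv(der, vs)           # SEQUENCE OF Extension
        for _, es, ee in children(der, seq_s, seq_e):
            parts = list(children(der, es, ee))       # OID, [BOOLEAN critical], OCTET STRING
            oid = decode_oid(der[parts[0][1]:parts[0][2]])
            critical = parts[1][0] == 0x01 and der[parts[1][1]] != 0
            yield oid, critical, der[parts[-1][1]:parts[-1][2]]

def parse_basic_constraints(value):
    _, s, e = read_tlv(value, 0)                      # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    return any(tag == 0x01 and value[vs] != 0 for tag, vs, _ in children(value, s, e))

def parse_key_usage(value):
    _, s, e = read_tlv(value, 0)                      # BIT STRING: unused-bit count, then bits
    unused, data = value[s], value[s + 1:e]
    nbits = len(data) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and (data[i // 8] >> (7 - i % 8)) & 1}

def parse_ext_key_usage(value):
    _, s, e = read_tlv(value, 0)                      # SEQUENCE OF OBJECT IDENTIFIER
    return {decode_oid(value[vs:ve]) for _, vs, ve in children(value, s, e)}

def server_purpose_report(pem):
    """Mirror the leaf-certificate branch of OpenSSL's SSL-server purpose check."""
    exts = {oid: val for oid, _, val in extensions(pem_to_der(pem))}
    is_ca = OID_BASIC_CONSTRAINTS in exts and parse_basic_constraints(exts[OID_BASIC_CONSTRAINTS])
    key_usage = parse_key_usage(exts[OID_KEY_USAGE]) if OID_KEY_USAGE in exts else None
    eku = parse_ext_key_usage(exts[OID_EXT_KEY_USAGE]) if OID_EXT_KEY_USAGE in exts else None
    # keyUsage, if present, must allow digitalSignature, keyEncipherment or keyAgreement;
    # extendedKeyUsage, if present, must list serverAuth. Either failure is verify error 26.
    ku_ok = key_usage is None or bool(key_usage & {"digitalSignature", "keyEncipherment", "keyAgreement"})
    eku_ok = eku is None or OID_SERVER_AUTH in eku
    return {"is_ca": is_ca, "key_usage": key_usage, "ext_key_usage": eku,
            "usable_as_tls_server": ku_ok and eku_ok}

if __name__ == "__main__":
    for k, v in server_purpose_report(PEM).items():
        print(f"{k}: {v}")
```

Run against the certificate from the post, the report gives is_ca True, key_usage {keyCertSign, cRLSign}, no extendedKeyUsage and usable_as_tls_server False: the certificate at depth 0 carries CA-only key usage, which is the condition OpenSSL reports as error 26. That is a different problem from error 18 (self-signed), which is only about whether the client trusts the issuer; the purpose check looks at the presented certificate's own extensions, so the two errors in the s_client output should be read separately when troubleshooting.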