cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hean Seng <heans...@gmail.com>
Subject Re: Console Proxy & SSL
Date Fri, 02 Jul 2021 02:36:14 GMT
I suggest you just do SSL for console proxy,  and setup another  server
with SSL cert and reverse proxy to your Management server .

On Fri, Jul 2, 2021 at 4:22 AM Andrija Panic <andrija.panic@gmail.com>
wrote:

> Hi Mike,
>
> certificate for securing UI and the certificate for securing access to
> Console of the VM (i.e. securing HTTPS access from browser to the public IP
> of the CPVM/SSVM) are 2 completely different things - and you can/should
> use 2 different certificates.
>
> Please read this article - it's very comprehensive and up to date in
> regards to the steps - afterwards, I'm happy to answer any additional
> questions you might have:
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
>
>
> Your second email - is referring to a cloudstack agent certificate that is
> generated by default to secure agent-to-mgmt communication - nothing to do
> with the other 2 you are configuring.
>
> Cheers,
>
>
> On Thu, 1 Jul 2021 at 19:39, Corey, Mike <mike.corey@sap.com.invalid>
> wrote:
>
> > To help me with troubleshooting, could one of the developers let me know
> > where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> > there a way to verify the custom wildcard cert I’ve uploaded is where it
> > should be? I’m seeing this error in the ACS logs.
> >
> > Should the CA wildcard certificate issuer & CN be in the “presented these
> > certificates” section of log?
> >
> >
> > 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> > (pool-13-thread-1:null) (logid:) A client/agent attempting connection
> from
> > address=10.#.#.# has presented these certificate(s):
> > Certificate [1] :
> > Serial: 85b01fc4f045cf08
> >   Not Before:Thu Jul 01 01:03:33 EDT 2021
> >   Not After:Fri Jul 01 13:03:33 EDT 2022
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> > Certificate [2] :
> > Serial: 3b2fcee96e685c62
> >   Not Before:Mon May 03 00:43:22 EDT 2021
> >   Not After:Wed Apr 26 12:43:22 EDT 2051
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:CN=ca.cloudstack.apache.org
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:null
> >
> > 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> > (pool-13-thread-1:null) (logid:) Certificate ownership verification
> failed
> > for client: 10.#.#.#
> > 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> > (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught
> during
> > wrap data: Certificate ownership verification failed for client:
> 10.#.#.#,
> > for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> > 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> > (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught
> during
> > wrap data: Empty server certificate chain, for local
> > address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
> >
> >
> >
> >
> > From: Corey, Mike <mike.corey@sap.com.INVALID>
> > Sent: Thursday, July 1, 2021 10:33 AM
> > To: users <users@cloudstack.apache.org>
> > Subject: [CAUTION] Console Proxy & SSL
> >
> > Hi,
> >
> > I could use some clarification here on TLS/SSL usage.  I’ve secured my
> ACS
> > UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> > server as the CN.  The certificate is valid and the Management UI
> > connection is secured in the web browser.
> >
> > I’m now trying to modify the Console Proxy SSL Certificate base on this
> > page:
> >
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
> >
> > I have created the wildcard CA issued certificate as *.<domain name>
> along
> > with the unencrypted key per the steps on above wiki page.
> >
> > After the changes are made in the UI under Infrastructure – SSL
> > Certificates, the consolevm reboots; however it doesn’t appear it is
> > loading my CA certificate with the wildcard.
> >
> > Answer this please --- I should be able to have two separate
> certificates:
> > one for the UI management (FQDN of ACS) and one for console proxy session
> > (wildcard).
> >
> > I had this on the 4.14 lab implementation but unfortunately my build
> notes
> > on this step were poor ☹.
> >
> >
> > Mike Corey
> >
> > Technology Senior Consultant, IT CS CTW Operation & Virtualization
> Service
> > US
> >
> > SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> > States
> >
> > T +1 610 661 0905, M +1 484 274 2658, E mike.corey@sap.com<mailto:
> > mike.corey@sap.com>
> >
> >
> > [cid:image003.png@01D76E64.7F7C0C60]
> >
> >
> >
>
> --
>
> Andrija Panić
>


-- 
Regards,
Hean Seng

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message