cloudstack-users mailing list archives

From "Corey, Mike" <mike.co...@sap.com.INVALID>
Subject RE: Console Proxy & SSL
Date Fri, 02 Jul 2021 14:03:11 GMT
Thank you for the help - my issue was resolved when I destroyed and ACS redeployed the console
proxy vm.  I was trying to avoid that by troubleshooting the systemvm itself but am on a time
crunch.

Thanks for clarifying the client/agent log entry as not being part of my issue.



-----Original Message-----
From: Andrija Panic <andrija.panic@gmail.com> 
Sent: Thursday, July 1, 2021 4:22 PM
To: users <users@cloudstack.apache.org>
Subject: Re: Console Proxy & SSL

Hi Mike,

The certificate for securing the UI and the certificate for securing access to
the console of the VM (i.e. securing HTTPS access from the browser to the public IP
of the CPVM/SSVM) are 2 completely different things - and you can/should
use 2 different certificates.

Please read this article - it's very comprehensive and up to date in
regards to the steps - afterwards, I'm happy to answer any additional
questions you might have:
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/


Your second email is referring to a cloudstack agent certificate that is
generated by default to secure agent-to-mgmt communication - nothing to do
with the other 2 you are configuring.

Cheers,


On Thu, 1 Jul 2021 at 19:39, Corey, Mike <mike.corey@sap.com.invalid> wrote:

> To help me with troubleshooting, could one of the developers let me know
> where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> there a way to verify the custom wildcard cert I’ve uploaded is where it
> should be? I’m seeing this error in the ACS logs.
>
> Should the CA wildcard certificate issuer & CN be in the “presented these
> certificates” section of log?
>
>
> 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) A client/agent attempting connection from
> address=10.#.#.# has presented these certificate(s):
> Certificate [1] :
> Serial: 85b01fc4f045cf08
>   Not Before:Thu Jul 01 01:03:33 EDT 2021
>   Not After:Fri Jul 01 13:03:33 EDT 2022
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> Certificate [2] :
> Serial: 3b2fcee96e685c62
>   Not Before:Mon May 03 00:43:22 EDT 2021
>   Not After:Wed Apr 26 12:43:22 EDT 2051
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:CN=ca.cloudstack.apache.org
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:null
>
> 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) Certificate ownership verification failed
> for client: 10.#.#.#
> 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Certificate ownership verification failed for client: 10.#.#.#,
> for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Empty server certificate chain, for local
> address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
>
>
>
>
> From: Corey, Mike <mike.corey@sap.com.INVALID>
> Sent: Thursday, July 1, 2021 10:33 AM
> To: users <users@cloudstack.apache.org>
> Subject: [CAUTION] Console Proxy & SSL
>
> Hi,
>
> I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS
> UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> server as the CN.  The certificate is valid and the Management UI
> connection is secured in the web browser.
>
> I’m now trying to modify the Console Proxy SSL Certificate based on this
> page:
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
>
> I have created the wildcard CA issued certificate as *.<domain name> along
> with the unencrypted key per the steps on above wiki page.
>
> After the changes are made in the UI under Infrastructure – SSL
> Certificates, the consolevm reboots; however it doesn’t appear it is
> loading my CA certificate with the wildcard.
>
> Answer this please --- I should be able to have two separate certificates:
> one for the UI management (FQDN of ACS) and one for console proxy session
> (wildcard).
>
> I had this on the 4.14 lab implementation but unfortunately my build notes
> on this step were poor ☹.
>
>
> Mike Corey
>
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> US
>
> SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> States
>
> T +1 610 661 0905, M +1 484 274 2658, E mike.corey@sap.com<mailto:
> mike.corey@sap.com>
>
>

-- 

Andrija Panić
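The management-server log block quoted in this thread is what the agent CA's client-certificate check prints, and Andrija's point is that the chain shown there (issued by CN=ca.cloudstack.apache.org) is the agent certificate, not the console-proxy certificate being configured. The following is an added example, not code from the thread or from CloudStack itself: a small Python diagnostic that parses such a block, reports whether the presented chain was issued by the built-in agent CA, and re-runs what the log calls "certificate ownership verification". The example assumes that check means the connecting address must appear among the leaf certificate's IP subject alternative names (Java's GeneralName tag 7; tag 2 is a DNS name), and that the log lists the leaf first. The sample log text and its IP addresses are constructed, since the archived mail redacts them as 10.#.#.#.

```python
import ipaddress
import re

# Constructed sample of the log block quoted in the thread. Addresses are
# made up; the archived mail redacted them.
SAMPLE_LOG = """\
2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=10.0.1.17 has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.0.1.5], [7, 169.254.2.9], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null
2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) Certificate ownership verification failed for client: 10.0.1.17
"""

# GeneralName tags as Java prints them in getSubjectAlternativeNames().
DNS_NAME, IP_ADDRESS = 2, 7
AGENT_CA_CN = "ca.cloudstack.apache.org"  # CN seen in the thread's log

CERT_HEADER = re.compile(r"^Certificate \[(\d+)\] :$", re.M)
ALT_NAME = re.compile(r"\[(\d+), ([^\]]+)\]")
LOG_LINE_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ", re.M)


def parse_presented_certs(log_text):
    """Return (client_address, [cert dicts]) from a 'has presented these
    certificate(s)' block. Each dict holds the printed fields plus a list of
    (tag, value) alternative names; the leaf is assumed to be listed first."""
    m = re.search(r"from address=(\S+) has presented these certificate\(s\):", log_text)
    if not m:
        raise ValueError("no 'presented these certificate(s)' block found")
    client_addr = m.group(1)
    body = log_text[m.end():]
    nxt = LOG_LINE_START.search(body)  # block ends at the next timestamped line
    if nxt:
        body = body[:nxt.start()]
    parts = CERT_HEADER.split(body)  # [pre, idx1, text1, idx2, text2, ...]
    certs = []
    for i in range(1, len(parts), 2):
        cert = {"index": int(parts[i]), "alt_names": []}
        for line in parts[i + 1].splitlines():
            line = line.strip()
            if ":" not in line:
                continue
            key, _, value = line.partition(":")  # first colon only; times contain colons
            key, value = key.strip(), value.strip()
            if key == "Alternative Names":
                if value != "null":
                    cert["alt_names"] = [(int(t), v.strip()) for t, v in ALT_NAME.findall(value)]
            else:
                cert[key] = value
        certs.append(cert)
    return client_addr, certs


def cn_from_dn(dn):
    """Extract the CN attribute from a comma-separated DN string."""
    for rdn in dn.split(","):
        k, _, v = rdn.strip().partition("=")
        if k.strip().upper() == "CN":
            return v.strip()
    return None


def check_ownership(client_addr, leaf):
    """Assumed meaning of the log's 'certificate ownership verification':
    the connecting address must be one of the leaf's IP SANs."""
    subject = cn_from_dn(leaf.get("Subject DN", ""))
    try:
        client = ipaddress.ip_address(client_addr)
    except ValueError:
        return False, f"client address {client_addr!r} is not an IP address"
    ip_sans = []
    for tag, value in leaf["alt_names"]:
        if tag != IP_ADDRESS:
            continue
        try:
            ip_sans.append(ipaddress.ip_address(value))
        except ValueError:
            continue  # malformed SAN value; ignore rather than crash
    if client in ip_sans:
        return True, f"{client_addr} is an IP SAN of {subject}"
    return False, f"{client_addr} not among IP SANs {[str(i) for i in ip_sans]} of {subject}"


def diagnose(log_text):
    """Summarise one presented-chain block the way a defender triaging the
    thread's error would want: who connected, what cert, which CA, and why
    ownership failed."""
    client_addr, certs = parse_presented_certs(log_text)
    leaf, root = certs[0], certs[-1]
    ok, reason = check_ownership(client_addr, leaf)
    return {
        "client": client_addr,
        "leaf_cn": cn_from_dn(leaf["Subject DN"]),
        "issuer_cn": cn_from_dn(leaf["Issuer DN"]),
        "internal_agent_ca": cn_from_dn(root["Subject DN"]) == AGENT_CA_CN,
        "ownership_ok": ok,
        "reason": reason,
    }


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the constructed sample the chain is flagged as issued by the built-in agent CA and ownership fails because 10.0.1.17 is not among the leaf's IP SANs (10.0.1.5, 169.254.2.9), which is the shape of the error in the thread: a system VM connecting to port 8250 with an agent certificate whose SANs no longer match its address, unrelated to the console-proxy wildcard certificate. Redeploying the system VM, as Mike did, reissues that agent certificate.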