cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Corey, Mike" <>
Subject RE: Console Proxy & SSL
Date Thu, 01 Jul 2021 17:38:48 GMT
To help me with troubleshooting, could one of the developers let me know where the wildcard
certificate is loaded into the ssvm and consolevm?  Is there a way to verify the custom wildcard
cert I’ve uploaded is where it should be? I’m seeing this error in the ACS logs.

Should the CA wildcard certificate issuer & CN be in the “presented these certificates”
section of log?

2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null)
(logid:) A client/agent attempting connection from address=10.#.#.# has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Signature Algorithm:SHA256withRSA
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Signature Algorithm:SHA256withRSA
  Alternative Names:null

2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null)
(logid:) Certificate ownership verification failed for client: 10.#.#.#
2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:)
SSL error caught during wrap data: Certificate ownership verification failed for client: 10.#.#.#,
for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:)
SSL error caught during wrap data: Empty server certificate chain, for local address=/10.#.#.#:8250,
remote address=/10.#.#.##:36084.

From: Corey, Mike <>
Sent: Thursday, July 1, 2021 10:33 AM
To: users <>
Subject: [CAUTION] Console Proxy & SSL


I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS UI with a CA
issued certificate.  This certificate has the FQDN of my ACS server as the CN.  The certificate
is valid and the Management UI connection is secured in the web browser.

I’m now trying to modify the Console Proxy SSL Certificate base on this page:

I have created the wildcard CA issued certificate as *.<domain name> along with the
unencrypted key per the steps on above wiki page.

After the changes are made in the UI under Infrastructure – SSL Certificates, the consolevm
reboots; however it doesn’t appear it is loading my CA certificate with the wildcard.

Answer this please --- I should be able to have two separate certificates: one for the UI
management (FQDN of ACS) and one for console proxy session (wildcard).

I had this on the 4.14 lab implementation but unfortunately my build notes on this step were
poor ☹.

Mike Corey

Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US

SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States

T +1 610 661 0905, M +1 484 274 2658, E<>


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message