Re: Urgent. Importing certificate to CS 4.3.1 using GUI
If required, we can share tomcat configuration file. Screenshots and all info is with Sadhu. Regards, F. On 24 Oct 2014, at 18:36, Stephen Turner stephen.tur...@citrix.com wrote: I'm still puzzled why it would have worked on my Firefox too. There must be some difference in configuration. -- Stephen Turner -Original Message- From: Amogh Vasekar [mailto:amogh.vase...@citrix.com] Sent: 23 October 2014 16:18 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Hi, He certainly is :-) Can you share the screenshot of firebug request and response so as to diagnose better? Also, was the upload call made as admin or regular user? Thanks, Amogh On 10/23/14 3:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: Thanks France, We(France myself) have diagnosed the problem and in firefox after uploading the certificate it shows HTTP Error 501 Not implemented error in api response(firebug output )and The request is not reaching the server itself(CS management server and api server logs not shown any API request details ..) so probably the failure is due to client side settings or due to some other problem. We need to identify reasons for HTTP error 501 not implemented. http://www.checkupdown.com/status/E501.html Amogh/Nitin : can you please check in which cases this 501 not implemented will occur. Regards Sadhu -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 23 October 2014 15:43 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Suresh is awesome. Hope Citrix knows that. :-) We diagnosed the issue with ACS 4.3.1 and Firefox browser, and Suresh will update this thread with details. Regards, F. On 15 Oct 2014, at 13:55, France mailingli...@isg.si wrote: Because i do not check this mailing list every day due to actual payed work, i have not seen your request. I will contact you right now. On 08 Oct 2014, at 20:10, Suresh Sadhu suresh.sa...@citrix.com wrote: Sure Nitin and as of now I didn't hear anything from France. Regards sadhu -Original Message- From: Nitin Mehta [mailto:nitin.me...@citrix.com] Sent: 08 October 2014 21:57 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
This might be due the preflighted requests [1]. Changing content type to text/plain might fix it. Looking at the access log will show if an OPTIONS request is being sent by Firefox. [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS On Fri, Oct 24, 2014 at 22:06 PM, Stephen Turner stephen.tur...@citrix.com wrote: I'm still puzzled why it would have worked on my Firefox too. There must be some difference in configuration. -- Stephen Turner -Original Message- From: Amogh Vasekar [mailto:amogh.vase...@citrix.com javascript:;] Sent: 23 October 2014 16:18 To: dev@cloudstack.apache.org javascript:; Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Hi, He certainly is :-) Can you share the screenshot of firebug request and response so as to diagnose better? Also, was the upload call made as admin or regular user? Thanks, Amogh On 10/23/14 3:27 AM, Suresh Sadhu suresh.sa...@citrix.com javascript:; wrote: Thanks France, We(France myself) have diagnosed the problem and in firefox after uploading the certificate it shows HTTP Error 501 Not implemented error in api response(firebug output )and The request is not reaching the server itself(CS management server and api server logs not shown any API request details ..) so probably the failure is due to client side settings or due to some other problem. We need to identify reasons for HTTP error 501 not implemented. http://www.checkupdown.com/status/E501.html Amogh/Nitin : can you please check in which cases this 501 not implemented will occur. Regards Sadhu -Original Message- From: France [mailto:mailingli...@isg.si javascript:;] Sent: 23 October 2014 15:43 To: dev@cloudstack.apache.org javascript:; Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Suresh is awesome. Hope Citrix knows that. :-) We diagnosed the issue with ACS 4.3.1 and Firefox browser, and Suresh will update this thread with details. Regards, F. On 15 Oct 2014, at 13:55, France mailingli...@isg.si javascript:; wrote: Because i do not check this mailing list every day due to actual payed work, i have not seen your request. I will contact you right now. On 08 Oct 2014, at 20:10, Suresh Sadhu suresh.sa...@citrix.com javascript:; wrote: Sure Nitin and as of now I didn't hear anything from France. Regards sadhu -Original Message- From: Nitin Mehta [mailto:nitin.me...@citrix.com javascript:;] Sent: 08 October 2014 21:57 To: dev@cloudstack.apache.org javascript:; Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com javascript:; wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com javascript:; Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com javascript:;] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org javascript:; Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si javascript:;] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org javascript:; Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com javascript:; wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si javascript:;] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org javascript:; Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com javascript:; wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
I'm still puzzled why it would have worked on my Firefox too. There must be some difference in configuration. -- Stephen Turner -Original Message- From: Amogh Vasekar [mailto:amogh.vase...@citrix.com] Sent: 23 October 2014 16:18 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Hi, He certainly is :-) Can you share the screenshot of firebug request and response so as to diagnose better? Also, was the upload call made as admin or regular user? Thanks, Amogh On 10/23/14 3:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: Thanks France, We(France myself) have diagnosed the problem and in firefox after uploading the certificate it shows HTTP Error 501 Not implemented error in api response(firebug output )and The request is not reaching the server itself(CS management server and api server logs not shown any API request details ..) so probably the failure is due to client side settings or due to some other problem. We need to identify reasons for HTTP error 501 not implemented. http://www.checkupdown.com/status/E501.html Amogh/Nitin : can you please check in which cases this 501 not implemented will occur. Regards Sadhu -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 23 October 2014 15:43 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Suresh is awesome. Hope Citrix knows that. :-) We diagnosed the issue with ACS 4.3.1 and Firefox browser, and Suresh will update this thread with details. Regards, F. On 15 Oct 2014, at 13:55, France mailingli...@isg.si wrote: Because i do not check this mailing list every day due to actual payed work, i have not seen your request. I will contact you right now. On 08 Oct 2014, at 20:10, Suresh Sadhu suresh.sa...@citrix.com wrote: Sure Nitin and as of now I didn't hear anything from France. Regards sadhu -Original Message- From: Nitin Mehta [mailto:nitin.me...@citrix.com] Sent: 08 October 2014 21:57 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Suresh is awesome. Hope Citrix knows that. :-) We diagnosed the issue with ACS 4.3.1 and Firefox browser, and Suresh will update this thread with details. Regards, F. On 15 Oct 2014, at 13:55, France mailingli...@isg.si wrote: Because i do not check this mailing list every day due to actual payed work, i have not seen your request. I will contact you right now. On 08 Oct 2014, at 20:10, Suresh Sadhu suresh.sa...@citrix.com wrote: Sure Nitin and as of now I didn't hear anything from France. Regards sadhu -Original Message- From: Nitin Mehta [mailto:nitin.me...@citrix.com] Sent: 08 October 2014 21:57 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
Thanks France, We(France myself) have diagnosed the problem and in firefox after uploading the certificate it shows HTTP Error 501 Not implemented error in api response(firebug output )and The request is not reaching the server itself(CS management server and api server logs not shown any API request details ..) so probably the failure is due to client side settings or due to some other problem. We need to identify reasons for HTTP error 501 not implemented. http://www.checkupdown.com/status/E501.html Amogh/Nitin : can you please check in which cases this 501 not implemented will occur. Regards Sadhu -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 23 October 2014 15:43 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Suresh is awesome. Hope Citrix knows that. :-) We diagnosed the issue with ACS 4.3.1 and Firefox browser, and Suresh will update this thread with details. Regards, F. On 15 Oct 2014, at 13:55, France mailingli...@isg.si wrote: Because i do not check this mailing list every day due to actual payed work, i have not seen your request. I will contact you right now. On 08 Oct 2014, at 20:10, Suresh Sadhu suresh.sa...@citrix.com wrote: Sure Nitin and as of now I didn't hear anything from France. Regards sadhu -Original Message- From: Nitin Mehta [mailto:nitin.me...@citrix.com] Sent: 08 October 2014 21:57 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Hi, He certainly is :-) Can you share the screenshot of firebug request and response so as to diagnose better? Also, was the upload call made as admin or regular user? Thanks, Amogh On 10/23/14 3:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: Thanks France, We(France myself) have diagnosed the problem and in firefox after uploading the certificate it shows HTTP Error 501 Not implemented error in api response(firebug output )and The request is not reaching the server itself(CS management server and api server logs not shown any API request details ..) so probably the failure is due to client side settings or due to some other problem. We need to identify reasons for HTTP error 501 not implemented. http://www.checkupdown.com/status/E501.html Amogh/Nitin : can you please check in which cases this 501 not implemented will occur. Regards Sadhu -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 23 October 2014 15:43 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Suresh is awesome. Hope Citrix knows that. :-) We diagnosed the issue with ACS 4.3.1 and Firefox browser, and Suresh will update this thread with details. Regards, F. On 15 Oct 2014, at 13:55, France mailingli...@isg.si wrote: Because i do not check this mailing list every day due to actual payed work, i have not seen your request. I will contact you right now. On 08 Oct 2014, at 20:10, Suresh Sadhu suresh.sa...@citrix.com wrote: Sure Nitin and as of now I didn't hear anything from France. Regards sadhu -Original Message- From: Nitin Mehta [mailto:nitin.me...@citrix.com] Sent: 08 October 2014 21:57 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Because i do not check this mailing list every day due to actual payed work, i have not seen your request. I will contact you right now. On 08 Oct 2014, at 20:10, Suresh Sadhu suresh.sa...@citrix.com wrote: Sure Nitin and as of now I didn't hear anything from France. Regards sadhu -Original Message- From: Nitin Mehta [mailto:nitin.me...@citrix.com] Sent: 08 October 2014 21:57 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
Sure Nitin and as of now I didn't hear anything from France. Regards sadhu -Original Message- From: Nitin Mehta [mailto:nitin.me...@citrix.com] Sent: 08 October 2014 21:57 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Sadhu - Please do update the thread once you have some observation. Thanks -Nitin On 08/10/14 5:27 AM, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, I can help today . My personal email id is mailtosa...@gmail.com Regards sadhu -Original Message- From: Stephen Turner [mailto:stephen.tur...@citrix.com] Sent: 08 October 2014 17:43 To: dev@cloudstack.apache.org Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI France, I'm sorry, but I'm about to go away for three weeks, and I'm not going to have time to work on this. Is there anyone else who could help France? Is anyone else seeing the problem, because I couldn't reproduce it? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 08 October 2014 11:44 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Send me a private email and you can test it on my exact system with all development options turned on as you wish. We will do it via remote screen sharing, like VNC, RDP, Teamviewer, .. Regards, F. On 26 Sep 2014, at 16:53, Stephen Turner stephen.tur...@citrix.com wrote: I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3: 28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87: 69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a: f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb: d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59:76:70:99: 8c:2e:c0:cf:dd:09:3b:fb:6f:8d:43:29:0c:7e:8a: 5c:8d:49:f4:9a:96:ba:54:72:44:d8:fa:aa:64:71: 27:21 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3: 28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87: 69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a: f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb: d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59:76:70:99: 8c
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
Thanks, I've assigned it to myself. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
On Sep 25, 2014, at 9:52 AM, France mailingli...@isg.si wrote: There is a bug in ACS 4.3.1 GUI. Do you know if this affects 4.4 and master as well ? The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Can you tell us where the issue in the docs is exactly ? Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. Sorry about that, everyone is welcome to submit patches. Unfortunatley it's true that some bugs don't get fixed. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Really most likely an oversight from them, they solve tons of issues in the code and on the ML. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE—— tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld “ In the Update SSL Certificate screen of the CloudStack UI, paste the following: • The certificate you’ve just generated. • The private key you’ve just generated. • The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com “ [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3: 28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87: 69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a: f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb: d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59:76:70:99: 8c:2e:c0:cf:dd:09:3b:fb:6f:8d:43:29:0c:7e:8a: 5c:8d:49:f4:9a:96:ba:54:72:44:d8:fa:aa:64:71: 27:21 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier:
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
The UI code on master is different because it was rewritten for the realhostip shutdown. But I will check whether that works properly with Firefox too. -- Stephen Turner -Original Message- From: Sebastien Goasguen [mailto:run...@gmail.com] Sent: 26 September 2014 13:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI On Sep 25, 2014, at 9:52 AM, France mailingli...@isg.si wrote: There is a bug in ACS 4.3.1 GUI. Do you know if this affects 4.4 and master as well ?
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
On 26 Sep 2014, at 14:52, Sebastien Goasguen run...@gmail.com wrote: The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Can you tell us where the issue in the docs is exactly ? For 4.3 on http://docs.cloudstack.apache.org/ administration documentation. The docs that should be changed are at: http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/4.4/systemvm.html?highlight=console%20proxy#changing-the-console-proxy-ssl-certificate-and-domain Just below 3. step : In the Update SSL Certificate screen of the CloudStack UI, paste the following: It says one must enter *.domain.tld while it should be just domain.tld without * And below that, there should be a note like: Importing certificate in Infrastructure - SSL Certificate does/might not work with Firefox, but works with Chrome.
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
I'm afraid I couldn't reproduce this, even with your certificate and private key. Everything I tried, I got Update Certiciate [sic] Succeeded. Does anyone else have a convenient 4.3 and FF 32 that they can try and repro this with? France, if you open the developer tools in Firefox and do this again, do you see any errors? -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner stephen.tur...@citrix.com wrote: Yes, I would like a bug report for this. Please assign it to me. This bit of UI has been rewritten on master, but it should work the same in all browsers, so I'd like to investigate whether it's fixed on master, and also whether there are any other similar controls that aren't working in FF 32. If you can attach a public key and other data that illustrates the problem, that would be great just to make sure that we can repro it. Thank you. -- Stephen Turner -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 14:52 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Tnx Amogh, i have checked management-server.log and no new entries or errors regarding certificate operation are written at the time when i get Failed to update SSL Certificate. error message. I tried it a couple of times. I also used somedomain.tld in the GUI. Certificate is for *.somedomain.tld. I will go thru whole create CA and certificate process again and retry. There must be some simple mistake in my process somewhere. Lack of errors in logs, is also strange. :-/ Regards, F. On 24 Sep 2014, at 21:10, Amogh Vasekar amogh.vase...@citrix.com wrote: Hi, Couple of things : 1. The error will be logged to the cloudstack management server log file (management-server.log) and would really help to know what it is. 2. While uploading the certificate, the domain_suffix should be somedomain.tld and not *.somedomain.tld (the asterisk is only for global config so that cloudstack can distinguish between HTTP and HTTPS modes) Thanks Amogh On 9/24/14 7:40 AM, France mailingli...@isg.si wrote: Hi guys, i want to migrate away from realhostip.com. I have set up DNS service in no time, but am having problems importing certificates to ACS 3.4.1. I created my own CA like this: cd /etc/pki/CA touch index.txt echo 1000 serial openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096 chmod 400 /etc/pki/CA/private/ca.key.pem nano -w /etc/pki/tls/openssl.cnf openssl req -new -x509 -days 63650 -key /etc/pki/CA/private/ca.key.pem -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem Signed my own keys and converted them to pkcs8 format like this: cd /etc/pki/CA openssl genrsa -out private/vse.somedomain.tld.key.pem 4096 chmod 400 private/vse.somedomain.tld.key.pem openssl req -sha256 -new -key private/vse.somedomain.tld.key.pem -out certs/vse.somedomain.tld.csr.pem openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions usr_cert -notext -md sha256 -days 63649 -in certs/vse.somedomain.tld.csr.pem -out certs/vse.somedomain.tld.cert.pem openssl pkcs8 -topk8 -in private/vse.somedomain.tld.key.pem -out private/vse.somedomain.tld.key.encrypted.pkcs8 openssl pkcs8 -in private/vse.somedomain.tld.key.encrypted.pkcs8 -out private/vse.somedomain.tld.key.pkcs8 chmod 400 private/vse.somedomain.tld.key.encrypted.pkcs8 chmod 400 private/vse.somedomain.tld.key.pkcs8 But when trying to import it via GUI: infrastructure - SSL Certificate: Certificate from vse.somedomain.tld.cert.pem PKCS8 from private/vse.somedomain.tld.key.pkcs8 DNS domain suffix to: *.somedomain.tld But it fails with: Failed to update SSL Certificate. Please help me upload the new certificate. Catalina.out shows no error. I have no idea what else to check. Thank you. F.
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE—— tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld “ In the Update SSL Certificate screen of the CloudStack UI, paste the following: • The certificate you’ve just generated. • The private key you’ve just generated. • The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com “ [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3: 28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87: 69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a: f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb: d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59:76:70:99: 8c:2e:c0:cf:dd:09:3b:fb:6f:8d:43:29:0c:7e:8a: 5c:8d:49:f4:9a:96:ba:54:72:44:d8:fa:aa:64:71: 27:21 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 13:B4:E9:B7:EA:67:BC:00:BA:20:F9:9D:AB:02:14:0D:22:B4:F7:5B X509v3 Authority Key Identifier: keyid:B9:4F:AC:D0:CA:A4:32:E0:A0:49:48:8D:D4:C9:6A:6D:6F:6C:8F:42 Signature Algorithm: sha256WithRSAEncryption a9:f2:77:c2:10:9b:87:f4:44:9c:57:52:1b:dc:70:a7:e2:bf: 97:8d:bb:3d:bc:b7:a9:90:55:75:43:47:ac:bf:6f:2a:5e:90: b1:5b:8c:41:e7:5a:51:2a:f7:db:2e:6a:37:e5:6e:18:3a:88: ae:10:42:1e:97:4c:75:e9:8a:51:37:8f:e9:99:bc:40:46:18: 85:18:ce:6f:03:24:c7:b3:43:f2:53:51:34:36:70:d8:3b:84: 09:70:91:13:51:a9:b7:30:e4:d3:f7:1a:34:f4:6b:25:b7:46: a1:dd:b7:eb:19:b3:03:be:b5:3d:12:b7:ee:a9:47:26:17:89: ef:06:9e:90:b4:78:5d:d9:52:1c:b4:0d:14:f2:37:64:9a:d8: 4d:89:95:1e:c0:6b:14:93:e8:ea:91:84:69:c5:22:1f:d2:82: 54:bd:fe:06:f8:ea:f3:66:a1:27:41:72:88:25:78:eb:2b:1b: 73:fb:98:0f:00:58:b0:43:22:5b:3b:ea:89:b5:4f:3e:2a:ed: 92:5f:48:37:39:ec:39:6c:b5:73:d3:0d:9c:ff:3b:37:92:5b: c6:ef:64:65:7a:99:1a:be:09:0e:bb:62:1b:9f:9e:ad:5d:cf: 32:8c:81:42:c2:d9:11:65:64:8d:ce:5e:f5:b4:77:66:74:eb: 10:d5:7e:58:d7:ba:70:fe:96:4b:94:f5:66:5c:af:57:ae:e0: ad:72:7a:ef:04:80:7e:4b:6d:ee:13:e2:de:20:94:4e:bb:7b: a6:87:0f:92:d8:c4:01:9b:50:fd:b4:0b:60:b2:93:91:32:ce: 31:f9:b7:4f:a0:72:71:a1:87:b4:02:ff:5b:49:c1:2f:a1:6d: 13:98:c1:81:9c:33:f6:61:b9:f9:47:7b:7b:2a:b2:e0:7b:21: 4b:67:c0:23:04:b7:08:e5:7d:a3:44:b5:a5:aa:ce:03:be:93: cb:78:fe:2d:e5:a7:61:20:03:b2:a1:ac:92:41:54:c0:25:b5: 32:c6:c5:83:49:7a:cd:a8:16:4e:80:f2:05:9c:47:17:74:1f:
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE—— tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld “ In the Update SSL Certificate screen of the CloudStack UI, paste the following: • The certificate you’ve just generated. • The private key you’ve just generated. • The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com “ [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3: 28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87: 69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a: f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb: d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59:76:70:99: 8c:2e:c0:cf:dd:09:3b:fb:6f:8d:43:29:0c:7e:8a: 5c:8d:49:f4:9a:96:ba:54:72:44:d8:fa:aa:64:71: 27:21 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 13:B4:E9:B7:EA:67:BC:00:BA:20:F9:9D:AB:02:14:0D:22:B4:F7:5B X509v3 Authority Key Identifier: keyid:B9:4F:AC:D0:CA:A4:32:E0:A0:49:48:8D:D4:C9:6A:6D:6F:6C:8F:42 Signature Algorithm: sha256WithRSAEncryption a9:f2:77:c2:10:9b:87:f4:44:9c:57:52:1b:dc:70:a7:e2:bf: 97:8d:bb:3d:bc:b7:a9:90:55:75:43:47:ac:bf:6f:2a:5e:90:
RE: Urgent. Importing certificate to CS 4.3.1 using GUI
HI France, Did you import the certificate in firefox . In firefox we need to explicitly import the certificate Please check below procedure to import the certificate in firefox: go to the Tools menu and select Options In the Options window, go to the Advanced section - Encryption tab and click the View certificates button. In the Certificate Manager window, switch to the Authorities tab and click the Import... button to import your .crt certificate In the Downloading Certificate window ,check the trust the CA identity to identify websites and clickOK button. Then open the new firefox session and try to check the console view.hope you will see the same result what you seen with chrome browser. Regards sadhu -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 19:22 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3: 28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87: 69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a: f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb: d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
You are talking about importing CA root certificate into client machine, while i was clearly talking about importing certificate into the ACS 3.2.1 install to be used by console proxy. Of course you need to import the CA root certificate not to get warnings on the client side, but only _after_ the server certificate is installed/changed via ACS GUI - infrastructure - SSL Certificate. This procedure does not work with Firefox, but does work in Chrome. Regards, F. On 25 Sep 2014, at 16:26, Suresh Sadhu suresh.sa...@citrix.com wrote: HI France, Did you import the certificate in firefox . In firefox we need to explicitly import the certificate Please check below procedure to import the certificate in firefox: go to the Tools menu and select Options In the Options window, go to the Advanced section - Encryption tab and click the View certificates button. In the Certificate Manager window, switch to the Authorities tab and click the Import... button to import your .crt certificate In the Downloading Certificate window ,check the trust the CA identity to identify websites and clickOK button. Then open the new firefox session and try to check the console view.hope you will see the same result what you seen with chrome browser. Regards sadhu -Original Message- From: France [mailto:mailingli...@isg.si] Sent: 25 September 2014 19:22 To: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE-- tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld In the Update SSL Certificate screen of the CloudStack UI, paste the following: * The certificate you've just generated. * The private key you've just generated. * The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Thanks for letting us know, I will follow-up with the doc folks to fix the notes published. Funny that the GUI is not working right with FF 32.0.2. I know they changed the pkix libraries they use (I hit it while testing something on ACS), but this bug may call for more testing on FF to see if anything else is broken. Thanks Amogh On 9/25/14 6:52 AM, France mailingli...@isg.si wrote: There is a bug in ACS 4.3.1 GUI. The before mentioned process did not work with Firefox 32.0.2, while it worked on latest Chrome. Because the problem is on the browser side, it did not reach management server logs at all. I have done everything correct. Even a couple of times. ;-) Hopefully this mail will help someone in the future. I would also advise to update the documentation on the issue. Do you want me to open a bug report for this? I am a little reluctant to do so, because some of the bug reports i made previously just sit there for years to come. FYI also got contacted off the mailing list by Steve Roles from ShapeBlue who kindly offered to sell annual 24/7 support to help me sort this issue. Too bad they did not want to provide help/support for this one incident, which which they have come across already. They could get payed well for telling me to use another browser. :-) While i appreciate what ShapeBlue does for ACS, they could easily just have told us publicly on the mailing list to use a different browser. Many thanks to anyone else who actually tried to help on the issue. Realhostip.com migration is now officially complete. Regards, F. On 25 Sep 2014, at 14:54, France mailingli...@isg.si wrote: I have created new key and csr. Signed it, converted key to pkcs8 format without encryption and added in ACS GUI with *.domain.tld and again with domain.tld. I did copy paste the crt and key with and without -BEGIN CERTIFICATE‹‹ tags. Nothing works. I have the same GUI error message as before. Management-log shows no errors or even logs regarding certificate manipulation. I have not created CA key and certs again. I have confirmed certificate before importing to ACS using: openssl x509 -in private/vse.somedomain.tls.crt -noout -text (result below). Maybe i could just insert new certs straight into the database, destroy console proxy and see what happens. Any more ideas? Also there is a bug in 4.3 documentation, because it says one must enter *.domain.tld while you say, it should be just domain.tld ³ In the Update SSL Certificate screen of the CloudStack UI, paste the following: € The certificate you¹ve just generated. € The private key you¹ve just generated. € The desired domain name, prefixed with *.; for example, *.consoleproxy.company.com ³ [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 4097 (0x1001) Signature Algorithm: sha256WithRSAEncryption Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sis...@xxxb.si Validity Not Before: Sep 25 12:25:32 2014 GMT Not After : Jun 3 12:25:32 2028 GMT Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sis...@xxxb.si Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3: 28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87: 69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a: f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb: d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59:76:70:99: 8c:2e:c0:cf:dd:09:3b:fb:6f:8d:43:29:0c:7e:8a: 5c:8d:49:f4:9a:96:ba:54:72:44:d8:fa:aa:64:71: 27:21 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier:
Urgent. Importing certificate to CS 4.3.1 using GUI
Hi guys, i want to migrate away from realhostip.com. I have set up DNS service in no time, but am having problems importing certificates to ACS 3.4.1. I created my own CA like this: cd /etc/pki/CA touch index.txt echo 1000 serial openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096 chmod 400 /etc/pki/CA/private/ca.key.pem nano -w /etc/pki/tls/openssl.cnf openssl req -new -x509 -days 63650 -key /etc/pki/CA/private/ca.key.pem -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem Signed my own keys and converted them to pkcs8 format like this: cd /etc/pki/CA openssl genrsa -out private/vse.somedomain.tld.key.pem 4096 chmod 400 private/vse.somedomain.tld.key.pem openssl req -sha256 -new -key private/vse.somedomain.tld.key.pem -out certs/vse.somedomain.tld.csr.pem openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions usr_cert -notext -md sha256 -days 63649 -in certs/vse.somedomain.tld.csr.pem -out certs/vse.somedomain.tld.cert.pem openssl pkcs8 -topk8 -in private/vse.somedomain.tld.key.pem -out private/vse.somedomain.tld.key.encrypted.pkcs8 openssl pkcs8 -in private/vse.somedomain.tld.key.encrypted.pkcs8 -out private/vse.somedomain.tld.key.pkcs8 chmod 400 private/vse.somedomain.tld.key.encrypted.pkcs8 chmod 400 private/vse.somedomain.tld.key.pkcs8 But when trying to import it via GUI: infrastructure - SSL Certificate: Certificate from vse.somedomain.tld.cert.pem PKCS8 from private/vse.somedomain.tld.key.pkcs8 DNS domain suffix to: *.somedomain.tld But it fails with: Failed to update SSL Certificate. Please help me upload the new certificate. Catalina.out shows no error. I have no idea what else to check. Thank you. F.
Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Hi, Couple of things : 1. The error will be logged to the cloudstack management server log file (management-server.log) and would really help to know what it is. 2. While uploading the certificate, the domain_suffix should be somedomain.tld and not *.somedomain.tld (the asterisk is only for global config so that cloudstack can distinguish between HTTP and HTTPS modes) Thanks Amogh On 9/24/14 7:40 AM, France mailingli...@isg.si wrote: Hi guys, i want to migrate away from realhostip.com. I have set up DNS service in no time, but am having problems importing certificates to ACS 3.4.1. I created my own CA like this: cd /etc/pki/CA touch index.txt echo 1000 serial openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096 chmod 400 /etc/pki/CA/private/ca.key.pem nano -w /etc/pki/tls/openssl.cnf openssl req -new -x509 -days 63650 -key /etc/pki/CA/private/ca.key.pem -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem Signed my own keys and converted them to pkcs8 format like this: cd /etc/pki/CA openssl genrsa -out private/vse.somedomain.tld.key.pem 4096 chmod 400 private/vse.somedomain.tld.key.pem openssl req -sha256 -new -key private/vse.somedomain.tld.key.pem -out certs/vse.somedomain.tld.csr.pem openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions usr_cert -notext -md sha256 -days 63649 -in certs/vse.somedomain.tld.csr.pem -out certs/vse.somedomain.tld.cert.pem openssl pkcs8 -topk8 -in private/vse.somedomain.tld.key.pem -out private/vse.somedomain.tld.key.encrypted.pkcs8 openssl pkcs8 -in private/vse.somedomain.tld.key.encrypted.pkcs8 -out private/vse.somedomain.tld.key.pkcs8 chmod 400 private/vse.somedomain.tld.key.encrypted.pkcs8 chmod 400 private/vse.somedomain.tld.key.pkcs8 But when trying to import it via GUI: infrastructure - SSL Certificate: Certificate from vse.somedomain.tld.cert.pem PKCS8 from private/vse.somedomain.tld.key.pkcs8 DNS domain suffix to: *.somedomain.tld But it fails with: Failed to update SSL Certificate. Please help me upload the new certificate. Catalina.out shows no error. I have no idea what else to check. Thank you. F.