Re: Console proxy SSL

2023-11-09 Thread Jimmy Huybrechts
Hi Jithin,

In the end I missed the actual enable global option for the console proxy, once 
I set that and destroyed the proxy vm, after it was rebuilt it works over SSL 
now :)

--
Kind regards,
Jimmy Huybrechts

From: Jithin Raju 
Date: Thursday, 9 November 2023 at 05:12
To: users@cloudstack.apache.org 
Subject: Re: Console proxy SSL
Hi Jimmy,

The below article might help you, you are using the wildcard certificate right?

https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

-Jithin

From: Jimmy Huybrechts 
Date: Wednesday, 8 November 2023 at 9:52 PM
To: users@cloudstack.apache.org 
Subject: Console proxy SSL
Hi,

So I’ve been setting up SSL for the management host and the console proxy but 
on the console proxy it’s not working.

I uploaded the SSL files over the GUI, made the adjustments in the management 
server properties file and restarted it. The management server has a valid ssl 
now.

I changed the console domain to my wildcard address so it generates 
a.b.c.d.(domain) which also works as it’s now reachable, however it still opens 
it in http but then as a.b.c.d.(domain).
The proxy was already destroyed and recreated with the same issue still.

How to debug why it doesn’t work? The management server has full ssl.
--
Jimmy




Re: Console proxy SSL

2023-11-08 Thread Jithin Raju
Hi Jimmy,

The below article might help you, you are using the wildcard certificate right?

https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

-Jithin

From: Jimmy Huybrechts 
Date: Wednesday, 8 November 2023 at 9:52 PM
To: users@cloudstack.apache.org 
Subject: Console proxy SSL
Hi,

So I’ve been setting up SSL for the management host and the console proxy but 
on the console proxy it’s not working.

I uploaded the SSL files over the GUI, made the adjustments in the management 
server properties file and restarted it. The management server has a valid ssl 
now.

I changed the console domain to my wildcard address so it generates 
a.b.c.d.(domain) which also works as it’s now reachable, however it still opens 
it in http but then as a.b.c.d.(domain).
The proxy was already destroyed and recreated with the same issue still.

How to debug why it doesn’t work? The management server has full ssl.
--
Jimmy

 



Re: console proxy ssl offloading

2023-01-03 Thread Nux

See if you can get any inspiration from this guy:
https://leo.leung.xyz/wiki/CloudStack#Traefik (that's just the proxying 
subsection, but best read the whole SSL thing).


---
Nux
www.nux.ro

On 2023-01-02 21:16, m...@swen.io wrote:

Hello everyone,

first of all a happy new year to all of you! :-)

I am doing some kind of PoC and want to use a load balancer in front of the
console proxy and the secondary storage vm to offload ssl connections. I do
not get it to work.

I am using a load balancer on a public IP where "console.domain.tld" (of
course I am using a working tld!) is referring to via DNS record. I
configured the domain in CS via consoleproxy.url.domain.

A working certificate is installed on the load balancer and offloading is
active. This means the lb is taking care of port 443 and the encryption and
forwarding the traffic to port 80 on the console proxy public IP not
encrypted.

I do get the page of the console proxy, but on this page the noVNC is not
loading and the connection failed to the console itself.

Is my setup even possible? Thx for any idea and help!

Cu Swen


Re: console proxy ssl offloading

2023-01-03 Thread Wei ZHOU
Hi,

Have you uploaded the SSL certificate in cloudstack?
You can refer to
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

-Wei

On Mon, 2 Jan 2023 at 22:18,  wrote:

> Hello everyone,
>
>
>
> first of all a happy new year to all of you! :-)
>
>
>
> I am doing some kind of PoC and want to use a load balancer in front of the
> console proxy and the secondary storage vm to offload ssl connections. I do
> not get it to work.
>
>
>
> I am using a load balancer on a public IP where "console.domain.tld" (of
> course I am using a working tld!) is referring to via DNS record. I
> configured the domain in CS via consoleproxy.url.domain.
>
> A working certificate is installed on the load balancer and offloading is
> active. This means the lb is taking care of port 443 and the encryption and
> forwarding the traffic to port 80 on the console proxy public IP not
> encrypted.
>
> I do get the page of the console proxy, but on this page the noVNC is not
> loading and the connection failed to the console itself.
>
>
>
> Is my setup even possible? Thx for any idea and help!
>
>
>
> Cu Swen
>
>


RE: Console Proxy & SSL

2021-07-02 Thread Corey, Mike
Thank you for the help - my issue was resolved when I destroyed and ACS 
redeployed the console proxy vm.  I was trying to avoid that by troubleshooting 
the systemvm itself but am on a time crunch.

Thanks for clarifying the client/agent log entry as not being part of my issue.



-Original Message-
From: Andrija Panic  
Sent: Thursday, July 1, 2021 4:22 PM
To: users 
Subject: Re: Console Proxy & SSL

Hi Mike,

certificate for securing UI and the certificate for securing access to
Console of the VM (i.e. securing HTTPS access from browser to the public IP
of the CPVM/SSVM) are 2 completely different things - and you can/should
use 2 different certificates.

Please read this article - it's very comprehensive and up to date in
regards to the steps - afterwards, I'm happy to answer any additional
questions you might have:
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/


Your second email - is referring to a cloudstack agent certificate that is
generated by default to secure agent-to-mgmt communication - nothing to do
with the other 2 you are configuring.

Cheers,


On Thu, 1 Jul 2021 at 19:39, Corey, Mike  wrote:

> To help me with troubleshooting, could one of the developers let me know
> where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> there a way to verify the custom wildcard cert I’ve uploaded is where it
> should be? I’m seeing this error in the ACS logs.
>
> Should the CA wildcard certificate issuer & CN be in the “presented these
> certificates” section of log?
>
>
> 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) A client/agent attempting connection from
> address=10.#.#.# has presented these certificate(s):
> Certificate [1] :
> Serial: 85b01fc4f045cf08
>   Not Before:Thu Jul 01 01:03:33 EDT 2021
>   Not After:Fri Jul 01 13:03:33 EDT 2022
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> Certificate [2] :
> Serial: 3b2fcee96e685c62
>   Not Before:Mon May 03 00:43:22 EDT 2021
>   Not After:Wed Apr 26 12:43:22 EDT 2051
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:CN=ca.cloudstack.apache.org
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:null
>
> 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) Certificate ownership verification failed
> for client: 10.#.#.#
> 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Certificate ownership verification failed for client: 10.#.#.#,
> for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Empty server certificate chain, for local
> address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
>
>
>
>
> From: Corey, Mike 
> Sent: Thursday, July 1, 2021 10:33 AM
> To: users 
> Subject: [CAUTION] Console Proxy & SSL
>
> Hi,
>
> I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS
> UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> server as the CN.  The certificate is valid and the Management UI
> connection is secured in the web browser.
>
> I’m now trying to modify the Console Proxy SSL Certificate based on this
> page:
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
>
> I have created the wildcard CA issued certificate as *. along
> with the unencrypted key per the steps on above wiki page.
>
> After the changes are made in the UI under Infrastructure – SSL
> Certificates, the consolevm reboots; however it doesn’t appear it is
> loading my CA certificate with the wildcard.
>
> Answer this please --- I should be able to have two separate certificates:
> one for the UI management (FQDN of ACS) and one for console proxy session
> (wildcard).
>
> I had this on the 4.14 lab implementation but unfortunately my build notes
> on this step were poor ☹.
>
>
> Mike Corey
>
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> US
>
> SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> States
>
> T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
>
>
>
>
>

-- 

Andrija Panić


Re: Console Proxy & SSL

2021-07-01 Thread Hean Seng
I suggest you just do SSL for console proxy, and set up another server
with SSL cert and reverse proxy to your Management server.

On Fri, Jul 2, 2021 at 4:22 AM Andrija Panic 
wrote:

> Hi Mike,
>
> certificate for securing UI and the certificate for securing access to
> Console of the VM (i.e. securing HTTPS access from browser to the public IP
> of the CPVM/SSVM) are 2 completely different things - and you can/should
> use 2 different certificates.
>
> Please read this article - it's very comprehensive and up to date in
> regards to the steps - afterwards, I'm happy to answer any additional
> questions you might have:
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
>
>
> Your second email - is referring to a cloudstack agent certificate that is
> generated by default to secure agent-to-mgmt communication - nothing to do
> with the other 2 you are configuring.
>
> Cheers,
>
>
> On Thu, 1 Jul 2021 at 19:39, Corey, Mike 
> wrote:
>
> > To help me with troubleshooting, could one of the developers let me know
> > where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> > there a way to verify the custom wildcard cert I’ve uploaded is where it
> > should be? I’m seeing this error in the ACS logs.
> >
> > Should the CA wildcard certificate issuer & CN be in the “presented these
> > certificates” section of log?
> >
> >
> > 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> > (pool-13-thread-1:null) (logid:) A client/agent attempting connection
> from
> > address=10.#.#.# has presented these certificate(s):
> > Certificate [1] :
> > Serial: 85b01fc4f045cf08
> >   Not Before:Thu Jul 01 01:03:33 EDT 2021
> >   Not After:Fri Jul 01 13:03:33 EDT 2022
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> > Certificate [2] :
> > Serial: 3b2fcee96e685c62
> >   Not Before:Mon May 03 00:43:22 EDT 2021
> >   Not After:Wed Apr 26 12:43:22 EDT 2051
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:CN=ca.cloudstack.apache.org
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:null
> >
> > 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> > (pool-13-thread-1:null) (logid:) Certificate ownership verification
> failed
> > for client: 10.#.#.#
> > 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> > (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught
> during
> > wrap data: Certificate ownership verification failed for client:
> 10.#.#.#,
> > for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> > 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> > (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught
> during
> > wrap data: Empty server certificate chain, for local
> > address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
> >
> >
> >
> >
> > From: Corey, Mike 
> > Sent: Thursday, July 1, 2021 10:33 AM
> > To: users 
> > Subject: [CAUTION] Console Proxy & SSL
> >
> > Hi,
> >
> > I could use some clarification here on TLS/SSL usage.  I’ve secured my
> ACS
> > UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> > server as the CN.  The certificate is valid and the Management UI
> > connection is secured in the web browser.
> >
> > I’m now trying to modify the Console Proxy SSL Certificate based on this
> > page:
> >
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
> >
> > I have created the wildcard CA issued certificate as *.
> along
> > with the unencrypted key per the steps on above wiki page.
> >
> > After the changes are made in the UI under Infrastructure – SSL
> > Certificates, the consolevm reboots; however it doesn’t appear it is
> > loading my CA certificate with the wildcard.
> >
> > Answer this please --- I should be able to have two separate
> certificates:
> > one for the UI management (FQDN of ACS) and one for console proxy session
> > (wildcard).
> >
> > I had this on the 4.14 lab implementation but unfortunately my build
> notes
> > on this step were poor ☹.
> >
> >
> > Mike Corey
> >
> > Technology Senior Consultant, IT CS CTW Operation & Virtualization
> Service
> > US
> >
> > SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> > States
> >
> > T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
> >
> >
> >
> >
> >
>
> --
>
> Andrija Panić
>


-- 
Regards,
Hean Seng


Re: Console Proxy & SSL

2021-07-01 Thread Andrija Panic
Hi Mike,

certificate for securing UI and the certificate for securing access to
Console of the VM (i.e. securing HTTPS access from browser to the public IP
of the CPVM/SSVM) are 2 completely different things - and you can/should
use 2 different certificates.

Please read this article - it's very comprehensive and up to date in
regards to the steps - afterwards, I'm happy to answer any additional
questions you might have:
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/


Your second email - is referring to a cloudstack agent certificate that is
generated by default to secure agent-to-mgmt communication - nothing to do
with the other 2 you are configuring.

Cheers,


On Thu, 1 Jul 2021 at 19:39, Corey, Mike  wrote:

> To help me with troubleshooting, could one of the developers let me know
> where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> there a way to verify the custom wildcard cert I’ve uploaded is where it
> should be? I’m seeing this error in the ACS logs.
>
> Should the CA wildcard certificate issuer & CN be in the “presented these
> certificates” section of log?
>
>
> 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) A client/agent attempting connection from
> address=10.#.#.# has presented these certificate(s):
> Certificate [1] :
> Serial: 85b01fc4f045cf08
>   Not Before:Thu Jul 01 01:03:33 EDT 2021
>   Not After:Fri Jul 01 13:03:33 EDT 2022
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> Certificate [2] :
> Serial: 3b2fcee96e685c62
>   Not Before:Mon May 03 00:43:22 EDT 2021
>   Not After:Wed Apr 26 12:43:22 EDT 2051
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:CN=ca.cloudstack.apache.org
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:null
>
> 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) Certificate ownership verification failed
> for client: 10.#.#.#
> 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Certificate ownership verification failed for client: 10.#.#.#,
> for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Empty server certificate chain, for local
> address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
>
>
>
>
> From: Corey, Mike 
> Sent: Thursday, July 1, 2021 10:33 AM
> To: users 
> Subject: [CAUTION] Console Proxy & SSL
>
> Hi,
>
> I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS
> UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> server as the CN.  The certificate is valid and the Management UI
> connection is secured in the web browser.
>
> I’m now trying to modify the Console Proxy SSL Certificate based on this
> page:
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
>
> I have created the wildcard CA issued certificate as *. along
> with the unencrypted key per the steps on above wiki page.
>
> After the changes are made in the UI under Infrastructure – SSL
> Certificates, the consolevm reboots; however it doesn’t appear it is
> loading my CA certificate with the wildcard.
>
> Answer this please --- I should be able to have two separate certificates:
> one for the UI management (FQDN of ACS) and one for console proxy session
> (wildcard).
>
> I had this on the 4.14 lab implementation but unfortunately my build notes
> on this step were poor ☹.
>
>
> Mike Corey
>
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> US
>
> SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> States
>
> T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
>
>
>
>
>

-- 

Andrija Panić
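
Added example (not part of the original messages and not CloudStack code): a small Python parser for the RootCACustomTrustManager block quoted in this thread. It lists each presented certificate and marks the ones issued by the built-in CloudStack CA, i.e. the agent-to-management certificates Andrija describes, so they are not mistaken for the uploaded console proxy certificate. The sample log is constructed from the excerpt above with placeholder addresses; all function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Issuer CN of the built-in CloudStack CA, as it appears in the log quoted in this thread.
INTERNAL_CA_CN = "ca.cloudstack.apache.org"
# Java prints subjectAltName entries as [type, value]: 2 = dNSName, 7 = iPAddress.
SAN_TYPES = {2: "DNS", 7: "IP"}

# Constructed sample: same layout as the excerpt in the thread, unwrapped, with
# placeholder addresses in place of the redacted 10.#.#.# values.
SAMPLE_LOG = """\
2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=10.0.0.17 has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.0.0.17], [7, 10.0.0.18], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null

2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) Certificate ownership verification failed for client: 10.0.0.17
2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap data: Certificate ownership verification failed for client: 10.0.0.17, for local address=/10.0.0.1:8250, remote address=/10.0.0.17:36082.
"""

LOG_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} (\w+)\s+\[([^\]]+)\]")
PRESENTED = re.compile(r"address=(\S+) has presented these certificate")
CERT_HDR = re.compile(r"^Certificate \[(\d+)\]")
FIELD = re.compile(
    r"^\s*(Serial|Not Before|Not After|Subject DN|Issuer DN|Alternative Names):\s*(.*)$")


@dataclass
class PresentedCert:
    index: int
    fields: dict = field(default_factory=dict)

    def cn(self, which):
        """Common name from 'Subject DN' or 'Issuer DN', or None if absent."""
        m = re.search(r"(?:^|,\s*)CN=([^,]+)", self.fields.get(which, ""))
        return m.group(1).strip() if m else None

    def sans(self):
        """Subject alternative names as (kind, value) pairs; 'null' yields []."""
        raw = self.fields.get("Alternative Names", "")
        return [(SAN_TYPES.get(int(t), t), v.strip())
                for t, v in re.findall(r"\[(\d+), ([^\]]+)\]", raw)]


def classify(cert):
    """Label a certificate by who issued it."""
    subject, issuer = cert.fields.get("Subject DN"), cert.fields.get("Issuer DN")
    if cert.cn("Issuer DN") == INTERNAL_CA_CN:
        # Self-issued means it is the internal CA itself; otherwise an agent/system VM cert.
        return "internal-ca-root" if subject == issuer else "internal-agent"
    return "external"


def parse_handshakes(log_text):
    """Group each 'has presented these certificate(s)' block with its follow-up errors."""
    events, event, cert = [], None, None
    for line in log_text.splitlines():
        if LOG_LINE.match(line):          # a new timestamped log record
            cert = None
            m = PRESENTED.search(line)
            if m:
                event = {"client": m.group(1), "certs": [], "errors": []}
                events.append(event)
            elif event and " ERROR " in line and event["client"] in line:
                event["errors"].append(line.split("(logid:)", 1)[-1].strip())
            continue
        if event is None:
            continue
        m = CERT_HDR.match(line)          # continuation lines: certificate details
        if m:
            cert = PresentedCert(int(m.group(1)))
            event["certs"].append(cert)
            continue
        m = FIELD.match(line)
        if m and cert is not None:
            cert.fields[m.group(1)] = m.group(2).strip()
    return events


def summarize(events):
    """One row per certificate: (client, position in chain, subject CN, label)."""
    return [(ev["client"], c.index, c.cn("Subject DN"), classify(c))
            for ev in events for c in ev["certs"]]


if __name__ == "__main__":
    for row in summarize(parse_handshakes(SAMPLE_LOG)):
        print(row)
```

A custom wildcard certificate would come out as `external`; both entries in the sample come out as internal, which matches the explanation that this log is about the agent connection on port 8250 and not the console proxy HTTPS endpoint.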


RE: Console Proxy & SSL

2021-07-01 Thread Corey, Mike
To help me with troubleshooting, could one of the developers let me know where 
the wildcard certificate is loaded into the ssvm and consolevm?  Is there a way 
to verify the custom wildcard cert I’ve uploaded is where it should be? I’m 
seeing this error in the ACS logs.

Should the CA wildcard certificate issuer & CN be in the “presented these 
certificates” section of log?


2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] 
(pool-13-thread-1:null) (logid:) A client/agent attempting connection from 
address=10.#.#.# has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null

2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] 
(pool-13-thread-1:null) (logid:) Certificate ownership verification failed for 
client: 10.#.#.#
2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap 
data: Certificate ownership verification failed for client: 10.#.#.#, for local 
address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap 
data: Empty server certificate chain, for local address=/10.#.#.#:8250, remote 
address=/10.#.#.##:36084.




From: Corey, Mike 
Sent: Thursday, July 1, 2021 10:33 AM
To: users 
Subject: [CAUTION] Console Proxy & SSL

Hi,

I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS UI 
with a CA issued certificate.  This certificate has the FQDN of my ACS server 
as the CN.  The certificate is valid and the Management UI connection is 
secured in the web browser.

I’m now trying to modify the Console Proxy SSL Certificate based on this page: 
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

I have created the wildcard CA issued certificate as *. along with 
the unencrypted key per the steps on above wiki page.

After the changes are made in the UI under Infrastructure – SSL Certificates, 
the consolevm reboots; however it doesn’t appear it is loading my CA 
certificate with the wildcard.

Answer this please --- I should be able to have two separate certificates: one 
for the UI management (FQDN of ACS) and one for console proxy session 
(wildcard).

I had this on the 4.14 lab implementation but unfortunately my build notes on 
this step were poor ☹.


Mike Corey

Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US

SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States

T +1 610 661 0905, M +1 484 274 2658, E 
mike.co...@sap.com






Re: Console Proxy SSL Error

2014-05-11 Thread Ian Service
I had the exact same issue Konstantinos, but by URL encoding the
certificates they all were accepted and then functioned correctly.

- Ian


On Tue, May 6, 2014 at 10:29 AM, Konstantinos Karampogias <
konstantinos.karampog...@centralway.com> wrote:

> I was also able to upload the root certificate and the intermediate
> certificate using exactly
> the script in this link
>
> http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html
>
> I was not able to put my certificate and private key using the script,
> but i did it through the cloudstack web interface.
>
> A tip is to use api to get the error, for example when i was failing i
> was getting the error
> " cs job query cfa55630-6a76-4128-a759-469224ddee4f  -e cs3-admin
> accountid : 40ed3d8c-cae2-11e3-8f1a-001e67a0a266
> userid : 40ed6f44-cae2-11e3-8f1a-001e67a0a266
> cmd :
> org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
> jobstatus : 2
> jobprocstatus : 0
> jobresultcode : 530
> jobresulttype : object
> jobresult :errorcode : 530
>errortext : Failed to pass certificate validation check
> created : 2014-05-06T15:47:52+0200
> jobid : cfa55630-6a76-4128-a759-469224ddee4f"
>
>
> when i succeeded  i got
> "$ cs job query 686d4d71-94da-4b27-9629-9067793147fa -e cs3-admin
> accountid : 40ed3d8c-cae2-11e3-8f1a-001e67a0a266
> userid : 40ed6f44-cae2-11e3-8f1a-001e67a0a266
> cmd :
> org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
> jobstatus : 1
> jobprocstatus : 0
> jobresultcode : 0
> jobresulttype : object
> jobresult :customcertificate : {"message"=>"Certificate has been
> updated, we will stop all running console proxy VMs and secondary
> storage VMs to propagate the new certificate, please give a few
> minutes for console access service to be up again"}
> created : 2014-05-06T15:56:31+0200
> jobid : 686d4d71-94da-4b27-9629-9067793147fa
> "
>
> After you verify that all keys are there, verify also the console
> proxy is being restarted.
>
>
>
> On Tue, May 6, 2014 at 1:21 PM, Ian Service  wrote:
> > I was able to get it all to work using the API.
> >
> > I followed Chip's advice
> >
> http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html
> >
> > The difference is that I'm using my own CloudStack API wrapper in PHP
> > and the certificates and private key needed to be url encoded twice (once
> > for normal URL transmission and once before that for transmission into
> the
> > system) before they would be pushed out correctly to the system VMs.  I
> > also replaced all newlines with \r\n and trimmed off the white space from
> > beginning and end of the strings for good measure.
> >
> > Before I discovered that, the certificates would look like they had been
> > imported correctly in the database but were being prevented from being
> used
> > on the Java end of things.
> >
> > - Ian
> >
> >
> >
> > On Tue, May 6, 2014 at 2:17 AM, Gopala Krishnan  >wrote:
> >
> >> Yes... I have changed manually id in keystore tables.
> >>
> >> 1 for root cert
> >> 2 for intermediate CA
> >> 3 for certificate
> >>
> >>
> >>
> >>
> >> On Tue, May 6, 2014 at 10:47 AM, Amogh Vasekar <
> amogh.vase...@citrix.com
> >> >wrote:
> >>
> >> > Can you please outline the steps in uploading intermediate and root
> >> > certificates? Specifically, was the "id" parameter set (1 for root, 2
> for
> >> > intermediate_ca_1 etc..)
> >> >
> >> > Amogh
> >> >
> >> > On 5/5/14 10:10 PM, "Gopala Krishnan"  wrote:
> >> >
> >> > >Amogh,
> >> > >
> >> > >Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
> >> > >certificate as per order.  But still not console accessible.
> >> > >
> >> > >Any idea?
> >> > >
> >> > >
> >> > >
> >> > >On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
> >> > >wrote:
> >> > >
> >> > >> Hi,
> >> > >>
> >> > >> Which version are you on? Also, did you upload the root and
> >> intermediate
> >> > >> certificates (if any)?
> >> > >>
> >> > >> Amogh
> >> > >>
> >> > >> On 5/3/14 3:38 AM, "Gopala Krishnan" 
> wrote:
> >> > >>
> >> > >> >Hi,
> >> > >> >
> >> > >> >I have tried to change realhostip.com for console proxy. I have
> >> > created
> >> > >> >SSL
> >> > >> >certificate with wildcard SSL and updated as per the cloudstack
> >> > >>document.
> >> > >> >
> >> > >> >
> >> > >>
> >> > >>
> >> >
> >>
> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/l
> >> > >>a
> >> > >> >test/systemvm.html#console-proxy
> >> > >> >
> >> > >> >Its not working.. I have done the following steps.
> >> > >> >
> >> > >> >Purchased SSL certificate for my domain *.hostname.com and
> updated
> >> the
> >> > >> >certificate via the cloudstack UI.
> >> > >> >
> >> > >> >Infrastructure - > SSL certificate
> >> > >> >
> >> > >> >Pasted the certificate
> >> > >> >Pasted the Key
> >> > >> >DNS domain = hostname.com
> >> > >> >
> >> > >> >Once completed, I have optimized the global settings
> >> > >> >
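
Added example (not from the original posts; Ian's PHP wrapper is not shown in the thread): a Python sketch of the preparation he describes (trim, newlines to \r\n, URL-encode) and of why an under-encoded PEM arrives damaged, since every form-style decoding pass turns a literal `+` into a space. The PEM body is a constructed dummy, and the number of decoding hops is a parameter of this example, not a statement about CloudStack internals.

```python
import re
from urllib.parse import quote, unquote_plus

# Constructed dummy PEM (not a real certificate); the body deliberately contains
# '+', '/' and '=' and is padded with stray whitespace, as pasted input often is.
DUMMY_PEM = """
  -----BEGIN CERTIFICATE-----
MIIB+zCCAWSgAwIBAgIJAKx/Zm9vYmFyMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
BAMMCWV4YW1wbGUrMTAeFw0yMTA1MDMwNDQzMjJaFw0yMjA1MDMwNDQzMjJaMA==
-----END CERTIFICATE-----

"""

BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def normalize_pem(pem):
    """Trim the block and each line, drop empty lines, join with CRLF."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    return "\r\n".join(lines)


def encode(value, passes):
    """Percent-encode `passes` times; safe='' so '+', '/', '=' and CR/LF are all escaped."""
    for _ in range(passes):
        value = quote(value, safe="")
    return value


def receive(value, hops):
    """Form-style URL decoding ('+' means space), applied once per hop.

    The hop count is an assumption of this example: one for the HTTP layer,
    a second one if some later component decodes the parameter again.
    """
    for _ in range(hops):
        value = unquote_plus(value)
    return value


def pem_is_intact(pem):
    """Structural check: BEGIN/END markers present and every body line is base64."""
    lines = pem.split("\r\n")
    if len(lines) < 3:
        return False
    if not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        return False
    return all(BASE64_LINE.match(ln) for ln in lines[1:-1])


def survives(pem, encode_passes, decode_hops):
    """True if the normalized PEM arrives byte-for-byte after transport."""
    clean = normalize_pem(pem)
    arrived = receive(encode(clean, encode_passes), decode_hops)
    return arrived == clean and pem_is_intact(arrived)


def damaged_lines(pem, encode_passes, decode_hops):
    """Body lines that no longer parse as base64 after transport."""
    arrived = receive(encode(normalize_pem(pem), encode_passes), decode_hops)
    return [ln for ln in arrived.split("\r\n")[1:-1] if not BASE64_LINE.match(ln)]


if __name__ == "__main__":
    for enc, dec in [(0, 1), (1, 1), (1, 2), (2, 2)]:
        print(f"encode x{enc}, decode x{dec}: intact={survives(DUMMY_PEM, enc, dec)}")
    print("damaged after encode x1, decode x2:", damaged_lines(DUMMY_PEM, 1, 2))
```

When the stored value still looks like a certificate but is rejected later, comparing it line by line against the original with a check like `pem_is_intact` shows whether a `+` was lost in transit.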

Re: Console Proxy SSL Error

2014-05-06 Thread Konstantinos Karampogias
I was also able to upload the root certificate and the intermediate
certificate using exactly
the script in this link
http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html

I was not able to put my certificate and private key using the script,
but i did it through the cloudstack web interface.

A tip is to use api to get the error, for example when i was failing i
was getting the error
" cs job query cfa55630-6a76-4128-a759-469224ddee4f  -e cs3-admin
accountid : 40ed3d8c-cae2-11e3-8f1a-001e67a0a266
userid : 40ed6f44-cae2-11e3-8f1a-001e67a0a266
cmd : 
org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
jobstatus : 2
jobprocstatus : 0
jobresultcode : 530
jobresulttype : object
jobresult :errorcode : 530
   errortext : Failed to pass certificate validation check
created : 2014-05-06T15:47:52+0200
jobid : cfa55630-6a76-4128-a759-469224ddee4f"


when i succeeded  i got
"$ cs job query 686d4d71-94da-4b27-9629-9067793147fa -e cs3-admin
accountid : 40ed3d8c-cae2-11e3-8f1a-001e67a0a266
userid : 40ed6f44-cae2-11e3-8f1a-001e67a0a266
cmd : 
org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
jobstatus : 1
jobprocstatus : 0
jobresultcode : 0
jobresulttype : object
jobresult :customcertificate : {"message"=>"Certificate has been
updated, we will stop all running console proxy VMs and secondary
storage VMs to propagate the new certificate, please give a few
minutes for console access service to be up again"}
created : 2014-05-06T15:56:31+0200
jobid : 686d4d71-94da-4b27-9629-9067793147fa
"

After you verify that all keys are there, verify also the console
proxy is being restarted.



On Tue, May 6, 2014 at 1:21 PM, Ian Service  wrote:
> I was able to get it all to work using the API.
>
> I followed Chip's advice
> http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html
>
> The difference is that I'm using my own CloudStack API wrapper in PHP
> and the certificates and private key needed to be url encoded twice (once
> for normal URL transmission and once before that for transmission into the
> system) before they would be pushed out correctly to the system VMs.  I
> also replaced all newlines with \r\n and trimmed off the white space from
> beginning and end of the strings for good measure.
>
> Before I discovered that, the certificates would look like they had been
> imported correctly in the database but were being prevented from being used
> on the Java end of things.
>
> - Ian
>
>
>
> On Tue, May 6, 2014 at 2:17 AM, Gopala Krishnan wrote:
>
>> Yes... I have changed manually id in keystore tables.
>>
>> 1 for root cert
>> 2 for intermediate CA
>> 3 for certificate
>>
>>
>>
>>
>> On Tue, May 6, 2014 at 10:47 AM, Amogh Vasekar > >wrote:
>>
>> > Can you please outline the steps in uploading intermediate and root
>> > certificates? Specifically, was the "id" parameter set (1 for root, 2 for
>> > intermediate_ca_1 etc..)
>> >
>> > Amogh
>> >
>> > On 5/5/14 10:10 PM, "Gopala Krishnan"  wrote:
>> >
>> > >Amogh,
>> > >
>> > >Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
>> > >certificate as per order.  But still not console accessible.
>> > >
>> > >Any idea?
>> > >
>> > >
>> > >
>> > >On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
>> > >wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> Which version are you on? Also, did you upload the root and
>> intermediate
>> > >> certificates (if any)?
>> > >>
>> > >> Amogh
>> > >>
>> > >> On 5/3/14 3:38 AM, "Gopala Krishnan"  wrote:
>> > >>
>> > >> >Hi,
>> > >> >
>> > >> >I have tried to change realhostip.com for console proxy. I have
>> > created
>> > >> >SSL
>> > >> >certificate with wildcard SSL and updated as per the cloudstack
>> > >>document.
>> > >> >
>> > >> >
>> > >>
>> > >>
>> >
>> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/l
>> > >>a
>> > >> >test/systemvm.html#console-proxy
>> > >> >
>> > >> >Its not working.. I have done the following steps.
>> > >> >
>> > >> >Purchased SSL certificate for my domain *.hostname.com and updated
>> the
>> > >> >certificate via the cloudstack UI.
>> > >> >
>> > >> >Infrastructure - > SSL certificate
>> > >> >
>> > >> >Pasted the certificate
>> > >> >Pasted the Key
>> > >> >DNS domain = hostname.com
>> > >> >
>> > >> >Once completed, I have optimized the global settings
>> > >> >
>> > >> >consoleproxy.url.domain = hostname.com
>> > >> >
>> > >> >
>> > >> >When I click console for VM, It shows certificate trusted errors.
>> May I
>> > >> >know what I done wrong??
>> > >> >
>> > >> >
>> > >> >--
>> > >> >Gopala Krishnan.S
>> > >> >Mobile : +91 9865709094 / +91 9994874447
>> > >> >*cPanel KnowledgeBase *
>> > >> >*Linux Server Admin Tools* 
>> > >>
>> > >>
>> > >
>> > >
>> > >--
>> > >Gopala Krishnan.S
>> > >Mobile : +91 9865709094 / +91 9994874447
>> > >*cPanel KnowledgeBase 

Re: Console Proxy SSL Error

2014-05-06 Thread Ian Service
I was able to get it all to work using the API.

I followed Chip's advice
http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html

The difference is that I'm using my own CloudStack API wrapper in PHP
and the certificates and private key needed to be url encoded twice (once
for normal URL transmission and once before that for transmission into the
system) before they would be pushed out correctly to the system VMs.  I
also replaced all newlines with \r\n and trimmed off the white space from
beginning and end of the strings for good measure.

Before I discovered that, the certificates would look like they had been
imported correctly in the database but were being prevented from being used
on the Java end of things.

- Ian



On Tue, May 6, 2014 at 2:17 AM, Gopala Krishnan wrote:

> Yes... I have changed manually id in keystore tables.
>
> 1 for root cert
> 2 for intermediate CA
> 3 for certificate
>
>
>
>
> On Tue, May 6, 2014 at 10:47 AM, Amogh Vasekar  >wrote:
>
> > Can you please outline the steps in uploading intermediate and root
> > certificates? Specifically, was the "id" parameter set (1 for root, 2 for
> > intermediate_ca_1 etc..)
> >
> > Amogh
> >
> > On 5/5/14 10:10 PM, "Gopala Krishnan"  wrote:
> >
> > >Amogh,
> > >
> > >Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
> > >certificate as per order.  But still not console accessible.
> > >
> > >Any idea?
> > >
> > >
> > >
> > >On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
> > >wrote:
> > >
> > >> Hi,
> > >>
> > >> Which version are you on? Also, did you upload the root and
> intermediate
> > >> certificates (if any)?
> > >>
> > >> Amogh
> > >>
> > >> On 5/3/14 3:38 AM, "Gopala Krishnan"  wrote:
> > >>
> > >> >Hi,
> > >> >
> > >> >I have tried to change realhostip.com for console proxy. I have
> > created
> > >> >SSL
> > >> >certificate with wildcard SSL and updated as per the cloudstack
> > >>document.
> > >> >
> > >> >
> > >>
> > >>
> >
> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/l
> > >>a
> > >> >test/systemvm.html#console-proxy
> > >> >
> > >> >Its not working.. I have done the following steps.
> > >> >
> > >> >Purchased SSL certificate for my domain *.hostname.com and updated
> the
> > >> >certificate via the cloudstack UI.
> > >> >
> > >> >Infrastructure - > SSL certificate
> > >> >
> > >> >Pasted the certificate
> > >> >Pasted the Key
> > >> >DNS domain = hostname.com
> > >> >
> > >> >Once completed, I have optimized the global settings
> > >> >
> > >> >consoleproxy.url.domain = hostname.com
> > >> >
> > >> >
> > >> >When I click console for VM, It shows certificate trusted errors.
> May I
> > >> >know what I done wrong??
> > >> >
> > >> >
> > >> >--
> > >> >Gopala Krishnan.S
> > >> >Mobile : +91 9865709094 / +91 9994874447
> > >> >*cPanel KnowledgeBase *
> > >> >*Linux Server Admin Tools* 
> > >>
> > >>
> > >
> > >
> > >--
> > >Gopala Krishnan.S
> > >Mobile : +91 9865709094 / +91 9994874447
> > >*cPanel KnowledgeBase *
> > >*Linux Server Admin Tools* 
> >
> >
>
>
> --
> Gopala Krishnan.S
> Mobile : +91 9865709094 / +91 9994874447
> *cPanel KnowledgeBase *
> *Linux Server Admin Tools* 
>
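The preparation described in Ian's message above (trim, \r\n line endings, URL-encode twice), as an added Python example that is not part of the thread or of CloudStack. The `server_view` model of two form-style decodes on the receiving side is an assumption inferred from that message, the parameter names are the ones visible in the API log quoted elsewhere on this page, and the sample PEM is constructed dummy data.

```python
import base64
import re
from urllib.parse import quote, unquote_plus

# Constructed sample: a PEM wrapper around dummy bytes, NOT a real certificate.
# The bytes are chosen so the base64 body contains '+', which form-style
# decoding turns into a space.
DUMMY_DER = bytes([0xFB, 0xEF, 0xBE, 0x00, 0x10, 0x83]) * 24
B64 = base64.b64encode(DUMMY_DER).decode()
SAMPLE_PEM = (
    "  \n-----BEGIN CERTIFICATE-----\n"
    + "\n".join(B64[i:i + 64] for i in range(0, len(B64), 64))
    + "\n-----END CERTIFICATE-----\n\n"
)

PEM_RE = re.compile(
    r"\A-----BEGIN ([A-Z ]+)-----\r\n"
    r"((?:[A-Za-z0-9+/=]+\r\n)+)"
    r"-----END \1-----\Z"
)


def normalize_pem(pem):
    """Trim outer whitespace and switch to CRLF line endings."""
    if "\\n" in pem or "\\r" in pem:
        # Backslash followed by 'n' is two characters, not a line break.
        raise ValueError("PEM contains literal backslash escapes")
    return "\r\n".join(line.strip() for line in pem.strip().splitlines())


def pem_body(pem):
    """Decoded payload of one normalized PEM block; ValueError if malformed."""
    match = PEM_RE.match(pem)
    if not match:
        raise ValueError("not a single well-formed CRLF PEM block")
    return base64.b64decode(match.group(2).replace("\r\n", ""), validate=True)


def encode_for_upload(pem):
    """Inner encoding, applied before the value is handed to the API client."""
    return quote(normalize_pem(pem), safe="")


def query_value(pem):
    """Value as it appears in the URL: inner encoding, then encoded once more."""
    return quote(encode_for_upload(pem), safe="")


def server_view(wire_value, decodes=2):
    """Assumed receiver: two form-style decodes, each mapping '+' to a space."""
    value = wire_value
    for _ in range(decodes):
        value = unquote_plus(value)
    return value


def diagnose(wire_value):
    """List what is wrong with the PEM the receiver would recover."""
    recovered = server_view(wire_value)
    problems = []
    if "\\n" in recovered or "\\r" in recovered:
        problems.append("literal backslash escapes instead of line breaks")
    if recovered != recovered.strip():
        problems.append("leading or trailing whitespace")
    try:
        pem_body(recovered)
    except ValueError:
        problems.append("not a well-formed CRLF PEM block after decoding")
    return problems


def upload_query(pem, cert_id, name, domain_suffix):
    """Unsigned query string; apiKey and signature are left to the API client."""
    params = {
        "command": "uploadCustomCertificate",
        "id": str(cert_id),
        "name": name,
        "domainsuffix": domain_suffix,
        "certificate": encode_for_upload(pem),
    }
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))


if __name__ == "__main__":
    print(diagnose(query_value(SAMPLE_PEM)))                      # double-encoded
    print(diagnose(quote(normalize_pem(SAMPLE_PEM), safe="")))    # encoded once
```

Under this model a value encoded only once loses every `+` in the base64 body at the second decode, which matches the symptom of a certificate that is stored but unusable.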


Re: Console Proxy SSL Error

2014-05-05 Thread Gopala Krishnan
Yes... I have manually changed the id in the keystore tables.

1 for root cert
2 for intermediate CA
3 for certificate




On Tue, May 6, 2014 at 10:47 AM, Amogh Vasekar wrote:

> Can you please outline the steps in uploading intermediate and root
> certificates? Specifically, was the "id" parameter set (1 for root, 2 for
> intermediate_ca_1 etc..)
>
> Amogh
>
> On 5/5/14 10:10 PM, "Gopala Krishnan"  wrote:
>
> >Amogh,
> >
> >Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
> >certificate as per order.  But still not console accessible.
> >
> >Any idea?
> >
> >
> >
> >On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
> >wrote:
> >
> >> Hi,
> >>
> >> Which version are you on? Also, did you upload the root and intermediate
> >> certificates (if any)?
> >>
> >> Amogh
> >>
> >> On 5/3/14 3:38 AM, "Gopala Krishnan"  wrote:
> >>
> >> >Hi,
> >> >
> >> >I have tried to change realhostip.com for console proxy. I have
> created
> >> >SSL
> >> >certificate with wildcard SSL and updated as per the cloudstack
> >>document.
> >> >
> >> >
> >>
> >>
> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/l
> >>a
> >> >test/systemvm.html#console-proxy
> >> >
> >> >Its not working.. I have done the following steps.
> >> >
> >> >Purchased SSL certificate for my domain *.hostname.com and updated the
> >> >certificate via the cloudstack UI.
> >> >
> >> >Infrastructure - > SSL certificate
> >> >
> >> >Pasted the certificate
> >> >Pasted the Key
> >> >DNS domain = hostname.com
> >> >
> >> >Once completed, I have optimized the global settings
> >> >
> >> >consoleproxy.url.domain = hostname.com
> >> >
> >> >
> >> >When I click console for VM, It shows certificate trusted errors. May I
> >> >know what I done wrong??
> >> >
> >> >
> >> >--
> >> >Gopala Krishnan.S
> >> >Mobile : +91 9865709094 / +91 9994874447
> >> >*cPanel KnowledgeBase *
> >> >*Linux Server Admin Tools* 
> >>
> >>
> >
> >
> >--
> >Gopala Krishnan.S
> >Mobile : +91 9865709094 / +91 9994874447
> >*cPanel KnowledgeBase *
> >*Linux Server Admin Tools* 
>
>


-- 
Gopala Krishnan.S
Mobile : +91 9865709094 / +91 9994874447
*cPanel KnowledgeBase *
*Linux Server Admin Tools* 


Re: Console Proxy SSL Error

2014-05-05 Thread Amogh Vasekar
Can you please outline the steps in uploading intermediate and root
certificates? Specifically, was the "id" parameter set (1 for root, 2 for
intermediate_ca_1 etc..)

Amogh

On 5/5/14 10:10 PM, "Gopala Krishnan"  wrote:

>Amogh,
>
>Yes.. I am used Cloudstack 4.2 and uploaded root and intermediate CA
>certificate as per order.  But still not console accessible.
>
>Any idea?
>
>
>
>On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar
>wrote:
>
>> Hi,
>>
>> Which version are you on? Also, did you upload the root and intermediate
>> certificates (if any)?
>>
>> Amogh
>>
>> On 5/3/14 3:38 AM, "Gopala Krishnan"  wrote:
>>
>> >Hi,
>> >
>> >I have tried to change realhostip.com for console proxy. I have created
>> >SSL
>> >certificate with wildcard SSL and updated as per the cloudstack
>>document.
>> >
>> >
>> 
>>http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/l
>>a
>> >test/systemvm.html#console-proxy
>> >
>> >Its not working.. I have done the following steps.
>> >
>> >Purchased SSL certificate for my domain *.hostname.com and updated the
>> >certificate via the cloudstack UI.
>> >
>> >Infrastructure - > SSL certificate
>> >
>> >Pasted the certificate
>> >Pasted the Key
>> >DNS domain = hostname.com
>> >
>> >Once completed, I have optimized the global settings
>> >
>> >consoleproxy.url.domain = hostname.com
>> >
>> >
>> >When I click console for VM, It shows certificate trusted errors. May I
>> >know what I done wrong??
>> >
>> >
>> >--
>> >Gopala Krishnan.S
>> >Mobile : +91 9865709094 / +91 9994874447
>> >*cPanel KnowledgeBase *
>> >*Linux Server Admin Tools* 
>>
>>
>
>
>-- 
>Gopala Krishnan.S
>Mobile : +91 9865709094 / +91 9994874447
>*cPanel KnowledgeBase *
>*Linux Server Admin Tools* 



Re: Console Proxy SSL Error

2014-05-05 Thread Gopala Krishnan
Amogh,

Yes.. I am using CloudStack 4.2 and uploaded root and intermediate CA
certificate as per order.  But the console is still not accessible.

Any idea?



On Sat, May 3, 2014 at 11:58 PM, Amogh Vasekar wrote:

> Hi,
>
> Which version are you on? Also, did you upload the root and intermediate
> certificates (if any)?
>
> Amogh
>
> On 5/3/14 3:38 AM, "Gopala Krishnan"  wrote:
>
> >Hi,
> >
> >I have tried to change realhostip.com for console proxy. I have created
> >SSL
> >certificate with wildcard SSL and updated as per the cloudstack document.
> >
> >
> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/la
> >test/systemvm.html#console-proxy
> >
> >Its not working.. I have done the following steps.
> >
> >Purchased SSL certificate for my domain *.hostname.com and updated the
> >certificate via the cloudstack UI.
> >
> >Infrastructure - > SSL certificate
> >
> >Pasted the certificate
> >Pasted the Key
> >DNS domain = hostname.com
> >
> >Once completed, I have optimized the global settings
> >
> >consoleproxy.url.domain = hostname.com
> >
> >
> >When I click console for VM, It shows certificate trusted errors. May I
> >know what I done wrong??
> >
> >
> >--
> >Gopala Krishnan.S
> >Mobile : +91 9865709094 / +91 9994874447
> >*cPanel KnowledgeBase *
> >*Linux Server Admin Tools* 
>
>


-- 
Gopala Krishnan.S
Mobile : +91 9865709094 / +91 9994874447
*cPanel KnowledgeBase *
*Linux Server Admin Tools* 


Re: Console Proxy SSL Error

2014-05-03 Thread Amogh Vasekar
Hi,

Which version are you on? Also, did you upload the root and intermediate
certificates (if any)?

Amogh

On 5/3/14 3:38 AM, "Gopala Krishnan"  wrote:

>Hi,
>
>I have tried to change realhostip.com for console proxy. I have created
>SSL
>certificate with wildcard SSL and updated as per the cloudstack document.
>
>http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/la
>test/systemvm.html#console-proxy
>
>Its not working.. I have done the following steps.
>
>Purchased SSL certificate for my domain *.hostname.com and updated the
>certificate via the cloudstack UI.
>
>Infrastructure - > SSL certificate
>
>Pasted the certificate
>Pasted the Key
>DNS domain = hostname.com
>
>Once completed, I have optimized the global settings
>
>consoleproxy.url.domain = hostname.com
>
>
>When I click console for VM, It shows certificate trusted errors. May I
>know what I done wrong??
>
>
>-- 
>Gopala Krishnan.S
>Mobile : +91 9865709094 / +91 9994874447
>*cPanel KnowledgeBase *
>*Linux Server Admin Tools* 



Re: Console Proxy SSL Certificate

2013-11-05 Thread John Kinsella
Self-signed is fine, just need to store it in the keystore as described on 
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Enabling+SSL+in+the+CloudStack+UI

On Nov 5, 2013, at 10:05 AM, Paulo Ricardo 
 wrote:

> Hello everybody,
> 
> After I generate a new 2048-bit private key and generate a new certificate
> CSR, do I need purchase a Certificate SSL? Or may I do a Certificate SSL
> self signed?
> 
> Thanks,
> 
> Paulo.



Re: Console Proxy SSL

2013-07-01 Thread Chip Childers
On Fri, Jun 21, 2013 at 09:49:42AM -0400, Billy Ramsay wrote:
> Thanks for catching that!
> 
> Is there any way to get around the API call for this? During my research on
> this issue, I found a few references to folks who had inserted the certs
> directly into the database, bypassing the API when they could not get it to
> work. Is this feasible? I was hoping to use 4.1.0 for an impending
> deployment next week, and this is the last roadblock.
> 
> Thanks again!
> 
> -WPR

It's feasible, but not particularly easy to get the formatting right.  I
suggest playing with it a bit, and before you do so...  check the
formatting of the rows in the table before you change them.

> 
> -----Original Message-----
> From: Pranav Saxena [mailto:pranav.sax...@citrix.com] 
> Sent: Friday, June 21, 2013 9:41 AM
> To: users@cloudstack.apache.org
> Subject: RE: Console Proxy SSL
> 
> You are getting a NPE in your management server logs -
> /***
> 
> 
> Unexpected exception while executing
> org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
> java.lang.NullPointerException
> at
> com.cloud.server.ManagementServerImpl.uploadCertificate(ManagementServerImpl
> .java:2818)
> 
> 
> /
> 
> Perhaps you should raise a bug in this case. 
> 
> Thanks,
> Pranav
> 
> -----Original Message-----
> From: Billy Ramsay [mailto:bram...@dynamicquest.com]
> Sent: Friday, June 21, 2013 7:07 PM
> To: users@cloudstack.apache.org
> Subject: RE: Console Proxy SSL
> 
> >> Greetings,
> >> 
> >> We just completed a clean install of 4.1.0. I was able to 
> >> successfully upload a custom certificate for use by the console proxy 
> >> machines in our old
> >> 4.0.1 environment, but now I cannot get it to work for the life of me 
> >> in 4.1.0.
> >> 
> >> The UI just says "failed to update", as usual. I also tried to upload 
> >> via API, and the error I get is below:
> >> 
> >> errorcode = 530
> >> errortext = Command failed due to Internal Server Error
> >> 
> >> I have confirmed that the certificate and key are in the proper 
> >> format, as was used in our 4.0.1 environment.
> >> 
> >> Thanks in advance for any light you can shed on this!
> >> 
> >> -WPR
> >> 
> >> 
> >> 
> >
> >What do you see in the management server logs and / or API logs during
> >the upload process?
> 
> Absolutely nothing in either when I do it from the UI. I did a tail -f on
> one monitor while I tried to upload via the UI on another.
> 
> When I do it from cloudmonkey I get the output at the bottom (sanitized,
> including cert).
> 
> Thanks for looking into this!
> 
> 
> API log:
> 
> 2013-06-21 09:22:27,560 INFO  [cloud.api.ApiServer] (catalina-exec-21:null)
> (userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
> apiKey=x&certifi
> cate=-BEGIN+CERTIFICATE-%5Cn[URL-encoded certificate body removed]%5Cn-END+CERTIFICATE-&command=uploadCustomCertificate&domainsuffix=domain.com&id=1&name=ro
> ot&response=json&signature=CTlxx0YM%2FwfxPTR%2Fxx0%3D 200 {
> "uploadcustomcertificateresponse" :
> {"jobid":"5c293efd-dd23-4766-8e96-4a03e6a5f29e"} }
> 2013-06-21 09:22:29,613 INFO  [cloud.api.ApiS

RE: Console Proxy SSL

2013-06-21 Thread Billy Ramsay
Thanks for catching that!

Is there any way to get around the API call for this? During my research on
this issue, I found a few references to folks who had inserted the certs
directly into the database, bypassing the API when they could not get it to
work. Is this feasible? I was hoping to use 4.1.0 for an impending
deployment next week, and this is the last roadblock.

Thanks again!

-WPR

-----Original Message-----
From: Pranav Saxena [mailto:pranav.sax...@citrix.com] 
Sent: Friday, June 21, 2013 9:41 AM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy SSL

You are getting a NPE in your management server logs -
/***


Unexpected exception while executing
org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
java.lang.NullPointerException
at
com.cloud.server.ManagementServerImpl.uploadCertificate(ManagementServerImpl
.java:2818)


/

Perhaps you should raise a bug in this case. 

Thanks,
Pranav

-----Original Message-----
From: Billy Ramsay [mailto:bram...@dynamicquest.com]
Sent: Friday, June 21, 2013 7:07 PM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy SSL

>> Greetings,
>> 
>> We just completed a clean install of 4.1.0. I was able to 
>> successfully upload a custom certificate for use by the console proxy 
>> machines in our old
>> 4.0.1 environment, but now I cannot get it to work for the life of me 
>> in 4.1.0.
>> 
>> The UI just says "failed to update", as usual. I also tried to upload 
>> via API, and the error I get is below:
>> 
>> errorcode = 530
>> errortext = Command failed due to Internal Server Error
>> 
>> I have confirmed that the certificate and key are in the proper 
>> format, as was used in our 4.0.1 environment.
>> 
>> Thanks in advance for any light you can shed on this!
>> 
>> -WPR
>> 
>> 
>> 
>
>What do you see in the management server logs and / or API logs during
>the upload process?

Absolutely nothing in either when I do it from the UI. I did a tail -f on
one monitor while I tried to upload via the UI on another.

When I do it from cloudmonkey I get the output at the bottom (sanitized,
including cert).

Thanks for looking into this!


API log:

2013-06-21 09:22:27,560 INFO  [cloud.api.ApiServer] (catalina-exec-21:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
apiKey=x&certifi
cate=-BEGIN+CERTIFICATE-%5Cn[URL-encoded certificate body removed]%5Cn-END+CERTIFICATE-&command=uploadCustomCertificate&domainsuffix=domain.com&id=1&name=ro
ot&response=json&signature=CTlxx0YM%2FwfxPTR%2Fxx0%3D 200 {
"uploadcustomcertificateresponse" :
{"jobid":"5c293efd-dd23-4766-8e96-4a03e6a5f29e"} }
2013-06-21 09:22:29,613 INFO  [cloud.api.ApiServer] (catalina-exec-19:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
apiKey=&command=quer
yAsyncJobResult&jobid=5c293efd-dd23-4766-8e96-4a03e6a5f29e&response=json&sig
nature=YcxqT%2BmxxtqjMDyww%3D 200 {
"queryasyncjobresultresponse" :
{"accountid":"92562526-d9a9-11e2-a93b-b6bd483074cc","userid":"9256e632-d9a9-
11e2-a93b-b6bd483074cc","cmd":"org.apache.cloudstack.api.command.admin.resou
rce.UploadCustomCertificateCmd","jobstatus":2,"jobprocstatus":0,"jobresultco
de":530,"jobresulttype":"object","jobresult":{"errorcode":530,"errortext

RE: Console Proxy SSL

2013-06-21 Thread Pranav Saxena
You are getting a NPE in your management server logs - 
/***

Unexpected exception while executing 
org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd
java.lang.NullPointerException
at
com.cloud.server.ManagementServerImpl.uploadCertificate(ManagementServerImpl
.java:2818)

/

Perhaps you should raise a bug in this case. 

Thanks,
Pranav

-----Original Message-----
From: Billy Ramsay [mailto:bram...@dynamicquest.com] 
Sent: Friday, June 21, 2013 7:07 PM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy SSL

>> Greetings,
>> 
>> We just completed a clean install of 4.1.0. I was able to 
>> successfully upload a custom certificate for use by the console proxy 
>> machines in our old
>> 4.0.1 environment, but now I cannot get it to work for the life of me 
>> in 4.1.0.
>> 
>> The UI just says "failed to update", as usual. I also tried to upload 
>> via API, and the error I get is below:
>> 
>> errorcode = 530
>> errortext = Command failed due to Internal Server Error
>> 
>> I have confirmed that the certificate and key are in the proper 
>> format, as was used in our 4.0.1 environment.
>> 
>> Thanks in advance for any light you can shed on this!
>> 
>> -WPR
>> 
>> 
>> 
>
>What do you see in the management server logs and / or API logs during
>the upload process?

Absolutely nothing in either when I do it from the UI. I did a tail -f on one 
monitor while I tried to upload via the UI on another.

When I do it from cloudmonkey I get the output at the bottom (sanitized, 
including cert).

Thanks for looking into this!


API log:

2013-06-21 09:22:27,560 INFO  [cloud.api.ApiServer] (catalina-exec-21:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET 
apiKey=x&certifi
cate=-BEGIN+CERTIFICATE-%5Cn[URL-encoded certificate body removed]%5Cn-END+CERTIFICATE-&command=uploadCustomCertificate&domainsuffix=domain.com&id=1&name=ro
ot&response=json&signature=CTlxx0YM%2FwfxPTR%2Fxx0%3D 200 { 
"uploadcustomcertificateresponse" :
{"jobid":"5c293efd-dd23-4766-8e96-4a03e6a5f29e"} }
2013-06-21 09:22:29,613 INFO  [cloud.api.ApiServer] (catalina-exec-19:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET 
apiKey=&command=quer
yAsyncJobResult&jobid=5c293efd-dd23-4766-8e96-4a03e6a5f29e&response=json&sig
nature=YcxqT%2BmxxtqjMDyww%3D 200 { "queryasyncjobresultresponse" :
{"accountid":"92562526-d9a9-11e2-a93b-b6bd483074cc","userid":"9256e632-d9a9-
11e2-a93b-b6bd483074cc","cmd":"org.apache.cloudstack.api.command.admin.resou
rce.UploadCustomCertificateCmd","jobstatus":2,"jobprocstatus":0,"jobresultco
de":530,"jobresulttype":"object","jobresult":{"errorcode":530,"errortext":"C
ommand failed due to Internal Server
Error"},"created":"2013-06-21T09:22:27-0400","jobid":"5c293efd-dd23-4766-8e9
6-4a03e6a5f29e"} }

Mgmt log:

2013-06-21 09:30:07,423 DEBUG [cloud.api.ApiServlet] (catalina-exec-20:null) 
===START===  74.122.165.7 -- GET 
apiKey=x
&certificate=-BEGIN+CERTIFICATE-%5CnMIIC5zCCAlACAQEwDQYJKoZIhvcN
AQEFBQAwgbsxJDAiBgNVBAcTG

RE: Console Proxy SSL

2013-06-21 Thread Billy Ramsay
>> Greetings,
>> 
>> We just completed a clean install of 4.1.0. I was able to successfully 
>> upload a custom certificate for use by the console proxy machines in 
>> our old
>> 4.0.1 environment, but now I cannot get it to work for the life of me 
>> in 4.1.0.
>> 
>> The UI just says "failed to update", as usual. I also tried to upload 
>> via API, and the error I get is below:
>> 
>> errorcode = 530
>> errortext = Command failed due to Internal Server Error
>> 
>> I have confirmed that the certificate and key are in the proper 
>> format, as was used in our 4.0.1 environment.
>> 
>> Thanks in advance for any light you can shed on this!
>> 
>> -WPR
>> 
>> 
>> 
>
>What do you see in the management server logs and / or API logs during the
>upload process?

Absolutely nothing in either when I do it from the UI. I did a tail -f on
one monitor while I tried to upload via the UI on another.

When I do it from cloudmonkey I get the output at the bottom (sanitized,
including cert).

Thanks for looking into this!


API log:

2013-06-21 09:22:27,560 INFO  [cloud.api.ApiServer] (catalina-exec-21:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
apiKey=x&certifi
cate=-BEGIN+CERTIFICATE-%5Cn[URL-encoded certificate body removed]%5Cn-END+CERTIFICATE-&command=uploadCustomCertificate&domainsuffix=domain.com&id=1&name=ro
ot&response=json&signature=CTlxx0YM%2FwfxPTR%2Fxx0%3D 200 {
"uploadcustomcertificateresponse" :
{"jobid":"5c293efd-dd23-4766-8e96-4a03e6a5f29e"} }
2013-06-21 09:22:29,613 INFO  [cloud.api.ApiServer] (catalina-exec-19:null)
(userId=2 accountId=2 sessionId=null) 74.122.165.7 -- GET
apiKey=&command=quer
yAsyncJobResult&jobid=5c293efd-dd23-4766-8e96-4a03e6a5f29e&response=json&sig
nature=YcxqT%2BmxxtqjMDyww%3D 200 {
"queryasyncjobresultresponse" :
{"accountid":"92562526-d9a9-11e2-a93b-b6bd483074cc","userid":"9256e632-d9a9-
11e2-a93b-b6bd483074cc","cmd":"org.apache.cloudstack.api.command.admin.resou
rce.UploadCustomCertificateCmd","jobstatus":2,"jobprocstatus":0,"jobresultco
de":530,"jobresulttype":"object","jobresult":{"errorcode":530,"errortext":"C
ommand failed due to Internal Server
Error"},"created":"2013-06-21T09:22:27-0400","jobid":"5c293efd-dd23-4766-8e9
6-4a03e6a5f29e"} }

Mgmt log:

2013-06-21 09:30:07,423 DEBUG [cloud.api.ApiServlet] (catalina-exec-20:null)
===START===  74.122.165.7 -- GET
apiKey=x
&certificate=-BEGIN+CERTIFICATE-%5Cn[URL-encoded certificate body removed]%5Cn-END+CERTIFICATE-&command=uploadCust
omCertificate&domainsuffix=domain.com&id=1&name=root&response=json&signature
=CTM%2FTR%2Fck0%3D
2013-06-21 09:3

Re: Console Proxy SSL

2013-06-21 Thread Chip Childers
On Fri, Jun 21, 2013 at 08:33:44AM -0400, Billy Ramsay wrote:
> Greetings,
> 
> We just completed a clean install of 4.1.0. I was able to successfully
> upload a custom certificate for use by the console proxy machines in our old
> 4.0.1 environment, but now I cannot get it to work for the life of me in
> 4.1.0.
> 
> The UI just says "failed to update", as usual. I also tried to upload via
> API, and the error I get is below:
> 
> errorcode = 530
> errortext = Command failed due to Internal Server Error
> 
> I have confirmed that the certificate and key are in the proper format, as
> was used in our 4.0.1 environment.
> 
> Thanks in advance for any light you can shed on this!
> 
> -WPR
> 
> 
> 

What do you see in the management server logs and / or API logs during
the upload process?