The problem appears to be with the console proxy itself. Here are the
ports that are listening on the public interface, according to an nmap TCP
scan:
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
When I logged into the console proxy through the link local address, I
checked for processes on port 443 and there are none, so obviously an HTTPS
connection can't be made. There is a Java process listening on port 80 but
nothing on 443. Is there something in the global settings that will enable
HTTPS, or is this a bug?
root@v-2-VM:~# netstat -lnp | grep java
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN
3491/java
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
3491/java
On Thu, May 15, 2014 at 2:53 PM, Ian Young <iyo...@ratespecial.com> wrote:
> I just realized I had to set the consoleproxy.url.domain field to "
> realhostip.com" but now when I try to view the console, the browser says
> "The server refused the connection." Does that indicate a problem with the
> SSL certificate?
>
> management-server.log:
> 2014-05-15 14:43:55,506 DEBUG [c.c.a.t.Request] (catalina-exec-15:null)
> Seq 1-90898443: Sending { Cmd , MgmtId: 161342909744, via: 1(
> virthost1.lax.ratespecial.com), Ver: v1, Flags: 100011,
> [{"com.cloud.agent.api.GetVncPortCommand":{"id":2,"name":"v-2-VM","wait":0}}]
> }
> 2014-05-15 14:43:55,563 DEBUG [c.c.a.t.Request]
> (AgentManager-Handler-5:null) Seq 1-90898443: Processing: { Ans: , MgmtId:
> 161342909744, via: 1, Ver: v1, Flags: 10,
> [{"com.cloud.agent.api.GetVncPortAnswer":{"address":"192.168.100.6","port":5901,"result":true,"wait":0}}]
> }
> 2014-05-15 14:43:55,563 DEBUG [c.c.a.t.Request] (catalina-exec-15:null)
> Seq 1-90898443: Received: { Ans: , MgmtId: 161342909744, via: 1, Ver: v1,
> Flags: 10, { GetVncPortAnswer } }
> 2014-05-15 14:43:55,563 DEBUG [c.c.s.ConsoleProxyServlet]
> (catalina-exec-15:null) Port info 192.168.100.6
> 2014-05-15 14:43:55,563 INFO [c.c.s.ConsoleProxyServlet]
> (catalina-exec-15:null) Parse host info returned from executing
> GetVNCPortCommand. host info: 192.168.100.6
> 2014-05-15 14:43:55,570 DEBUG [c.c.s.ConsoleProxyServlet]
> (catalina-exec-15:null) Compose console url:
> https://192-168-100-159.realhostip.com/ajax?token=CsPhU4m_R2ZoLIdXOtjo3y3humnQN20wt5fSPjbZOHtRh7nli7tiq0ZiWUuwCVIn7K0vuegv6oMAAq_vDY4Vr_f7jwoVQDkxAE1vmK9oRhy9pvBVlmAdCer6hlVjXQlwL9oJEQO4thhSDg2qeNji02xuxlSmDilVKnd9U9xiHqIV-PgktrKq3J2GT1EpcpTvhsew5COQ1h3j8M9IM8KLZpYA0dDp7TejMmfgSiQI8ifZSh_nNLyyqBzYvl1XWxSaDIrnj7UsP3JKUq74kdY5Pg
> 2014-05-15 14:43:55,570 DEBUG [c.c.s.ConsoleProxyServlet]
> (catalina-exec-15:null) the console url is ::
> <html><title>v-2-VM</title><frameset><frame src="
> https://192-168-100-159.realhostip.com/ajax?token=CsPhU4m_R2ZoLIdXOtjo3y3humnQN20wt5fSPjbZOHtRh7nli7tiq0ZiWUuwCVIn7K0vuegv6oMAAq_vDY4Vr_f7jwoVQDkxAE1vmK9oRhy9pvBVlmAdCer6hlVjXQlwL9oJEQO4thhSDg2qeNji02xuxlSmDilVKnd9U9xiHqIV-PgktrKq3J2GT1EpcpTvhsew5COQ1h3j8M9IM8KLZpYA0dDp7TejMmfgSiQI8ifZSh_nNLyyqBzYvl1XWxSaDIrnj7UsP3JKUq74kdY5Pg
> "></frame></frameset></html>
>
> ssl_access_log:
> 192.168.100.166 - - [15/May/2014:14:44:55 -0700] "GET
> /client/console?cmd=access&vm=086b5822-de00-4764-8b05-d8e00657ee54
> HTTP/1.1" 200 405
>
>
> On Wed, May 14, 2014 at 5:56 PM, Ian Young <iyo...@ratespecial.com> wrote:
>
>> Looks like it's still using HTTP, not HTTPS:
>>
>> 2014-05-14 17:52:35,812 DEBUG [c.c.a.t.Request] (catalina-exec-20:null)
>> Seq 1-800529939: Sending { Cmd , MgmtId: 161342909744, via: 1(
>> virthost1.lax.ratespecial.com), Ver: v1, Flags: 100011,
>> [{"com.cloud.agent.api.GetVncPortCommand":{"id":6,"name":"i-5-6-VM","wait":0}}]
>> }
>> 2014-05-14 17:52:35,861 DEBUG [c.c.a.t.Request]
>> (AgentManager-Handler-1:null) Seq 1-800529939: Processing: { Ans: ,
>> MgmtId: 161342909744, via: 1, Ver: v1, Flags: 10,
>> [{"com.cloud.agent.api.GetVncPortAnswer":{"address":"192.168.100.6","port":5903,"result":true,"wait":0}}]
>> }
>> 2014-05-14 17:52:35,861 DEBUG [c.c.a.t.Request] (catalina-exec-20:null)
>> Seq 1-800529939: Received: { Ans: , MgmtId: 161342909744, via: 1, Ver: v1,
>> Flags: 10, { GetVncPortAnswer } }
>> 2014-05-14 17:52:35,861 DEBUG [c.c.s.ConsoleProxyServlet]
>> (catalina-exec-20:null) Port info 192.168.100.6
>> 2014-05-14 17:52:35,861 INFO [c.c.s.ConsoleProxyServlet]
>> (catalina-exec-20:null) Parse host info returned from executing
>> GetVNCPortCommand. host info: 192.168.100.6
>> 2014-05-14 17:52:35,865 DEBUG [c.c.s.ConsoleProxyServlet]
>> (catalina-exec-20:null) Compose console url:
>> http://192.168.100.159/ajax?token=CsPhU4m_R2ZoLIdXOtjo3y3humnQN20wt5fSPjbZOHtRh7nli7tiq0ZiWUuwCVIn_GSECIK5nC2lBX8cMHvt1_GrmwDVK1PEEAwyueLlgNRgodobz8Lsyv2jEc-mUvMH340AYGt0FyZOuXIA6dunN3yx-bP-vp4rao5Up61eJwOvqFr3PhggNpbq5Up59ObOdYMe2GsBP_3FrL8ZQfBhNBSmViHQ0fKJSyUHDoC9tKlfs2Bb0rPOBxsZeTPfe-hDuaVT-pZxjQXCKM93sujnWw
>> 2014-05-14 17:52:35,865 DEBUG [c.c.s.ConsoleProxyServlet]
>> (catalina-exec-20:null) the console url is ::
>> <html><title>phonesynergy</title><frameset><frame src="
>> http://192.168.100.159/ajax?token=CsPhU4m_R2ZoLIdXOtjo3y3humnQN20wt5fSPjbZOHtRh7nli7tiq0ZiWUuwCVIn_GSECIK5nC2lBX8cMHvt1_GrmwDVK1PEEAwyueLlgNRgodobz8Lsyv2jEc-mUvMH340AYGt0FyZOuXIA6dunN3yx-bP-vp4rao5Up61eJwOvqFr3PhggNpbq5Up59ObOdYMe2GsBP_3FrL8ZQfBhNBSmViHQ0fKJSyUHDoC9tKlfs2Bb0rPOBxsZeTPfe-hDuaVT-pZxjQXCKM93sujnWw
>> "></frame></frameset></html>
>>
>>
>> On Wed, May 14, 2014 at 5:41 PM, Ian Young <iyo...@ratespecial.com>wrote:
>>
>>> I decided to create my own internal realhostip.com. My DNS servers use
>>> PowerDNS, not BIND, so the $GENERATE directive was not an option and I
>>> didn't want to have to populate my DNS servers' databases with a record for
>>> every possible IP address. Fortunately, I found the following Lua script:
>>>
>>> https://github.com/terbolous/powerdns-cloudstack-proxy-dns
>>>
>>> I can confirm the Lua script works as expected and my CloudStack server
>>> can be tricked into believing my internal DNS servers are the authority for
>>> realhostip.com:
>>>
>>> [root@virthost1 ]# dig +short 1-2-3-4.realhostip.com
>>> 1.2.3.4
>>>
>>> I followed this guide and updated the console proxy/SSVM SSL certificate
>>> with my own *.realhostip.com certificate.
>>>
>>>
>>> http://docs.cloudstack.apache.org/projects/cloudstack-administration/en/latest/systemvm.html#changing-the-console-proxy-ssl-certificate-and-domain
>>>
>>> The console proxy restarted but it's still blank when I try to view the
>>> console. Does the domain have to be something other than realhostip.com
>>> ?
>>>
>>
>>
>
