You are right. You don’t need an intermediate cert, it’s optional. The installation procedure says that. I edited the section you pointed out as well.
Thanks,
-Nitin

On 24/09/14 6:40 AM, "France" <mailingli...@isg.si> wrote:

>I went down the route with custom DNS service (already working) and
>custom certificate, because it feels safer than rolling out my RPM
>packages.
>
>So, the instructions
>(https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name#ProceduretoReplacerealhostip.comwithYourOwnDomainName-HowtogeneratemycustomrootCAandcertificate?)
>point me to creating an intermediate certificate, which I do not think is
>required.
>
>If I am my own CA, why should I create an intermediate certificate and
>sign with that to complicate things? I guess I could sign my CSR with CA
>directly. Can’t I?
>
>Then just use the GUI and no API calls, to add the certificate, the key
>and domain info. As long as I keep secstorage.encrypt.copy to false, all
>should work. Right?
>
>Regards,
>F.
>
>On 20 Sep 2014, at 21:17, Amogh Vasekar <amogh.vase...@citrix.com> wrote:
>
>> ConsoleProxyInfo and ConsoleProxyManagerImpl.assignProxy have the relevant
>> code to generate the URL for accessing console.
>> The ConsoleProxyServlet handles the requests, and might be a good starting
>> point if you wish to change the code.
>>
>> Amogh
>>
>> On 9/20/14 12:01 PM, "France" <mailingli...@isg.si> wrote:
>>
>>> Hi Amogh,
>>>
>>> thank you for your suggestions and instructions on disabling.
>>>
>>> We will not run a wildcard DNS resolver on certain subdomain as required
>>> for this option.
>>> Once ACS supports single domain for console proxy access, we shall enable
>>> https once again with our signed/bought certificate.
>>>
>>> In the mean time, we either have to move to http from https making access
>>> to whole admin interface insecure or hack the code to display a link to
>>> console instead of iframe.
>>> I would rather go for the latter option. Does anyone who is following
>>> this, know where is the code for that iframe link?
>>>
>>> Thank you.
>>>
>>> F.
>>>
>>> On 20 Sep 2014, at 20:33, Amogh Vasekar <amogh.vase...@citrix.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I believe this is by design for SSL - a user would see a HTTPS site
>>>> thinking everything is secure and encrypted, only to realize later that
>>>> some part is in fact insecure. Hence, instead of trying to circumvent
>>>> the security mechanism, you can try the steps at :
>>>>
>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name#ProceduretoReplacerealhostip.comwithYourOwnDomainName-HowtogeneratemycustomrootCAandcertificate?
>>>>
>>>> This would help create your own certificate chain. The downside being
>>>> your users would need to add the custom root CA in the browser (a practice
>>>> followed by many companies for internal network), or simply accept the
>>>> security warning the first time they access your domain.
>>>> Please note that this would still need a publicly resolvable domain (or
>>>> add the mappings directly in /etc/hosts if it is more convenient)
>>>>
>>>> Thanks,
>>>> Amogh
>>>>
>>>> On 9/20/14 11:22 AM, "France" <mailingli...@isg.si> wrote:
>>>>
>>>>> It worked for us. Well kind of.
>>>>>
>>>>> The problem is now, that we have https for default admin interface,
>>>>> while console opens as iframe to http content and browsers such as
>>>>> firefox will not load content, because it is not on https.
>>>>> They call it: "Mixed Content Blocking Enabled":
>>>>>
>>>>> https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
>>>>>
>>>>> Do you have any recommendations what to do in order to get around this?
>>>>>
>>>>> We will not buy a wildcard certificate, because it is too expensive for
>>>>> us.
>>>>>
>>>>> Regards,
>>>>> F.
>>>>>
>>>>> On 20 Sep 2014, at 15:21, France <mailingli...@isg.si> wrote:
>>>>>
>>>>>> I will just empty these two fields in global config:
>>>>>>
>>>>>> secstorage.ssl.cert.domain
>>>>>> consoleproxy.url.domain
>>>>>>
>>>>>> restart CS and restart the console proxy..
>>>>>>
>>>>>> ... and hope for the best. :-)
>>>>>>
>>>>>> If you do not hear from me on this, then this worked and others can do
>>>>>> it too.
>>>>>>
>>>>>> Regards,
>>>>>> F.
>>>>>>
>>>>>> On 20 Sep 2014, at 15:16, Aldis Gerhards <al...@hostnet.lv> wrote:
>>>>>>
>>>>>>> We got the same problem. It seemed like a bug :) we downgraded back
>>>>>>> to 4.3.0 because of this issue.
>>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On 20 Sep 2014, at 15:39, France <mailingli...@isg.si> wrote:
>>>>>>>>
>>>>>>>> Hi guys,
>>>>>>>>
>>>>>>>> how do we disable realhostip.com service with its certificates on
>>>>>>>> ACS 4.3.1, to get consoleproxy working without ties to realhostip.com
>>>>>>>> service?
>>>>>>>> We are happy with HTTP only for now.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> F.
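
Added example, not part of the thread: the question raised above, whether a private root CA can sign the server CSR directly with no intermediate, checked with the OpenSSL CLI. The domain `console.example.test`, the CA name and the file names are constructed placeholders; the leaf carries a wildcard name because the thread ties the console proxy setup to wildcard DNS.

```shell
#!/bin/sh
# Added example: a private root CA signs a wildcard server CSR directly,
# with no intermediate CA. Domain and CA name are constructed placeholders.
DOMAIN="console.example.test"
ROOT_CN="Example Private Root CA"

make_direct_chain() {
    dir="$1"
    # 1. Self-signed root CA key and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$ROOT_CN" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # 2. Server key and CSR for the wildcard name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=*.$DOMAIN" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. Leaf extensions: wildcard SAN, and explicitly not a CA.
    printf 'subjectAltName=DNS:*.%s\nbasicConstraints=CA:FALSE\n' "$DOMAIN" \
        > "$dir/leaf.ext"
    # 4. The root key signs the CSR itself; no intermediate is involved.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/server.crt" 2>/dev/null || return 1
}

verify_direct_chain() {
    # Passes only if the leaf chains to the root with no other certificate supplied.
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

issuer_is_root() {
    # The leaf's issuer must equal the root's subject (two-certificate chain).
    leaf_issuer=$(openssl x509 -in "$1/server.crt" -noout -issuer | sed 's/^issuer= *//')
    root_subject=$(openssl x509 -in "$1/root.crt" -noout -subject | sed 's/^subject= *//')
    [ "$leaf_issuer" = "$root_subject" ]
}

workdir=$(mktemp -d)
if make_direct_chain "$workdir" && verify_direct_chain "$workdir" \
        && issuer_is_root "$workdir"; then
    echo "leaf verifies against the root alone: $workdir/server.crt"
fi
```

Clients trust the result only after `root.crt` is imported into their trust store, which is the trade-off Amogh describes in the quoted message.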