Hi, I’ve fixed cloudmonkey to url encode parameters so now you can use cloudmonkey to upload custom certificate but only in non-interactive mode on shell (bash/zsh). You’ll have to install cloudmonkey from source for now since the fix is only on master.
Something like: $ cloudmonkey upload customcertificate id=xx domainsuffix=yy name=zzz certificate=‘asdf asdfasdf asdfasdf asdf---' I’ve some issues to report while replacing certificates to get rid of realhostip, this is specific for Xen could apply for other hypervisors as well: - In case of 4.2, I see in the database that seq is 0 for the root certificate for the realhostip.com domain. I uploaded certificates in order (root, then intermediate and finally SSL cert from UI), and I see the old certificate is still there. after CPVM/SSVM restarts and are in UP state I still get SSL errors and I see that systemvm.iso is not getting patched. How to fix this? Or force systemvm.iso patching? - In case of 4.3.0 and above, I see the same issue. I’m confused whether to use *. wildcard in global setting or not. On 27-Sep-2014, at 9:32 pm, Amogh Vasekar <amogh.vase...@citrix.com> wrote: > Hi, > > For the encoding, in your case it was the space character causing the > issue - it should be replaced by %20. The correct encoding would be > (hoping mail clients don't screw up the blob): > -----BEGIN%20CERTIFICATE-----%0AMIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQU > AME4xCzAJBgNVBAYTAlVT%0AMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFN > lY3VyZSBDZXJ0%0AaWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQ > wMDAw%0AWjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE%0A > AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB%0ACgKCAQEA > 2swYYzD99BcjGlZ%2BW988bDjkcbd4kdS8odhM%2BKhDtgPpTSEHCIjaWC9m%0AOSm9BXiLnTjo > BbdqfnGk5sRgprDvgOSJKA%2BeJdbtg%2FOtppHHmMlCGDUUna2YRpIu%0AT8rxh0PBFpVXLVDv > iS2Aelet8u5fa9IAjbkU%2BBQVNdnARqN7csiRv8lVK83Qlz6c%0AJmTM386DGXHKTubU1XupGc > 1V3sjs0l44U%2BVcT4wt%2FlAjNvxm5suOpDkZALeVAjmR%0ACw7%2BOC7RHQWa9k0%2Bbw8HHa > 8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz%0APeE4uwc2hGKceeoWMPRfwCvocWvk%2 > BQIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm%0AaPkr0rKV10fYIyAQTzOYkJ%2FUMB0GA1UdDg > QWBBTAephojYn7qwVkDBF9qn1luMrM%0ATjAPBgNVHRMBAf8EBTADAQH%2FMA4GA1UdDwEB%2Fw > QEAwIBBjA6BgNVHR8EMzAxMC%2Bg%0ALaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxz > L3NlY3VyZWNhLmNybDBO%0ABgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6 > Ly93d3cuZ2Vv%0AdHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUA > A4GB%0AAHbhEm5OSxYShjAGsoEIz%2FAIx8dxfmbuwu3UOx%2F%2F8PDITtZDOLC5MH0Y0FWDom > rL%0ANhGc6Ehmo21%2FuBPUR%2F6LWlxz%2FK7ZGzIZOKuXNBSqltLroxwUCEm2u%2BWR74M26x > 1W%0Ab8ravHNjkOR%2Fez4iyz0H7V84dJzjA1BOoa%2BY7mHyhD8S%0A-----END%20CERTIFIC > ATE----- > > As for the global parameter, you can set it to something like a few > seconds and reset to original value when the URLs have been expired. > > Thanks > Amogh > > > On 9/27/14 10:53 AM, "Indra Pramana" <in...@sg.or.id> wrote: > >> Hi Wido, >> >> I have changed the value of secstorage.ssl.cert.domain and restart >> management server, before I start uploading all the certificates. >> >> I found this article, which might be related to the problem: >> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Troubleshooting+-+u >> ploading+custom+domain+certificate+instead+of+using+realhostip.com >> >> ==== >> >> *Specific Issues seen* >> >> 1. Download urls point to the old domain. >> 1. Reduce the expiration duration of the urls by changing global >> config extract.url.expiration.interval >> 2. And change the frequency for cleanup thread >> through extract.url.cleanup.interval restart MS. >> 3. Wait for the cleanup thread duration and try downloading again. >> See whether the url is deleted. >> 4. DB tables to check (don¹t recommend but worst case) >> Version < 4.2 upload table persists url. Entry is hard deleted on >> expiration of url. >> Version >= 4.2 >> template_store_ref, download_url is made null on expiration of url. >> volume_store_ref, entry hard deleted on expiration of url. >> >> ==== >> >> But I'm not too sure what is the recommended values I need to set for >> extract.url.expiration.interval and extract.url.cleanup.interval. Any >> advise? >> >> Thank you. >> >> >> >> On Sun, Sep 28, 2014 at 1:39 AM, Wido den Hollander <w...@widodh.nl> >> wrote: >> >>> >>> >>> >>> >>>> Op 27 sep. 2014 om 19:25 heeft Indra Pramana <in...@sg.or.id> het >>> volgende geschreven: >>>> >>>> Dear all, >>>> >>>> FYI, I managed to complete the tasks and install the certificates. As >>> a >>>> workaround to the unable to upload the root/intermediate cert via API >>>> issue, I uploaded a certificate with just "BEGIN" as text via API, and >>> then >>>> proceed to update the keystore table on the MySQL database directly to >>>> input the whole cert. >>>> >>>> It seems to be working, after I uploaded the cert and private key via >>> GUI, >>>> I can see that both CPVM and SSVM are being restarted. When I test: >>>> >>>> - Console is working, using my own domain now. Yay! :) >>>> >>>> - However, when I try to test downloading a template, it's still >>> showing >>>> realhostip.com as the URL to download. I have tried destroying the >>> SSVM >>> and >>>> a new SSVM was created, up and running. However, it's still showing >>>> realhostip.com when I test again. >>>> >>>> Anyone knows why it's still referring to realhostip.com for >>> downloading >>>> templates? >>>> >>> >>> Look at the global settings. There is a domain for the sec storage as >>> well. >>> >>> Maybe restart the mgmt server? >>> >>>> Looking forward to your reply, thank you. >>>> >>>> Cheers. >>>> >>>> >>>>> On Sun, Sep 28, 2014 at 12:49 AM, Indra Pramana <in...@sg.or.id> >>> wrote: >>>>> >>>>> Dear all, >>>>> >>>>> Apologise for sending quite a lot of emails tonight. Anyone knows if >>> it's >>>>> safe for me to update the keystore table on the database directly? >>> Since >>>>> the API call doesn't work. >>>>> >>>>> Thank you. >>>>> >>>>> >>>>>> On Sun, Sep 28, 2014 at 12:39 AM, Indra Pramana <in...@sg.or.id> >>> wrote: >>>>>> >>>>>> Only if I key in the certificate as "BEGIN", then it seems to be >>>>>> accepting. But of course, the certificate is invalid. >>>>>> >>>>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0"> >>>>>> <jobid>1efe722a-e7c7-4c43-9f6b-67ce860dbe34</jobid> >>>>>> </uploadcustomcertificateresponse> >>>>>> >>>>>> Is it my browser issue? I have tried using two different browsers: >>>>>> Firefox and Chrome, and both are having the same problem. >>>>>> >>>>>> >>>>>>> On Sun, Sep 28, 2014 at 12:36 AM, Indra Pramana <in...@sg.or.id> >>> wrote: >>>>>>> >>>>>>> I tried to key in just "BEGIN CERTIFICATE\nEND CERTIFICATE" without >>> the >>>>>>> "-----" and the content of the certificate itself. Same problem >>> persists, >>>>>>> it says parameter certificate is invalid, contains illegal ASCII >>>>>>> non-printable characters. >>>>>>> >>>>>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0"> >>>>>>> <errorcode>431</errorcode> >>>>>>> <cserrorcode>9999</cserrorcode> >>>>>>> <errortext> >>>>>>> Received value BEGIN CERTIFICATE END CERTIFICATE for parameter >>>>>>> certificate is invalid, contains illegal ASCII non-printable >>> characters >>>>>>> </errortext> >>>>>>> </uploadcustomcertificateresponse> >>>>>>> >>>>>>> >>>>>>> Seems the issue was not actually on the certificate itself, but >>> may be >>>>>>> on the API call handler? >>>>>>> >>>>>>> Any advice is greatly appreciated. >>>>>>> >>>>>>> >>>>>>>> On Sat, Sep 27, 2014 at 11:35 PM, Indra Pramana <in...@sg.or.id> >>> wrote: >>>>>>>> >>>>>>>> Hi Amogh and all, >>>>>>>> >>>>>>>> To add, I am using RapidSSL and I got the root and intermediate >>> CAs >>>>>>>> from here: >>>>>>>> >>>>>>>> >>>>>>>> >>> >>> https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page >>> =content&actp=CROSSLINK&id=SO26457 >>>>>>>> >>>>>>>> I have ensured that the encoding is done correctly, but still >>> there's >>>>>>>> issue when I tried to upload it. Is it because I am still using >>> version >>>>>>>> 4.2.0, may be there's a different method on how to upload? >>>>>>>> >>>>>>>> Error messages: >>>>>>>> >>>>>>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0"> >>>>>>>> <errorcode>431</errorcode> >>>>>>>> <cserrorcode>9999</cserrorcode> >>>>>>>> <errortext> >>>>>>>> Received value -----BEGIN CERTIFICATE----- >>>>>>>> MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT >>>>>>>> MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0 >>>>>>>> aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw >>>>>>>> WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE >>>>>>>> AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB >>>>>>>> CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m >>>>>>>> OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu >>>>>>>> T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c >>>>>>>> JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR >>>>>>>> Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz >>>>>>>> PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm >>>>>>>> aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM >>>>>>>> TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g >>>>>>>> LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO >>>>>>>> BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv >>>>>>>> dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB >>>>>>>> AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL >>>>>>>> NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W >>>>>>>> b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S -----END >>> CERTIFICATE----- for >>>>>>>> parameter certificate is invalid, contains illegal ASCII >>> non-printable >>>>>>>> characters >>>>>>>> </errortext> >>>>>>>> </uploadcustomcertificateresponse> >>>>>>>> >>>>>>>> >>>>>>>> Any advice is greatly appreciated, since 30 Sep is just another 3 >>>>>>>> days... >>>>>>>> >>>>>>>> >>>>>>>>> On Sat, Sep 27, 2014 at 11:21 PM, Indra Pramana <in...@sg.or.id> >>> wrote: >>>>>>>>> >>>>>>>>> Hi Amogh, >>>>>>>>> >>>>>>>>> I tried again tonight, still the same. Not too sure why, is it >>>>>>>>> something wrong with the certificate? But I have confirmed that >>> it's the >>>>>>>>> correct root certificate from my CA. >>>>>>>>> >>>>>>>>> Any other advice? >>>>>>>>> >>>>>>>>> Looking forward to your reply, thank you. >>>>>>>>> >>>>>>>>> Cheers. >>>>>>>>> >>>>>>>>> On Tue, Sep 23, 2014 at 12:56 AM, Amogh Vasekar < >>>>>>>>> amogh.vase...@citrix.com> wrote: >>>>>>>>> >>>>>>>>>> Can you try using http://meyerweb.com/eric/tools/dencoder/ >>>>>>>>>> >>>>>>>>>> Amogh >>>>>>>>>> >>>>>>>>>>> On 9/22/14 4:36 AM, "Indra Pramana" <in...@sg.or.id> wrote: >>>>>>>>>>> >>>>>>>>>>> Dear all, >>>>>>>>>>> >>>>>>>>>>> I am following the instruction on this documentation to replace >>>>>>>>>>> realhostip.com with my own domain. >>>>>>>>>> >>> >>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Repla >>> c >>>>>>>>>>> e+realhostip.com+with+Your+Own+Domain+Name >>>>>>>>>>> >>>>>>>>>>> Everything is fine until I need to upload the root certificate >>> via >>>>>>>>>> API. I >>>>>>>>>>> have URL-encoded the certificate using online URL encoder tool >>> such >>>>>>>>>> as: >>>>>>>>>>> >>>>>>>>>>> http://www.url-encode-decode.com/ >>>>>>>>>>> >>>>>>>>>>> However, when I run the API command, the certificate is >>> rejected, >>>>>>>>>> saying >>>>>>>>>>> that it contains illegal ASCII non-printable characters: >>>>>>>>>>> >>>>>>>>>>> for parameter certificate is invalid, contains illegal ASCII >>>>>>>>>> non-printable >>>>>>>>>>> characters >>>>>>>>>>> >>>>>>>>>>> I have ensured and verified that it only contains generic ASCII >>> text >>>>>>>>>>> format, no space, symbol etc. Tried using UTF-8, US-ASCII >>> format >>>>>>>>>> while >>>>>>>>>>> encoding, but still cannot work. >>>>>>>>>>> >>>>>>>>>>> Any advice is greatly appreciated. >>>>>>>>>>> >>>>>>>>>>> Looking forward to your reply, thank you. >>>>>>>>>>> >>>>>>>>>>> Cheers. Regards, Rohit Yadav Software Architect, ShapeBlue M. +41 779015219 | rohit.ya...@shapeblue.com Blog: bhaisaab.org | Twitter: @_bhaisaab Find out more about ShapeBlue and our range of CloudStack related services IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
