You need another cert for the proxy host.

In theory, you could have done it all with 1 SSL cert in front of
ha-proxy, then restrict communication to 8080 via iptables from MS to
ha-proxy.

Though, ideally, SSL across the board is better.

With that said, get one more cert for ha-proxy.

On 4/13/16 11:06 PM, Indra Pramana wrote:
> Hi ilya and all,
> 
> Good day to you, and thank you for your reply.
> 
> Yes, I was able to access the second management server using http. To
> resolve the problem, I ended up purchasing another SSL certificate for the
> second management server, and after converting it to PKCS12 format and
> enabling SSL in server.xml and tomcat6.conf, I managed to access the GUI of
> the second management server, thanks.
> 
> Now the issue is on the haproxy load balancer. Each management server can
> be accessed via https without any issue, but accessing it through the
> haproxy load balancer gives the same SSL error message. I am running just
> one haproxy server at the moment.
> 
> https://first-management-server:8080/client/ - OK
> https://second-management-server:8080/client/ - OK
> 
> https://haproxy-server:8080/client/ - not OK
> 
> Below is my haproxy.cfg configuration; I set the configuration based on the
> blog article Sadhu provided:
> 
> http://psiclouds.blogspot.in/2015/03/haproxy-configuring-ha-load-balancer.html
> 
> Note that the UI (public facing) and the VM (hypervisor facing) are on
> different NICs/networks since we are using private networks for our
> hypervisors.
> 
> Public network: X.X.X.0/28
> Private network: Y.Y.Y.0/24
> 
> ====
> listen cloudstack_ui_8080 X.X.X.7:8080
> bind X.X.X.7:8080
> mode http
> balance source
> server first-management-server X.X.X.12:8080 cookie A check
> server second-management-server X.X.X.11:8080 cookie B check
> 
> listen cloudstack_systemvm_8250 Y.Y.Y.8:8250
> bind Y.Y.Y.8:8250
> mode tcp
> option tcplog
> balance source
> server first-management-server Y.Y.Y.3:8250 maxconn 32 check
> server second-management-server Y.Y.Y.6:8250 maxconn 32 check
> ====
> 
> Can you advise what I might have missed in the configuration?
> 
> Looking forward to your reply, thank you.
> 
> Cheers.
> 
> 
> On Thu, Apr 14, 2016 at 1:26 PM, ilya <ilya.mailing.li...@gmail.com> wrote:
> 
>> Indra
>>
>> Both MGMT servers should be accessed via web browser.
>>
>> However, in your case, since you did not enable SSL on the second server,
>> as evident by port 8080, you need to use the http header and not https.
>>
>> Try http://second-management-server:8080/client/
>>
>> Also, you can get away with a single SSL cert for both MGMT servers by
>> using the "alias" as a Subject Alternative Name when you create the
>> Certificate Signing Request.
>>
>> Regards
>> ilya
>>
>> On 4/12/16 10:14 PM, Indra Pramana wrote:
>>> Dear all,
>>>
>>> I have managed to add the second CloudStack management server and add it
>>> into the cluster. Based on the management server logs, we can see that
>>> the second management server is being added. I haven't configured the
>>> haproxy LB yet, however I noted that I am not able to access the second
>>> management server's GUI. Is this normal?
>>>
>>> https://second-management-server:8080/client/
>>>
>>> ====
>>> Secure Connection Failed
>>>
>>> An error occurred during a connection to second-management-server:8080.
>>> SSL received a record that exceeded the maximum permissible length.
>>> (Error code: ssl_error_rx_record_too_long)
>>>
>>>     The page you are trying to view cannot be shown because the
>>> authenticity of the received data could not be verified.
>>>     Please contact the website owners to inform them of this problem.
>>> ====
>>>
>>> Is this due to SSL, i.e. I need to purchase the SSL certificate for this
>>> second management server, similar to the first management server?
>>>
>>> Looking forward to your reply, thank you.
>>>
>>> Cheers.
>>>
>>>
>>> On Mon, Apr 11, 2016 at 10:03 PM, Sanjeev Neelarapu <
>>> sanjeev.neelar...@accelerite.com> wrote:
>>>
>>>> There is no restriction on which interface to use for LB. Make sure you
>>>> pick the NIC from same network for both the management servers.
>>>>
>>>> Best Regards,
>>>> Sanjeev N
>>>> Chief Product Engineer, Accelerite
>>>> Off: +91 40 6722 9368 | EMail: sanjeev.neelar...@accelerite.com
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Indra Pramana [mailto:in...@sg.or.id]
>>>> Sent: Monday, April 11, 2016 7:26 PM
>>>> To: users@cloudstack.apache.org
>>>> Subject: Re: Adding a new CloudStack management server
>>>>
>>>> Dear all,
>>>>
>>>> Our management server has two NICs, one internal-facing to the
>>>> hypervisor hosts and another one Internet-facing for our billing system
>>>> and console users to connect to. If we want to add another management
>>>> server and load balance them, does it mean that we need to load balance
>>>> both the internal-facing and the Internet-facing NICs?
>>>>
>>>> Looking forward to your reply, thank you.
>>>>
>>>> Cheers.
>>>>
>>>>
>>>> On Wed, Apr 6, 2016 at 12:30 PM, Indra Pramana <in...@sg.or.id> wrote:
>>>>
>>>>> Thanks Glenn and Suresh.
>>>>>
>>>>> Cheers.
>>>>>
>>>>>
>>>>> On Mon, Apr 4, 2016 at 1:01 PM, Suresh Sadhu
>>>>> <suresh.sa...@accelerite.com>
>>>>> wrote:
>>>>>
>>>>>> As Glenn said, it will work well with haproxy. I found a nice blog
>>>>>> from psiclouds; hope this might be useful to you.
>>>>>>
>>>>>>
>>>>>> http://psiclouds.blogspot.in/2015/03/haproxy-configuring-ha-load-balancer.html
>>>>>>
>>>>>> regards
>>>>>> Sadhu
>>>>>> Chief Product Engineer, Accelerite
>>>>>> suresh.sa...@accelerite.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>>
>>>>>> From: Glenn Wagner [mailto:glenn.wag...@shapeblue.com]
>>>>>> Sent: Monday, April 4, 2016 3:09 AM
>>>>>> To: users@cloudstack.apache.org
>>>>>> Subject: RE: Adding a new CloudStack management server
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I would also recommend using load balancing with CloudStack if you
>>>>>> want to run multiple management servers. HAProxy is the preferred
>>>>>> choice (works very well for us).
>>>>>>
>>>>>> Once you have added the second server, you need to change the
>>>>>> management server IP in the global settings (search for host) and also
>>>>>> the management IP in all the CloudStack agents to the new VIP, then
>>>>>> restart CloudStack.
>>>>>>
>>>>>> I would also suggest setting up two haproxys, one primary and the
>>>>>> other secondary, using keepalived for redundancy of your haproxy
>>>>>> servers.
>>>>>>
>>>>>> Regards
>>>>>> Glenn
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Glenn Wagner
>>>>>>
>>>>>> glenn.wag...@shapeblue.com
>>>>>> www.shapeblue.com
>>>>>> 2nd Floor, Oudehuis Centre, 122 Main Rd, Somerset West, Cape Town
>>>>>> 7130, South Africa @shapeblue
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Indra Pramana [mailto:in...@sg.or.id]
>>>>>> Sent: Sunday, 03 April 2016 2:49 PM
>>>>>> To: users@cloudstack.apache.org
>>>>>> Subject: Adding a new CloudStack management server
>>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> We are running CloudStack 4.2.0 and all this while we have been
>>>>>> running on just one management server. We intend to add another new
>>>>>> management server for redundancy. These are the parts of the
>>>>>> documentation touching on how to add another new management server:
>>>>>>
>>>>>>
>>>>>> http://docs.cloudstack.apache.org/projects/cloudstack-installation/en/4.8/management-server/#additional-management-servers
>>>>>>
>>>>>> http://docs.cloudstack.apache.org/en/latest/administration_guide.html?highlight=management%20server%20load#management-server-load-balancing
>>>>>>
>>>>>> - Can I confirm that for multiple management servers, a load
>>>>>> balancing server or device is compulsory? Can multiple management
>>>>>> servers still work without load balancing and still achieve HA?
>>>>>> - What do people normally use to set up the load balancing for the
>>>>>> management servers? Is a server running haproxy sufficient?
>>>>>> - Once the second management server and the load balancer have been
>>>>>> set up, I believe we would need to change the management IP to the
>>>>>> VIP (virtual IP) of the load balancer. What are the things that need
>>>>>> to be changed?
>>>>>>
>>>>>> Any help is greatly appreciated.
>>>>>>
>>>>>> Looking forward to your reply, thank you.
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>> -ip-
>>>>>>
>>>>>>
>>>>>>
>>>>>> DISCLAIMER
>>>>>> ==========
>>>>>> This e-mail may contain privileged and confidential information which
>>>>>> is the property of Accelerite, a Persistent Systems business. It is
>>>>>> intended only for the use of the individual or entity to which it is
>>>>>> addressed. If you are not the intended recipient, you are not
>>>>>> authorized to read, retain, copy, print, distribute or use this
>>>>>> message. If you have received this communication in error, please
>>>>>> notify the sender and delete all copies of this message. Accelerite,
>>>>>> a Persistent Systems business does not accept any liability for virus
>>>>>> infected mails.
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
> 
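The ssl_error_rx_record_too_long error through the proxy comes from the listener in the posted haproxy.cfg being a plain-HTTP `bind` while the browser is sending a TLS ClientHello to it. The configuration below is an added example, not part of the thread and not Indra's or the psiclouds article's configuration; it shows the two ways discussed in the thread of fixing that: terminating TLS on haproxy with a certificate issued for the proxy's own name and re-encrypting to the backends ("SSL across the board"), and, commented out, passing TLS through untouched so the backend certificates are the ones the browser sees. It assumes HAProxy 1.6 or later (for `verifyhost`), that the proxy's certificate and key are concatenated in /etc/haproxy/certs/haproxy-server.pem, that the CA that signed the backend certificates is in /etc/haproxy/certs/ca.pem, and it reuses the X.X.X.* / Y.Y.Y.* address placeholders from the thread.

```haproxy
# Added example (not from the thread): HAProxy in front of two CloudStack
# management servers that now speak HTTPS on 8080. Paths and the HAProxy
# version are assumptions, see the lead-in.

global
    log /dev/log local0
    # Assumed policy: modern TLS only on the public-facing listener.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Before (as posted): a plain-HTTP listener. A browser opening
# https://haproxy-server:8080 sends a TLS handshake, haproxy answers with
# HTTP text, and the browser reports ssl_error_rx_record_too_long.
# Kept only for comparison; do not load it together with the block below.
# listen cloudstack_ui_8080
#     bind X.X.X.7:8080
#     mode http
#     balance source
#     server first-management-server  X.X.X.12:8080 cookie A check
#     server second-management-server X.X.X.11:8080 cookie B check

# --- After: TLS terminated on the proxy, then re-encrypted to the backends.
# The proxy presents its own certificate, issued for the name users type
# (haproxy-server); each backend certificate is checked against the CA
# bundle and against the backend's hostname, so a stray or expired backend
# cert fails the health check instead of silently serving traffic.
frontend cloudstack_ui_8080
    bind X.X.X.7:8080 ssl crt /etc/haproxy/certs/haproxy-server.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend cloudstack_ui

backend cloudstack_ui
    mode http
    balance source
    option httpchk GET /client/
    http-check expect rstatus ^[23][0-9][0-9]
    default-server ssl verify required ca-file /etc/haproxy/certs/ca.pem check
    server first-management-server  X.X.X.12:8080 verifyhost first-management-server
    server second-management-server X.X.X.11:8080 verifyhost second-management-server

# --- Alternative: TLS pass-through. Use this when the proxy must not hold a
# private key and the backends keep their own certificates. The browser then
# verifies the backend's certificate, so each backend cert must carry
# haproxy-server (the name the browser connected to) as a Subject Alternative
# Name, which is what the thread calls using the "alias" in the CSR. Only a
# TCP-level health check is possible because the HTTP inside is opaque.
# listen cloudstack_ui_8080_passthrough
#     bind X.X.X.7:8080
#     mode tcp
#     balance source
#     option tcp-check
#     server first-management-server  X.X.X.12:8080 check
#     server second-management-server X.X.X.11:8080 check

# The 8250 agent listener carries the management server's own protocol and
# stays as TCP, as in the posted configuration.
listen cloudstack_systemvm_8250
    bind Y.Y.Y.8:8250
    mode tcp
    option tcplog
    balance source
    server first-management-server  Y.Y.Y.3:8250 maxconn 32 check
    server second-management-server Y.Y.Y.6:8250 maxconn 32 check
```

Whichever variant is used, the point from the top of the thread holds: the proxy's own hostname must be covered by a certificate somewhere. With termination that is the proxy's certificate; with pass-through it is a SAN on the backend certificates. With termination, if the backends are instead left on plain HTTP, restrict 8080 on the management servers to the proxy's address with iptables so the unencrypted hop is not reachable from anywhere else.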
