You need to put all certificates in the chain in the GUI dialog, in 4.8 this is supported in GUI, made easy (god forgive doing the same work in 4.5 :)
I don't remember ATM, but I believe also restarting MGMT was required or advises, since it build up the ssl/trust chan (of whaever...) so make sure you better do than don't do it (I hardly remember that MGMT would not start due to some hacks I did with SSLs back in the days) On 2 February 2018 at 15:10, Ugo Vasi <ugo.v...@procne.it> wrote: > Hi Paul, > do I have to destroy console-proxy too? > Could the problem be caused by certificates' chain? > I've got two intermediate certificates between the root and the leaf one, > could this cause problems? > > Thanks > > > On 02/02/2018 13:18, Paul Angus wrote: > >> Hi Ugo, >> Have you destroyed your sec storage VM and let CloudStack recreate it. A >> stop-start isn't usually enough to reconfigure certificates. >> >> paul.an...@shapeblue.com >> www.shapeblue.com >> 53 Chandos Place, Covent Garden, London WC2N 4HSUK >> @shapeblue >> >> >> -----Original Message----- >> From: Ugo Vasi [mailto:ugo.v...@procne.it] >> Sent: 02 February 2018 11:37 >> To: users@cloudstack.apache.org; Benjamin Naber < >> benjamin.na...@coders-area.de> >> Subject: Re: Failing to enable SSL/HTTPS on console proxy vm >> >> Hi Ben, >> I'm sure that the DNS is resolving the right IP ( >> aaa-bbb-ccc-ddd.domain.com -> aaa.bbb.ccc.ddd), I tried with wget using >> the same src of iframe (masquerade log): >> >> $ wget https://123-123-123-123.domain.com/ajax?token=...(snipped) >> --2018-02-02 10:24:23-- https://123-123-123-123.domain.com/ajax?token=... >> Resolving 123-123-123-123.domain.com (123-123-123-123.domain.com)... >> 123.123.123.123 >> Connecting to 123-123-123-123.domain.com (123-123-123-123.domain.com)|1 >> 23.123.123.123|:443... >> >> here the command hangs until a timeout. >> >> >> >> On 02/02/2018 11:43, Benjamin Naber wrote: >> >>> Hi Ugo, >>> >>> you need a DNS Record for the public ip address the consoleproxy has >>> beed allocatet. >>> should be look like this: 80-190-44-22.domain.com otherwise the iframe >>> denied loading in case of ssl error. >>> In Global setting "Console proxy url domain" set *.domain.com restart >>> management server and it should work. >>> >>> Kind Regards >>> >>> Ben >>> >>> Ugo Vasi <ugo.v...@procne.it> hat am 2. Februar 2018 um 11:26 >>>> geschrieben: >>>> >>>> >>>> Hi all, >>>> I had the same problem installing the wildcard certificate. >>>> >>>> I tried to set the consoleproxy.url.domain in global settings but now >>>> the console interface inside the iframe does not respond... >>>> >>>> The dns record are OK. >>>> >>>> >>>> >>>> >>>> On 16/06/2016 18:10, Andy Dills wrote: >>>> >>>>> I have this working perfectly. >>>>> >>>>> Couple of key things that are not mentioned in the >>>>> documentation: >>>>> >>>>> - You need to set consoleproxy.url.domain to *.domain.com for >>>>> whatever domain you're using. Do this before re-uploading your SSL >>>>> certificate. The SSL upload dialogue doesn't set this value as it should. >>>>> >>>>> - You need a wildcard certificate for that domain. >>>>> >>>>> Assuming you setup the proper DNS records, it should then work. >>>>> >>>>> I'm open to follow up questions if anybody is struggling with this. >>>>> >>>>> Thanks, >>>>> Andy >>>>> >>>>> Sent from my iPhone >>>>> >>>>> On Jun 16, 2016, at 12:01 PM, Will Stevens <wstev...@cloudops.com> >>>>>> wrote: >>>>>> >>>>>> We have been having issues with this for as long as I can remember >>>>>> (on both ACS and CCP). In order to get it to work you have to >>>>>> 'trust unsafe scripts' or whatever by clicking the shield in the >>>>>> URL bar in the top right (maybe that is chrome). >>>>>> >>>>>> I don't know that there is a solution, but if there is, I am all >>>>>> ears... >>>>>> >>>>>> *Will STEVENS* >>>>>> Lead Developer >>>>>> >>>>>> *CloudOps* *| *Cloud Solutions Experts >>>>>> 420 rue Guy *|* Montreal *|* Quebec *|* H3J 1S6 w cloudops.com *|* >>>>>> tw @CloudOps_ >>>>>> >>>>>> On Thu, Jun 16, 2016 at 11:54 AM, Nux! <n...@li.nux.ro> wrote: >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> Is there any particular voodoo involved in getting the $subject to >>>>>>> work correctly on 4.8.0? >>>>>>> I've uploaded the Comodo wildcard cabundle, crt and key in the >>>>>>> Infrastructure page, the systemvms have rebooted. >>>>>>> They came back fine and nothing dodgy in the logs, but when I open >>>>>>> the console of a VM Firefox will say there are insecure contents >>>>>>> loaded and will not display the terminal ajax thingy. >>>>>>> View source shoes an iframe linking http://1.2.3.4 instead of >>>>>>> https://1-2-3-4.wildcarddomain.tld. >>>>>>> >>>>>>> Apache HTTPD and Tomcat had no issues with these certs. >>>>>>> >>>>>>> Is there something that I am missing? >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Sent from the Delta quadrant using Borg technology! >>>>>>> >>>>>>> Nux! >>>>>>> www.nux.ro >>>>>>> >>>>>>> >>>>> >>>>> -- >>>> >>>> *Ugo Vasi* / System Administrator >>>> ugo.v...@procne.it <mailto:ugo.v...@procne.it> >>>> >>>> >>>> >>>> >>>> *Procne S.r.l.* >>>> +39 0432 486 523 >>>> via Cotonificio, 45 >>>> 33010 Tavagnacco (UD) >>>> www.procne.it <http://www.procne.it/> >>>> >>>> >>>> Le informazioni contenute nella presente comunicazione ed i relativi >>>> allegati possono essere riservate e sono, comunque, destinate >>>> esclusivamente alle persone od alla Società sopraindicati. La >>>> diffusione, distribuzione e/o copiatura del documento trasmesso da >>>> parte di qualsiasi soggetto diverso dal destinatario è proibita sia >>>> ai sensi dell'art. 616 c.p., che ai sensi del Decreto Legislativo n. >>>> 196/2003 "Codice in materia di protezione dei dati personali". Se >>>> avete ricevuto questo messaggio per errore, vi preghiamo di >>>> distruggerlo e di informare immediatamente Procne S.r.l. scrivendo >>>> all' indirizzo e-mail i...@procne.it <mailto:i...@procne.it>. >>>> >>>> >>>> >>>> >>>> >>> >>> >> > > -- > > *Ugo Vasi* / System Administrator > ugo.v...@procne.it <mailto:ugo.v...@procne.it> > > > > > *Procne S.r.l.* > +39 0432 486 523 > via Cotonificio, 45 > 33010 Tavagnacco (UD) > www.procne.it <http://www.procne.it/> > > > Le informazioni contenute nella presente comunicazione ed i relativi > allegati possono essere riservate e sono, comunque, destinate > esclusivamente alle persone od alla Società sopraindicati. La diffusione, > distribuzione e/o copiatura del documento trasmesso da parte di qualsiasi > soggetto diverso dal destinatario è proibita sia ai sensi dell'art. 616 > c.p., che ai sensi del Decreto Legislativo n. 196/2003 "Codice in materia > di protezione dei dati personali". Se avete ricevuto questo messaggio per > errore, vi preghiamo di distruggerlo e di informare immediatamente Procne > S.r.l. scrivendo all' indirizzo e-mail i...@procne.it <mailto: > i...@procne.it>. > > > > > -- Andrija Panić
