To help me with troubleshooting, could one of the developers let me know where 
the wildcard certificate is loaded into the ssvm and consolevm? Is there a way 
to verify the custom wildcard cert I’ve uploaded is where it should be? I’m 
seeing this error in the ACS logs.

Should the CA wildcard certificate issuer & CN be in the “presented these 
certificates” section of the log?

2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] 
(pool-13-thread-1:null) (logid:) A client/agent attempting connection from 
address=10.#.#.# has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null

2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] 
(pool-13-thread-1:null) (logid:) Certificate ownership verification failed for 
client: 10.#.#.#
2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap 
data: Certificate ownership verification failed for client: 10.#.#.#, for local 
address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap 
data: Empty server certificate chain, for local address=/10.#.#.#:8250, remote 
address=/10.#.#.##:36084.
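As an added diagnostic (not part of this thread and not CloudStack's own code), the small parser below reads the "has presented these certificate(s)" block quoted above and reports each certificate's subject CN, issuer CN and SAN entries, plus which certificates were not issued by the CA you expect; the expected issuer CN is an assumption you supply, and the sample log text is the masked excerpt from the post.

```python
import re

# Constructed sample: the DEBUG block from the management-server log quoted above.
SAMPLE_LOG = """\
2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=10.#.#.# has presented these certificate(s):
Certificate [1] :
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
Certificate [2] :
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null
2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) Certificate ownership verification failed for client: 10.#.#.#
"""

CERT_HDR = re.compile(r"^Certificate \[(\d+)\] :")
FIELD = re.compile(r"^\s*(Subject DN|Issuer DN|Alternative Names):\s*(.*)$")
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
GENERAL_NAME_TYPES = {2: "dNSName", 7: "iPAddress"}  # X.509 GeneralName tags

def parse_presented_chain(log_text):
    """Return the certificates listed after 'has presented these certificate(s)'."""
    chain, cur = [], None
    for line in log_text.splitlines():
        if TIMESTAMP.match(line):
            cur = None  # a new timestamped record ends the certificate block
        elif (m := CERT_HDR.match(line)):
            cur = {"index": int(m.group(1))}
            chain.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2).strip()
    return chain

def dn_cn(dn):
    """Extract the CN attribute from a DN string such as 'C=x, O=y, CN=z'."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

def san_names(cert):
    """Decode the log's '[[type, value], ...]' SAN list into (kind, value) pairs."""
    raw = cert.get("Alternative Names", "null")
    return [] if raw == "null" else [
        (GENERAL_NAME_TYPES.get(int(t), "type" + t), v.strip())
        for t, v in re.findall(r"\[(\d+), ([^\]]+)\]", raw)]

def certs_not_issued_by(chain, expected_issuer_cn):
    """Indexes of presented certificates whose issuer CN differs from the expected CA."""
    return [c["index"] for c in chain
            if dn_cn(c.get("Issuer DN", "")) != expected_issuer_cn]
```

Run against the real log, a non-empty result from `certs_not_issued_by` with your custom CA's CN tells you the agent is still presenting a chain from the built-in CloudStack CA rather than one signed by the CA you uploaded.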
From: Corey, Mike <mike.co...@sap.com.INVALID>
Sent: Thursday, July 1, 2021 10:33 AM
To: users <users@cloudstack.apache.org>
Subject: [CAUTION] Console Proxy & SSL

Hi,

I could use some clarification here on TLS/SSL usage. I’ve secured my ACS UI 
with a CA issued certificate. This certificate has the FQDN of my ACS server 
as the CN. The certificate is valid and the Management UI connection is 
secured in the web browser.

I’m now trying to modify the Console Proxy SSL Certificate based on this page: 
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

I have created the wildcard CA issued certificate as *.<domain name> along with 
the unencrypted key per the steps on the above wiki page.

After the changes are made in the UI under Infrastructure – SSL Certificates, 
the consolevm reboots; however, it doesn’t appear to be loading my CA 
certificate with the wildcard.

Answer this please --- I should be able to have two separate certificates: one 
for the UI management (FQDN of ACS) and one for console proxy session 
(wildcard).

I had this on the 4.14 lab implementation but unfortunately my build notes on 
this step were poor ☹.


Mike Corey

Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US

SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States

T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com