Hi Mike, the certificate for securing the UI and the certificate for securing access to the console of the VM (i.e. securing HTTPS access from the browser to the public IP of the CPVM/SSVM) are 2 completely different things - and you can/should use 2 different certificates.
Please read this article - it's very comprehensive and up to date in regards to the steps - afterwards, I'm happy to answer any additional questions you might have: https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/

Your second email is referring to a cloudstack agent certificate that is generated by default to secure agent-to-mgmt communication - nothing to do with the other 2 you are configuring.

Cheers,

On Thu, 1 Jul 2021 at 19:39, Corey, Mike <mike.co...@sap.com.invalid> wrote:

> To help me with troubleshooting, could one of the developers let me know where the wildcard certificate is loaded into the ssvm and consolevm? Is there a way to verify the custom wildcard cert I've uploaded is where it should be? I'm seeing this error in the ACS logs.
>
> Should the CA wildcard certificate issuer & CN be in the "presented these certificates" section of the log?
>
> 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=10.#.#.# has presented these certificate(s):
> Certificate [1] :
> Serial: 85b01fc4f045cf08
> Not Before:Thu Jul 01 01:03:33 EDT 2021
> Not After:Fri Jul 01 13:03:33 EDT 2022
> Signature Algorithm:SHA256withRSA
> Version:3
> Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
> Issuer DN:CN=ca.cloudstack.apache.org
> Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> Certificate [2] :
> Serial: 3b2fcee96e685c62
> Not Before:Mon May 03 00:43:22 EDT 2021
> Not After:Wed Apr 26 12:43:22 EDT 2051
> Signature Algorithm:SHA256withRSA
> Version:3
> Subject DN:CN=ca.cloudstack.apache.org
> Issuer DN:CN=ca.cloudstack.apache.org
> Alternative Names:null
>
> 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) Certificate ownership verification failed for client: 10.#.#.#
> 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap data: Certificate ownership verification failed for client: 10.#.#.#, for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap data: Empty server certificate chain, for local address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
>
>
> From: Corey, Mike <mike.co...@sap.com.INVALID>
> Sent: Thursday, July 1, 2021 10:33 AM
> To: users <users@cloudstack.apache.org>
> Subject: [CAUTION] Console Proxy & SSL
>
> Hi,
>
> I could use some clarification here on TLS/SSL usage. I've secured my ACS UI with a CA issued certificate. This certificate has the FQDN of my ACS server as the CN. The certificate is valid and the Management UI connection is secured in the web browser.
>
> I'm now trying to modify the Console Proxy SSL Certificate based on this page:
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
>
> I have created the wildcard CA issued certificate as *.<domain name> along with the unencrypted key per the steps on the above wiki page.
>
> After the changes are made in the UI under Infrastructure – SSL Certificates, the consolevm reboots; however, it doesn't appear it is loading my CA certificate with the wildcard.
>
> Answer this please --- I should be able to have two separate certificates: one for the UI management (FQDN of ACS) and one for the console proxy session (wildcard).
>
> I had this on the 4.14 lab implementation but unfortunately my build notes on this step were poor ☹.
>
> Mike Corey
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US
> SAP AMERICA, INC.
> 3999 West Chester Pike, Newtown Square, 19073 United States
> T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
>

-- 
Andrija Panić
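The log block Mike quoted is the management server's check of the agent certificate, the third certificate Andrija mentions, so uploading a wildcard console-proxy certificate does not change what appears there. As an added example (not CloudStack code and not from either poster), the Python script below parses a block in exactly that format and re-runs the checks an operator would otherwise do by eye: that the presented chain links up to the built-in CN=ca.cloudstack.apache.org root, that the leaf is inside its validity window at the time of the log line, and that the connecting address appears as an iPAddress SAN of the leaf. That last reading of "Certificate ownership verification failed" is this example's assumption, as is the constructed sample log, which keeps the thread's serials and names but substitutes RFC 5737 addresses for the masked ones; the `[7, …]` / `[2, …]` pairs are Java's GeneralName tags (7 = iPAddress, 2 = dNSName).

```python
"""Triage helper for a RootCACustomTrustManager 'has presented these certificate(s)' block.

Added example, not CloudStack code. Assumption: 'ownership verification' means the
connecting address must be an iPAddress SAN of the leaf certificate.
"""
import re
from datetime import datetime

# Java GeneralName tags, as printed in the '[tag, value]' SAN pairs of the log.
SAN_TYPES = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
             4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
             7: "iPAddress", 8: "registeredID"}
FIELDS = ("Serial", "Not Before", "Not After", "Signature Algorithm",
          "Version", "Subject DN", "Issuer DN", "Alternative Names")
ADDR_RE = re.compile(r"connection from address=(\S+) has presented")
CERT_RE = re.compile(r"^Certificate \[(\d+)\] :", re.M)
SAN_RE = re.compile(r"\[(\d+), ([^\]]+)\]")

# Constructed sample modelled on the thread's log (RFC 5737 addresses stand in
# for the masked 10.#.#.# ones). The client connects from an address that is
# not among the leaf's iPAddress SANs, so the ownership check fails.
SAMPLE_LOG = """\
2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=192.0.2.99 has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
Not Before:Thu Jul 01 01:03:33 EDT 2021
Not After:Fri Jul 01 13:03:33 EDT 2022
Signature Algorithm:SHA256withRSA
Version:3
Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
Issuer DN:CN=ca.cloudstack.apache.org
Alternative Names:[[7, 192.0.2.17], [7, 198.51.100.17], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
Not Before:Mon May 03 00:43:22 EDT 2021
Not After:Wed Apr 26 12:43:22 EDT 2051
Signature Algorithm:SHA256withRSA
Version:3
Subject DN:CN=ca.cloudstack.apache.org
Issuer DN:CN=ca.cloudstack.apache.org
Alternative Names:null
2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) Certificate ownership verification failed for client: 192.0.2.99
"""


def parse_java_date(text):
    """Parse Java's Date.toString() form, e.g. 'Thu Jul 01 01:03:33 EDT 2021'.
    The zone token is dropped (strptime's %Z knows only a few names); every stamp
    in one log shares the server's zone, so comparisons between them stay valid."""
    text = re.sub(r" [A-Z]{2,5} (\d{4})$", r" \1", text.strip())
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def parse_presented_block(log):
    """Return (client_address, certs); certs are ordered leaf first, as logged."""
    match = ADDR_RE.search(log)
    if not match:
        raise ValueError("no 'has presented these certificate(s)' line found")
    parts = CERT_RE.split(log)  # [preamble, index, body, index, body, ...]
    certs = []
    for index, body in zip(parts[1::2], parts[2::2]):
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() in FIELDS:  # skips trailing ERROR lines
                fields[key.strip()] = value.strip()
        raw_sans = fields.get("Alternative Names", "null")  # 'null' -> no SANs
        sans = [(SAN_TYPES.get(int(tag), tag), value.strip())
                for tag, value in SAN_RE.findall(raw_sans)]
        certs.append({"index": int(index), "serial": fields["Serial"],
                      "not_before": parse_java_date(fields["Not Before"]),
                      "not_after": parse_java_date(fields["Not After"]),
                      "subject": fields["Subject DN"], "issuer": fields["Issuer DN"],
                      "sans": sans})
    return match.group(1), certs


def chain_links(certs):
    """Each issuer must equal the next subject and the last cert must be self-signed.
    Name matching only: the log carries no public keys, so signatures are not checked."""
    for lower, upper in zip(certs, certs[1:]):
        if lower["issuer"] != upper["subject"]:
            return False
    return certs[-1]["issuer"] == certs[-1]["subject"]


def valid_at(cert, when):
    return cert["not_before"] <= when <= cert["not_after"]


def client_owns_cert(client, cert):
    """Ownership as assumed here: the connecting address is an iPAddress SAN."""
    return any(kind == "iPAddress" and value == client for kind, value in cert["sans"])


def triage(log, when):
    client, certs = parse_presented_block(log)
    leaf = certs[0]
    return {"client": client, "leaf_subject": leaf["subject"],
            "root_subject": certs[-1]["subject"], "chain_links": chain_links(certs),
            "leaf_valid": valid_at(leaf, when),
            "client_in_san": client_owns_cert(client, leaf),
            "ip_sans": [v for k, v in leaf["sans"] if k == "iPAddress"]}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, parse_java_date("Thu Jul 01 13:23:12 EDT 2021")).items():
        print(f"{key:>14}: {value}")
```

Run against a real block, a `chain_links`/`leaf_valid` of True with `client_in_san` False points at an address mismatch between the agent's certificate and the address it connects from (for example after a system VM is re-addressed), rather than at anything the UI or console-proxy certificates could fix; a `root_subject` other than CN=ca.cloudstack.apache.org would instead mean the agent is presenting a certificate from a different CA.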