I suggest you just do SSL for the console proxy, and set up another server
with an SSL cert and reverse proxy to your Management server.

On Fri, Jul 2, 2021 at 4:22 AM Andrija Panic <andrija.pa...@gmail.com>
wrote:

> Hi Mike,
>
> certificate for securing UI and the certificate for securing access to
> Console of the VM (i.e. securing HTTPS access from browser to the public IP
> of the CPVM/SSVM) are 2 completely different things - and you can/should
> use 2 different certificates.
>
> Please read this article - it's very comprehensive and up to date in
> regards to the steps - afterwards, I'm happy to answer any additional
> questions you might have:
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
>
>
> Your second email - is referring to a cloudstack agent certificate that is
> generated by default to secure agent-to-mgmt communication - nothing to do
> with the other 2 you are configuring.
>
> Cheers,
>
>
> On Thu, 1 Jul 2021 at 19:39, Corey, Mike <mike.co...@sap.com.invalid>
> wrote:
>
> > To help me with troubleshooting, could one of the developers let me know
> > where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> > there a way to verify the custom wildcard cert I’ve uploaded is where it
> > should be? I’m seeing this error in the ACS logs.
> >
> > Should the CA wildcard certificate issuer & CN be in the “presented these
> > certificates” section of log?
> >
> >
> > 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=10.#.#.# has presented these certificate(s):
> > Certificate [1] :
> > Serial: 85b01fc4f045cf08
> >   Not Before:Thu Jul 01 01:03:33 EDT 2021
> >   Not After:Fri Jul 01 13:03:33 EDT 2022
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> > Certificate [2] :
> > Serial: 3b2fcee96e685c62
> >   Not Before:Mon May 03 00:43:22 EDT 2021
> >   Not After:Wed Apr 26 12:43:22 EDT 2051
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:CN=ca.cloudstack.apache.org
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:null
> >
> > 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) Certificate ownership verification failed for client: 10.#.#.#
> > 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap data: Certificate ownership verification failed for client: 10.#.#.#, for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> > 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap data: Empty server certificate chain, for local address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
> >
> >
> >
> >
> > From: Corey, Mike <mike.co...@sap.com.INVALID>
> > Sent: Thursday, July 1, 2021 10:33 AM
> > To: users <users@cloudstack.apache.org>
> > Subject: [CAUTION] Console Proxy & SSL
> >
> > Hi,
> >
> > I could use some clarification here on TLS/SSL usage. I’ve secured my ACS
> > UI with a CA issued certificate. This certificate has the FQDN of my ACS
> > server as the CN. The certificate is valid and the Management UI
> > connection is secured in the web browser.
> >
> > I’m now trying to modify the Console Proxy SSL Certificate based on this
> > page:
> > http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
> >
> > I have created the wildcard CA issued certificate as *.<domain name> along
> > with the unencrypted key per the steps on the above wiki page.
> >
> > After the changes are made in the UI under Infrastructure – SSL
> > Certificates, the consolevm reboots; however, it doesn’t appear it is
> > loading my CA certificate with the wildcard.
> >
> > Answer this please --- I should be able to have two separate certificates:
> > one for the UI management (FQDN of ACS) and one for console proxy session
> > (wildcard).
> >
> > I had this on the 4.14 lab implementation but unfortunately my build notes
> > on this step were poor ☹.
> >
> >
> > Mike Corey
> >
> > Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US
> >
> > SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States
> >
> > T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
> >
> >
> >
> >
> >
>
> --
>
> Andrija Panić
>


-- 
Regards,
Hean Seng
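To make Andrija's point checkable against the RootCACustomTrustManager output Mike quoted, here is an added Python helper (my example, not CloudStack code) that parses one "presented these certificate(s)" block into certificate records and reports whether the leaf was issued by the built-in agent CA (so it cannot be the uploaded UI or console-proxy cert), whether it is within its validity window, and whether the connecting address appears in its IP SANs. That the SAN/address comparison is what "Certificate ownership verification" means is my assumption; the sample log is constructed in the shape of the quoted one, with the masked 10.#.#.# addresses replaced by made-up values.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the RootCACustomTrustManager block quoted in the
# thread; the masked 10.#.#.# addresses are replaced with made-up ones.
SAMPLE_LOG = """\
2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=10.0.0.17 has presented these certificate(s):
Certificate [1] :
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.0.0.99], [2, v-17-VM]]
Certificate [2] :
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null
"""
CLOUDSTACK_CA = "CN=ca.cloudstack.apache.org"  # issuer of the built-in agent certificates

def _parse_time(s):
    # Java prints "Thu Jul 01 01:03:33 EDT 2021"; drop the zone name (strptime cannot parse it portably).
    p = s.split()
    return datetime.strptime(" ".join(p[:4] + p[5:]), "%a %b %d %H:%M:%S %Y")

def parse_presented_chain(log):
    """Return (client address, cert dicts) from one 'presented these certificate(s)' block."""
    addr = re.search(r"from address=(\S+) has presented", log).group(1)
    certs = []
    for block in re.split(r"^Certificate \[\d+\] :\s*$", log, flags=re.M)[1:]:
        f = dict(re.findall(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", block, flags=re.M))
        sans = re.findall(r"\[(\d+), ([^\]]+)\]", f.get("Alternative Names", ""))
        certs.append({"subject": f["Subject DN"], "issuer": f["Issuer DN"],
                      "not_before": _parse_time(f["Not Before"]), "not_after": _parse_time(f["Not After"]),
                      "ip_sans": [v for t, v in sans if t == "7"],   # GeneralName tag 7 = iPAddress
                      "dns_sans": [v for t, v in sans if t == "2"]}) # GeneralName tag 2 = dNSName
    return addr, certs

def explain_chain(addr, certs, now):
    """Findings about the leaf: issuing CA, validity, and whether the connecting address
    is in its IP SANs (my assumed reading of CloudStack's 'ownership verification')."""
    leaf, findings = certs[0], []
    if leaf["issuer"] == CLOUDSTACK_CA:
        findings.append("leaf issued by the built-in CloudStack agent CA, not the uploaded UI/console cert")
    if not leaf["not_before"] <= now <= leaf["not_after"]:
        findings.append("leaf is outside its validity window")
    if addr not in leaf["ip_sans"]:
        findings.append(f"connecting address {addr} is not among the leaf's IP SANs {leaf['ip_sans']}")
    return findings
```

Run it as `explain_chain(*parse_presented_chain(SAMPLE_LOG), now)` with the log timestamp as `now`; an empty finding list means the chain is an external cert, in date, and covering the connecting address.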
