Hi,

I do remember having issues with the steps in Shapeblue guide.
Eventually I threw some notes for a future guide you can check here ->
https://github.com/dredknight/cloud_scripts/blob/master/CloudStack-Xen/ACS-ssl-gui-guide.sh
I hope that helps.

Best regards,
Jordan

-----Original Message-----
From: Wei ZHOU <ustcweiz...@gmail.com> 
Sent: Thursday, September 16, 2021 10:20 PM
To: users <users@cloudstack.apache.org>; vas...@gmx.de
Subject: Re: Problems setting up HTTPS on CS Managementserver GUI / 
recommadations relizing



Hi,

afaik the most common setup is
(1) start (multiple) cloudstack management server with port 8080
(2) set up a reverse proxy (nginx/pfsense/haproxy, etc) which supports SSL
termination and transparent LB.
(3) upload ssl certificate in cloudstack GUI, and enable SSL for cloudstack
console proxy and secondary storage.

-Wei


On Tue, 14 Sept 2021 at 19:19, vas...@gmx.de <vas...@gmx.de> wrote:

> Hi,
>
> at the moment I am trying to set up https access for the
> management server with my own certificates. Sadly I wasn't successful until
> now.
> OS: Ubuntu 20.04
> Standard Cloudstack
> Basically I was following the documentation (
> http://docs.cloudstack.apache.org/en/latest/installguide/optional_installation.html#ssl-optional
> )
> as well as the following guide from Shapeblue (
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
> ) for setting up https for the GUI.
>
> At the moment I am stuck, as I didn't really have a clue where and how
> to proceed onwards, as I am not finding any problems, warnings or
> errors in the cloudstack logs.
> Usage of netstat shows that currently no service is listening on port
> 8443.
>
> Which leads me to an assumption that I maybe messed up
> access privileges for the actual keystore file, as the
> server.properties notes say that the https configuration will only
> be used when the keystore file exists and is readable by the management server.
> Therefore, which permissions are normally used for the keystore to be
> accessed by the management server?
>
> As the documentation states that more or less every site has its own
> practices on providing webservices to actual users, I would like to
> ask for some experiences with different approaches?
> Till now I "stumbled" over some ways to set up a reverse proxy based
> on nginx / apache "in front" of the actual CS-Management WebServer,
> which shall take care of the certificate handling. Another idea I have
> read on a site would be to "by pass" the CS-Management Webserver,
> targeting directly to the "root"-volume. Which seems to be an adventurous
> approach...
>
> So I am highly interested in your approaches and experiences
> regarding this topic.
>
> Thanks in advance!
>

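The original question notes that the HTTPS settings in server.properties only take effect when the keystore file exists and is readable by the management server. The following check for those two conditions is an added example, not code from anyone in this thread or from the CloudStack project. It assumes the key names `https.enable` and `https.keystore`, and takes the properties path and service account name from the caller.

```python
import os
import stat
import sys

# Assumed key names: https.enable and https.keystore (not quoted in the thread).
def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def readable_by(path, uid, gids):
    """Mode-bit check only: ignores ACLs and parent-directory permissions."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def https_findings(props_text, uid, gids):
    """Return reasons why the HTTPS listener would not start, or is exposed."""
    props = parse_properties(props_text)
    findings = []
    if props.get("https.enable", "false").lower() != "true":
        findings.append("https.enable is not true")
    keystore = props.get("https.keystore")
    if not keystore:
        findings.append("https.keystore is not set")
    elif not os.path.isfile(keystore):
        findings.append("keystore file missing: " + keystore)
    else:
        if not readable_by(keystore, uid, gids):
            findings.append("keystore not readable by uid %d: %s" % (uid, keystore))
        if os.stat(keystore).st_mode & stat.S_IROTH:
            findings.append("keystore is world-readable: " + keystore)
    return findings

if __name__ == "__main__":
    # Usage: script.py <path to server.properties> <service account name>
    import pwd
    account = pwd.getpwnam(sys.argv[2])
    groups = os.getgrouplist(account.pw_name, account.pw_gid)
    with open(sys.argv[1]) as fh:
        for finding in https_findings(fh.read(), account.pw_uid, groups):
            print("FINDING:", finding)
```

An empty result means the file-level preconditions hold. A keystore readable only by the service account (mode 0600 or 0640 with a dedicated group) passes both checks.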