Hi, I do remember having issues with the steps in Shapeblue guide. Eventually I threw some notes for a future guide you can check here -> https://github.com/dredknight/cloud_scripts/blob/master/CloudStack-Xen/ACS-ssl-gui-guide.sh I hope that helps.
Best regards, Jordan -----Original Message----- From: Wei ZHOU <ustcweiz...@gmail.com> Sent: Thursday, September 16, 2021 10:20 PM To: users <users@cloudstack.apache.org>; vas...@gmx.de Subject: Re: Problems setting up HTTPS on CS Managementserver GUI / recommadations relizing [X] This message came from outside your organization Hi, afaik the most common setup is (1) start (multiple) cloudstack management server with port 8080 (2) setup a reverse proxy (nginx/pfsense/haproxy, etc) which supports SSL termination and transparent LB. (3) upload ssl certificate in cloudstack GUI, and enable SSL for cloudsack console proxy and secondary storage. -Wei On Tue, 14 Sept 2021 at 19:19, vas...@gmx.de <vas...@gmx.de> wrote: > Hi, > > at the moment I am trying to setting up https - access for the > management server with my own certificates. Sadly i wasn't successfull until > now. > OS: Ubuntu 20.04 > Standard Cloudstack > Basically i was following the documentation ( > > https://urldefense.com/v3/__http://docs.cloudstack.apache.org/en/lates > t/installguide/optional_installation.html*ssl-optional__;Iw!!A6UyJA!0d > TT8fqOaTGELyheFRnbrYw22T34WaEoPMbmxwezYicKr808oddMvJAwxkY7LIC7IuZy3pTq > DCm-$ > ) > as well as following guide from shapeblue ( > https://urldefense.com/v3/__https://www.shapeblue.com/securing-cloudst > ack-4-11-with-https-tls/__;!!A6UyJA!0dTT8fqOaTGELyheFRnbrYw22T34WaEoPMbmxwezYicKr808oddMvJAwxkY7LIC7IuZy3n-PQYEK$ > ) for setting up https for the GUI. > > At the moment i am stuck, as i didn't really have clue where and how > to proceed onwards, as i am not finding any problems, warinings or > errors in the cloudstack log's. > Usage of netstat shows, that currently no service is listening on port > 8443. > > Which leads me to a assumption that i maybe messed up > access-priviledges for the actual keystore-file, as the > server.properties noted sais, that the https configuration will only > be used when the keystorefile exists and is readable by the managementserver. > Therefore which permissions are normally used for the keystore to be > accessed by the management server? > > As the documentation states, that more or less every site has it's own > practices on providing webservices to actual users, i would like to > ask for some experiences with different appoaches? > Till now i "stumbled" over some ways the set up a reverseproxy based > on nginx / apache "in front" of the actual CS-Management WebServer, > which shall take care of the certificate handling. Another idea i have > read on a side would be to "by pass" the CS-Management Webserver, > targetting directly to the "root"-volume. Which seems to be a aventures > appoach... > > So i am highly interested in your approaches and experiences > regardning this topic. > > Thanks in advance! >