Posted to users@cloudstack.apache.org by Rafael del Valle <ra...@livelens.net.INVALID> on 2020/08/26 18:01:42 UTC

keystore for manager

Hi!

I am not managing to generate a keystore for the manager (jetty 9 / java 11).

We have done this before many times as we also embed jetty in other projects.

But for some reason it keeps rejecting the keystore.

Does anybody have any idea what this could be about?

This is how we are doing it:

  - name: Generate PKCS#12 file
    openssl_pkcs12:
      action: export
      path: jetty.pkcs12
      friendly_name: jetty
      privatekey_path: Test_Server_Key.pem
      certificate_path: VDC_Test_Server.crt
      other_certificates: 
        - VDC_Test_Intermediate_CA.crt
        - VDC_Test_CA.crt
      state: present
      passphrase: Secret

  - name: Generate Java Key Store
    shell: keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

Any idea what could be going on?

Rafael

Re: keystore for manager

Posted by Rafael del Valle <rv...@privaz.io.INVALID>.
OK, it seems to be already identified as an issue.

https://github.com/apache/cloudstack/issues/4199


Re: keystore for manager

Posted by rv...@privaz.io.INVALID.
It is strange... my keystore works with a vanilla Jetty 9, but does not work with cloudstack-manager.


Re: keystore for manager

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Rafael, All,

The PR has been merged on the 4.14 and master branches, and the fix will be available in the next 4.15.0.0 and/or 4.14.1.0 releases.

As a workaround, you can set up an Apache or nginx SSL-offloading server and reverse proxy to your CloudStack management server. For example, see:
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/
https://pargo.info/caching/configure-apache-for-ssl-termination-to-varnish-and-letsencrypt/


Regards.

rohit.yadav@shapeblue.com
www.shapeblue.com
3 London Bridge Street, 3rd floor, News Building, London SE1 9SG, UK
@shapeblue

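One way to set up the nginx TLS-offloading workaround Rohit describes, as an added example that is not from this thread or from the CloudStack project. It assumes the management server listens on plain HTTP on 127.0.0.1:8080 (CloudStack's default port, assumed here), that the public name is cloud.example.com, and that the leaf certificate and intermediate from Rafael's playbook have been concatenated into one chain file.

```nginx
# Added example: nginx terminates TLS and reverse-proxies to the CloudStack
# management server. Assumed: backend on 127.0.0.1:8080, name cloud.example.com.
# Chain file built beforehand (assumed path), leaf first, then the intermediate:
#   cat VDC_Test_Server.crt VDC_Test_Intermediate_CA.crt > /etc/nginx/tls/fullchain.crt

# Redirect plain HTTP to HTTPS so no session cookie or API key travels in clear.
server {
    listen 80;
    server_name cloud.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name cloud.example.com;

    # Same key and certificate chain Rafael was packing into the PKCS#12 file.
    ssl_certificate     /etc/nginx/tls/fullchain.crt;
    ssl_certificate_key /etc/nginx/tls/Test_Server_Key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Pin browsers to HTTPS once they have seen the site over TLS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Plain HTTP hop to the management server; keep 8080 bound to loopback.
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # Preserve the original host and tell the backend the client used HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because TLS now ends at nginx, the hop to port 8080 is cleartext: keep it on loopback or firewalled so clients cannot reach the management server around the proxy.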
Re: keystore for manager

Posted by Rohit Yadav <ro...@shapeblue.com>.
All,

I've proposed a PR here: https://github.com/apache/cloudstack/pull/4288

The issue was that the newer Jetty 9 on 4.14 and master has deprecated how SSL connections are handled and fails with a keystore-related error. I've tested both JKS and PKCS12 types of keystore with (a) a self-signed cert and (b) a valid wildcard cert with cert chains, and it worked for me.


Regards.

Re: keystore for manager

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Rafael, All,

Yes, as you've identified, this is a known blocker issue and we're working towards fixing that. I think this has to do with the migration towards Java 11 and the change in the default keystore formats, and I'm currently exploring the issue. This has been working with 4.13, which uses Java 8.


Regards.
