Posted to users@cloudstack.apache.org by Nux! <nu...@li.nux.ro> on 2016/02/19 17:07:55 UTC

HTTPS for console VM, without the wildcard DNS

Hi,

Last time I enabled HTTPS for the console VM, I had to get a *.domain.tld and a wildcard certificate to match that.
Is there no other way to enable SSL without the wildcard DNS bit?
It adds a bit of overhead having to set up DNS infra for the customer just so he's able to securely access his cloud.


--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: HTTPS for console VM, without the wildcard DNS

Posted by Nux! <nu...@li.nux.ro>.
Yeah, it's a hassle.

I wish the console VM came with a self-signed certificate by default and were accessed via https by default.

Nowadays I use your proxying tip to quickly put the CloudStack management behind mod_ssl - way easier than having to mess with Tomcat; however, browsers will not render non-https URLs in https pages, such as the iframe that includes the console URL.

The way it is now works fine if you have one or two clouds, but when you want to sell many little clouds, adding new infra (spinning gears) to do the whole https/dns thingy is annoying.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "John Kinsella" <jl...@gmail.com>
> To: users@cloudstack.apache.org
> Sent: Friday, 19 February, 2016 20:31:55
> Subject: Re: HTTPS for console VM, without the wildcard DNS

> You could probably hack this - if you only provided enough IPs for your System
> VMs so that its IP wouldn't change, you could register the SSL cert for that
> specific FQDN.
> 
> Seems like it should be possible to have the console proxy run in http-only,
> then put a TLS endpoint in front of it (haproxy, netscaler etc) but I suspect
> a few code tweaks would be necessary.
> 
> But no, no good out-of-the-box solution.
> 
> John
> 
>> On Feb 19, 2016, at 8:38 AM, Nux! <nu...@li.nux.ro> wrote:
>> 
>> So there's no way around it, thanks Stephan. :-)
>> 
>> --
>> Sent from the Delta quadrant using Borg technology!
>> 
>> Nux!
>> www.nux.ro
>> 
>> ----- Original Message -----
>>> From: "Stephan Seitz" <s....@secretresearchfacility.com>
>>> To: users@cloudstack.apache.org
>>> Sent: Friday, 19 February, 2016 16:21:37
>>> Subject: Re: HTTPS for console VM, without the wildcard DNS
>> 
>>> Hi,
>>> 
>>> well, one could manage huge hosts-files ;)
>>> 
>>> but seriously, you just need a dns-name / wildcard-certificate for a
>>> domain you trust. If your customers trust your certificate AND your dns
>>> - maybe because of dnssec - you don't need that for every customer.
>>> 
>>> To keep things off our full-featured nameservers, we did a
>>> zone-delegation for a cloud-subdomain.domain.tld to a small bind which
>>> holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
>>> A-Records.
>>> This took us maybe one hour and a 3-liner in bash.
>>> 
>>> cheers,
>>> 
>>> - Stephan
>>> 
>>> On Friday, 19.02.2016, 16:07 +0000, Nux! wrote:
>>>> Hi,
>>>> 
>>>> Last time I enabled HTTPS for the console VM, I had to get a *.domain.tld and a
>>>> wildcard certificate to match that.
>>>> Is there no other way to enable SSL without the wildcard DNS bit?
>>>> It adds a bit of overhead having to set up DNS infra for the customer just so
>>>> he's able to securely access his cloud.
>>>> 
>>>> 
>>>> --
>>>> Sent from the Delta quadrant using Borg technology!
>>>> 
>>>> Nux!
>>>> www.nux.ro

Re: HTTPS for console VM, without the wildcard DNS

Posted by John Kinsella <jl...@gmail.com>.
You could probably hack this - if you only provided enough IPs for your System VMs so that its IP wouldn't change, you could register the SSL cert for that specific FQDN.

Seems like it should be possible to have the console proxy run in http-only, then put a TLS endpoint in front of it (haproxy, netscaler etc) but I suspect a few code tweaks would be necessary.

But no, no good out-of-the-box solution.

John

> On Feb 19, 2016, at 8:38 AM, Nux! <nu...@li.nux.ro> wrote:
> 
> So there's no way around it, thanks Stephan. :-)
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
> 
> ----- Original Message -----
>> From: "Stephan Seitz" <s....@secretresearchfacility.com>
>> To: users@cloudstack.apache.org
>> Sent: Friday, 19 February, 2016 16:21:37
>> Subject: Re: HTTPS for console VM, without the wildcard DNS
> 
>> Hi,
>> 
>> well, one could manage huge hosts-files ;)
>> 
>> but seriously, you just need a dns-name / wildcard-certificate for a
>> domain you trust. If your customers trust your certificate AND your dns
>> - maybe because of dnssec - you don't need that for every customer.
>> 
>> To keep things off our full-featured nameservers, we did a
>> zone-delegation for a cloud-subdomain.domain.tld to a small bind which
>> holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
>> A-Records.
>> This took us maybe one hour and a 3-liner in bash.
>> 
>> cheers,
>> 
>> - Stephan
>> 
>> On Friday, 19.02.2016, 16:07 +0000, Nux! wrote:
>>> Hi,
>>> 
>>> Last time I enabled HTTPS for the console VM, I had to get a *.domain.tld and a
>>> wildcard certificate to match that.
>>> Is there no other way to enable SSL without the wildcard DNS bit?
>>> It adds a bit of overhead having to set up DNS infra for the customer just so
>>> he's able to securely access his cloud.
>>> 
>>> 
>>> --
>>> Sent from the Delta quadrant using Borg technology!
>>> 
>>> Nux!
>>> www.nux.ro


Re: HTTPS for console VM, without the wildcard DNS

Posted by Nux! <nu...@li.nux.ro>.
So there's no way around it, thanks Stephan. :-)

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Stephan Seitz" <s....@secretresearchfacility.com>
> To: users@cloudstack.apache.org
> Sent: Friday, 19 February, 2016 16:21:37
> Subject: Re: HTTPS for console VM, without the wildcard DNS

> Hi,
> 
> well, one could manage huge hosts-files ;)
> 
> but seriously, you just need a dns-name / wildcard-certificate for a
> domain you trust. If your customers trust your certificate AND your dns
> - maybe because of dnssec - you don't need that for every customer.
> 
> To keep things off our full-featured nameservers, we did a
> zone-delegation for a cloud-subdomain.domain.tld to a small bind which
> holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
> A-Records.
> This took us maybe one hour and a 3-liner in bash.
> 
> cheers,
> 
> - Stephan
> 
> On Friday, 19.02.2016, 16:07 +0000, Nux! wrote:
>> Hi,
>> 
>> Last time I enabled HTTPS for the console VM, I had to get a *.domain.tld and a
>> wildcard certificate to match that.
>> Is there no other way to enable SSL without the wildcard DNS bit?
>> It adds a bit of overhead having to set up DNS infra for the customer just so
>> he's able to securely access his cloud.
>> 
>> 
>> --
>> Sent from the Delta quadrant using Borg technology!
>> 
>> Nux!
>> www.nux.ro

Re: HTTPS for console VM, without the wildcard DNS

Posted by Stephan Seitz <s....@secretresearchfacility.com>.
Hi,

well, one could manage huge hosts-files ;)

but seriously, you just need a dns-name / wildcard-certificate for a
domain you trust. If your customers trust your certificate AND your dns
- maybe because of dnssec - you don't need that for every customer.

To keep things off our full-featured nameservers, we did a
zone-delegation for a cloud-subdomain.domain.tld to a small bind which
holds just a flat zone-file which contains all of the a-b-c-d to a.b.c.d
A-Records.
This took us maybe one hour and a 3-liner in bash.

cheers,

- Stephan

On Friday, 19.02.2016, 16:07 +0000, Nux! wrote:
> Hi,
> 
> Last time I enabled HTTPS for the console VM, I had to get a *.domain.tld and a wildcard certificate to match that.
> Is there no other way to enable SSL without the wildcard DNS bit?
> It adds a bit of overhead having to set up DNS infra for the customer just so he's able to securely access his cloud.
> 
> 
> --
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro
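As an added example of the "flat zone-file" approach Stephan describes (this is not his script or CloudStack's own code), the POSIX shell below generates a BIND zone in which every address of an IPv4 /24 gets an A record whose label is the dotted address with dashes, i.e. a-b-c-d resolves to a.b.c.d, which is the naming scheme the console proxy URLs use under a wildcard certificate. The zone name cloud.example.com, the nameserver ns1.example.com. and the 203.0.113.0/24 prefix are constructed placeholders; it also includes a verify step that checks every generated record maps back to its own label before the file is loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a flat BIND zone file in
# the style described above: each host in an IPv4 /24 gets an A record whose
# label is the dashed form of its address (a-b-c-d -> a.b.c.d).
# Zone name, nameserver, mailbox and prefix are constructed placeholders.

# Turn a dotted IPv4 address into the dashed label used as the hostname.
dash_name() {
    printf '%s\n' "$1" | tr '.' '-'
}

# Emit A records for hosts FIRST..LAST of the /24 given by PREFIX (e.g. 203.0.113).
gen_records() {
    prefix="$1"; first="$2"; last="$3"
    i="$first"
    while [ "$i" -le "$last" ]; do
        ip="$prefix.$i"
        printf '%s\tIN\tA\t%s\n' "$(dash_name "$ip")" "$ip"
        i=$((i + 1))
    done
}

# Emit a complete zone: $ORIGIN, $TTL, SOA, NS, then the 254 host records.
# The serial is epoch seconds, so a regenerated zone is always newer than
# the previous one and secondaries pick it up.
gen_zone() {
    zone="$1"; ns="$2"; prefix="$3"
    serial=$(date +%s)
    printf '$ORIGIN %s.\n$TTL 3600\n' "$zone"
    printf '@\tIN\tSOA\t%s hostmaster.%s. (%s 3600 900 1209600 300)\n' \
        "$ns" "$zone" "$serial"
    printf '@\tIN\tNS\t%s\n' "$ns"
    gen_records "$prefix" 1 254
}

# Read a zone on stdin and fail (exit 1) if any A record's label does not
# match the dashed form of its own address, so a typo in the generator can
# never publish a name that points somewhere else.
verify_zone() {
    awk '$3 == "A" {
             split($4, o, ".")
             want = o[1] "-" o[2] "-" o[3] "-" o[4]
             if ($1 != want) bad++
         }
         END { exit bad ? 1 : 0 }'
}

# Usage (constructed values; 203.0.113.0/24 is the TEST-NET-3 documentation range):
#   gen_zone cloud.example.com ns1.example.com. 203.0.113 > /var/named/cloud.example.com.zone
#   gen_zone cloud.example.com ns1.example.com. 203.0.113 | verify_zone && echo "zone ok"
```

Only the address ranges actually assigned to console proxy VMs should be fed to the generator: the wildcard certificate covers every name under the delegated zone, so the zone itself is the list of hosts that certificate will be presented for, and keeping it limited to those ranges (and regenerating it from the same source of truth as the IP allocation) keeps the two in step.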