You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cloudstack.apache.org by cs user <ac...@gmail.com> on 2015/07/31 10:51:31 UTC

4.5.1 - SSVM Cert issues

Hi Folks,

After updating to 4.5.1 and installing using the shapeblue SSVM templates:
http://packages.shapeblue.com/systemvmtemplate/4.5/new/

We are hitting an issue very similar to the below when trying to copy
templates between zones:

https://issues.apache.org/jira/browse/CLOUDSTACK-1475

We are using our own wildcard cert for this parameter:
secstorage.ssl.cert.domain

We weren't having any issues when using 4.3. Has anyone run into this?

Cheers!

Re: 4.5.1 - SSVM Cert issues

Posted by cs user <ac...@gmail.com>.

Hi There :)

I've gone through the process of uploading the SSL certificate again, and
now all is working fine, which is fantastic! :)

Not sure if this has broken as part of upgrading or if it was never
installed fully before, but its working now.

Cheers!

On Fri, Jul 31, 2015 at 12:00 PM, Thomas Moroder <cl...@server24.eu>
wrote:

> The url's that are being generated are of the form:
>> https://192-168-2-15.random.net
>> Which all looks fine.
>>
>
> OK
>
> The secstorage.ssl.cert.domain parmater is set to *.random.net
>>  From the ssvm I ran the following:
>> openssl s_client -connect 192-168-2-15.random.net:443
>>
>
> have you included the intermediary certificates?
>
>
> Sincerely,
> Thomas Moroder
>
> --
> Incubatec GmbH - Srl
> Via Scurcia'str. 36, 39046 Ortisei(BZ), ITALIA
> Registered with the chamber of commerce of Bolzano the 8th of November
> 2001 with
> REA-No. 168204 (s.c. of EUR 10.000 f.p.u.)
> President: Thomas Moroder, VAT-No. IT 02283140214
> Tel: +39.0471796829 - Fax: +39.0471797949
>
> IMPRINT:
> http://www.incubatec.com/imprint.html
> PRIVACY:
> http://www.server24.it/informativa_completa.html
>
>

Re: 4.5.1 - SSVM Cert issues

Posted by Thomas Moroder <cl...@server24.eu>.

> The url's that are being generated are of the form:
> https://192-168-2-15.random.net
> Which all looks fine.

OK

> The secstorage.ssl.cert.domain parmater is set to *.random.net
>  From the ssvm I ran the following:
> openssl s_client -connect 192-168-2-15.random.net:443

have you included the intermediary certificates?

Sincerely,
Thomas Moroder

--
Incubatec GmbH - Srl
Via Scurcia'str. 36, 39046 Ortisei(BZ), ITALIA
Registered with the chamber of commerce of Bolzano the 8th of November 2001 with
REA-No. 168204 (s.c. of EUR 10.000 f.p.u.)
President: Thomas Moroder, VAT-No. IT 02283140214
Tel: +39.0471796829 - Fax: +39.0471797949

IMPRINT:
http://www.incubatec.com/imprint.html
PRIVACY:
http://www.server24.it/informativa_completa.html

Re: 4.5.1 - SSVM Cert issues

Posted by cs user <ac...@gmail.com>.

Hi There,

The url's that are being generated are of the form:

https://192-168-2-15.random.net

Which all looks fine.

The secstorage.ssl.cert.domain parmater is set to *.random.net

>From the ssvm I ran the following:

openssl s_client -connect 192-168-2-15.random.net:443

Which then seemed to complain about the root cert. I guess the provider we
have used does not have it's trusted root cert in the new ssvm template.

Perhaps a consequence of the move to java7 within the templates?

As I say, this all worked fine in 4.3.

So either we have to load this cert in every time we launch a fresh ssvm,
or we somehow build our own ssvm template with the root cert baked into the
image.

When you add a new cert to the environment, does it push the root cert to
the ssvm? Has it ever been possible to use a self signed cert?

Thanks!

On Fri, Jul 31, 2015 at 10:34 AM, Thomas Moroder <cl...@server24.eu>
wrote:

> We are hitting an issue very similar to the below when trying to copy
>> templates between zones:
>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475
>> We are using our own wildcard cert for this parameter:
>> secstorage.ssl.cert.domain
>> We weren't having any issues when using 4.3. Has anyone run into this?
>>
>
> I guess the certificate controls are more strict. Are you sure your
> wildcard certificate is for *.ssl.cert.domain and not *.cert.domain?
> Subdomains are not included in the wildcard-certificate.
>
> Sincerely,
> Thomas Moroder
>
>
> --
> Incubatec GmbH - Srl
> Via Scurcia'str. 36, 39046 Ortisei(BZ), ITALIA
> Registered with the chamber of commerce of Bolzano the 8th of November
> 2001 with
> REA-No. 168204 (s.c. of EUR 10.000 f.p.u.)
> President: Thomas Moroder, VAT-No. IT 02283140214
> Tel: +39.0471796829 - Fax: +39.0471797949
>
> IMPRINT:
> http://www.incubatec.com/imprint.html
> PRIVACY:
> http://www.server24.it/informativa_completa.html
>
>

Re: 4.5.1 - SSVM Cert issues

Posted by Thomas Moroder <cl...@server24.eu>.

> We are hitting an issue very similar to the below when trying to copy
> templates between zones:
> https://issues.apache.org/jira/browse/CLOUDSTACK-1475
> We are using our own wildcard cert for this parameter:
> secstorage.ssl.cert.domain
> We weren't having any issues when using 4.3. Has anyone run into this?

I guess the certificate controls are more strict. Are you sure your wildcard 
certificate is for *.ssl.cert.domain and not *.cert.domain? Subdomains are not 
included in the wildcard-certificate.

Sincerely,
Thomas Moroder


-- 
Incubatec GmbH - Srl
Via Scurcia'str. 36, 39046 Ortisei(BZ), ITALIA
Registered with the chamber of commerce of Bolzano the 8th of November 2001 with
REA-No. 168204 (s.c. of EUR 10.000 f.p.u.)
President: Thomas Moroder, VAT-No. IT 02283140214
Tel: +39.0471796829 - Fax: +39.0471797949

IMPRINT:
http://www.incubatec.com/imprint.html
PRIVACY:
http://www.server24.it/informativa_completa.html