Posted to users@cloudstack.apache.org by Billy Ramsay <br...@dynamicquest.com> on 2013/12/12 23:20:04 UTC

Console Proxy Certificate Chain

All,

I am attempting to install a custom certificate for our console proxy VMs,
as we have set up our own DNS responder using the RHIP source. The
uploadCustomCertificate API command is not documented very well, and I'm
having issues getting the certificate to install correctly. If I am not
mistaken, a cert that requires an intermediate CA cannot be installed from
the web interface, and must be done using the API. However, when using
CloudMonkey, I cannot seem to get the certificate (and its chain) uploaded
properly.

I am using the instructions here:
http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html

However, I am using CloudMonkey and not the old Python wrapper.

The root and intermediate CA certs seem to upload without issue, but when I
view the "keystore" table in the CS database, the certs are formatted wrong
(the "\n"s did not get converted to new lines).

Also, the actual certificate will not upload, and the error I receive is
that the certificate failed validation. The certificate and key work fine
when I install them via the web interface (although there is no
intermediate CA installed, obviously).

What am I doing wrong?

Version info:

CloudStack 4.1.1
CloudMonkey 5.0.0



RE: Console Proxy Certificate Chain

Posted by Billy Ramsay <br...@dynamicquest.com>.
I apologize for the delay in responding to this.

This is what I have found in my research and testing.

The table in question is "keystore". The table has a few fields (id, name, certificate, key, domain_suffix, seq).

1. The "id" field seems to be just a numerical identifier for the entry, starting at 1 and incrementing from there. If you use the web interface to upload a cert, the row with the "id" of "1" is replaced. From what I have found, using the web interface to upload certs will not add rows to the keystore table, but using the API will.
2. The "name" field is just a label for the entry, and using the API you can specify whatever you want here. If you use the web interface to upload a cert, the field is set to "CPVMCertificate".
3. The "certificate" field holds the actual cert, in PEM format.
4. The "key" field holds the key in PEM format.
5. The "domain_suffix" field holds the domain of the certificate, also referred to as the "common name".
6. The "seq" field is used to set the sequence that the server will read and apply the certificates. The root CA cert should be 1, an intermediate CA cert should be 2, and the domain cert should be 3. If you use the web interface to upload a cert, it sets this field to null. I changed this to a 3 in my case.

To modify the table, I just used some UPDATE statements to modify the fields. For the certs and keys in PEM format, I used an actual line break after each line. For example, I pasted the cert into the MySQL command line one line at a time, pressing enter between each, and finally finishing the query with a semicolon at the end of the last line. I'm sure there is a less obtuse method of doing this, but I'm not a DBA :)

After manually adding the root and intermediate CAs to the database, I used the web interface to upload the domain cert. I'm not sure if manually adding all of the certs will work, as the API call (that the web interface uses) doesn't simply update the DB, it kicks off other internal operations (system VM reboot at the very least).

If anyone has any questions, feel free to ask.

-WPR


-----Original Message-----
From: Nux! [mailto:nux@li.nux.ro] 
Sent: Saturday, December 14, 2013 11:48 AM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy Certificate Chain

On 13.12.2013 14:20, Billy Ramsay wrote:
> I've got this working now. I manually added the root and intermediate 
> CA certs to the DB as Chiradeep suggested, and then added the domain 
> cert using the web interface. All is now working properly.
> 
> Thanks!

Can you detail which tables/fields you had to modify please?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

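The keystore rows and the manual UPDATE procedure described in the post above, as an added example; this is not code from the original thread, from CloudStack or from CloudMonkey. It assumes the column layout the post lists (id, name, certificate, key, domain_suffix, seq) and the seq values it gives (1 root, 2 intermediate, 3 domain cert). The real table is MySQL; an in-memory SQLite table of the same shape stands in so the script runs offline, and the sample certificates are constructed placeholders (a DER SEQUENCE around an OCTET STRING), not real X.509 data, so the checks cover PEM framing, base64 and line layout, not signatures or chain validity.

```python
"""Stage a root/intermediate/domain chain for CloudStack's `keystore` table.

Added example, not CloudStack, CloudMonkey or the list poster's own code.
Assumptions: columns (id, name, certificate, key, domain_suffix, seq) with
seq 1 = root CA, 2 = intermediate CA, 3 = domain cert; the real store is
MySQL, so an in-memory SQLite table of the same shape stands in for it;
sample certificates are constructed placeholders, not real X.509 data.
"""
import base64
import sqlite3

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def unescape_newlines(text):
    """Turn a literal backslash + 'n' (what the thread found in the keystore
    table) into a real newline, and drop CRs and surrounding whitespace."""
    return text.replace("\\r", "").replace("\\n", "\n").replace("\r", "").strip()


def normalize_cert_pem(pem):
    """Canonical certificate PEM: 64-column base64, real newlines.  The body is
    decoded strictly so corrupt input raises ValueError instead of being stored."""
    text = unescape_newlines(pem)
    if not (text.startswith(PEM_HEADER) and text.endswith(PEM_FOOTER)):
        raise ValueError("expected exactly one PEM CERTIFICATE block")
    body = "".join(text[len(PEM_HEADER):-len(PEM_FOOTER)].split())
    der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [PEM_HEADER] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + [PEM_FOOTER]) + "\n"


def stored_pem_problems(stored):
    """Checks for a keystore.certificate value read back from the database."""
    problems = []
    if "\\n" in stored:
        problems.append("literal backslash-n instead of newline")
    if not stored.startswith(PEM_HEADER) or PEM_FOOTER not in stored:
        problems.append("missing PEM header or footer")
    if any(len(line) > 64 for line in stored.splitlines()):
        problems.append("base64 line longer than 64 columns")
    return problems


def chain_rows(root_pem, intermediate_pem, domain_pem, domain_key_pem, domain_suffix):
    """keystore rows (name, certificate, key, domain_suffix, seq) in the order
    the thread says the server applies them."""
    key = unescape_newlines(domain_key_pem)
    if not (key.startswith("-----BEGIN") and key.endswith("-----")):
        raise ValueError("domain key is not PEM")
    return [
        ("root", normalize_cert_pem(root_pem), None, domain_suffix, 1),
        ("intermediate", normalize_cert_pem(intermediate_pem), None, domain_suffix, 2),
        ("CPVMCertificate", normalize_cert_pem(domain_pem), key + "\n", domain_suffix, 3),
    ]


def render_mysql(rows):
    """Statements to paste into the mysql client.  Newlines inside the quoted
    literals are real newlines (what the thread's author typed by hand);
    `key` is backticked because KEY is a reserved word in MySQL."""
    def q(v):
        return "NULL" if v is None else "'" + v.replace("\\", "\\\\").replace("'", "\\'") + "'"
    out = [f"INSERT INTO keystore (name, certificate, `key`, domain_suffix, seq)\n"
           f"VALUES ({q(n)}, {q(c)}, {q(k)}, {q(s)}, {seq});" for n, c, k, s, seq in rows]
    # A row saved by the web UI has seq NULL; the thread sets it to 3 by hand.
    out.append("UPDATE keystore SET seq = 3 WHERE name = 'CPVMCertificate' AND seq IS NULL;")
    return "\n".join(out)


def stage_in_sqlite(rows):
    """Same procedure against the stand-in table: the UI-style row first (seq
    NULL), then the CA rows, then the UPDATE; read back ordered by seq."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE keystore (id INTEGER PRIMARY KEY, name TEXT, certificate TEXT,"
               " `key` TEXT, domain_suffix TEXT, seq INTEGER)")
    ins = "INSERT INTO keystore (name, certificate, `key`, domain_suffix, seq) VALUES (?,?,?,?,?)"
    name, cert, key, suffix, _ = rows[2]
    db.execute(ins, (name, cert, key, suffix, None))
    db.executemany(ins, rows[:2])
    db.execute("UPDATE keystore SET seq = 3 WHERE name = 'CPVMCertificate' AND seq IS NULL")
    return db.execute("SELECT seq, name, certificate FROM keystore ORDER BY seq").fetchall()


# Constructed sample input: placeholder DER, one copy with the broken "\n" escaping.
_FAKE_DER = b"\x30\x3e\x04\x3c" + bytes(range(60))
_FAKE_B64 = base64.b64encode(_FAKE_DER).decode("ascii")
GOOD_PEM = f"{PEM_HEADER}\n{_FAKE_B64[:64]}\n{_FAKE_B64[64:]}\n{PEM_FOOTER}\n"
BROKEN_PEM = f"{PEM_HEADER}\\n{_FAKE_B64}\\n{PEM_FOOTER}"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\\nAAAA\\n-----END RSA PRIVATE KEY-----"

if __name__ == "__main__":
    rows = chain_rows(GOOD_PEM, BROKEN_PEM, BROKEN_PEM, FAKE_KEY, "console.example.com")
    print(render_mysql(rows))
    for seq, name, cert in stage_in_sqlite(rows):
        print(seq, name, stored_pem_problems(cert) or "ok")
```

Before touching the table at all, check that the three files actually chain with `openssl verify -CAfile root.pem -untrusted intermediate.pem domain.pem`; a row whose PEM looks well formed is no help if the domain cert does not chain to the root. As the post notes, writing rows directly skips whatever the API does afterwards (at least the system VM restart), so plan to restart the console proxy VM yourself and re-run the stored-PEM checks on what the database actually holds.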


RE: Console Proxy Certificate Chain

Posted by Nux! <nu...@li.nux.ro>.
On 13.12.2013 14:20, Billy Ramsay wrote:
> I've got this working now. I manually added the root and intermediate 
> CA
> certs to the DB as Chiradeep suggested, and then added the domain cert 
> using
> the web interface. All is now working properly.
> 
> Thanks!

Can you detail which tables/fields you had to modify please?

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

RE: Console Proxy Certificate Chain

Posted by Billy Ramsay <br...@dynamicquest.com>.
I've got this working now. I manually added the root and intermediate CA
certs to the DB as Chiradeep suggested, and then added the domain cert using
the web interface. All is now working properly.

Thanks!



-----Original Message-----
From: Billy Ramsay [mailto:bramsay@dynamicquest.com] 
Sent: Friday, December 13, 2013 8:33 AM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy Certificate Chain

I already thought of manually modifying the DB, I just wasn't sure if there
was anything else going on behind the scenes when the API calls are used. Do
the system VMs grab the keystore info from the DB automatically each time
they boot? Would there be anything else I would need to do other than modify
the database? I'm way more comfortable with MySQL than Python, and I don't
plan on changing the cert any time soon, so just getting it to work is fine
with me.

Thanks for the help!




-----Original Message-----
From: Chiradeep Vittal [mailto:Chiradeep.Vittal@citrix.com]
Sent: Thursday, December 12, 2013 6:46 PM
To: users@cloudstack.apache.org
Subject: Re: Console Proxy Certificate Chain

It would appear to be a Cloudmonkey issue then. If you are skilled in
Python, you could try and fix it there. If you just want to get stuff to
work, you could hack it in the DB.






RE: Console Proxy Certificate Chain

Posted by Billy Ramsay <br...@dynamicquest.com>.
I already thought of manually modifying the DB, I just wasn't sure if there
was anything else going on behind the scenes when the API calls are used. Do
the system VMs grab the keystore info from the DB automatically each time
they boot? Would there be anything else I would need to do other than modify
the database? I'm way more comfortable with MySQL than Python, and I don't
plan on changing the cert any time soon, so just getting it to work is fine
with me.

Thanks for the help!







Re: Console Proxy Certificate Chain

Posted by Chiradeep Vittal <Ch...@citrix.com>.
It would appear to be a Cloudmonkey issue then. If you are skilled in
Python, you could try and fix it there. If you just want to get stuff to
work, you could hack it in the DB.
