Posted to dev@cloudstack.apache.org by Erik Weber <te...@gmail.com> on 2015/03/31 14:04:43 UTC

Unable to upload customer certificate

I've been following a bunch of guides to upload a custom CPVM / SSVM
certificate, but I end up with the following errors.

I've tried the key in x509 PEM format, PKCS#8 encrypted format and PKCS#8
non-encrypted format, but they all give the same.

I've tried to use the GUI in the 4.5 branch, as well as the API, and tried both
the URL-encoded version and not.

Has anyone succeeded with this recently?

Guide followed:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name

plus the admin guide


2015-03-31 14:00:40,292 INFO  [c.c.s.s.SecondaryStorageListener]
(AgentConnectTaskPool-166:ctx-90c75ff2) Received a host startup
notification com.cloud.agent.api.StartupSecondaryStorageCommand
2015-03-31 14:00:40,308 DEBUG [c.c.u.c.DBEncryptionUtil]
(AgentConnectTaskPool-166:ctx-90c75ff2) Error while decrypting: -----BEGIN
RSA PRIVATE KEY-----
[snip key]
-----END RSA PRIVATE KEY-----
2015-03-31 14:00:40,308 ERROR [c.c.a.m.AgentManagerImpl]
(AgentConnectTaskPool-166:ctx-90c75ff2) Monitor SecondaryStorageListener
says there is an error in the connect process for 8 due to Caught:
com.mysql.jdbc.PreparedStatement@c89a884: SELECT keystore.id, keystore.name,
keystore.certificate, keystore.key, keystore.domain_suffix, keystore.seq
FROM keystore WHERE keystore.name = _binary'CPVMCertificate'  ORDER BY
RAND() LIMIT 1
com.cloud.utils.exception.CloudRuntimeException: Caught:
com.mysql.jdbc.PreparedStatement@c89a884: SELECT keystore.id, keystore.name,
keystore.certificate, keystore.key, keystore.domain_suffix, keystore.seq
FROM keystore WHERE keystore.name = _binary'CPVMCertificate'  ORDER BY
RAND() LIMIT 1
    at
com.cloud.utils.db.GenericDaoBase.searchIncludingRemoved(GenericDaoBase.java:427)
    at
com.cloud.utils.db.GenericDaoBase.searchIncludingRemoved(GenericDaoBase.java:361)
    at
com.cloud.utils.db.GenericDaoBase.findOneIncludingRemovedBy(GenericDaoBase.java:889)
    at com.cloud.utils.db.GenericDaoBase.findOneBy(GenericDaoBase.java:900)
    at
org.apache.cloudstack.framework.security.keystore.KeystoreDaoImpl.findByName(KeystoreDaoImpl.java:92)
    at sun.reflect.GeneratedMethodAccessor120.invoke(Unknown Source)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at
com.cloud.utils.db.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:34)
    at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
    at
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
    at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy211.findByName(Unknown Source)
    at
org.apache.cloudstack.framework.security.keystore.KeystoreManagerImpl.getCertificates(KeystoreManagerImpl.java:128)
    at
org.apache.cloudstack.secondarystorage.SecondaryStorageManagerImpl.generateSetupCommand(SecondaryStorageManagerImpl.java:309)
    at
com.cloud.storage.secondary.SecondaryStorageListener.processConnect(SecondaryStorageListener.java:81)
    at
com.cloud.agent.manager.AgentManagerImpl.notifyMonitorsOfConnection(AgentManagerImpl.java:539)
    at
com.cloud.agent.manager.AgentManagerImpl.handleConnectedAgent(AgentManagerImpl.java:1030)
    at
com.cloud.agent.manager.AgentManagerImpl.access$000(AgentManagerImpl.java:119)
    at
com.cloud.agent.manager.AgentManagerImpl$HandleAgentConnectTask.runInContext(AgentManagerImpl.java:1114)
    at
org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49)
    at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
    at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
    at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
    at
org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jasypt.exceptions.EncryptionOperationNotPossibleException
    at
org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:981)
    at
org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:725)
    at
com.cloud.utils.crypt.DBEncryptionUtil.decrypt(DBEncryptionUtil.java:63)
    at com.cloud.utils.db.GenericDaoBase.setField(GenericDaoBase.java:528)
    at com.cloud.utils.db.GenericDaoBase.setField(GenericDaoBase.java:1743)
    at
com.cloud.utils.db.GenericDaoBase.toEntityBean(GenericDaoBase.java:1633)
    at
com.cloud.utils.db.GenericDaoBase.toEntityBean(GenericDaoBase.java:1594)
    at
com.cloud.utils.db.GenericDaoBase.searchIncludingRemoved(GenericDaoBase.java:421)
    ... 31 more

Re: Unable to upload customer certificate

Posted by Erik Weber <te...@gmail.com>.
Thanks Sadhu.

That was the first thing I tried before researching how to do it. Still
the same error.

One thing: I haven't set up DB encryption, could that affect this?


Erik

On Wednesday 1 April 2015, Suresh Sadhu <Su...@citrix.com> wrote:

> Hi Erik,
>
> It seems that while uploading the server certificate through the UI, you might
> have provided the URL-encoded value in the server certificate; that is
> the reason you are seeing this exception. [I just reproduced your issue by
> providing an encoded value in the UI wizard.]
>
> You do not need to URL-encode while uploading the certificate from the UI,
> because CS will do it for you internally when uploading the certificate from
> the UI.
> You have to encode keys only when you are uploading the keys using the
> API (i.e. for uploading root and intermediate through the API).
>
> Steps:
> 1. First upload the root/intermediate certificate through the API by providing
> encoded values (refer to this link to encode keys:
> http://www.url-encode-decode.com/).
> 2. For the server certificate, go to the UI and provide the Server certificate,
> PKCS#8 Private Key and domain name. [Here don't encode the certificates, because
> CS will do it for you internally.]
>
>
> It seems my blog misses this information; I will update it now
> (http://sadhusuresh.blogspot.in/2015/01/t-hings-you-should-consider-while.html).
> Thank you.
>
>
> If you still see the issues, please provide the full logs.
>
>
> Regards
> sadhu
>
> -----Original Message-----
> From: Erik Weber [mailto:terbolous@gmail.com]
> Sent: 01 April 2015 03:35
> To: users@cloudstack.apache.org
> Cc: dev
> Subject: Re: Unable to upload customer certificate
>
> On Tue, Mar 31, 2015 at 11:52 PM, Erik Weber <terbolous@gmail.com> wrote:
>
> > On Tue, Mar 31, 2015 at 2:57 PM, Suresh Sadhu <Suresh.Sadhu@citrix.com>
> > wrote:
> >
> >> HI,
> >>
> >> The code has not changed recently; try uploading the
> >> keys (root, intermediate) using the API which was mentioned by you (Guide
> >> followed:
> >>
> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name)
> >>  and the server certificate through the UI.
> >>
> >>
> > This is beginning to drive me mad.
> >
> > - I have converted the original PEM key to PKCS#8 (twice according to
> > docs).
> > - I've tried both with Python's urllib.quote to encode, as well as
> > using advanced rest client in chrome.
> > - I've verified with openssl that the key matches the cert (and to be
> > frank, we're using this in a lot of other places, including another
> > cloudstack install...)
> >
> >
> Heck, that got me thinking that I could copy the keystore table, and so I
> did, but it still fails.... with the exact same error message as previously.
>
> --
> Erik
>

RE: Unable to upload customer certificate

Posted by Suresh Sadhu <Su...@citrix.com>.
Hi Erik,

It seems that while uploading the server certificate through the UI, you might have provided the URL-encoded value in the server certificate; that is the reason you are seeing this exception. [I just reproduced your issue by providing an encoded value in the UI wizard.]

You do not need to URL-encode while uploading the certificate from the UI, because CS will do it for you internally when uploading the certificate from the UI.
You have to encode keys only when you are uploading the keys using the API (i.e. for uploading root and intermediate through the API).

Steps:
1. First upload the root/intermediate certificate through the API by providing encoded values (refer to this link to encode keys: http://www.url-encode-decode.com/).
2. For the server certificate, go to the UI and provide the Server certificate, PKCS#8 Private Key and domain name. [Here don't encode the certificates, because CS will do it for you internally.]


It seems my blog misses this information; I will update it now (http://sadhusuresh.blogspot.in/2015/01/t-hings-you-should-consider-while.html). Thank you.


If you still see the issues, please provide the full logs.


Regards
sadhu

-----Original Message-----
From: Erik Weber [mailto:terbolous@gmail.com] 
Sent: 01 April 2015 03:35
To: users@cloudstack.apache.org
Cc: dev
Subject: Re: Unable to upload customer certificate

On Tue, Mar 31, 2015 at 11:52 PM, Erik Weber <te...@gmail.com> wrote:

> On Tue, Mar 31, 2015 at 2:57 PM, Suresh Sadhu 
> <Su...@citrix.com>
> wrote:
>
>> HI,
>>
>> The code has not changed recently; try uploading the
>> keys (root, intermediate) using the API which was mentioned by you (Guide followed:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name)
>>  and the server certificate through the UI.
>>
>>
> This is beginning to drive me mad.
>
> - I have converted the original PEM key to PKCS#8 (twice according to 
> docs).
> - I've tried both with Python's urllib.quote to encode, as well as
> using advanced rest client in chrome.
> - I've verified with openssl that the key matches the cert (and to be 
> frank, we're using this in a lot of other places, including another 
> cloudstack install...)
>
>
Heck, that got me thinking that I could copy the keystore table, and so I did, but it still fails.... with the exact same error message as previously.

--
Erik

Re: Unable to upload customer certificate

Posted by Nux! <nu...@li.nux.ro>.
Erik,

Haven't actually read all the thread, but here's how I enabled custom certs and domain:

http://www.nux.ro/archive/2014/03/Run_your_own_realhostip.html

(in production I have a wildcard cert from Comodo)

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Erik Weber" <te...@gmail.com>
> To: users@cloudstack.apache.org
> Cc: "dev" <de...@cloudstack.apache.org>
> Sent: Tuesday, 31 March, 2015 23:04:45
> Subject: Re: Unable to upload customer certificate

> On Tue, Mar 31, 2015 at 11:52 PM, Erik Weber <te...@gmail.com> wrote:
> 
>> On Tue, Mar 31, 2015 at 2:57 PM, Suresh Sadhu <Su...@citrix.com>
>> wrote:
>>
>>> HI,
>>>
>>> The code has not changed recently; try uploading the keys (root, intermediate)
>>> using the API which was mentioned by you (Guide followed:
>>>
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name)
>>>  and the server certificate through the UI.
>>>
>>>
>> This is beginning to drive me mad.
>>
>> - I have converted the original PEM key to PKCS#8 (twice according to
>> docs).
>> - I've tried both with Python's urllib.quote to encode, as well as using
>> advanced rest client in chrome.
>> - I've verified with openssl that the key matches the cert (and to be
>> frank, we're using this in a lot of other places, including another
>> cloudstack install...)
>>
>>
> Heck, that got me thinking that I could copy the keystore table, and so I
> did, but it still fails.... with the exact same error message as previously.
> 
> --
> Erik

Re: Unable to upload customer certificate

Posted by Erik Weber <te...@gmail.com>.
On Tue, Mar 31, 2015 at 11:52 PM, Erik Weber <te...@gmail.com> wrote:

> On Tue, Mar 31, 2015 at 2:57 PM, Suresh Sadhu <Su...@citrix.com>
> wrote:
>
>> HI,
>>
>> The code has not changed recently; try uploading the keys (root, intermediate)
>> using the API which was mentioned by you (Guide followed:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name)
>>  and the server certificate through the UI.
>>
>>
> This is beginning to drive me mad.
>
> - I have converted the original PEM key to PKCS#8 (twice according to
> docs).
>> - I've tried both with Python's urllib.quote to encode, as well as using
> advanced rest client in chrome.
> - I've verified with openssl that the key matches the cert (and to be
> frank, we're using this in a lot of other places, including another
> cloudstack install...)
>
>
Heck, that got me thinking that I could copy the keystore table, and so I
did, but it still fails.... with the exact same error message as previously.

-- 
Erik

Re: Unable to upload customer certificate

Posted by Erik Weber <te...@gmail.com>.
On Tue, Mar 31, 2015 at 2:57 PM, Suresh Sadhu <Su...@citrix.com>
wrote:

> HI,
>
> The code has not changed recently; try uploading the keys (root, intermediate)
> using the API which was mentioned by you (Guide followed:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name)
>  and the server certificate through the UI.
>
>
This is beginning to drive me mad.

- I have converted the original PEM key to PKCS#8 (twice according to docs).
- I've tried both with Python's urllib.quote to encode, as well as using
advanced rest client in chrome.
- I've verified with openssl that the key matches the cert (and to be
frank, we're using this in a lot of other places, including another
cloudstack install...)

Currently I end up with the following:
2015-03-31 23:44:38,598 ERROR [o.a.c.f.s.k.KeystoreManagerImpl]
(API-Job-Executor-28:ctx-d0153497 job-426 ctx-443ae0ac) Certificate
validation failed due to exception for domain: xyz.com
java.security.cert.CertificateException: Could not parse certificate:
java.io.IOException: Incomplete data

Adding root and intermediate certs work, it's apparently the wildcard
certificate (or corresponding key) that fails for some reason.

-- 
Erik

RE: Unable to upload customer certificate

Posted by Suresh Sadhu <Su...@citrix.com>.
Hi,

The code has not changed recently; try uploading the keys (root, intermediate) using the API which was mentioned by you (Guide followed:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name) and the server certificate through the UI.

Generally this error will occur if you have any special character or empty space in your key. Please check your keys.
Also always take a DB dump of your keystore table and then apply the keys. If you have any problem, correct it, restore the keystore table and apply the certificate again.

Refer to this link; it might be useful:
http://sadhusuresh.blogspot.in/


regards
sadhu

-----Original Message-----
From: Erik Weber [mailto:terbolous@gmail.com] 
Sent: 31 March 2015 17:35
To: users@cloudstack.apache.org; dev
Subject: Unable to upload customer certificate

I've been following a bunch of guides to upload a custom CPVM / SSVM certificate, but I end up with the following errors.

I've tried the key in x509 PEM format, PKCS#8 encrypted format and PKCS#8 non-encrypted format, but they all give the same.

I've tried to use the GUI in the 4.5 branch, as well as the API, and tried both the URL-encoded version and not.

Has anyone succeeded with this recently?

Guide followed:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name

plus the admin guide


2015-03-31 14:00:40,292 INFO  [c.c.s.s.SecondaryStorageListener]
(AgentConnectTaskPool-166:ctx-90c75ff2) Received a host startup notification com.cloud.agent.api.StartupSecondaryStorageCommand
2015-03-31 14:00:40,308 DEBUG [c.c.u.c.DBEncryptionUtil]
(AgentConnectTaskPool-166:ctx-90c75ff2) Error while decrypting: -----BEGIN RSA PRIVATE KEY----- [snip key] -----END RSA PRIVATE KEY-----
2015-03-31 14:00:40,308 ERROR [c.c.a.m.AgentManagerImpl]
(AgentConnectTaskPool-166:ctx-90c75ff2) Monitor SecondaryStorageListener says there is an error in the connect process for 8 due to Caught:
com.mysql.jdbc.PreparedStatement@c89a884: SELECT keystore.id, keystore.name, keystore.certificate, keystore.key, keystore.domain_suffix, keystore.seq FROM keystore WHERE keystore.name = _binary'CPVMCertificate'  ORDER BY
RAND() LIMIT 1
com.cloud.utils.exception.CloudRuntimeException: Caught:
com.mysql.jdbc.PreparedStatement@c89a884: SELECT keystore.id, keystore.name, keystore.certificate, keystore.key, keystore.domain_suffix, keystore.seq FROM keystore WHERE keystore.name = _binary'CPVMCertificate'  ORDER BY
RAND() LIMIT 1
    at
com.cloud.utils.db.GenericDaoBase.searchIncludingRemoved(GenericDaoBase.java:427)
    at
com.cloud.utils.db.GenericDaoBase.searchIncludingRemoved(GenericDaoBase.java:361)
    at
com.cloud.utils.db.GenericDaoBase.findOneIncludingRemovedBy(GenericDaoBase.java:889)
    at com.cloud.utils.db.GenericDaoBase.findOneBy(GenericDaoBase.java:900)
    at
org.apache.cloudstack.framework.security.keystore.KeystoreDaoImpl.findByName(KeystoreDaoImpl.java:92)
    at sun.reflect.GeneratedMethodAccessor120.invoke(Unknown Source)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at
org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
    at
org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at
com.cloud.utils.db.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:34)
    at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
    at
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:91)
    at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy211.findByName(Unknown Source)
    at
org.apache.cloudstack.framework.security.keystore.KeystoreManagerImpl.getCertificates(KeystoreManagerImpl.java:128)
    at
org.apache.cloudstack.secondarystorage.SecondaryStorageManagerImpl.generateSetupCommand(SecondaryStorageManagerImpl.java:309)
    at
com.cloud.storage.secondary.SecondaryStorageListener.processConnect(SecondaryStorageListener.java:81)
    at
com.cloud.agent.manager.AgentManagerImpl.notifyMonitorsOfConnection(AgentManagerImpl.java:539)
    at
com.cloud.agent.manager.AgentManagerImpl.handleConnectedAgent(AgentManagerImpl.java:1030)
    at
com.cloud.agent.manager.AgentManagerImpl.access$000(AgentManagerImpl.java:119)
    at
com.cloud.agent.manager.AgentManagerImpl$HandleAgentConnectTask.runInContext(AgentManagerImpl.java:1114)
    at
org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:49)
    at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)
    at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)
    at
org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)
    at
org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:46)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.jasypt.exceptions.EncryptionOperationNotPossibleException
    at
org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:981)
    at
org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:725)
    at
com.cloud.utils.crypt.DBEncryptionUtil.decrypt(DBEncryptionUtil.java:63)
    at com.cloud.utils.db.GenericDaoBase.setField(GenericDaoBase.java:528)
    at com.cloud.utils.db.GenericDaoBase.setField(GenericDaoBase.java:1743)
    at
com.cloud.utils.db.GenericDaoBase.toEntityBean(GenericDaoBase.java:1633)
    at
com.cloud.utils.db.GenericDaoBase.toEntityBean(GenericDaoBase.java:1594)
    at
com.cloud.utils.db.GenericDaoBase.searchIncludingRemoved(GenericDaoBase.java:421)
    ... 31 more
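Added example, not code from this thread or from CloudStack: a small pre-upload lint for the console-proxy / SSVM certificate and PKCS#8 key discussed above. It covers Sadhu's advice to check the key for stray characters and whitespace, the "Could not parse certificate: Incomplete data" error Erik hit (a truncated paste that still decodes as base64 but whose DER length no longer adds up), the UI's PKCS#8 requirement, and the point that URL-encoding belongs only on the API path. The PEM samples are constructed placeholders, not real certificates or keys, and `openssl pkcs8 -topk8 -nocrypt` is the standard PKCS#1-to-PKCS#8 conversion, not a command quoted in the thread.

```python
# Added example (not CloudStack code): pre-upload lint for a console-proxy /
# SSVM certificate and PKCS#8 key. Sample inputs are constructed placeholders
# (a DER SEQUENCE around zero bytes), not real certificates or keys.
import base64
import binascii
import re
from urllib.parse import quote

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_pem(text):
    """Return (label, der_bytes) for the first PEM block, else raise ValueError.
    Wrapping is tolerated; any other stray character fails strict base64 decoding."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found (markers missing, mismatched or URL-encoded)")
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not clean base64: {exc}") from exc
    return label, der


def der_length_ok(der):
    """True when the outer ASN.1 SEQUENCE header agrees with the bytes present.
    A paste that lost a trailing line still decodes as base64, but the header then
    promises more bytes than exist: incomplete data rather than a base64 error."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                             # short-form length
        length, hdr = first, 2
    else:                                        # long form: 0x80|N, then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def check_certificate(pem):
    label, der = parse_pem(pem)
    if label != "CERTIFICATE":
        raise ValueError(f"expected CERTIFICATE, got {label}")
    if not der_length_ok(der):
        raise ValueError("certificate DER is truncated or has trailing garbage")
    return der


def check_private_key(pem):
    """Accept only an unencrypted PKCS#8 key, which is what the UI field asks for."""
    label, der = parse_pem(pem)
    if label == "RSA PRIVATE KEY":
        raise ValueError("PKCS#1 key; convert with: openssl pkcs8 -topk8 -nocrypt")
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("encrypted PKCS#8 key; re-export with -nocrypt")
    if label != "PRIVATE KEY":
        raise ValueError(f"unexpected PEM label {label}")
    if not der_length_ok(der):
        raise ValueError("key DER is truncated or has trailing garbage")
    return der


def lint(cert_pem, key_pem):
    """Collect every problem instead of stopping at the first; [] means clean."""
    problems = []
    for name, check, pem in (("certificate", check_certificate, cert_pem),
                             ("key", check_private_key, key_pem)):
        try:
            check(pem)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    return problems


def encode_for_api(pem):
    """Encode exactly once, for API calls only: the UI encodes by itself, so
    pasting this output into the UI is the double encoding the thread describes."""
    return quote(pem, safe="")


def _pem(label, der):
    """Wrap DER bytes as PEM with 64-column base64 lines (constructed helper)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed placeholders: a SEQUENCE of 200 zero bytes, 203 bytes of DER.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(200)
SAMPLE_CERT = _pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_PKCS8_KEY = _pem("PRIVATE KEY", SAMPLE_DER)
SAMPLE_PKCS1_KEY = _pem("RSA PRIVATE KEY", SAMPLE_DER)


def drop_last_body_line(pem):
    """Simulate a paste that lost the final base64 line (constructed failure case)."""
    lines = pem.splitlines()
    return "\n".join(lines[:-2] + lines[-1:]) + "\n"


if __name__ == "__main__":
    print("clean:     ", lint(SAMPLE_CERT, SAMPLE_PKCS8_KEY))
    print("PKCS#1 key:", lint(SAMPLE_CERT, SAMPLE_PKCS1_KEY))
    print("truncated: ", lint(drop_last_body_line(SAMPLE_CERT), SAMPLE_PKCS8_KEY))
    print("UI double: ", lint(encode_for_api(SAMPLE_CERT), SAMPLE_PKCS8_KEY))
```

Run it against the real certificate and key files before pasting them into the UI or an API call; an empty list from `lint()` means the PEM framing and DER length are sound, though it does not prove the key matches the certificate.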

RE: Unable to upload customer certificate

Posted by Suresh Sadhu <Su...@citrix.com>.
HI,

Code not changed recently  and try uploading the keys(root,intermediate) using api which was mentioned by you (Guide followed:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name)   and  server certifictate through UI. 

Generally this error will occur if you have any special character, empty space  in  your key .Please check  your keys.
Also always take the db dump of your  keystore table and apply the keys. if you have any problem ,correct it and restore the keystore table and apply the certificate again.

Ref this link: mightuseful
http://sadhusuresh.blogspot.in/


regards
sadhu






-----Original Message-----
From: Erik Weber [mailto:terbolous@gmail.com] 
Sent: 31 March 2015 17:35
To: users@cloudstack.apache.org; dev
Subject: Unable to upload customer certificate

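A pre-upload hygiene check for the key file, in the spirit of the advice above about special characters and whitespace in the key. This is an added example, not CloudStack code: it only checks PEM structure (header and footer labels, line endings, base64 body, DER framing), not whether the key is cryptographically valid, and the sample PEM is a constructed stand-in rather than a real key.

```python
import base64
import re

# Constructed, non-secret stand-in for a DER key: a tiny ASN.1 SEQUENCE (tag 0x30).
_FAKE_DER = b"\x30\x08\x02\x01\x00\x02\x03\x01\x00\x01"
_B64 = base64.b64encode(_FAKE_DER).decode()
GOOD_PEM = "-----BEGIN RSA PRIVATE KEY-----\n" + _B64 + "\n-----END RSA PRIVATE KEY-----\n"
# Same file after a Windows round-trip (CRLF) with a stray space pasted into the body.
BAD_PEM = GOOD_PEM.replace("\n", "\r\n").replace(_B64, _B64[:4] + " " + _B64[4:])

# PEM labels for the key encodings the thread mentions (PKCS#1, PKCS#8, encrypted PKCS#8).
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def lint_pem_key(pem: str) -> list:
    """Return the structural problems found in a PEM private key (empty list = clean)."""
    problems = []
    if "\r" in pem:
        problems.append("carriage returns present (CRLF line endings)")
    lines = pem.replace("\r", "").split("\n")
    while lines and lines[-1] == "":
        lines.pop()  # a single trailing newline is normal, strip it before checking
    if not lines:
        return ["empty input"]
    m = re.match(r"^-----BEGIN ([A-Z ]+)-----$", lines[0])
    if not m:
        return problems + ["first line is not a PEM BEGIN header"]
    label = m.group(1)
    if label not in KEY_LABELS:
        problems.append("unexpected PEM label %r" % label)
    if lines[-1] != "-----END %s-----" % label:
        problems.append("END footer missing or does not match BEGIN label")
    body = lines[1:-1]
    for n, line in enumerate(body, start=2):
        if line == "" or line != line.strip():
            problems.append("blank line or leading/trailing whitespace on line %d" % n)
        elif not _B64_LINE.match(line):
            problems.append("whitespace or non-base64 character on line %d" % n)
        elif len(line) > 64:
            problems.append("line %d longer than the 64-column PEM wrap" % n)
    if not problems:  # only decode a body that already looks well formed
        try:
            der = base64.b64decode("".join(body), validate=True)
            if not der or der[0] != 0x30:
                problems.append("decoded body does not start with a DER SEQUENCE")
        except ValueError:
            problems.append("body does not decode as base64")
    return problems
```

Run it over the exact file you are about to paste into the UI or API call; an empty list means the file is at least structurally clean before it reaches the keystore table.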