Posted to users@cloudstack.apache.org by "Corey, Mike" <mi...@sap.com> on 2020/12/08 18:31:01 UTC

Troubleshooting Console Proxy

Hi,

I believe I have configured the console proxy correctly but I'd like to verify the console proxy is using my wildcard certificate.  When I loaded the wildcard cert, root, and sub root, key, etc. through the CS portal I got a "succeed" message and the system vms reloaded, but the console isn't loading.

How can I verify the Console VM is using my custom wildcard cert? Is it an openssl command or a mysql query?

What logs should I be looking for an error message as to why my console window is blank?

The public IP of the console proxy vm is in DNS and resolves.  The management log shows that the url is being provided but again just a blank window.

2020-12-08 11:21:58,424 DEBUG [c.c.s.ConsoleProxyServlet] (qtp1497845528-16:null) (logid:) Compose console url: http://<I-P.domain.name>/ajax?token=mORLUQO3R5lrOdIrRZsozUg2LnLTx5jGtgJnhHRX_-1WmlyxDZzQsaZ7nmuU_KFpd9egjZtkx74ftae3wUpF2IdvRKy7HlYodQBtQf9ldJvZhYNr1GOnxWJYZAAxTPatkVhbVg9Q9gJqFVXB5ebphg1MyGzktZgu6I5VwweGtH2tJcBFqOeUH7utMAzOeGdQW6RXZXi3HWjUSnWs4AzxwX53yFGiS1nOB2lCqAkz8-PUkx7qvfDFkxLEs6iVYTNTaowejHS13_yHeSf7t_xQFkXs1MeQNqEUcBAFaevWbSg&guest=windows
2020-12-08 11:21:58,424 DEBUG [c.c.s.ConsoleProxyServlet] (qtp1497845528-16:null) (logid:) the console url is :: <html><title>CV-Oct14-T20</title><frameset><frame src="http://<I-P.domain.name>//ajax?token=mORLUQO3R5lrOdIrRZsozUg2LnLTx5jGtgJnhHRX_-1WmlyxDZzQsaZ7nmuU_KFpd9egjZtkx74ftae3wUpF2IdvRKy7HlYodQBtQf9ldJvZhYNr1GOnxWJYZAAxTPatkVhbVg9Q9gJqFVXB5ebphg1MyGzktZgu6I5VwweGtH2tJcBFqOeUH7utMAzOeGdQW6RXZXi3HWjUSnWs4AzxwX53yFGiS1nOB2lCqAkz8-PUkx7qvfDFkxLEs6iVYTNTaowejHS13_yHeSf7t_xQFkXs1MeQNqEUcBAFaevWbSg&guest=windows"></frame></frameset></html>

From: Corey, Mike <mi...@sap.com>
Sent: Monday, December 7, 2020 12:02 PM
To: users@cloudstack.apache.org
Subject: [CAUTION] Console Proxy on VMware ESXi?

Hi,

Is there still a requirement to modify the ESXi firewall for VM console proxy?  Documented process is for older version so I wasn't sure if it was still relevant for ESXi 6.5 and 6.7+.  I ask because when I launch the VM proxy I just get a blank window.  Any ideas on how I can troubleshoot?

Extend Port Range for CloudStack Console Proxy
(Applies only to VMware vSphere version 4.x)
You need to extend the range of firewall ports that the console proxy works with on the hosts. This is to enable the console proxy to work with VMware-based VMs. The default additional port range is 59000-60000. To extend the port range, log in to the VMware ESX service console on each host and run the following commands:
esxcfg-firewall -o 59000-60000,tcp,in,vncextras
esxcfg-firewall -o 59000-60000,tcp,out,vncextras


Thanks!

Mike


Mike Corey

Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US

SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States

T +1 610 661 0905, M +1 484 274 2658, E mike.corey@sap.com<ma...@sap.com>





RE: Troubleshooting Console Proxy

Posted by "Corey, Mike" <mi...@sap.com>.
Thanks to those for the feedback.

For whatever reason I thought I'd try destroying and allowing the ConsoleVM to regenerate.  Doing so fixed my VM console access.  

I don't know if, when I modified/added the wildcard certificate, the original ConsoleVM borked or what, but regenerating the VM fixed my issue.

Mike





Re: Troubleshooting Console Proxy

Posted by Richard Lawley <ri...@richardlawley.com>.
The URL setting should be "*.domain.com" (including the *.)

You will also need working DNS for the name a-b-c-d.domain.com - you can
either add these as static records every time you create a new console
proxy, or if you'll be doing it a lot, you can look at using something like
https://github.com/terbolous/powerdns-cloudstack-proxy-dns/ to make an
automated version (this might be impossible if you're using your main
domain name and don't want to run that under powerdns!).

The certificate loaded through the UI is for console proxy and ssvm only -
management server uses SSL cert defined in config files.

When you open a console window from the cloudstack UI, the window will have
the URL of the management server, but if you check the source of the page
it loads, it will be a frame with src https://a-b-c-d.domain.com.  If the
console proxy and the management server are both within the same domain
then you can use the same certificate for them both, but you'll need to
load it in both places.

Regards,

Richard


RE: Troubleshooting Console Proxy

Posted by "Corey, Mike" <mi...@sap.com>.
Thanks for the reply Richard.

The consoleproxy.url.domain is set to my wildcard domain name, is that how it should be?

I set consoleproxy.sslEnabled as true and now the console window isn't totally blank.  Instead I get <I-P-Address.mydomain.name> refused to connect.  Logs now say "Compose console url: https://".

Question - the address of the console window is showing as the FQDN of my CloudStack Management server.  The certificate for my Management UI is what loads which is assigned to the FQDN of the management server.

I guess I'm confused as to where the wildcard certificate needs to be loaded.  Following the console proxy SSL directions, I assume the wildcard certificate is for the VM Console functionality (NO?).
 
http://docs.cloudstack.apache.org/en/4.11.1.0/adminguide/systemvm.html?highlight=certificate#changing-the-console-proxy-ssl-certificate-and-domain

So to review I have two CA certificates:  

1-  is for my management server UI portal which is a FQDN named certificate 
2- for the console proxy as a wildcard certificate.  

Should I have two different certs or should I have used the wildcard for both the UI portal and console proxy vm???

Apologies for my newb questions.

Mike




Re: Troubleshooting Console Proxy

Posted by Richard Lawley <ri...@richardlawley.com>.
Our documented procedure for updating console proxy SSL is:

   1. Load cert through CloudStack UI, wait for Console Proxy VMs to restart
   2. If this is the first installation of SSL certificate, ensure Settings
   consoleproxy.sslEnabled and consoleproxy.url.domain are set correctly
   3. Restart CloudStack Management Service

Once it's working you should be able to access the console proxy over
https, which should be enough for you to confirm the correct cert is there.

Regards,

Richard
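
An offline check of the points raised in Richard's two replies (https in the composed console URL, the a-b-c-d.domain.com host name, and wildcard coverage of that name), as an added example that is not part of the original thread or of CloudStack's code. The log lines, the address 203.0.113.10 and example.com are constructed, and the dots-to-dashes host mapping is an assumption based on the a-b-c-d naming in the thread.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed log lines in the shape of the management-server DEBUG line quoted
# in the thread; IP, domain and token are placeholders, not values from the list.
SAMPLE_LOG = [
    "2020-12-08 11:21:58,424 DEBUG [c.c.s.ConsoleProxyServlet] (qtp-1:null) "
    "(logid:) Compose console url: http://203-0-113-10.example.com/ajax"
    "?token=CONSTRUCTED&guest=windows",
    "2020-12-08 14:02:11,007 DEBUG [c.c.s.ConsoleProxyServlet] (qtp-2:null) "
    "(logid:) Compose console url: https://203-0-113-10.example.com/ajax"
    "?token=CONSTRUCTED&guest=windows",
]


def proxy_hostname(public_ip, url_domain):
    """Build a-b-c-d.domain.com from the proxy's public IP and the
    consoleproxy.url.domain value (assumed mapping: dots become dashes)."""
    domain = url_domain[2:] if url_domain.startswith("*.") else url_domain
    return public_ip.replace(".", "-") + "." + domain.lower()


def san_covers(san, host):
    """True if one certificate dNSName covers host. A '*' is honoured only as
    the entire left-most label and stands for exactly one label."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return len(san_labels) > 2 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def composed_urls(log_lines):
    """Return (scheme, host) for every 'Compose console url:' log entry."""
    found = []
    for line in log_lines:
        m = re.search(r"Compose console url: (\S+)", line)
        if m:
            parts = urlsplit(m.group(1))
            found.append((parts.scheme, parts.hostname))
    return found


def audit(log_lines, public_ip, url_domain, cert_sans):
    """List the reasons a composed console URL would not load over TLS."""
    expected = proxy_hostname(public_ip, url_domain)
    problems = []
    for scheme, host in composed_urls(log_lines):
        if scheme != "https":
            problems.append(f"{scheme}://{host}: not https, check consoleproxy.sslEnabled")
        if host != expected:
            problems.append(f"{host}: expected {expected} from consoleproxy.url.domain")
        if not any(san_covers(s, host or "") for s in cert_sans):
            problems.append(f"{host}: no certificate name covers this host")
    return problems


def live_sans(host, port=443, timeout=5.0):
    """Fetch the dNSName entries of the certificate the proxy actually serves.
    Needs network access; a chain or name the local trust store rejects raises
    ssl.SSLCertVerificationError, whose message names the reason."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    for p in audit(SAMPLE_LOG, "203.0.113.10", "*.example.com", ["*.example.com"]):
        print(p)
```

Against a running proxy, pass the result of `live_sans(proxy_hostname(ip, domain))` as `cert_sans` to compare what is served with what the management server composes.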
