cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Indra Pramana <in...@sg.or.id>
Subject Re: Unable to upload SSL certificate for realhostip replacement
Date Sat, 27 Sep 2014 17:53:38 GMT
Hi Wido,

I have changed the value of secstorage.ssl.cert.domain and restart
management server, before I start uploading all the certificates.

I found this article, which might be related to the problem:

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Troubleshooting+-+uploading+custom+domain+certificate+instead+of+using+realhostip.com

====

*Specific Issues seen*

   1. Download urls point to the old domain.
      1. Reduce the expiration duration of the urls by changing global
      config extract.url.expiration.interval
      2. And change the frequency for cleanup thread
      through extract.url.cleanup.interval restart MS.
      3. Wait for the cleanup thread duration and try downloading again.
      See whether the url is deleted.
      4. DB tables to check (don’t recommend but worst case)
      Version < 4.2 – upload table persists url. Entry is hard deleted on
      expiration of url.
      Version >= 4.2 –
      template_store_ref, download_url is made null on expiration of url.
      volume_store_ref, entry hard deleted on expiration of url.

====

But I'm not too sure what is the recommended values I need to set for
extract.url.expiration.interval and extract.url.cleanup.interval. Any
advise?

Thank you.



On Sun, Sep 28, 2014 at 1:39 AM, Wido den Hollander <wido@widodh.nl> wrote:

>
>
>
>
> > Op 27 sep. 2014 om 19:25 heeft Indra Pramana <indra@sg.or.id> het
> volgende geschreven:
> >
> > Dear all,
> >
> > FYI, I managed to complete the tasks and install the certificates. As a
> > workaround to the unable to upload the root/intermediate cert via API
> > issue, I uploaded a certificate with just "BEGIN" as text via API, and
> then
> > proceed to update the keystore table on the MySQL database directly to
> > input the whole cert.
> >
> > It seems to be working, after I uploaded the cert and private key via
> GUI,
> > I can see that both CPVM and SSVM are being restarted. When I test:
> >
> > - Console is working, using my own domain now. Yay! :)
> >
> > - However, when I try to test downloading a template, it's still showing
> > realhostip.com as the URL to download. I have tried destroying the SSVM
> and
> > a new SSVM was created, up and running. However, it's still showing
> > realhostip.com when I test again.
> >
> > Anyone knows why it's still referring to realhostip.com for downloading
> > templates?
> >
>
> Look at the global settings. There is a domain for the sec storage as well.
>
> Maybe restart the mgmt server?
>
> > Looking forward to your reply, thank you.
> >
> > Cheers.
> >
> >
> >> On Sun, Sep 28, 2014 at 12:49 AM, Indra Pramana <indra@sg.or.id> wrote:
> >>
> >> Dear all,
> >>
> >> Apologise for sending quite a lot of emails tonight. Anyone knows if
> it's
> >> safe for me to update the keystore table on the database directly? Since
> >> the API call doesn't work.
> >>
> >> Thank you.
> >>
> >>
> >>> On Sun, Sep 28, 2014 at 12:39 AM, Indra Pramana <indra@sg.or.id>
> wrote:
> >>>
> >>> Only if I key in the certificate as "BEGIN", then it seems to be
> >>> accepting. But of course, the certificate is invalid.
> >>>
> >>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
> >>> <jobid>1efe722a-e7c7-4c43-9f6b-67ce860dbe34</jobid>
> >>> </uploadcustomcertificateresponse>
> >>>
> >>> Is it my browser issue? I have tried using two different browsers:
> >>> Firefox and Chrome, and both are having the same problem.
> >>>
> >>>
> >>>> On Sun, Sep 28, 2014 at 12:36 AM, Indra Pramana <indra@sg.or.id>
> wrote:
> >>>>
> >>>> I tried to key in just "BEGIN CERTIFICATE\nEND CERTIFICATE" without
> the
> >>>> "-----" and the content of the certificate itself. Same problem
> persists,
> >>>> it says parameter certificate is invalid, contains illegal ASCII
> >>>> non-printable characters.
> >>>>
> >>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
> >>>> <errorcode>431</errorcode>
> >>>> <cserrorcode>9999</cserrorcode>
> >>>> <errortext>
> >>>> Received value BEGIN CERTIFICATE END CERTIFICATE for parameter
> >>>> certificate is invalid, contains illegal ASCII non-printable
> characters
> >>>> </errortext>
> >>>> </uploadcustomcertificateresponse>
> >>>>
> >>>>
> >>>> Seems the issue was not actually on the certificate itself, but may
be
> >>>> on the API call handler?
> >>>>
> >>>> Any advice is greatly appreciated.
> >>>>
> >>>>
> >>>>> On Sat, Sep 27, 2014 at 11:35 PM, Indra Pramana <indra@sg.or.id>
> wrote:
> >>>>>
> >>>>> Hi Amogh and all,
> >>>>>
> >>>>> To add, I am using RapidSSL and I got the root and intermediate
CAs
> >>>>> from here:
> >>>>>
> >>>>>
> >>>>>
> https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457
> >>>>>
> >>>>> I have ensured that the encoding is done correctly, but still there's
> >>>>> issue when I tried to upload it. Is it because I am still using
> version
> >>>>> 4.2.0, may be there's a different method on how to upload?
> >>>>>
> >>>>> Error messages:
> >>>>>
> >>>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
> >>>>> <errorcode>431</errorcode>
> >>>>> <cserrorcode>9999</cserrorcode>
> >>>>> <errortext>
> >>>>> Received value -----BEGIN CERTIFICATE-----
> >>>>> MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
> >>>>> MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
> >>>>> aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
> >>>>> WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
> >>>>> AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
> >>>>> CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
> >>>>> OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
> >>>>> T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
> >>>>> JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
> >>>>> Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
> >>>>> PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
> >>>>> aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
> >>>>> TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
> >>>>> LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
> >>>>> BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
> >>>>> dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
> >>>>> AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
> >>>>> NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
> >>>>> b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S -----END
> CERTIFICATE----- for
> >>>>> parameter certificate is invalid, contains illegal ASCII
> non-printable
> >>>>> characters
> >>>>> </errortext>
> >>>>> </uploadcustomcertificateresponse>
> >>>>>
> >>>>>
> >>>>> Any advice is greatly appreciated, since 30 Sep is just another
3
> >>>>> days...
> >>>>>
> >>>>>
> >>>>>> On Sat, Sep 27, 2014 at 11:21 PM, Indra Pramana <indra@sg.or.id>
> wrote:
> >>>>>>
> >>>>>> Hi Amogh,
> >>>>>>
> >>>>>> I tried again tonight, still the same. Not too sure why, is
it
> >>>>>> something wrong with the certificate? But I have confirmed that
> it's the
> >>>>>> correct root certificate from my CA.
> >>>>>>
> >>>>>> Any other advice?
> >>>>>>
> >>>>>> Looking forward to your reply, thank you.
> >>>>>>
> >>>>>> Cheers.
> >>>>>>
> >>>>>> On Tue, Sep 23, 2014 at 12:56 AM, Amogh Vasekar <
> >>>>>> amogh.vasekar@citrix.com> wrote:
> >>>>>>
> >>>>>>> Can you try using http://meyerweb.com/eric/tools/dencoder/
> >>>>>>>
> >>>>>>> Amogh
> >>>>>>>
> >>>>>>>> On 9/22/14 4:36 AM, "Indra Pramana" <indra@sg.or.id>
wrote:
> >>>>>>>>
> >>>>>>>> Dear all,
> >>>>>>>>
> >>>>>>>> I am following the instruction on this documentation
to replace
> >>>>>>>> realhostip.com with my own domain.
> >>>>>>>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replac
> >>>>>>>> e+realhostip.com+with+Your+Own+Domain+Name
> >>>>>>>>
> >>>>>>>> Everything is fine until I need to upload the root certificate
via
> >>>>>>> API. I
> >>>>>>>> have URL-encoded the certificate using online URL encoder
tool
> such
> >>>>>>> as:
> >>>>>>>>
> >>>>>>>> http://www.url-encode-decode.com/
> >>>>>>>>
> >>>>>>>> However, when I run the API command, the certificate
is rejected,
> >>>>>>> saying
> >>>>>>>> that it contains illegal ASCII non-printable characters:
> >>>>>>>>
> >>>>>>>> for parameter certificate is invalid, contains illegal
ASCII
> >>>>>>> non-printable
> >>>>>>>> characters
> >>>>>>>>
> >>>>>>>> I have ensured and verified that it only contains generic
ASCII
> text
> >>>>>>>> format, no space, symbol etc. Tried using UTF-8, US-ASCII
format
> >>>>>>> while
> >>>>>>>> encoding, but still cannot work.
> >>>>>>>>
> >>>>>>>> Any advice is greatly appreciated.
> >>>>>>>>
> >>>>>>>> Looking forward to your reply, thank you.
> >>>>>>>>
> >>>>>>>> Cheers.
> >>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message