cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Amogh Vasekar <amogh.vase...@citrix.com>
Subject Re: Unable to upload SSL certificate for realhostip replacement
Date Sat, 27 Sep 2014 19:32:34 GMT
Hi,

For the encoding, in your case it was the space character causing the
issue - it should be replaced by %20. The correct encoding would be
(hoping mail clients don't screw up the blob):
-----BEGIN%20CERTIFICATE-----%0AMIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQU
AME4xCzAJBgNVBAYTAlVT%0AMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFN
lY3VyZSBDZXJ0%0AaWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQ
wMDAw%0AWjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE%0A
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB%0ACgKCAQEA
2swYYzD99BcjGlZ%2BW988bDjkcbd4kdS8odhM%2BKhDtgPpTSEHCIjaWC9m%0AOSm9BXiLnTjo
BbdqfnGk5sRgprDvgOSJKA%2BeJdbtg%2FOtppHHmMlCGDUUna2YRpIu%0AT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU%2BBQVNdnARqN7csiRv8lVK83Qlz6c%0AJmTM386DGXHKTubU1XupGc
1V3sjs0l44U%2BVcT4wt%2FlAjNvxm5suOpDkZALeVAjmR%0ACw7%2BOC7RHQWa9k0%2Bbw8HHa
8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz%0APeE4uwc2hGKceeoWMPRfwCvocWvk%2
BQIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm%0AaPkr0rKV10fYIyAQTzOYkJ%2FUMB0GA1UdDg
QWBBTAephojYn7qwVkDBF9qn1luMrM%0ATjAPBgNVHRMBAf8EBTADAQH%2FMA4GA1UdDwEB%2Fw
QEAwIBBjA6BgNVHR8EMzAxMC%2Bg%0ALaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxz
L3NlY3VyZWNhLmNybDBO%0ABgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6
Ly93d3cuZ2Vv%0AdHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUA
A4GB%0AAHbhEm5OSxYShjAGsoEIz%2FAIx8dxfmbuwu3UOx%2F%2F8PDITtZDOLC5MH0Y0FWDom
rL%0ANhGc6Ehmo21%2FuBPUR%2F6LWlxz%2FK7ZGzIZOKuXNBSqltLroxwUCEm2u%2BWR74M26x
1W%0Ab8ravHNjkOR%2Fez4iyz0H7V84dJzjA1BOoa%2BY7mHyhD8S%0A-----END%20CERTIFIC
ATE-----

As for the global parameter, you can set it to something like a few
seconds and reset to original value when the URLs have been expired.

Thanks
Amogh


On 9/27/14 10:53 AM, "Indra Pramana" <indra@sg.or.id> wrote:

>Hi Wido,
>
>I have changed the value of secstorage.ssl.cert.domain and restart
>management server, before I start uploading all the certificates.
>
>I found this article, which might be related to the problem:
>
>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Troubleshooting+-+u
>ploading+custom+domain+certificate+instead+of+using+realhostip.com
>
>====
>
>*Specific Issues seen*
>
>   1. Download urls point to the old domain.
>      1. Reduce the expiration duration of the urls by changing global
>      config extract.url.expiration.interval
>      2. And change the frequency for cleanup thread
>      through extract.url.cleanup.interval restart MS.
>      3. Wait for the cleanup thread duration and try downloading again.
>      See whether the url is deleted.
>      4. DB tables to check (don¹t recommend but worst case)
>      Version < 4.2 ­ upload table persists url. Entry is hard deleted on
>      expiration of url.
>      Version >= 4.2 ­
>      template_store_ref, download_url is made null on expiration of url.
>      volume_store_ref, entry hard deleted on expiration of url.
>
>====
>
>But I'm not too sure what is the recommended values I need to set for
>extract.url.expiration.interval and extract.url.cleanup.interval. Any
>advise?
>
>Thank you.
>
>
>
>On Sun, Sep 28, 2014 at 1:39 AM, Wido den Hollander <wido@widodh.nl>
>wrote:
>
>>
>>
>>
>>
>> > Op 27 sep. 2014 om 19:25 heeft Indra Pramana <indra@sg.or.id> het
>> volgende geschreven:
>> >
>> > Dear all,
>> >
>> > FYI, I managed to complete the tasks and install the certificates. As
>>a
>> > workaround to the unable to upload the root/intermediate cert via API
>> > issue, I uploaded a certificate with just "BEGIN" as text via API, and
>> then
>> > proceed to update the keystore table on the MySQL database directly to
>> > input the whole cert.
>> >
>> > It seems to be working, after I uploaded the cert and private key via
>> GUI,
>> > I can see that both CPVM and SSVM are being restarted. When I test:
>> >
>> > - Console is working, using my own domain now. Yay! :)
>> >
>> > - However, when I try to test downloading a template, it's still
>>showing
>> > realhostip.com as the URL to download. I have tried destroying the
>>SSVM
>> and
>> > a new SSVM was created, up and running. However, it's still showing
>> > realhostip.com when I test again.
>> >
>> > Anyone knows why it's still referring to realhostip.com for
>>downloading
>> > templates?
>> >
>>
>> Look at the global settings. There is a domain for the sec storage as
>>well.
>>
>> Maybe restart the mgmt server?
>>
>> > Looking forward to your reply, thank you.
>> >
>> > Cheers.
>> >
>> >
>> >> On Sun, Sep 28, 2014 at 12:49 AM, Indra Pramana <indra@sg.or.id>
>>wrote:
>> >>
>> >> Dear all,
>> >>
>> >> Apologise for sending quite a lot of emails tonight. Anyone knows if
>> it's
>> >> safe for me to update the keystore table on the database directly?
>>Since
>> >> the API call doesn't work.
>> >>
>> >> Thank you.
>> >>
>> >>
>> >>> On Sun, Sep 28, 2014 at 12:39 AM, Indra Pramana <indra@sg.or.id>
>> wrote:
>> >>>
>> >>> Only if I key in the certificate as "BEGIN", then it seems to be
>> >>> accepting. But of course, the certificate is invalid.
>> >>>
>> >>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
>> >>> <jobid>1efe722a-e7c7-4c43-9f6b-67ce860dbe34</jobid>
>> >>> </uploadcustomcertificateresponse>
>> >>>
>> >>> Is it my browser issue? I have tried using two different browsers:
>> >>> Firefox and Chrome, and both are having the same problem.
>> >>>
>> >>>
>> >>>> On Sun, Sep 28, 2014 at 12:36 AM, Indra Pramana <indra@sg.or.id>
>> wrote:
>> >>>>
>> >>>> I tried to key in just "BEGIN CERTIFICATE\nEND CERTIFICATE" without
>> the
>> >>>> "-----" and the content of the certificate itself. Same problem
>> persists,
>> >>>> it says parameter certificate is invalid, contains illegal ASCII
>> >>>> non-printable characters.
>> >>>>
>> >>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
>> >>>> <errorcode>431</errorcode>
>> >>>> <cserrorcode>9999</cserrorcode>
>> >>>> <errortext>
>> >>>> Received value BEGIN CERTIFICATE END CERTIFICATE for parameter
>> >>>> certificate is invalid, contains illegal ASCII non-printable
>> characters
>> >>>> </errortext>
>> >>>> </uploadcustomcertificateresponse>
>> >>>>
>> >>>>
>> >>>> Seems the issue was not actually on the certificate itself, but
>>may be
>> >>>> on the API call handler?
>> >>>>
>> >>>> Any advice is greatly appreciated.
>> >>>>
>> >>>>
>> >>>>> On Sat, Sep 27, 2014 at 11:35 PM, Indra Pramana <indra@sg.or.id>
>> wrote:
>> >>>>>
>> >>>>> Hi Amogh and all,
>> >>>>>
>> >>>>> To add, I am using RapidSSL and I got the root and intermediate
>>CAs
>> >>>>> from here:
>> >>>>>
>> >>>>>
>> >>>>>
>> 
>>https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page
>>=content&actp=CROSSLINK&id=SO26457
>> >>>>>
>> >>>>> I have ensured that the encoding is done correctly, but still
>>there's
>> >>>>> issue when I tried to upload it. Is it because I am still using
>> version
>> >>>>> 4.2.0, may be there's a different method on how to upload?
>> >>>>>
>> >>>>> Error messages:
>> >>>>>
>> >>>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
>> >>>>> <errorcode>431</errorcode>
>> >>>>> <cserrorcode>9999</cserrorcode>
>> >>>>> <errortext>
>> >>>>> Received value -----BEGIN CERTIFICATE-----
>> >>>>> MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
>> >>>>> MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
>> >>>>> aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
>> >>>>> WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
>> >>>>> AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
>> >>>>> CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
>> >>>>> OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
>> >>>>> T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
>> >>>>> JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
>> >>>>> Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
>> >>>>> PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
>> >>>>> aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
>> >>>>> TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
>> >>>>> LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
>> >>>>> BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
>> >>>>> dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
>> >>>>> AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
>> >>>>> NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
>> >>>>> b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S -----END
>> CERTIFICATE----- for
>> >>>>> parameter certificate is invalid, contains illegal ASCII
>> non-printable
>> >>>>> characters
>> >>>>> </errortext>
>> >>>>> </uploadcustomcertificateresponse>
>> >>>>>
>> >>>>>
>> >>>>> Any advice is greatly appreciated, since 30 Sep is just another
3
>> >>>>> days...
>> >>>>>
>> >>>>>
>> >>>>>> On Sat, Sep 27, 2014 at 11:21 PM, Indra Pramana <indra@sg.or.id>
>> wrote:
>> >>>>>>
>> >>>>>> Hi Amogh,
>> >>>>>>
>> >>>>>> I tried again tonight, still the same. Not too sure why,
is it
>> >>>>>> something wrong with the certificate? But I have confirmed
that
>> it's the
>> >>>>>> correct root certificate from my CA.
>> >>>>>>
>> >>>>>> Any other advice?
>> >>>>>>
>> >>>>>> Looking forward to your reply, thank you.
>> >>>>>>
>> >>>>>> Cheers.
>> >>>>>>
>> >>>>>> On Tue, Sep 23, 2014 at 12:56 AM, Amogh Vasekar <
>> >>>>>> amogh.vasekar@citrix.com> wrote:
>> >>>>>>
>> >>>>>>> Can you try using http://meyerweb.com/eric/tools/dencoder/
>> >>>>>>>
>> >>>>>>> Amogh
>> >>>>>>>
>> >>>>>>>> On 9/22/14 4:36 AM, "Indra Pramana" <indra@sg.or.id>
wrote:
>> >>>>>>>>
>> >>>>>>>> Dear all,
>> >>>>>>>>
>> >>>>>>>> I am following the instruction on this documentation
to replace
>> >>>>>>>> realhostip.com with my own domain.
>> >>>>>>>
>> 
>>https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Repla
>>c
>> >>>>>>>> e+realhostip.com+with+Your+Own+Domain+Name
>> >>>>>>>>
>> >>>>>>>> Everything is fine until I need to upload the root
certificate
>>via
>> >>>>>>> API. I
>> >>>>>>>> have URL-encoded the certificate using online URL
encoder tool
>> such
>> >>>>>>> as:
>> >>>>>>>>
>> >>>>>>>> http://www.url-encode-decode.com/
>> >>>>>>>>
>> >>>>>>>> However, when I run the API command, the certificate
is
>>rejected,
>> >>>>>>> saying
>> >>>>>>>> that it contains illegal ASCII non-printable characters:
>> >>>>>>>>
>> >>>>>>>> for parameter certificate is invalid, contains illegal
ASCII
>> >>>>>>> non-printable
>> >>>>>>>> characters
>> >>>>>>>>
>> >>>>>>>> I have ensured and verified that it only contains
generic ASCII
>> text
>> >>>>>>>> format, no space, symbol etc. Tried using UTF-8,
US-ASCII
>>format
>> >>>>>>> while
>> >>>>>>>> encoding, but still cannot work.
>> >>>>>>>>
>> >>>>>>>> Any advice is greatly appreciated.
>> >>>>>>>>
>> >>>>>>>> Looking forward to your reply, thank you.
>> >>>>>>>>
>> >>>>>>>> Cheers.
>> >>
>>


Mime
View raw message