Return-Path: X-Original-To: apmail-cloudstack-dev-archive@www.apache.org Delivered-To: apmail-cloudstack-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0DAAC1770F for ; Fri, 26 Sep 2014 14:53:32 +0000 (UTC) Received: (qmail 77670 invoked by uid 500); 26 Sep 2014 14:53:31 -0000 Delivered-To: apmail-cloudstack-dev-archive@cloudstack.apache.org Received: (qmail 77620 invoked by uid 500); 26 Sep 2014 14:53:31 -0000 Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list dev@cloudstack.apache.org Received: (qmail 77607 invoked by uid 99); 26 Sep 2014 14:53:31 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 26 Sep 2014 14:53:31 +0000 X-ASF-Spam-Status: No, hits=-2.3 required=5.0 tests=RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of Stephen.Turner@citrix.com designates 185.25.65.24 as permitted sender) Received: from [185.25.65.24] (HELO SMTP.EU.CITRIX.COM) (185.25.65.24) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 26 Sep 2014 14:53:27 +0000 X-IronPort-AV: E=Sophos;i="5.04,604,1406592000"; d="scan'208";a="25319789" From: Stephen Turner To: France CC: "dev@cloudstack.apache.org" Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI Thread-Topic: Urgent. Importing certificate to CS 4.3.1 using GUI Thread-Index: AQHP2Aa+Y1BopaNVcESmakI94iVZdJwQhN2AgAEW7oCAABI0AIAAEE0AgAFuYfCAABDLAIAARKcA Date: Fri, 26 Sep 2014 14:53:04 +0000 Message-ID: <85B56B1AEDD2674A82DEC8B61E1218294E43C3@AMSPEX01CL01.citrite.net> References: <9A0DE9AE-FA4B-4182-8547-5B23ADC3AAC5@isg.si> <71E06A58-4258-40D2-89EC-8C9F11C7F925@isg.si> <5C0A9DA9-AAAA-44CF-82E0-A44DE8928924@isg.si> <85B56B1AEDD2674A82DEC8B61E1218294E3BDD@AMSPEX01CL01.citrite.net> In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-DLP: AMS1 X-Virus-Checked: Checked by ClamAV on apache.org I'm afraid I couldn't reproduce this, even with your certificate and privat= e key. Everything I tried, I got "Update Certiciate [sic] Succeeded". Does anyone else have a convenient 4.3 and FF 32 that they can try and repr= o this with? France, if you open the developer tools in Firefox and do this again, do yo= u see any errors? --=20 Stephen Turner -----Original Message----- From: France [mailto:mailinglists@isg.si]=20 Sent: 26 September 2014 13:44 To: Stephen Turner Cc: dev@cloudstack.apache.org Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI Issue has been created. I would assign it to you, but lack credentials? https://issues.apache.org/jira/browse/CLOUDSTACK-7635 Regards, F. On 26 Sep 2014, at 11:47, Stephen Turner wrote: > Yes, I would like a bug report for this. Please assign it to me. This bit= of UI has been rewritten on master, but it should work the same in all bro= wsers, so I'd like to investigate whether it's fixed on master, and also wh= ether there are any other similar controls that aren't working in FF 32. >=20 > If you can attach a public key and other data that illustrates the proble= m, that would be great just to make sure that we can repro it. Thank you. >=20 > -- > Stephen Turner >=20 >=20 > -----Original Message----- > From: France [mailto:mailinglists@isg.si] > Sent: 25 September 2014 14:52 > To: dev@cloudstack.apache.org > Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI >=20 > There is a bug in ACS 4.3.1 GUI. > The before mentioned process did not work with Firefox 32.0.2, while it w= orked on latest Chrome. > Because the problem is on the browser side, it did not reach management s= erver logs at all. > I have done everything correct. Even a couple of times. ;-) >=20 > Hopefully this mail will help someone in the future. I would also advise = to update the documentation on the issue. >=20 > Do you want me to open a bug report for this? I am a little reluctant to = do so, because some of the bug reports i made previously just sit there for= years to come. >=20 > FYI also got contacted off the mailing list by Steve Roles from ShapeBlue= who kindly offered to sell annual 24/7 support to help me sort this issue. > Too bad they did not want to provide help/support for this one incident, = which which they "have come across" already. They could get payed well for = telling me to use another browser. :-) While i appreciate what ShapeBlue do= es for ACS, they could easily just have told us publicly on the mailing lis= t to use a different browser. >=20 > Many thanks to anyone else who actually tried to help on the issue. Realh= ostip.com migration is now officially complete. >=20 > Regards, > F. >=20 > On 25 Sep 2014, at 14:54, France wrote: >=20 >> I have created new key and csr. Signed it, converted key to pkcs8 format= without encryption and added in ACS GUI with *.domain.tld and again with d= omain.tld. I did copy paste the crt and key with and without -----BEGIN CER= TIFICATE-- tags. Nothing works. I have the same GUI error message as before= . Management-log shows no errors or even logs regarding certificate manipul= ation. I have not created CA key and certs again. I have confirmed certific= ate before importing to ACS using: openssl x509 -in private/vse.somedomain.= tls.crt -noout -text (result below). >>=20 >> Maybe i could just insert new certs straight into the database, destroy = console proxy and see what happens. >> Any more ideas? >>=20 >> Also there is a bug in 4.3 documentation, because it says one must=20 >> enter *.domain.tld while you say, it should be just domain.tld >>=20 >> " >> In the Update SSL Certificate screen of the CloudStack UI, paste the fol= lowing: >>=20 >> * The certificate you've just generated. >> * The private key you've just generated. >> * The desired domain name, prefixed with *.; for example,=20 >> *.consoleproxy.company.com " >>=20 >> //// >> [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout=20 >> -text >> Certificate: >> Data: >> Version: 3 (0x2) >> Serial Number: 4097 (0x1001) >> Signature Algorithm: sha256WithRSAEncryption >> Issuer: C=3DSI, ST=3DSlovenia, L=3DLjubljana, O=3DXXX d.o.o., OU= =3DIT department, CN=3Doptimus.si/emailAddress=3Dsistem@XXXB.si >> Validity >> Not Before: Sep 25 12:25:32 2014 GMT >> Not After : Jun 3 12:25:32 2028 GMT >> Subject: C=3DSI, ST=3DSlovenia, O=3DXXX d.o.o., OU=3DIT department= , CN=3D*.somedomain.si/emailAddress=3Dsistem@XXXB.si >> Subject Public Key Info: >> Public Key Algorithm: rsaEncryption >> Public-Key: (2048 bit) >> Modulus: >> 00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d: >> 94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4: >> 72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e: >> 95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b: >> fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6: >> fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e: >> 83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08: >> 05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87: >> b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6: >> 9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62: >> f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3: >> 28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87: >> 69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a: >> f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb: >> d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59:76:70:99: >> 8c:2e:c0:cf:dd:09:3b:fb:6f:8d:43:29:0c:7e:8a: >> 5c:8d:49:f4:9a:96:ba:54:72:44:d8:fa:aa:64:71: >> 27:21 >> Exponent: 65537 (0x10001) >> X509v3 extensions: >> X509v3 Basic Constraints:=20 >> CA:FALSE >> X509v3 Key Usage:=20 >> Digital Signature, Non Repudiation, Key Encipherment >> Netscape Comment:=20 >> OpenSSL Generated Certificate >> X509v3 Subject Key Identifier:=20 >> 13:B4:E9:B7:EA:67:BC:00:BA:20:F9:9D:AB:02:14:0D:22:B4:F7:5= B >> X509v3 Authority Key Identifier:=20 >>=20 >> keyid:B9:4F:AC:D0:CA:A4:32:E0:A0:49:48:8D:D4:C9:6A:6D:6F:6C:8F:42 >>=20 >> Signature Algorithm: sha256WithRSAEncryption >> a9:f2:77:c2:10:9b:87:f4:44:9c:57:52:1b:dc:70:a7:e2:bf: >> 97:8d:bb:3d:bc:b7:a9:90:55:75:43:47:ac:bf:6f:2a:5e:90: >> b1:5b:8c:41:e7:5a:51:2a:f7:db:2e:6a:37:e5:6e:18:3a:88: >> ae:10:42:1e:97:4c:75:e9:8a:51:37:8f:e9:99:bc:40:46:18: >> 85:18:ce:6f:03:24:c7:b3:43:f2:53:51:34:36:70:d8:3b:84: >> 09:70:91:13:51:a9:b7:30:e4:d3:f7:1a:34:f4:6b:25:b7:46: >> a1:dd:b7:eb:19:b3:03:be:b5:3d:12:b7:ee:a9:47:26:17:89: >> ef:06:9e:90:b4:78:5d:d9:52:1c:b4:0d:14:f2:37:64:9a:d8: >> 4d:89:95:1e:c0:6b:14:93:e8:ea:91:84:69:c5:22:1f:d2:82: >> 54:bd:fe:06:f8:ea:f3:66:a1:27:41:72:88:25:78:eb:2b:1b: >> 73:fb:98:0f:00:58:b0:43:22:5b:3b:ea:89:b5:4f:3e:2a:ed: >> 92:5f:48:37:39:ec:39:6c:b5:73:d3:0d:9c:ff:3b:37:92:5b: >> c6:ef:64:65:7a:99:1a:be:09:0e:bb:62:1b:9f:9e:ad:5d:cf: >> 32:8c:81:42:c2:d9:11:65:64:8d:ce:5e:f5:b4:77:66:74:eb: >> 10:d5:7e:58:d7:ba:70:fe:96:4b:94:f5:66:5c:af:57:ae:e0: >> ad:72:7a:ef:04:80:7e:4b:6d:ee:13:e2:de:20:94:4e:bb:7b: >> a6:87:0f:92:d8:c4:01:9b:50:fd:b4:0b:60:b2:93:91:32:ce: >> 31:f9:b7:4f:a0:72:71:a1:87:b4:02:ff:5b:49:c1:2f:a1:6d: >> 13:98:c1:81:9c:33:f6:61:b9:f9:47:7b:7b:2a:b2:e0:7b:21: >> 4b:67:c0:23:04:b7:08:e5:7d:a3:44:b5:a5:aa:ce:03:be:93: >> cb:78:fe:2d:e5:a7:61:20:03:b2:a1:ac:92:41:54:c0:25:b5: >> 32:c6:c5:83:49:7a:cd:a8:16:4e:80:f2:05:9c:47:17:74:1f: >> 55:63:f2:9c:e3:fa:48:cb:93:40:8f:63:7b:69:2f:2a:22:4e: >> 0e:44:1b:52:3e:70:fb:65:43:be:a2:0a:04:5e:70:cf:d7:fe: >> d5:66:0a:19:81:d5:bf:54:ce:fd:25:cc:d8:f6:cc:be:e8:a9: >> e1:a9:38:ef:81:80:2e:61:52:fb:0a:0c:e5:21:e1:7a:c8:3f: >> 8e:6a:9a:ab:a6:72:81:54:43:08:65:b8:62:00:08:c8:c2:f6: >> 88:82:7e:fb:07:22:67:09:c0:1a:fb:d9:69:17:2a:d8:be:01: >> 7e:e5:ee:3d:1b:f1:bf:3f >> //// >>=20 >>=20 >> Tnx and regards, >> F. >>=20 >>=20 >> On 25 Sep 2014, at 13:48, France wrote: >>=20 >>> Tnx Amogh, >>>=20 >>> i have checked management-server.log and no new entries or errors regar= ding certificate operation are written at the time when i get "Failed to up= date SSL Certificate." error message. I tried it a couple of times. I also = used somedomain.tld in the GUI. Certificate is for *.somedomain.tld. >>> I will go thru whole create CA and certificate process again and retry. >>> There must be some simple mistake in my process somewhere. Lack of=20 >>> errors in logs, is also strange. :-/ >>>=20 >>> Regards, >>> F. >>>=20 >>> On 24 Sep 2014, at 21:10, Amogh Vasekar wrot= e: >>>=20 >>>> Hi, >>>>=20 >>>> Couple of things : >>>>=20 >>>> 1. The error will be logged to the cloudstack management server log=20 >>>> file >>>> (management-server.log) and would really help to know what it is. >>>> 2. While uploading the certificate, the domain_suffix should be=20 >>>> somedomain.tld and not *.somedomain.tld (the asterisk is only for=20 >>>> global config so that cloudstack can distinguish between HTTP and=20 >>>> HTTPS modes) >>>>=20 >>>> Thanks >>>> Amogh >>>>=20 >>>> On 9/24/14 7:40 AM, "France" wrote: >>>>=20 >>>>> Hi guys, >>>>>=20 >>>>> i want to migrate away from realhostip.com. I have set up DNS=20 >>>>> service in no time, but am having problems importing certificates to = ACS 3.4.1. >>>>>=20 >>>>> I created my own CA like this: >>>>>=20 >>>>> cd /etc/pki/CA >>>>> touch index.txt >>>>> echo 1000 > serial >>>>> openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096=20 >>>>> chmod 400 /etc/pki/CA/private/ca.key.pem nano -w=20 >>>>> /etc/pki/tls/openssl.cnf openssl req -new -x509 -days 63650 -key=20 >>>>> /etc/pki/CA/private/ca.key.pem >>>>> -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem >>>>>=20 >>>>>=20 >>>>> Signed my own keys and converted them to pkcs8 format like this: >>>>>=20 >>>>> cd /etc/pki/CA >>>>> openssl genrsa -out private/vse.somedomain.tld.key.pem 4096 chmod >>>>> 400 private/vse.somedomain.tld.key.pem >>>>> openssl req -sha256 -new -key private/vse.somedomain.tld.key.pem >>>>> -out certs/vse.somedomain.tld.csr.pem openssl ca -keyfile=20 >>>>> private/ca.key.pem -cert certs/ca.cert.pem -extensions usr_cert=20 >>>>> -notext -md sha256 -days 63649 -in=20 >>>>> certs/vse.somedomain.tld.csr.pem -out=20 >>>>> certs/vse.somedomain.tld.cert.pem openssl pkcs8 -topk8 -in=20 >>>>> private/vse.somedomain.tld.key.pem -out >>>>> private/vse.somedomain.tld.key.encrypted.pkcs8 >>>>> openssl pkcs8 -in private/vse.somedomain.tld.key.encrypted.pkcs8 >>>>> -out >>>>> private/vse.somedomain.tld.key.pkcs8 >>>>> chmod 400 private/vse.somedomain.tld.key.encrypted.pkcs8 >>>>> chmod 400 private/vse.somedomain.tld.key.pkcs8 >>>>>=20 >>>>>=20 >>>>>=20 >>>>> But when trying to import it via GUI: infrastructure -> SSL Certifica= te: >>>>> Certificate from vse.somedomain.tld.cert.pem >>>>> PKCS8 from private/vse.somedomain.tld.key.pkcs8 >>>>> DNS domain suffix to: *.somedomain.tld >>>>>=20 >>>>> But it fails with: >>>>> "Failed to update SSL Certificate." >>>>>=20 >>>>> Please help me upload the new certificate. >>>>> Catalina.out shows no error. I have no idea what else to check. >>>>>=20 >>>>> Thank you. >>>>> F. >>>>>=20 >>>>>=20 >>>>=20 >>>=20 >>=20 >=20