From: Amogh Vasekar
To: dev@cloudstack.apache.org
Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Date: Thu, 25 Sep 2014 16:37:24 +0000
In-Reply-To: <5C0A9DA9-AAAA-44CF-82E0-A44DE8928924@isg.si>

Thanks for letting us know, I will follow up with the doc folks to fix the
notes published. Funny that the GUI is not working right with FF 32.0.2. I
know they changed the pkix libraries they use (I hit it while testing
something on ACS), but this bug may call for more testing on FF to see if
anything else is broken.

Thanks
Amogh

On 9/25/14 6:52 AM, "France" wrote:

> There is a bug in ACS 4.3.1 GUI.
> The before mentioned process did not work with Firefox 32.0.2, while it
> worked on latest Chrome.
> Because the problem is on the browser side, it did not reach management
> server logs at all.
> I have done everything correctly. Even a couple of times. ;-)
>
> Hopefully this mail will help someone in the future. I would also advise
> to update the documentation on the issue.
>
> Do you want me to open a bug report for this? I am a little reluctant to
> do so, because some of the bug reports I made previously just sit there
> for years to come.
>
> FYI I also got contacted off the mailing list by Steve Roles from ShapeBlue
> who kindly offered to sell annual 24/7 support to help me sort this issue.
> Too bad they did not want to provide help/support for this one incident,
> which they "have come across" already. They could get paid well
> for telling me to use another browser. :-)
> While I appreciate what ShapeBlue does for ACS, they could easily just
> have told us publicly on the mailing list to use a different browser.
>
> Many thanks to anyone else who actually tried to help on the issue.
> Realhostip.com migration is now officially complete.
>
> Regards,
> F.
>
> On 25 Sep 2014, at 14:54, France wrote:
>
>> I have created new key and csr. Signed it, converted key to pkcs8
>> format without encryption and added in ACS GUI with *.domain.tld and
>> again with domain.tld. I did copy paste the crt and key with and without
>> -----BEGIN CERTIFICATE----- tags. Nothing works. I have the same GUI error
>> message as before. Management-log shows no errors or even logs regarding
>> certificate manipulation. I have not created CA key and certs again. I
>> have confirmed certificate before importing to ACS using: openssl x509
>> -in private/vse.somedomain.tls.crt -noout -text (result below).
>>
>> Maybe I could just insert new certs straight into the database, destroy
>> console proxy and see what happens.
>> Any more ideas?
>>
>> Also there is a bug in 4.3 documentation, because it says one must
>> enter *.domain.tld while you say it should be just domain.tld
>>
>> "
>> In the Update SSL Certificate screen of the CloudStack UI, paste the
>> following:
>>
>> • The certificate you've just generated.
>> • The private key you've just generated.
>> • The desired domain name, prefixed with *.; for example,
>> *.consoleproxy.company.com
>> "
>>
>> ////
>> [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt -noout -text
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 4097 (0x1001)
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT department, CN=optimus.si/emailAddress=sistem@XXXB.si
>>         Validity
>>             Not Before: Sep 25 12:25:32 2014 GMT
>>             Not After : Jun 3 12:25:32 2028 GMT
>>         Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department, CN=*.somedomain.si/emailAddress=sistem@XXXB.si
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>                 Public-Key: (2048 bit)
>>                 Exponent: 65537 (0x10001)
>>         X509v3 extensions:
>>             X509v3 Basic Constraints:
>>                 CA:FALSE
>>             X509v3 Key Usage:
>>                 Digital Signature, Non Repudiation, Key Encipherment
>>             Netscape Comment:
>>                 OpenSSL Generated Certificate
>>             X509v3 Subject Key Identifier:
>>                 13:B4:E9:B7:EA:67:BC:00:BA:20:F9:9D:AB:02:14:0D:22:B4:F7:5B
>>             X509v3 Authority Key Identifier:
>>                 keyid:B9:4F:AC:D0:CA:A4:32:E0:A0:49:48:8D:D4:C9:6A:6D:6F:6C:8F:42
>>
>>     Signature Algorithm: sha256WithRSAEncryption
>> ////
>>
>>
>> Tnx and regards,
>> F.
>>
>>
>> On 25 Sep 2014, at 13:48, France wrote:
>>
>>> Tnx Amogh,
>>>
>>> I have checked management-server.log and no new entries or errors
>>> regarding certificate operation are written at the time when I get
>>> "Failed to update SSL Certificate." error message. I tried it a couple
>>> of times. I also used somedomain.tld in the GUI. Certificate is for
>>> *.somedomain.tld.
>>> I will go thru whole create CA and certificate process again and retry.
>>> There must be some simple mistake in my process somewhere. Lack of
>>> errors in logs is also strange. :-/
>>>
>>> Regards,
>>> F.
>>>
>>> On 24 Sep 2014, at 21:10, Amogh Vasekar wrote:
>>>
>>>> Hi,
>>>>
>>>> Couple of things :
>>>>
>>>> 1. The error will be logged to the cloudstack management server log
>>>>    file (management-server.log) and would really help to know what it is.
>>>> 2. While uploading the certificate, the domain_suffix should be
>>>>    somedomain.tld and not *.somedomain.tld (the asterisk is only for
>>>>    global config so that cloudstack can distinguish between HTTP and
>>>>    HTTPS modes)
>>>>
>>>> Thanks
>>>> Amogh
>>>>
>>>> On 9/24/14 7:40 AM, "France" wrote:
>>>>
>>>>> Hi guys,
>>>>>
>>>>> I want to migrate away from realhostip.com. I have set up DNS
>>>>> service in no time, but am having problems importing certificates to
>>>>> ACS 3.4.1.
>>>>>
>>>>> I created my own CA like this:
>>>>>
>>>>> cd /etc/pki/CA
>>>>> touch index.txt
>>>>> echo 1000 > serial
>>>>> openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem 4096
>>>>> chmod 400 /etc/pki/CA/private/ca.key.pem
>>>>> nano -w /etc/pki/tls/openssl.cnf
>>>>> openssl req -new -x509 -days 63650 -key /etc/pki/CA/private/ca.key.pem \
>>>>>   -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
>>>>>
>>>>>
>>>>> Signed my own keys and converted them to pkcs8 format like this:
>>>>>
>>>>> cd /etc/pki/CA
>>>>> openssl genrsa -out private/vse.somedomain.tld.key.pem 4096
>>>>> chmod 400 private/vse.somedomain.tld.key.pem
>>>>> openssl req -sha256 -new -key private/vse.somedomain.tld.key.pem \
>>>>>   -out certs/vse.somedomain.tld.csr.pem
>>>>> openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
>>>>>   -extensions usr_cert -notext -md sha256 -days 63649 \
>>>>>   -in certs/vse.somedomain.tld.csr.pem -out certs/vse.somedomain.tld.cert.pem
>>>>> openssl pkcs8 -topk8 -in private/vse.somedomain.tld.key.pem \
>>>>>   -out private/vse.somedomain.tld.key.encrypted.pkcs8
>>>>> openssl pkcs8 -topk8 -nocrypt -in private/vse.somedomain.tld.key.encrypted.pkcs8 \
>>>>>   -out private/vse.somedomain.tld.key.pkcs8
>>>>> chmod 400 private/vse.somedomain.tld.key.encrypted.pkcs8
>>>>> chmod 400 private/vse.somedomain.tld.key.pkcs8
>>>>>
>>>>>
>>>>> But when trying to import it via GUI: infrastructure -> SSL Certificate:
>>>>> Certificate from vse.somedomain.tld.cert.pem
>>>>> PKCS8 from private/vse.somedomain.tld.key.pkcs8
>>>>> DNS domain suffix to: *.somedomain.tld
>>>>>
>>>>> But it fails with:
>>>>> "Failed to update SSL Certificate."
>>>>>
>>>>> Please help me upload the new certificate.
>>>>> Catalina.out shows no error. I have no idea what else to check.
>>>>>
>>>>> Thank you.
>>>>> F.
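A pre-flight check for the bundle before anything is pasted into the "Update SSL Certificate" form, written as an added example (not CloudStack's code and not from anyone in the thread): it encodes Amogh's bare-suffix rule, the unencrypted PKCS#8 requirement and a certificate/key match test. The demo file names and the `*.example.test` subject are constructed assumptions; it needs the openssl CLI.

```shell
#!/bin/sh
# Checks a CloudStack console-proxy certificate bundle the way the GUI will
# consume it: PEM certificate, UNENCRYPTED PKCS#8 key, bare domain suffix.
check_cs_cert_bundle() {
  cert=$1 key=$2 suffix=$3
  # The suffix field takes somedomain.tld; the "*." belongs only in the cert CN/SAN
  case $suffix in \*.*) echo "suffix must not start with '*.'"; return 1 ;; esac
  # The GUI wants an unencrypted PKCS#8 PrivateKeyInfo, i.e. a BEGIN PRIVATE KEY block
  grep -q '^-----BEGIN PRIVATE KEY-----' "$key" ||
    { echo "$key is not an unencrypted PKCS#8 key"; return 1; }
  # Still valid? (-checkend 0 fails once notAfter has passed)
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired"; return 1; }
  # Certificate and key must carry the same public key
  cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  kpub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cpub" = "$kpub" ] || { echo "certificate does not match $key"; return 1; }
  # The proxy names live under the suffix, so the cert must name *.<suffix>
  openssl x509 -in "$cert" -noout -text | grep -qF "*.$suffix" ||
    { echo "certificate does not cover *.$suffix"; return 1; }
  echo "bundle for $suffix looks good"
}

# Constructed demo material (assumption): a self-signed wildcard cert stands in
# for the CA-signed vse.somedomain.tld cert; key handling mirrors the thread.
make_demo_bundle() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  # Encrypted PKCS#8 (what -topk8 makes by default) and the -nocrypt one the GUI wants
  openssl pkcs8 -topk8 -in "$d/key.pem" -passout pass:demo -out "$d/key.encrypted.pkcs8"
  openssl pkcs8 -topk8 -nocrypt -in "$d/key.pem" -out "$d/key.pkcs8"
  # An unrelated key, to show the cert/key mismatch check firing
  openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in "$d/other.pem" -out "$d/other.pkcs8"
}

if [ "${1:-}" = demo ]; then
  dir=$(mktemp -d)
  make_demo_bundle "$dir"
  check_cs_cert_bundle "$dir/cert.pem" "$dir/key.pkcs8" example.test
  check_cs_cert_bundle "$dir/cert.pem" "$dir/key.pkcs8" '*.example.test'      # rejected
  check_cs_cert_bundle "$dir/cert.pem" "$dir/key.encrypted.pkcs8" example.test # rejected
  rm -rf "$dir"
fi
```

Run it as `sh check.sh demo` to see the accepted bundle and the two rejections; for a real upload call `check_cs_cert_bundle` with your own cert, pkcs8 key and suffix.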