cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rajani Karuturi <raj...@apache.org>
Subject Re: Urgent. Importing certificate to CS 4.3.1 using GUI
Date Tue, 28 Oct 2014 15:37:23 GMT
This might be due the preflighted requests [1]. Changing content type to
text/plain might fix it. Looking at the access log will show if an OPTIONS
request is being sent by Firefox.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS


On Fri, Oct 24, 2014 at 22:06 PM, Stephen Turner <Stephen.Turner@citrix.com>
wrote:

I'm still puzzled why it would have worked on my Firefox too. There must be
some difference in configuration.

--
Stephen Turner


-----Original Message-----
From: Amogh Vasekar [mailto:amogh.vasekar@citrix.com <javascript:;>]
Sent: 23 October 2014 16:18
To: dev@cloudstack.apache.org <javascript:;>
Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI

Hi,

He certainly is :-)
Can you share the screenshot of firebug request and response so as to
diagnose better?
Also, was the upload call made as admin or regular user?

Thanks,
Amogh

On 10/23/14 3:27 AM, "Suresh Sadhu" <Suresh.Sadhu@citrix.com <javascript:;>>
wrote:

>Thanks France, We(France &myself) have diagnosed the problem and in
>firefox after  uploading the certificate it shows "HTTP Error 501 Not
>implemented" error in api response(firebug  output )and
>
>The request is not reaching the server  itself(CS management server and
>api server logs not shown any API request details ..) so probably the
>failure  is due to client side settings or  due to some other problem.
>
>We need to identify  reasons for "HTTP error 501 not implemented."
>http://www.checkupdown.com/status/E501.html
>
>Amogh/Nitin : can you please check in which cases this 501 not
>implemented will occur.
>
>Regards
>Sadhu
>
>
>
>
>
>
>
>-----Original Message-----
>From: France [mailto:mailinglists@isg.si <javascript:;>]
>Sent: 23 October 2014 15:43
>To: dev@cloudstack.apache.org <javascript:;>
>Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI
>
>Suresh is awesome. Hope Citrix knows that. :-) We diagnosed the issue
>with ACS 4.3.1 and Firefox browser, and Suresh will update this thread
>with details.
>
>Regards,
>F.
>
>
>On 15 Oct 2014, at 13:55, France <mailinglists@isg.si <javascript:;>>
wrote:
>
>> Because i do not check this mailing list every day due to actual
>>payed work, i have not seen your request.
>> I will contact you right now.
>>
>>
>> On 08 Oct 2014, at 20:10, Suresh Sadhu <Suresh.Sadhu@citrix.com
<javascript:;>> wrote:
>>
>>> Sure Nitin and as of now I didn't hear anything from France.
>>>
>>> Regards
>>> sadhu
>>>
>>> -----Original Message-----
>>> From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com <javascript:;>]
>>> Sent: 08 October 2014 21:57
>>> To: dev@cloudstack.apache.org <javascript:;>
>>> Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI
>>>
>>> Sadhu - Please do update the thread once you have some observation.
>>> Thanks
>>>
>>> -Nitin
>>>
>>> On 08/10/14 5:27 AM, "Suresh Sadhu" <Suresh.Sadhu@citrix.com
<javascript:;>> wrote:
>>>
>>>> HI France,
>>>>
>>>> I can help  today .
>>>> My personal email id is mailtosadhu@gmail.com <javascript:;>
>>>>
>>>>
>>>> Regards
>>>> sadhu
>>>>
>>>> -----Original Message-----
>>>> From: Stephen Turner [mailto:Stephen.Turner@citrix.com <javascript:;>]
>>>> Sent: 08 October 2014 17:43
>>>> To: dev@cloudstack.apache.org <javascript:;>
>>>> Subject: RE: Urgent. Importing certificate to CS 4.3.1 using GUI
>>>>
>>>> France, I'm sorry, but I'm about to go away for three weeks, and
>>>> I'm not going to have time to work on this.
>>>>
>>>> Is there anyone else who could help France? Is anyone else seeing
>>>> the problem, because I couldn't reproduce it?
>>>>
>>>> --
>>>> Stephen Turner
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: France [mailto:mailinglists@isg.si <javascript:;>]
>>>> Sent: 08 October 2014 11:44
>>>> To: dev@cloudstack.apache.org <javascript:;>
>>>> Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI
>>>>
>>>> Send me a private email and you can test it on my exact system with
>>>> all development options turned on as you wish.
>>>> We will do it via remote screen sharing, like VNC, RDP, Teamviewer, ..
>>>>
>>>> Regards,
>>>> F.
>>>>
>>>> On 26 Sep 2014, at 16:53, Stephen Turner
>>>> <Stephen.Turner@citrix.com <javascript:;>>
>>>> wrote:
>>>>
>>>>> I'm afraid I couldn't reproduce this, even with your certificate
>>>>> and private key. Everything I tried, I got "Update Certiciate
>>>>> [sic] Succeeded".
>>>>>
>>>>> Does anyone else have a convenient 4.3 and FF 32 that they can try
>>>>> and repro this with?
>>>>>
>>>>> France, if you open the developer tools in Firefox and do this
>>>>> again, do you see any errors?
>>>>>
>>>>> --
>>>>> Stephen Turner
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: France [mailto:mailinglists@isg.si <javascript:;>]
>>>>> Sent: 26 September 2014 13:44
>>>>> To: Stephen Turner
>>>>> Cc: dev@cloudstack.apache.org <javascript:;>
>>>>> Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI
>>>>>
>>>>> Issue has been created.
>>>>> I would assign it to you, but lack credentials?
>>>>>
>>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-7635
>>>>>
>>>>> Regards,
>>>>> F.
>>>>>
>>>>> On 26 Sep 2014, at 11:47, Stephen Turner
>>>>> <Stephen.Turner@citrix.com <javascript:;>>
>>>>> wrote:
>>>>>
>>>>>> Yes, I would like a bug report for this. Please assign it to me.
>>>>>> This bit of UI has been rewritten on master, but it should work
>>>>>> the same in all browsers, so I'd like to investigate whether it's
>>>>>> fixed on master, and also whether there are any other similar
>>>>>> controls that aren't working in FF 32.
>>>>>>
>>>>>> If you can attach a public key and other data that illustrates
>>>>>> the problem, that would be great just to make sure that we can repro
it.
>>>>>> Thank you.
>>>>>>
>>>>>> --
>>>>>> Stephen Turner
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: France [mailto:mailinglists@isg.si <javascript:;>]
>>>>>> Sent: 25 September 2014 14:52
>>>>>> To: dev@cloudstack.apache.org <javascript:;>
>>>>>> Subject: Re: Urgent. Importing certificate to CS 4.3.1 using GUI
>>>>>>
>>>>>> There is a bug in ACS 4.3.1 GUI.
>>>>>> The before mentioned process did not work with Firefox 32.0.2,
>>>>>> while it worked on latest Chrome.
>>>>>> Because the problem is on the browser side, it did not reach
>>>>>> management server logs at all.
>>>>>> I have done everything correct. Even a couple of times. ;-)
>>>>>>
>>>>>> Hopefully this mail will help someone in the future. I would also
>>>>>> advise to update the documentation on the issue.
>>>>>>
>>>>>> Do you want me to open a bug report for this? I am a little
>>>>>> reluctant to do so, because some of the bug reports i made
>>>>>> previously just sit there for years to come.
>>>>>>
>>>>>> FYI also got contacted off the mailing list by Steve Roles from
>>>>>>ShapeBlue who kindly offered to sell annual 24/7 support to help
>>>>>>me sort this issue.
>>>>>> Too bad they did not want to provide help/support for this one
>>>>>>incident, which which they "have come across" already. They could
>>>>>>get payed well for telling me to use another browser. :-) While i
>>>>>>appreciate what ShapeBlue does for ACS, they could easily just
>>>>>>have told us publicly on the mailing list to use a different
>>>>>>browser.
>>>>>>
>>>>>> Many thanks to anyone else who actually tried to help on the issue.
>>>>>> Realhostip.com migration is now officially complete.
>>>>>>
>>>>>> Regards,
>>>>>> F.
>>>>>>
>>>>>> On 25 Sep 2014, at 14:54, France <mailinglists@isg.si <javascript:;>>
wrote:
>>>>>>
>>>>>>> I have created new key and csr. Signed it, converted key to
>>>>>>> pkcs8 format without encryption and added in ACS GUI with
>>>>>>> *.domain.tld and again with domain.tld. I did copy paste the
crt
>>>>>>> and key with and without -----BEGIN CERTIFICATE-- tags. Nothing
>>>>>>> works. I have the same GUI error message as before.
>>>>>>> Management-log shows no errors or even logs regarding
>>>>>>> certificate manipulation. I have not created CA key and certs
>>>>>>> again. I have confirmed certificate before importing to ACS
>>>>>>> using: openssl x509 -in private/vse.somedomain.tls.crt -noout
>>>>>>> -text (result below).
>>>>>>>
>>>>>>> Maybe i could just insert new certs straight into the database,
>>>>>>> destroy console proxy and see what happens.
>>>>>>> Any more ideas?
>>>>>>>
>>>>>>> Also there is a bug in 4.3 documentation, because it says one
>>>>>>> must enter *.domain.tld while you say, it should be just
>>>>>>> domain.tld
>>>>>>>
>>>>>>> "
>>>>>>> In the Update SSL Certificate screen of the CloudStack UI, paste
>>>>>>> the
>>>>>>> following:
>>>>>>>
>>>>>>>         * The certificate you've just generated.
>>>>>>>         * The private key you've just generated.
>>>>>>>         * The desired domain name, prefixed with *.; for example,
>>>>>>> *.consoleproxy.company.com "
>>>>>>>
>>>>>>> ////
>>>>>>> [root@mc1 private]# openssl x509 -in vse.somedomain.si.crt
>>>>>>> -noout -text
>>>>>>> Certificate:
>>>>>>> Data:
>>>>>>>    Version: 3 (0x2)
>>>>>>>    Serial Number: 4097 (0x1001)
>>>>>>> Signature Algorithm: sha256WithRSAEncryption
>>>>>>>    Issuer: C=SI, ST=Slovenia, L=Ljubljana, O=XXX d.o.o., OU=IT
>>>>>>> department, CN=optimus.si/emailAddress=sistem@XXXB.si
>>>>>>>    Validity
>>>>>>>        Not Before: Sep 25 12:25:32 2014 GMT
>>>>>>>        Not After : Jun  3 12:25:32 2028 GMT
>>>>>>>    Subject: C=SI, ST=Slovenia, O=XXX d.o.o., OU=IT department,
>>>>>>> CN=*.somedomain.si/emailAddress=sistem@XXXB.si
>>>>>>>    Subject Public Key Info:
>>>>>>>        Public Key Algorithm: rsaEncryption
>>>>>>>            Public-Key: (2048 bit)
>>>>>>>            Modulus:
>>>>>>>                00:a8:50:02:21:7a:49:b1:48:07:96:21:87:69:1d:
>>>>>>>                94:6f:d8:4f:0b:31:f4:8f:6f:e4:b2:78:94:38:d4:
>>>>>>>                72:92:5b:d5:43:73:aa:e4:33:48:31:11:5a:62:7e:
>>>>>>>                95:2b:e1:78:11:81:f0:ef:1a:0d:d0:52:90:47:2b:
>>>>>>>                fd:ab:0d:89:57:fa:ee:6b:3b:d1:24:c9:a9:6d:d6:
>>>>>>>                fb:0f:14:e3:72:63:a7:75:3d:3e:f5:57:45:09:7e:
>>>>>>>                83:18:f1:77:c9:3a:1e:de:6f:cd:43:0f:84:11:08:
>>>>>>>                05:3b:da:ed:3e:a6:65:7c:e9:3f:3b:b9:73:b3:87:
>>>>>>>                b6:a2:14:af:fd:3e:a9:6f:0f:e4:fb:4d:91:70:d6:
>>>>>>>                9a:78:b8:00:2e:f0:ad:24:07:01:64:b8:1f:ce:62:
>>>>>>>                f6:83:e3:fb:45:b9:3e:a1:c3:e6:de:87:d9:37:d3:
>>>>>>>                28:cf:20:6c:f9:78:5f:24:64:fb:d4:dd:79:90:87:
>>>>>>>                69:36:ad:83:3d:bd:ab:fd:aa:1d:6a:a6:b8:d5:8a:
>>>>>>>                f9:d6:e4:f0:db:9a:81:d4:41:e9:19:bf:a5:e8:fb:
>>>>>>>                d9:f5:e2:50:3c:4d:01:6d:3d:96:26:59:76:70:99:
>>>>>>>                8c:2e:c0:cf:dd:09:3b:fb:6f:8d:43:29:0c:7e:8a:
>>>>>>>                5c:8d:49:f4:9a:96:ba:54:72:44:d8:fa:aa:64:71:
>>>>>>>                27:21
>>>>>>>            Exponent: 65537 (0x10001)
>>>>>>>    X509v3 extensions:
>>>>>>>        X509v3 Basic Constraints:
>>>>>>>            CA:FALSE
>>>>>>>        X509v3 Key Usage:
>>>>>>>            Digital Signature, Non Repudiation, Key Encipherment
>>>>>>>        Netscape Comment:
>>>>>>>            OpenSSL Generated Certificate
>>>>>>>        X509v3 Subject Key Identifier:
>>>>>>>
>>>>>>> 13:B4:E9:B7:EA:67:BC:00:BA:20:F9:9D:AB:02:14:0D:22:B4:F7:5B
>>>>>>>        X509v3 Authority Key Identifier:
>>>>>>>
>>>>>>> keyid:B9:4F:AC:D0:CA:A4:32:E0:A0:49:48:8D:D4:C9:6A:6D:6F:6C:8F:4
>>>>>>> 2
>>>>>>>
>>>>>>> Signature Algorithm: sha256WithRSAEncryption
>>>>>>>     a9:f2:77:c2:10:9b:87:f4:44:9c:57:52:1b:dc:70:a7:e2:bf:
>>>>>>>     97:8d:bb:3d:bc:b7:a9:90:55:75:43:47:ac:bf:6f:2a:5e:90:
>>>>>>>     b1:5b:8c:41:e7:5a:51:2a:f7:db:2e:6a:37:e5:6e:18:3a:88:
>>>>>>>     ae:10:42:1e:97:4c:75:e9:8a:51:37:8f:e9:99:bc:40:46:18:
>>>>>>>     85:18:ce:6f:03:24:c7:b3:43:f2:53:51:34:36:70:d8:3b:84:
>>>>>>>     09:70:91:13:51:a9:b7:30:e4:d3:f7:1a:34:f4:6b:25:b7:46:
>>>>>>>     a1:dd:b7:eb:19:b3:03:be:b5:3d:12:b7:ee:a9:47:26:17:89:
>>>>>>>     ef:06:9e:90:b4:78:5d:d9:52:1c:b4:0d:14:f2:37:64:9a:d8:
>>>>>>>     4d:89:95:1e:c0:6b:14:93:e8:ea:91:84:69:c5:22:1f:d2:82:
>>>>>>>     54:bd:fe:06:f8:ea:f3:66:a1:27:41:72:88:25:78:eb:2b:1b:
>>>>>>>     73:fb:98:0f:00:58:b0:43:22:5b:3b:ea:89:b5:4f:3e:2a:ed:
>>>>>>>     92:5f:48:37:39:ec:39:6c:b5:73:d3:0d:9c:ff:3b:37:92:5b:
>>>>>>>     c6:ef:64:65:7a:99:1a:be:09:0e:bb:62:1b:9f:9e:ad:5d:cf:
>>>>>>>     32:8c:81:42:c2:d9:11:65:64:8d:ce:5e:f5:b4:77:66:74:eb:
>>>>>>>     10:d5:7e:58:d7:ba:70:fe:96:4b:94:f5:66:5c:af:57:ae:e0:
>>>>>>>     ad:72:7a:ef:04:80:7e:4b:6d:ee:13:e2:de:20:94:4e:bb:7b:
>>>>>>>     a6:87:0f:92:d8:c4:01:9b:50:fd:b4:0b:60:b2:93:91:32:ce:
>>>>>>>     31:f9:b7:4f:a0:72:71:a1:87:b4:02:ff:5b:49:c1:2f:a1:6d:
>>>>>>>     13:98:c1:81:9c:33:f6:61:b9:f9:47:7b:7b:2a:b2:e0:7b:21:
>>>>>>>     4b:67:c0:23:04:b7:08:e5:7d:a3:44:b5:a5:aa:ce:03:be:93:
>>>>>>>     cb:78:fe:2d:e5:a7:61:20:03:b2:a1:ac:92:41:54:c0:25:b5:
>>>>>>>     32:c6:c5:83:49:7a:cd:a8:16:4e:80:f2:05:9c:47:17:74:1f:
>>>>>>>     55:63:f2:9c:e3:fa:48:cb:93:40:8f:63:7b:69:2f:2a:22:4e:
>>>>>>>     0e:44:1b:52:3e:70:fb:65:43:be:a2:0a:04:5e:70:cf:d7:fe:
>>>>>>>     d5:66:0a:19:81:d5:bf:54:ce:fd:25:cc:d8:f6:cc:be:e8:a9:
>>>>>>>     e1:a9:38:ef:81:80:2e:61:52:fb:0a:0c:e5:21:e1:7a:c8:3f:
>>>>>>>     8e:6a:9a:ab:a6:72:81:54:43:08:65:b8:62:00:08:c8:c2:f6:
>>>>>>>     88:82:7e:fb:07:22:67:09:c0:1a:fb:d9:69:17:2a:d8:be:01:
>>>>>>>     7e:e5:ee:3d:1b:f1:bf:3f
>>>>>>> ////
>>>>>>>
>>>>>>>
>>>>>>> Tnx and regards,
>>>>>>> F.
>>>>>>>
>>>>>>>
>>>>>>> On 25 Sep 2014, at 13:48, France <mailinglists@isg.si <javascript:;>>
wrote:
>>>>>>>
>>>>>>>> Tnx Amogh,
>>>>>>>>
>>>>>>>> i have checked management-server.log and no new entries or
>>>>>>>> errors regarding certificate operation are written at the
time
>>>>>>>> when i get "Failed to update SSL Certificate." error message.
I
>>>>>>>> tried it a couple of times. I also used somedomain.tld in
the
>>>>>>>> GUI. Certificate is for *.somedomain.tld.
>>>>>>>> I will go thru whole create CA and certificate process again
>>>>>>>> and retry.
>>>>>>>> There must be some simple mistake in my process somewhere.
Lack
>>>>>>>> of errors in logs, is also strange. :-/
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> F.
>>>>>>>>
>>>>>>>> On 24 Sep 2014, at 21:10, Amogh Vasekar
>>>>>>>> <amogh.vasekar@citrix.com <javascript:;>>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Couple of things :
>>>>>>>>>
>>>>>>>>> 1. The error will be logged to the cloudstack management
>>>>>>>>> server log file
>>>>>>>>> (management-server.log) and would really help to know
what it is.
>>>>>>>>> 2. While uploading the certificate, the domain_suffix
should
>>>>>>>>> be somedomain.tld and not *.somedomain.tld (the asterisk
is
>>>>>>>>> only for global config so that cloudstack can distinguish
>>>>>>>>> between HTTP and HTTPS modes)
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Amogh
>>>>>>>>>
>>>>>>>>> On 9/24/14 7:40 AM, "France" <mailinglists@isg.si
<javascript:;>>
wrote:
>>>>>>>>>
>>>>>>>>>> Hi guys,
>>>>>>>>>>
>>>>>>>>>> i want to migrate away from realhostip.com. I have
set up DNS
>>>>>>>>>> service in no time, but am having problems importing
>>>>>>>>>> certificates to ACS 3.4.1.
>>>>>>>>>>
>>>>>>>>>> I created my own CA like this:
>>>>>>>>>>
>>>>>>>>>> cd /etc/pki/CA
>>>>>>>>>> touch index.txt
>>>>>>>>>> echo 1000 > serial
>>>>>>>>>> openssl genrsa -aes256 -out /etc/pki/CA/private/ca.key.pem
>>>>>>>>>> 4096 chmod 400 /etc/pki/CA/private/ca.key.pem nano
-w
>>>>>>>>>> /etc/pki/tls/openssl.cnf openssl req -new -x509 -days
63650
>>>>>>>>>> -key /etc/pki/CA/private/ca.key.pem
>>>>>>>>>> -sha256 -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Signed my own keys and converted them to pkcs8 format
like this:
>>>>>>>>>>
>>>>>>>>>> cd /etc/pki/CA
>>>>>>>>>> openssl genrsa -out private/vse.somedomain.tld.key.pem
4096
>>>>>>>>>> chmod
>>>>>>>>>> 400 private/vse.somedomain.tld.key.pem
>>>>>>>>>> openssl req -sha256 -new -key
>>>>>>>>>> private/vse.somedomain.tld.key.pem
>>>>>>>>>> -out certs/vse.somedomain.tld.csr.pem openssl ca
-keyfile
>>>>>>>>>> private/ca.key.pem -cert certs/ca.cert.pem -extensions
>>>>>>>>>> usr_cert -notext -md sha256 -days 63649 -in
>>>>>>>>>> certs/vse.somedomain.tld.csr.pem -out
>>>>>>>>>> certs/vse.somedomain.tld.cert.pem openssl pkcs8 -topk8
-in
>>>>>>>>>> private/vse.somedomain.tld.key.pem -out
>>>>>>>>>> private/vse.somedomain.tld.key.encrypted.pkcs8
>>>>>>>>>> openssl pkcs8 -in
>>>>>>>>>> private/vse.somedomain.tld.key.encrypted.pkcs8
>>>>>>>>>> -out
>>>>>>>>>> private/vse.somedomain.tld.key.pkcs8
>>>>>>>>>> chmod 400 private/vse.somedomain.tld.key.encrypted.pkcs8
>>>>>>>>>> chmod 400 private/vse.somedomain.tld.key.pkcs8
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> But when trying to import it via GUI: infrastructure
-> SSL
>>>>>>>>>> Certificate:
>>>>>>>>>> Certificate from vse.somedomain.tld.cert.pem
>>>>>>>>>> PKCS8 from private/vse.somedomain.tld.key.pkcs8
>>>>>>>>>> DNS domain suffix to: *.somedomain.tld
>>>>>>>>>>
>>>>>>>>>> But it fails with:
>>>>>>>>>> "Failed to update SSL Certificate."
>>>>>>>>>>
>>>>>>>>>> Please help me upload the new certificate.
>>>>>>>>>> Catalina.out shows no error. I have no idea what
else to check.
>>>>>>>>>>
>>>>>>>>>> Thank you.
>>>>>>>>>> F.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>



-- 
Sent from Windows Phone

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message