From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: Unable to upload SSL certificate for realhostip replacement
Date Wed, 01 Oct 2014 14:55:42 GMT
Hi,

I've fixed cloudmonkey to URL-encode parameters, so you can now use cloudmonkey to upload a
custom certificate, but only in non-interactive mode from a shell (bash/zsh). You'll have to
install cloudmonkey from source for now, since the fix is only on master.

Something like:
$ cloudmonkey upload customcertificate id=xx domainsuffix=yy name=zzz certificate='asdf
asdfasdf
asdfasdf
asdf---'

I have some issues to report while replacing certificates to get rid of realhostip; this is
specific to Xen but could apply to other hypervisors as well:

- In the case of 4.2, I see in the database that seq is 0 for the root certificate for the
realhostip.com domain. I uploaded certificates in order (root, then intermediate, and finally
the SSL cert from the UI), and I see the old certificate is still there. After the CPVM/SSVM
restart and are in the Up state, I still get SSL errors, and I see that systemvm.iso is not
getting patched. How do I fix this, or force systemvm.iso patching?

- In the case of 4.3.0 and above, I see the same issue. I'm confused about whether to use the
*. wildcard in the global setting or not.

On 27-Sep-2014, at 9:32 pm, Amogh Vasekar <amogh.vasekar@citrix.com> wrote:
> Hi,
>
> For the encoding, in your case it was the space character causing the
> issue - it should be replaced by %20. The correct encoding would be
> (hoping mail clients don't screw up the blob):
> -----BEGIN%20CERTIFICATE-----%0AMIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQU
> AME4xCzAJBgNVBAYTAlVT%0AMRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFN
> lY3VyZSBDZXJ0%0AaWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQ
> wMDAw%0AWjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE%0A
> AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB%0ACgKCAQEA
> 2swYYzD99BcjGlZ%2BW988bDjkcbd4kdS8odhM%2BKhDtgPpTSEHCIjaWC9m%0AOSm9BXiLnTjo
> BbdqfnGk5sRgprDvgOSJKA%2BeJdbtg%2FOtppHHmMlCGDUUna2YRpIu%0AT8rxh0PBFpVXLVDv
> iS2Aelet8u5fa9IAjbkU%2BBQVNdnARqN7csiRv8lVK83Qlz6c%0AJmTM386DGXHKTubU1XupGc
> 1V3sjs0l44U%2BVcT4wt%2FlAjNvxm5suOpDkZALeVAjmR%0ACw7%2BOC7RHQWa9k0%2Bbw8HHa
> 8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz%0APeE4uwc2hGKceeoWMPRfwCvocWvk%2
> BQIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm%0AaPkr0rKV10fYIyAQTzOYkJ%2FUMB0GA1UdDg
> QWBBTAephojYn7qwVkDBF9qn1luMrM%0ATjAPBgNVHRMBAf8EBTADAQH%2FMA4GA1UdDwEB%2Fw
> QEAwIBBjA6BgNVHR8EMzAxMC%2Bg%0ALaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxz
> L3NlY3VyZWNhLmNybDBO%0ABgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6
> Ly93d3cuZ2Vv%0AdHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUA
> A4GB%0AAHbhEm5OSxYShjAGsoEIz%2FAIx8dxfmbuwu3UOx%2F%2F8PDITtZDOLC5MH0Y0FWDom
> rL%0ANhGc6Ehmo21%2FuBPUR%2F6LWlxz%2FK7ZGzIZOKuXNBSqltLroxwUCEm2u%2BWR74M26x
> 1W%0Ab8ravHNjkOR%2Fez4iyz0H7V84dJzjA1BOoa%2BY7mHyhD8S%0A-----END%20CERTIFIC
> ATE-----
>
> As for the global parameter, you can set it to something like a few
> seconds and reset it to the original value when the URLs have expired.
>
> Thanks
> Amogh
>
>
> On 9/27/14 10:53 AM, "Indra Pramana" <indra@sg.or.id> wrote:
>
>> Hi Wido,
>>
>> I have changed the value of secstorage.ssl.cert.domain and restart
>> management server, before I start uploading all the certificates.
>>
>> I found this article, which might be related to the problem:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Troubleshooting+-+uploading+custom+domain+certificate+instead+of+using+realhostip.com
>>
>> ====
>>
>> *Specific Issues seen*
>>
>>  1. Download urls point to the old domain.
>>     1. Reduce the expiration duration of the urls by changing global
>>     config extract.url.expiration.interval
>>     2. And change the frequency for cleanup thread
>>     through extract.url.cleanup.interval restart MS.
>>     3. Wait for the cleanup thread duration and try downloading again.
>>     See whether the url is deleted.
>>     4. DB tables to check (don't recommend, but worst case)
>>     Version < 4.2 - upload table persists url. Entry is hard deleted on
>>     expiration of url.
>>     Version >= 4.2 -
>>     template_store_ref, download_url is made null on expiration of url.
>>     volume_store_ref, entry hard deleted on expiration of url.
>>
>> ====
>>
>> But I'm not too sure what the recommended values are that I need to set for
>> extract.url.expiration.interval and extract.url.cleanup.interval. Any
>> advice?
>>
>> Thank you.
>>
>>
>>
>> On Sun, Sep 28, 2014 at 1:39 AM, Wido den Hollander <wido@widodh.nl>
>> wrote:
>>
>>>
>>>> On 27 Sep 2014, at 19:25, Indra Pramana <indra@sg.or.id> wrote:
>>>>
>>>> Dear all,
>>>>
>>>> FYI, I managed to complete the tasks and install the certificates. As a
>>>> workaround to the issue of being unable to upload the root/intermediate
>>>> cert via the API, I uploaded a certificate with just "BEGIN" as text via
>>>> the API, and then proceeded to update the keystore table in the MySQL
>>>> database directly to input the whole cert.
>>>>
>>>> It seems to be working. After I uploaded the cert and private key via the
>>>> GUI, I can see that both CPVM and SSVM are being restarted. When I test:
>>>>
>>>> - Console is working, using my own domain now. Yay! :)
>>>>
>>>> - However, when I try to test downloading a template, it's still
>>>> showing realhostip.com as the URL to download from. I have tried
>>>> destroying the SSVM, and a new SSVM was created, up and running. However,
>>>> it's still showing realhostip.com when I test again.
>>>>
>>>> Does anyone know why it's still referring to realhostip.com for
>>>> downloading templates?
>>>>
>>>
>>> Look at the global settings. There is a domain for the sec storage as
>>> well.
>>>
>>> Maybe restart the mgmt server?
>>>
>>>> Looking forward to your reply, thank you.
>>>>
>>>> Cheers.
>>>>
>>>>
>>>>> On Sun, Sep 28, 2014 at 12:49 AM, Indra Pramana <indra@sg.or.id> wrote:
>>>>>
>>>>> Dear all,
>>>>>
>>>>> Apologies for sending quite a lot of emails tonight. Does anyone know if
>>>>> it's safe for me to update the keystore table in the database directly,
>>>>> since the API call doesn't work?
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>>> On Sun, Sep 28, 2014 at 12:39 AM, Indra Pramana <indra@sg.or.id> wrote:
>>>>>>
>>>>>> Only if I key in the certificate as "BEGIN" does it seem to be
>>>>>> accepted. But of course, the certificate is invalid.
>>>>>>
>>>>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
>>>>>> <jobid>1efe722a-e7c7-4c43-9f6b-67ce860dbe34</jobid>
>>>>>> </uploadcustomcertificateresponse>
>>>>>>
>>>>>> Is it my browser issue? I have tried using two different browsers:
>>>>>> Firefox and Chrome, and both are having the same problem.
>>>>>>
>>>>>>
>>>>>>> On Sun, Sep 28, 2014 at 12:36 AM, Indra Pramana <indra@sg.or.id>
>>> wrote:
>>>>>>>
>>>>>>> I tried to key in just "BEGIN CERTIFICATE\nEND CERTIFICATE" without
>>>>>>> the "-----" and the content of the certificate itself. The same problem
>>>>>>> persists: it says parameter certificate is invalid, contains illegal
>>>>>>> ASCII non-printable characters.
>>>>>>>
>>>>>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
>>>>>>> <errorcode>431</errorcode>
>>>>>>> <cserrorcode>9999</cserrorcode>
>>>>>>> <errortext>
>>>>>>> Received value BEGIN CERTIFICATE END CERTIFICATE for parameter
>>>>>>> certificate is invalid, contains illegal ASCII non-printable
>>> characters
>>>>>>> </errortext>
>>>>>>> </uploadcustomcertificateresponse>
>>>>>>>
>>>>>>>
>>>>>>> It seems the issue was not actually with the certificate itself, but
>>>>>>> maybe with the API call handler?
>>>>>>>
>>>>>>> Any advice is greatly appreciated.
>>>>>>>
>>>>>>>
>>>>>>>> On Sat, Sep 27, 2014 at 11:35 PM, Indra Pramana <indra@sg.or.id> wrote:
>>>>>>>>
>>>>>>>> Hi Amogh and all,
>>>>>>>>
>>>>>>>> To add, I am using RapidSSL and I got the root and intermediate
>>>>>>>> CAs from here:
>>>>>>>>
>>>>>>>> https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO26457
>>>>>>>>
>>>>>>>> I have ensured that the encoding is done correctly, but there's still
>>>>>>>> an issue when I try to upload it. Is it because I am still using
>>>>>>>> version 4.2.0, and maybe there's a different method for how to upload?
>>>>>>>>
>>>>>>>> Error messages:
>>>>>>>>
>>>>>>>> <uploadcustomcertificateresponse cloud-stack-version="4.2.0">
>>>>>>>> <errorcode>431</errorcode>
>>>>>>>> <cserrorcode>9999</cserrorcode>
>>>>>>>> <errortext>
>>>>>>>> Received value -----BEGIN CERTIFICATE-----
>>>>>>>> MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
>>>>>>>> MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
>>>>>>>> aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
>>>>>>>> WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
>>>>>>>> AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
>>>>>>>> CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
>>>>>>>> OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
>>>>>>>> T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
>>>>>>>> JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
>>>>>>>> Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
>>>>>>>> PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
>>>>>>>> aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
>>>>>>>> TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
>>>>>>>> LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
>>>>>>>> BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
>>>>>>>> dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
>>>>>>>> AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
>>>>>>>> NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
>>>>>>>> b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S -----END CERTIFICATE----- for
>>>>>>>> parameter certificate is invalid, contains illegal ASCII non-printable
>>>>>>>> characters
>>>>>>>> </errortext>
>>>>>>>> </uploadcustomcertificateresponse>
>>>>>>>>
>>>>>>>>
>>>>>>>> Any advice is greatly appreciated, since 30 Sep is just another 3
>>>>>>>> days...
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Sat, Sep 27, 2014 at 11:21 PM, Indra Pramana <indra@sg.or.id> wrote:
>>>>>>>>>
>>>>>>>>> Hi Amogh,
>>>>>>>>>
>>>>>>>>> I tried again tonight, still the same. Not too sure why; is it
>>>>>>>>> something wrong with the certificate? But I have confirmed that
>>>>>>>>> it's the correct root certificate from my CA.
>>>>>>>>>
>>>>>>>>> Any other advice?
>>>>>>>>>
>>>>>>>>> Looking forward to your reply, thank you.
>>>>>>>>>
>>>>>>>>> Cheers.
>>>>>>>>>
>>>>>>>>> On Tue, Sep 23, 2014 at 12:56 AM, Amogh Vasekar <amogh.vasekar@citrix.com> wrote:
>>>>>>>>>
>>>>>>>>>> Can you try using http://meyerweb.com/eric/tools/dencoder/
>>>>>>>>>>
>>>>>>>>>> Amogh
>>>>>>>>>>
>>>>>>>>>>> On 9/22/14 4:36 AM, "Indra Pramana" <indra@sg.or.id> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Dear all,
>>>>>>>>>>>
>>>>>>>>>>> I am following the instructions in this documentation to replace
>>>>>>>>>>> realhostip.com with my own domain.
>>>>>>>>>>>
>>>>>>>>>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
>>>>>>>>>>>
>>>>>>>>>>> Everything is fine until I need to upload the root certificate via
>>>>>>>>>>> the API. I have URL-encoded the certificate using an online URL
>>>>>>>>>>> encoder tool such as:
>>>>>>>>>>>
>>>>>>>>>>> http://www.url-encode-decode.com/
>>>>>>>>>>>
>>>>>>>>>>> However, when I run the API command, the certificate is rejected,
>>>>>>>>>>> saying that it contains illegal ASCII non-printable characters:
>>>>>>>>>>>
>>>>>>>>>>> for parameter certificate is invalid, contains illegal ASCII
>>>>>>>>>>> non-printable characters
>>>>>>>>>>>
>>>>>>>>>>> I have ensured and verified that it only contains generic ASCII
>>>>>>>>>>> text format, no spaces, symbols etc. Tried using UTF-8 and US-ASCII
>>>>>>>>>>> format while encoding, but it still cannot work.
>>>>>>>>>>>
>>>>>>>>>>> Any advice is greatly appreciated.
>>>>>>>>>>>
>>>>>>>>>>> Looking forward to your reply, thank you.
>>>>>>>>>>>
>>>>>>>>>>> Cheers.

Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab



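The encoding Amogh describes above (space to %20, newline to %0A) and the "illegal ASCII non-printable characters" rejection Indra hit, worked through end to end. This is an added example, not code from the thread, from cloudmonkey or from CloudStack. The sample PEM is constructed (base64 of arbitrary bytes, not a real certificate), the API key, secret and domain suffix are placeholders, and two things are my assumptions rather than anything the thread states: that the server's check is "every character of the raw parameter value is printable ASCII (0x20-0x7E)", which is what the error text implies, and that requests are signed with the standard CloudStack API signature (lower-cased, key-sorted query string, HMAC-SHA1, base64, URL-encoded).

```python
"""Prepare a PEM certificate for CloudStack's uploadCustomCertificate call.

Added example for this thread; not code from the thread or from CloudStack.
Assumed, not stated on the page: the server rejects a parameter whose raw
value holds any character outside printable ASCII, and requests are signed
with the standard CloudStack API signature. Keys and domain are placeholders.
"""
import base64
import binascii
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Constructed stand-in: PEM framing around base64 of arbitrary bytes.
# It is NOT a real certificate; only the text shape matters for encoding.
_body = base64.b64encode(b"constructed stand-in for DER bytes, not a real cert").decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_body[i:i + 64] for i in range(0, len(_body), 64))
    + "\n-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n(.+?)\n-----END CERTIFICATE-----\n?\Z", re.S
)


def is_printable_ascii(value: str) -> bool:
    """The check the API error message describes: a raw PEM fails it (newlines)."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in value)


def check_pem(pem: str) -> bool:
    """Refuse input that is not one complete PEM CERTIFICATE block.

    The thread shows 'BEGIN' alone and a block with the dashes stripped being
    tried; both are caught here, as is a body that is not valid base64.
    """
    match = PEM_RE.match(pem)
    if match is None:
        return False
    try:
        base64.b64decode("".join(match.group(1).split()), validate=True)
    except binascii.Error:
        return False
    return True


def encode_param(value: str) -> str:
    """URL-encode a value the way the API expects.

    safe='' turns space into %20 (never '+'), newline into %0A and the
    base64 characters + / = into %2B %2F %3D; '-' is left alone, so the
    BEGIN/END markers come out exactly as in Amogh's reply.
    """
    return quote(value, safe="")


def round_trips(value: str) -> bool:
    """Decoding the encoded value must give the original back unchanged."""
    return unquote(encode_param(value)) == value


def sign_request(params: dict, secret_key: str) -> str:
    """Assumed CloudStack API signature (not shown in the thread)."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    to_sign = "&".join(f"{k.lower()}={encode_param(v).lower()}" for k, v in ordered)
    digest = hmac.new(secret_key.encode(), to_sign.encode(), hashlib.sha1).digest()
    return encode_param(base64.b64encode(digest).decode())


def build_upload_query(pem: str, api_key: str, secret_key: str,
                       name: str, domain_suffix: str, seq: int) -> str:
    """Return the signed query string for one certificate of the chain.

    seq is the 'id' parameter: 1 for the root, 2 for an intermediate, and
    so on, uploaded in that order. Malformed PEM is rejected here instead
    of surfacing as the server-side 'illegal ASCII' error from the thread.
    """
    if not check_pem(pem):
        raise ValueError("certificate is not a complete PEM CERTIFICATE block")
    params = {
        "command": "uploadCustomCertificate",
        "apiKey": api_key,
        "certificate": pem,
        "domainsuffix": domain_suffix,
        "id": str(seq),
        "name": name,
        "response": "json",
    }
    query = "&".join(f"{k}={encode_param(v)}" for k, v in params.items())
    query += "&signature=" + sign_request(params, secret_key)
    if not is_printable_ascii(query):
        raise ValueError("encoded query still contains non-printable characters")
    return query


if __name__ == "__main__":
    # Placeholder credentials and domain; replace with real ones.
    q = build_upload_query(SAMPLE_PEM, "APIKEY", "SECRETKEY",
                           name="root", domain_suffix="cloud.example.com", seq=1)
    print("raw PEM passes printable check:", is_printable_ascii(SAMPLE_PEM))
    print("encoded query passes printable check:", is_printable_ascii(q))
    print("GET http://<management-server>:8080/client/api?" + q[:80] + "...")
```

Running it shows the raw PEM failing the printable-ASCII check (the newlines) while the encoded query passes, which is the whole difference between the rejected and accepted attempts in the thread. Online encoders that emit "+" for a space will not produce the same string; quote() with safe='' is what matches the "%20" Amogh gives.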
