cloudstack-users mailing list archives

From Aurélien <footp...@gmail.com>
Subject Re: Download templates and ISOs via HTTPS
Date Fri, 20 May 2016 11:47:02 GMT
Hello,

In fact, yes, and everything inside CloudStack is working fine (I can
connect to CPVM correctly, the right certificate is presented, etc).
The only problem with this procedure is that the certificates you
upload are put in a custom keystore. This keystore contains only the
key, chain and root certificate uploaded via the API.

When a custom keystore is provided, the default keystore (i.e., the one
containing generally trusted root CAs included in common browsers) is
not loaded, and thus the only root CA that would be trusted is the one
corresponding to the uploaded wildcard. In my case, I want users to be
able to add templates hosted on HTTPS servers, which present SSL
certificates from various root CAs.

I think the contents of the “realhostip” keystore should be:
- contents of the default keystore
- and, additionally, uploaded cert, chain, root and key.

Best regards,
Aurélien

On Fri, May 20, 2016 at 11:28 AM, Abhinandan Prateek
<abhinandan.prateek@shapeblue.com> wrote:
> Have you followed the procedure documented here https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
>
>
>
>
> On 19/05/16, 11:01 PM, "Aurélien" <footplus@gmail.com> wrote:
>
>>Hello,
>>
>>I’m investigating an issue on CloudStack 4.8.0, which is, I believe,
>>well described in
>>https://issues.apache.org/jira/browse/CLOUDSTACK-1475.
>>
>>I’m trying to add my ISO from, for example:
>>https://releases.rancher.com/os/latest/rancheros.iso
>>
>>The problem is that I’m using a custom SSL certificate, and because of
>>this, the java instance on the SSVM (and CPVM) is started with a
>>custom keystore; doing so also overrides the default certificate trust
>>store, and the traditional certificate validation mechanisms, so I get
>>the error (sun.security.validator.ValidatorException: PKIX path
>>building failed:
>>sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>find valid certification path to requested target).
>>
>>Would it be possible and advisable to add the contents of the default
>>certificate store (Option 2 in
>>https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
>>to the custom store when a custom SSL certificate is activated ?
>>
>>If so (I’m relatively new to CloudStack’s code) where should I peek in
>>the System VM to add the custom import commands ?
>>
>>Is there any existing issue you are aware of that addresses this issue
>>? In my opinion, if there isn’t, we should open one.
>>
>>What do you think ?
>>
>>Thanks !
>>
>>Best regards,
>>--
>>Aurélien Guillaume
>
> abhinandan.prateek@shapeblue.com
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London WC2N 4HS UK
> @shapeblue
>
>



-- 
Aurélien Guillaume
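
The merge proposed in this message, as an added example that is not part of the original e-mail and is not CloudStack code: it builds an in-memory trust store from the JDK's default `cacerts` plus the trusted-certificate entries of a custom keystore, and prints how many trust anchors each store yields. The class name, the command-line arguments and the assumption that the custom root is stored as a trusted-certificate entry are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class MergedTrustStore { // hypothetical class name
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Copy only trusted-certificate entries; private keys and their leaf
    // certificates are left out so they do not become trust anchors.
    static void copyTrusted(KeyStore src, KeyStore dst, String prefix) throws Exception {
        for (String alias : Collections.list(src.aliases())) {
            if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(prefix + alias, src.getCertificate(alias));
            }
        }
    }

    // Number of certificates the JSSE trust manager accepts from this store.
    static int trustAnchors(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return 0;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the custom keystore, args[1]: its password (operator-supplied)
        KeyStore custom = load(args[0], args[1].toCharArray());
        String cacerts = Paths.get(System.getProperty("java.home"),
                                   "lib", "security", "cacerts").toString();
        KeyStore defaults = load(cacerts, "changeit".toCharArray()); // JDK default password

        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // start from an empty in-memory store
        copyTrusted(defaults, merged, "default-");
        copyTrusted(custom, merged, "custom-");

        System.out.println("custom only: " + trustAnchors(custom) + " trust anchors");
        System.out.println("merged:      " + trustAnchors(merged) + " trust anchors");
    }
}
```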
