cloudstack-users mailing list archives

From Aurélien <footp...@gmail.com>
Subject Re: Download templates and ISOs via HTTPS
Date Fri, 20 May 2016 14:10:48 GMT
Hello,

Thanks for the patch, it works here too. I added a LGTM on the PR.

Best regards,
Aurélien

On Fri, May 20, 2016 at 2:49 PM, Milamber <milamber@apache.org> wrote:
> Hello,
>
> I confirm this issue. The keystore used by the Java instance of SSVM has
> only the custom certs inside (root, realhostip, cross, intermed and
> cpvmcertificat).
>
> So when the SSVM tries to download an HTTPS URL, the JVM cannot validate the
> SSL signs.
>
> I've posted the PR 1555 to fix this. I've tested this patch with success on
> my test installation.
>
> Milamber
>
> https://github.com/apache/cloudstack/pull/1555
>
>
> On 20/05/2016 12:47, Aurélien wrote:
>>
>> Hello,
>>
>> In fact, yes, and everything inside CloudStack is working fine (I can
>> connect to CPVM correctly, the right certificate is presented, etc).
>> The only problem with this procedure is that the certificates you
>> upload are put in a custom keystore. This keystore contains only the
>> key, chain and root certificate uploaded via the API.
>>
>> When a custom keystore is provided, the default keystore (ie, the one
>> containing generally trusted root CAs included in common browsers) is
>> not loaded, and thus the only root CA that would be trusted is the one
>> corresponding to the uploaded wildcard. In my case, I want users to be
>> able to add templates hosted on HTTPS servers, which present SSL
>> certificates from various root CAs.
>>
>> I think the contents of the “realhostip” keystore should be:
>> - contents of the default keystore
>> - and, additionally uploaded cert, chain, root and key.
>>
>> Best regards,
>> Aurélien
>>
>> On Fri, May 20, 2016 at 11:28 AM, Abhinandan Prateek
>> <abhinandan.prateek@shapeblue.com> wrote:
>>>
>>> Have you followed the procedure documented here
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
>>>
>>>
>>>
>>>
>>> On 19/05/16, 11:01 PM, "Aurélien" <footplus@gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I’m investigating an issue on CloudStack 4.8.0, which is I believe
>>>> well described in
>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475.
>>>>
>>>> I’m trying to add my ISO from, for example:
>>>> https://releases.rancher.com/os/latest/rancheros.iso
>>>>
>>>> The problem is that I’m using a custom SSL certificate, and because of
>>>> this, the java instance on the SSVM (and CPVM) is started with a
>>>> custom keystore; doing so also overrides the default certificate trust
>>>> store, and the traditional certificate validation mechanisms, so I get
>>>> the error (sun.security.validator.ValidatorException: PKIX path
>>>> building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>> find valid certification path to requested target).
>>>>
>>>> Would it be possible and advisable to add the contents of the default
>>>> certificate store (Option 2 in
>>>>
>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
>>>> to the custom store when a custom SSL certificate is activated ?
>>>>
>>>> If so (I’m relatively new to CloudStack’s code) where should I peek in
>>>> the System VM to add the custom import commands ?
>>>>
>>>> Is there any existing issue you are aware of that addresses this issue
>>>> ? In my opinion, if there isn’t, we should open one.
>>>>
>>>> What do you think ?
>>>>
>>>> Thanks !
>>>>
>>>> Best regards,
>>>> --
>>>> Aurélien Guillaume
>>>
>>> abhinandan.prateek@shapeblue.com
>>> www.shapeblue.com
>>> 53 Chandos Place, Covent Garden, London  WC2N 4HS UK
>>> @shapeblue
>>>
>>>
>>
>>
>



-- 
Aurélien Guillaume
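
The merge proposed in this thread (default CA certificates plus the uploaded ones in one trust store), sketched as an added example; it is not the code from PR 1555 or from CloudStack. It assumes Java 9 or later, the stock `cacerts` password `changeit`, and a hypothetical class name and command-line arguments for the custom store.

```java
import java.io.File;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MergedTrustStore {

    // Copy only trusted-certificate entries; private keys never belong in a trust store.
    static int copyCerts(KeyStore from, KeyStore to, String prefix) throws Exception {
        int copied = 0;
        for (String alias : Collections.list(from.aliases())) {
            if (from.isCertificateEntry(alias)) {
                to.setCertificateEntry(prefix + alias, from.getCertificate(alias));
                copied++;
            }
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        // Read cacerts from disk explicitly: if the JVM was started with
        // -Djavax.net.ssl.trustStore pointing at a custom store, the "default"
        // trust managers would only see that custom store.
        File cacerts = new File(System.getProperty("java.home"), "lib/security/cacerts");
        // Assumption: the stock cacerts password "changeit".
        KeyStore defaults = KeyStore.getInstance(cacerts, "changeit".toCharArray());

        // Custom store: path and password from the command line (hypothetical
        // arguments); with no arguments an empty constructed store stands in.
        KeyStore custom;
        if (args.length == 2) {
            custom = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        } else {
            custom = KeyStore.getInstance(KeyStore.getDefaultType());
            custom.load(null, null);
        }

        // Merged trust store: public CAs first, then the operator's own certificates.
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null);
        int publicCas = copyCerts(defaults, merged, "default-");
        int customCas = copyCerts(custom, merged, "custom-");

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(merged);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        // ctx.getSocketFactory() can now be set on the HttpsURLConnection used for downloads.
        System.out.printf("trust anchors: %d default + %d custom%n", publicCas, customCas);
    }
}
```

The private key and its chain stay in the key store used for serving TLS; only certificate entries are copied, so the merged store widens what the JVM trusts for outbound HTTPS without exposing key material.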
