I went down the route with custom DNS service (already working) and custom certificate, because it feels safer than rolling out my RPM packages.

So, the instructions (https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name#ProceduretoReplacerealhostip.comwithYourOwnDomainName-HowtogeneratemycustomrootCAandcertificate?) point me to creating an intermediate certificate, which I do not think is required. If I am my own CA, why should I create an intermediate certificate and sign with that to complicate things? I guess I could sign my CSR with CA directly. Can't I?

Then just use the GUI and no API calls, to add the certificate, the key and domain info.

As long as I keep secstorage.encrypt.copy to false, all should work. Right?

Regards,
F.

On 20 Sep 2014, at 21:17, Amogh Vasekar <[email protected]> wrote:

> ConsoleProxyInfo and ConsoleProxyManagerImpl.assignProxy have the relevant
> code to generate the URL for accessing console.
> The ConsoleProxyServlet handles the requests, and might be a good starting
> point if you wish to change the code.
>
> Amogh
>
> On 9/20/14 12:01 PM, "France" <[email protected]> wrote:
>
>> Hi Amogh,
>>
>> thank you for your suggestions and instructions on disabling.
>>
>> We will not run a wildcard DNS resolver on certain subdomain as required
>> for this option.
>> Once ACS supports single domain for console proxy access, we shall enable
>> https once again with our signed/bought certificate.
>>
>> In the meantime, we either have to move to http from https making access
>> to whole admin interface insecure or hack the code to display a link to
>> console instead of iframe.
>> I would rather go for the latter option. Does anyone who is following
>> this, know where is the code for that iframe link?
>>
>> Thank you.
>>
>> F.
>>
>> On 20 Sep 2014, at 20:33, Amogh Vasekar <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I believe this is by design for SSL - a user would see a HTTPS site
>>> thinking everything is secure and encrypted, only to realize later that
>>> some part is in fact insecure. Hence, instead of trying to circumvent
>>> the security mechanism, you can try the steps at:
>>>
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name#ProceduretoReplacerealhostip.comwithYourOwnDomainName-HowtogeneratemycustomrootCAandcertificate?
>>>
>>> This would help create your own certificate chain. The downside being
>>> your users would need to add the custom root CA in the browser (a
>>> practice followed by many companies for internal network), or simply
>>> accept the security warning the first time they access your domain.
>>> Please note that this would still need a publicly resolvable domain (or
>>> add the mappings directly in /etc/hosts if it is more convenient)
>>>
>>> Thanks,
>>> Amogh
>>>
>>> On 9/20/14 11:22 AM, "France" <[email protected]> wrote:
>>>
>>>> It worked for us. Well kind of.
>>>>
>>>> The problem is now, that we have https for default admin interface,
>>>> while console opens as iframe to http content and browsers such as
>>>> firefox will not load content, because it is not on https.
>>>> They call it: "Mixed Content Blocking Enabled":
>>>>
>>>> https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
>>>>
>>>> Do you have any recommendations what to do in order to get around this?
>>>>
>>>> We will not buy a wildcard certificate, because it is too expensive for
>>>> us.
>>>>
>>>> Regards,
>>>> F.
>>>>
>>>> On 20 Sep 2014, at 15:21, France <[email protected]> wrote:
>>>>
>>>>> I will just empty these two fields in global config:
>>>>>
>>>>> secstorage.ssl.cert.domain
>>>>> consoleproxy.url.domain
>>>>>
>>>>> restart CS and restart the console proxy..
>>>>>
>>>>> … and hope for the best. :-)
>>>>>
>>>>> If you do not hear from me on this, then this worked and others can do
>>>>> it too.
>>>>>
>>>>> Regards,
>>>>> F.
>>>>>
>>>>> On 20 Sep 2014, at 15:16, Aldis Gerhards <[email protected]> wrote:
>>>>>
>>>>>> We got the same problem. It seemed like a bug :) we downgraded back
>>>>>> to 4.3.0 because of this issue.
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On 2014. gada 20. sept., at 15:39, France <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi guys,
>>>>>>>
>>>>>>> how do we disable realhostip.com service with its certificates on
>>>>>>> ACS 4.3.1, to get consoleproxy working without ties to
>>>>>>> realhostip.com service?
>>>>>>> We are happy with HTTP only for now.
>>>>>>>
>>>>>>> Regards,
>>>>>>> F.
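
As an added example, not part of the thread or of the CloudStack wiki procedure: at the X.509 level, the question in the top message (signing the CSR with the root CA directly, without an intermediate) comes down to whether a two-element chain verifies. The script builds a throwaway root CA, signs a wildcard CSR with it directly and checks chain and hostname with `openssl verify`; the domain `cp.example.test`, the host names, the CA name and the file names are constructed, and it shows nothing about what the CloudStack certificate upload itself accepts.

```shell
#!/bin/sh
# Added example (not from the thread or the CloudStack wiki).
# DOMAIN, the CA name, host names and file names are constructed values.
DOMAIN="cp.example.test"

# Returns 0 if a certificate for *.$DOMAIN, signed directly by a throwaway
# root CA (no intermediate), verifies for hostname $1; 1 if it does not;
# 3 if key/certificate generation itself failed.
verify_direct_signed() {
    host="$1"
    work=$(mktemp -d) || return 3
    (
        cd "$work" || exit 3
        # Minimal config so the run does not depend on the system openssl.cnf.
        cat > req.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
        # 1. Self-signed root CA (v3_ca extensions applied because of -x509).
        openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
            -keyout ca.key -out ca.crt 2>/dev/null || exit 3
        # 2. Server key and CSR for the wildcard name.
        openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=*.$DOMAIN" -keyout srv.key -out srv.csr 2>/dev/null || exit 3
        # 3. Sign the CSR with the root key itself; mark the result a non-CA leaf.
        printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:*.%s\n' \
            "$DOMAIN" > ext.cnf
        openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 30 -extfile ext.cnf -out srv.crt 2>/dev/null || exit 3
        # 4. Two-element chain (leaf -> root) plus hostname match.
        openssl verify -CAfile ca.crt -verify_hostname "$host" srv.crt \
            >/dev/null 2>&1 || exit 1
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

verify_direct_signed "console1.$DOMAIN" && echo "leaf signed by root verifies"
```

Clients still have to trust `ca.crt` as a root, as the quoted reply about adding the custom root CA in the browser points out.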
