Hello,

In fact, yes, and everything inside CloudStack is working fine (I can connect to CPVM correctly, the right certificate is presented, etc). The only problem with this procedure is that the certificates you upload are put in a custom keystore. This keystore contains only the key, chain and root certificate uploaded via the API.

When a custom keystore is provided, the default keystore (i.e., the one containing generally trusted root CAs included in common browsers) is not loaded, and thus the only root CA that would be trusted is the one corresponding to the uploaded wildcard.

In my case, I want users to be able to add templates hosted on HTTPS servers, which present SSL certificates from various root CAs.

I think the contents of the “realhostip” keystore should be:
- contents of the default keystore
- and, additionally, uploaded cert, chain, root and key.

Best regards,
Aurélien

On Fri, May 20, 2016 at 11:28 AM, Abhinandan Prateek <[email protected]> wrote:
> Have you followed the procedure documented here
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
>
> On 19/05/16, 11:01 PM, "Aurélien" <[email protected]> wrote:
>
>>Hello,
>>
>>I’m investigating an issue on CloudStack 4.8.0, which is I believe
>>well described in
>>https://issues.apache.org/jira/browse/CLOUDSTACK-1475.
>>
>>I’m trying to add my ISO from, for example:
>>https://releases.rancher.com/os/latest/rancheros.iso
>>
>>The problem is that I’m using a custom SSL certificate, and because of
>>this, the java instance on the SSVM (and CPVM) is started with a
>>custom keystore; doing so also overrides the default certificate trust
>>store, and the traditional certificate validation mechanisms, so I get
>>the error (sun.security.validator.ValidatorException: PKIX path
>>building failed:
>>sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>find valid certification path to requested target).
>>
>>Would it be possible and advisable to add the contents of the default
>>certificate store (Option 2 in
>>https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
>>to the custom store when a custom SSL certificate is activated?
>>
>>If so (I’m relatively new to CloudStack’s code) where should I peek in
>>the System VM to add the custom import commands?
>>
>>Is there any existing issue you are aware of that addresses this issue?
>>In my opinion, if there isn’t, we should open one.
>>
>>What do you think?
>>
>>Thanks!
>>
>>Best regards,
>>--
>>Aurélien Guillaume
>
> [email protected]
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London WC2N 4HS UK
> @shapeblue

--
Aurélien Guillaume
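
The keystore contents proposed in the message above (default trusted roots plus the uploaded key, chain and root), sketched as an added example that is not part of the thread and not CloudStack's own code. The class name `MergeDefaultTrust`, its command-line arguments and the `default-ca-N` alias scheme are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class (name and arguments are assumptions, not CloudStack code).
public class MergeDefaultTrust {

    // Adds every root CA from the JVM's default trust store to `custom` as a
    // trusted-certificate entry; existing entries (uploaded key, chain, root) are kept.
    static int addDefaultRoots(KeyStore custom) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null selects the default trust store (cacerts), provided this JVM was not
        // itself started with -Djavax.net.ssl.trustStore pointing somewhere else.
        tmf.init((KeyStore) null);
        int added = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (custom.getCertificateAlias(ca) != null) continue; // already present
                String alias = "default-ca-" + added;
                while (custom.containsAlias(alias)) alias += "x";     // never overwrite an entry
                custom.setCertificateEntry(alias, ca);
                added++;
            }
        }
        return added;
    }

    // Usage: java MergeDefaultTrust <custom-keystore-in> <merged-keystore-out> <store-password>
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: MergeDefaultTrust <in> <out> <store-password>");
            System.exit(2);
        }
        char[] pass = args[2].toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pass); }
        int n = addDefaultRoots(ks);
        try (OutputStream out = new FileOutputStream(args[1])) { ks.store(out, pass); }
        System.out.println("added " + n + " default root CAs; total entries: " + ks.size());
    }
}
```

A password passed as an argument is visible in the process list, so read it from a protected file or the console when running this on a shared host.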
