Hello,

Thanks for the patch, it works here too. I added an LGTM on the PR.

Best regards,
Aurélien

On Fri, May 20, 2016 at 2:49 PM, Milamber <[email protected]> wrote:
> Hello,
>
> I confirm this issue. The keystore used by the Java instance of SSVM has
> only the custom certs inside (root, realhostip, cross, intermed and
> cpvmcertificat).
>
> So when the SSVM tries to download a HTTPS url, the JVM cannot validate the
> SSL signs.
>
> I've posted the PR 1555 to fix this. I've tested this patch with success on
> my test installation.
>
> Milamber
>
> https://github.com/apache/cloudstack/pull/1555
>
>
> On 20/05/2016 12:47, Aurélien wrote:
>>
>> Hello,
>>
>> In fact, yes, and everything inside CloudStack is working fine (I can
>> connect to CPVM correctly, the right certificate is presented, etc).
>> The only problem with this procedure is that the certificates you
>> upload are put in a custom keystore. This keystore contains only the
>> key, chain and root certificate uploaded via the API.
>>
>> When a custom keystore is provided, the default keystore (i.e., the one
>> containing generally trusted root CAs included in common browsers) is
>> not loaded, and thus the only root CA that would be trusted is the one
>> corresponding to the uploaded wildcard. In my case, I want users to be
>> able to add templates hosted on HTTPS servers, which present SSL
>> certificates from various root CAs.
>>
>> I think the contents of the “realhostip” keystore should be:
>> - contents of the default keystore
>> - and, additionally uploaded cert, chain, root and key.
>>
>> Best regards,
>> Aurélien
>>
>> On Fri, May 20, 2016 at 11:28 AM, Abhinandan Prateek
>> <[email protected]> wrote:
>>>
>>> Have you followed the procedure documented here
>>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/Procedure+to+Replace+realhostip.com+with+Your+Own+Domain+Name
>>>
>>>
>>>
>>>
>>> On 19/05/16, 11:01 PM, "Aurélien" <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> I’m investigating an issue on CloudStack 4.8.0, which is I believe
>>>> well described in
>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475.
>>>>
>>>> I’m trying to add my ISO from, for example:
>>>> https://releases.rancher.com/os/latest/rancheros.iso
>>>>
>>>> The problem is that I’m using a custom SSL certificate, and because of
>>>> this, the java instance on the SSVM (and CPVM) is started with a
>>>> custom keystore; doing so also overrides the default certificate trust
>>>> store, and the traditional certificate validation mechanisms, so I get
>>>> the error (sun.security.validator.ValidatorException: PKIX path
>>>> building failed:
>>>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>>>> find valid certification path to requested target).
>>>>
>>>> Would it be possible and advisable to add the contents of the default
>>>> certificate store (Option 2 in
>>>>
>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-1475?focusedCommentId=14537734&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14537734)
>>>> to the custom store when a custom SSL certificate is activated?
>>>>
>>>> If so (I’m relatively new to CloudStack’s code) where should I peek in
>>>> the System VM to add the custom import commands?
>>>>
>>>> Is there any existing issue you are aware of that addresses this issue?
>>>> In my opinion, if there isn’t, we should open one.
>>>>
>>>> What do you think?
>>>>
>>>> Thanks!
>>>>
>>>> Best regards,
>>>> --
>>>> Aurélien Guillaume
>>>
>>> [email protected]
>>> www.shapeblue.com
>>> 53 Chandos Place, Covent Garden, London WC2N 4HS UK
>>> @shapeblue
>>>
>>>
>>
>>
>
--
Aurélien Guillaume
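
The keystore contents proposed in the thread (default trust anchors plus the uploaded certificates) can be built in memory as sketched below. This is an added example, not code from PR 1555 or from CloudStack; it assumes the JVM's default trust store is at `$JAVA_HOME/lib/security/cacerts` with the stock password `changeit`, and the class name, the `default-` alias prefix and the command-line arguments are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MergedTrustStore {
    // Load a keystore file in the JVM's default keystore format.
    static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Copy every trusted-certificate entry of `defaults` into `custom`.
    // Private-key entries are never copied and existing aliases are kept.
    static int mergeTrustedCerts(KeyStore custom, KeyStore defaults) throws Exception {
        int added = 0;
        for (String alias : Collections.list(defaults.aliases())) {
            if (!defaults.isCertificateEntry(alias)) continue;
            String target = "default-" + alias; // hypothetical prefix, avoids alias clashes
            if (custom.containsAlias(target)) continue;
            custom.setCertificateEntry(target, defaults.getCertificate(alias));
            added++;
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] = path of the custom keystore, args[1] = its password.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore defaults = load(cacerts, "changeit".toCharArray());
        KeyStore custom = load(Paths.get(args[0]), args[1].toCharArray());
        int added = mergeTrustedCerts(custom, defaults);

        // Trust decisions now use the uploaded chain plus the default root CAs.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(custom);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("added " + added + " default CAs, " + custom.size() + " entries total");
    }
}
```

The merged store exists only in memory here; if it is written back to disk, its trust anchors no longer follow later updates to the JVM's `cacerts` file.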
