Thanks for the reply Richard.

The consoleproxy.url.domain is set to my wildcard domain name, is that how it 
should be?

I set consoleproxy.sslEnabled as true and now the console window isn't totally 
blank.  Instead I get <I-P-Address.mydomain.name> refused to connect.  Logs now 
say "Compose console url: https://".

Question - the address of the console window is showing as the FQDN of my 
CloudStack Management server.  The certificate for my Management UI is what 
loads which is assigned to the FQDN of the management server.

I guess I'm confused as to where the wildcard certificate needs to be loaded.  
Following the console proxy SSL directions, I assume the wildcard certificate 
is for the VM Console functionality (NO?).
 
http://docs.cloudstack.apache.org/en/4.11.1.0/adminguide/systemvm.html?highlight=certificate#changing-the-console-proxy-ssl-certificate-and-domain

So to review I have two CA certificates:  

1-  is for my management server UI portal which is a FQDN named certificate 
2- for the console proxy as a wildcard certificate.  

Should I have two different certs or should I have used the wildcard for both 
the UI portal and console proxy vm???

Apologies for my newb questions.

Mike



-----Original Message-----
From: Richard Lawley <[email protected]> 
Sent: Tuesday, December 8, 2020 1:55 PM
To: [email protected]
Subject: Re: Troubleshooting Console Proxy

Our documented procedure for updating console proxy SSL is:

   1. Load cert through CloudStack UI, wait for Console Proxy VMs to restart
   2. If this is the first installation of SSL certificate, ensure Settings
   consoleproxy.sslEnabled and consoleproxy.url.domain are set correctly
   3. Restart CloudStack Management Service

Once it's working you should be able to access the console proxy over
https, which should be enough for you to confirm the correct cert is there.

Regards,

Richard

On Tue, 8 Dec 2020 at 18:31, Corey, Mike <[email protected]> wrote:

> Hi,
>
> I believe I have configured the console proxy correctly but I'd like to
> verify the console proxy is using my wildcard certificate.  When I loaded
> the wildcard cert, root, and sub root, key, etc. through the CS portal I
> got a "succeed" message and the system vms reloaded, but the console isn't
> loading.
>
> How can I verify the Console VM is using my custom wildcard cert? Is it an
> openssl command or a mysql query?
>
> What logs should I be looking for an error message as to why my console
> window is blank?
>
> The public IP of the console proxy vm is in DNS and resolves.  The
> management log shows that the url is being provided but again just a blank
> window.
>
> 2020-12-08 11:21:58,424 DEBUG [c.c.s.ConsoleProxyServlet]
> (qtp1497845528-16:null) (logid:) Compose console url: http://<
> I-P.domain.name
> >/ajax?token=mORLUQO3R5lrOdIrRZsozUg2LnLTx5jGtgJnhHRX_-1WmlyxDZzQsaZ7nmuU_KFpd9egjZtkx74ftae3wUpF2IdvRKy7HlYodQBtQf9ldJvZhYNr1GOnxWJYZAAxTPatkVhbVg9Q9gJqFVXB5ebphg1MyGzktZgu6I5VwweGtH2tJcBFqOeUH7utMAzOeGdQW6RXZXi3HWjUSnWs4AzxwX53yFGiS1nOB2lCqAkz8-PUkx7qvfDFkxLEs6iVYTNTaowejHS13_yHeSf7t_xQFkXs1MeQNqEUcBAFaevWbSg&guest=windows
> 2020-12-08 11:21:58,424 DEBUG [c.c.s.ConsoleProxyServlet]
> (qtp1497845528-16:null) (logid:) the console url is ::
> <html><title>CV-Oct14-T20</title><frameset><frame src="http://<
> I-P.domain.name
> >//ajax?token=mORLUQO3R5lrOdIrRZsozUg2LnLTx5jGtgJnhHRX_-1WmlyxDZzQsaZ7nmuU_KFpd9egjZtkx74ftae3wUpF2IdvRKy7HlYodQBtQf9ldJvZhYNr1GOnxWJYZAAxTPatkVhbVg9Q9gJqFVXB5ebphg1MyGzktZgu6I5VwweGtH2tJcBFqOeUH7utMAzOeGdQW6RXZXi3HWjUSnWs4AzxwX53yFGiS1nOB2lCqAkz8-PUkx7qvfDFkxLEs6iVYTNTaowejHS13_yHeSf7t_xQFkXs1MeQNqEUcBAFaevWbSg&guest=windows"></frame></frameset></html>
>
> From: Corey, Mike <[email protected]>
> Sent: Monday, December 7, 2020 12:02 PM
> To: [email protected]
> Subject: [CAUTION] Console Proxy on VMware ESXi?
>
> Hi,
>
> Is there still a requirement to modify the ESXi firewall for VM console
> proxy?  Documented process is for older version so I wasn't sure if it was
> still relevant for ESXi 6.5 and 6.7+.  I ask because when I launch the VM
> proxy I just get a blank window.  Any ideas on how I can troubleshoot?
>
> Extend Port Range for CloudStack Console Proxy
> (Applies only to VMware vSphere version 4.x)
> You need to extend the range of firewall ports that the console proxy
> works with on the hosts. This is to enable the console proxy to work with
> VMware-based VMs. The default additional port range is 59000-60000. To
> extend the port range, log in to the VMware ESX service console on each
> host and run the following commands:
> esxcfg-firewall -o 59000-60000,tcp,in,vncextras
> esxcfg-firewall -o 59000-60000,tcp,out,vncextras
>
>
> Thanks!
>
> Mike
>
>
> Mike Corey
>
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> US
>
> SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> States
>
> T +1 610 661 0905, M +1 484 274 2658, E [email protected]<mailto:
> [email protected]>
>
>
>
>
>
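
Added example, not part of the thread or of CloudStack's own code: a check of which hostnames a certificate covers, applied to the console proxy name versus a management-server FQDN certificate. It assumes the console hostname is the dashed public IP placed under consoleproxy.url.domain (the `I-P-Address.mydomain.name` form seen in the messages); the IP, domain and certificate contents are constructed placeholders.

```python
import socket
import ssl

def console_proxy_host(public_ip, url_domain):
    """Assumed naming: dashed public IP under consoleproxy.url.domain."""
    return public_ip.replace(".", "-") + "." + url_domain.lstrip("*.")

def name_matches(pattern, host):
    """RFC 6125 style: '*' is the whole leftmost label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    """cert is the dict returned by SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(s, host) for s in sans)

def fetch_cert(host, port=443, timeout=5):
    """Fetch the served certificate (needs network access).
    Raises ssl.SSLCertVerificationError if the chain or hostname is wrong;
    for a private CA, call ctx.load_verify_locations() with its bundle."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format, not real certificates.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.cloud.example.com"),)}
MGMT_CERT = {"subjectAltName": (("DNS", "mgmt.cloud.example.com"),)}

if __name__ == "__main__":
    host = console_proxy_host("203.0.113.10", "*.cloud.example.com")
    for label, cert in (("wildcard", WILDCARD_CERT), ("management FQDN", MGMT_CERT)):
        print(f"{label} cert covers {host}: {cert_covers(cert, host)}")
    # Against a live console proxy: cert_covers(fetch_cert(host), host)
```
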
