Jorge,

There is some issue with your setup. I'm also running Ubuntu 22.04 based x86 KVM with CloudStack 4.19, in adv zone and using a bridge-based network on the KVM host, and it's working for me.

Could you re-setup the agent certificates by setting the auth strictness global setting to false and using the provision certificate API through the API or UI (Infra -> Host -> select host -> provision certificate action)?

For reference, my setup notes are here: https://rohityadav.cloud/blog/cloudstack-kvm/

Regards.

________________________________
From: Jorge Ventura <[email protected]>
Sent: Saturday, June 29, 2024 05:28
To: [email protected] <[email protected]>
Subject: Certificate Problem using Ubuntu 22.04/Jammy: ===> unsupported certificate purpose

I am having a problem related to SSL between the CloudStack Agent and CloudStack Manager. Apparently, Ubuntu using openssl-3.0.2 refuses to accept self-signed certificates.

What should I do? Is there a way to work around this problem?

Sincerely,
Jorge V

root@host1-kvm:~# systemctl status cloudstack-agent.service
● cloudstack-agent.service - CloudStack Agent
     Loaded: loaded (/lib/systemd/system/cloudstack-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2024-06-28 22:55:26 UTC; 52min ago
       Docs: http://www.cloudstack.org/
   Main PID: 4002 (java)
      Tasks: 61 (limit: 77068)
     Memory: 301.0M
        CPU: 18.480s
     CGroup: /system.slice/cloudstack-agent.service
             └─4002 /usr/bin/java -Djava.io.tmpdir=/usr/share/cloudstack-agent/tmp -Xms256m -Xmx2048m -cp "/usr/share/cloudstack-agent/lib/*:/usr/share/cloudstack-agent/plugins/*:/etc/cloud>

Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.Agent.start(Agent.java:297)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.launchNewAgent(AgentShell.java:454)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.launchAgentFromClassInfo(AgentShell.java:431)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.launchAgent(AgentShell.java:415)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.start(AgentShell.java:511)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.agent.AgentShell.main(AgentShell.java:541)
*Jun 28 23:48:00 host1-kvm java[4002]: Caused by: java.io.IOException: SSL Handshake failed while connecting to host: 10.0.1.1 port: 8250*
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.utils.nio.NioClient.init(NioClient.java:67)
Jun 28 23:48:00 host1-kvm java[4002]: at com.cloud.utils.nio.NioConnection.start(NioConnection.java:95)
Jun 28 23:48:00 host1-kvm java[4002]: ... 6 more

Test using openssl s_client connect.

root@host1-kvm:~# openssl s_client -connect 10.0.1.1:8250
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = ca.cloudstack.apache.org
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = ca.cloudstack.apache.org
*verify error:num=26:unsupported certificate purpose*
verify return:1
depth=0 CN = ca.cloudstack.apache.org
verify return:1
---
Certificate chain
 0 s:CN = ca.cloudstack.apache.org
   i:CN = ca.cloudstack.apache.org
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 28 09:52:36 2024 GMT; NotAfter: Jun 21 21:52:36 2054 GMT
---
Server certificate
subject=CN = ca.cloudstack.apache.org
issuer=CN = ca.cloudstack.apache.org
---
Acceptable client certificate CA names
CN = ca.cloudstack.apache.org
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2205 bytes and written 403 bytes
Verification error: unsupported certificate purpose
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 26 (unsupported certificate purpose)
---
80DB9517987F0000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1584:SSL alert number 42
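
Added example, not part of the original thread: a Python sketch that parses an openssl s_client transcript like the one quoted above and separates the verify errors the client raised locally from the TLS alert it received from the server. The function name triage and the abridged SAMPLE text are illustrative choices, not CloudStack or OpenSSL code.

```python
import re

# Abridged from the s_client transcript quoted in the thread above.
SAMPLE = """\
depth=0 CN = ca.cloudstack.apache.org
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = ca.cloudstack.apache.org
*verify error:num=26:unsupported certificate purpose*
verify return:1
Acceptable client certificate CA names
CN = ca.cloudstack.apache.org
Verify return code: 26 (unsupported certificate purpose)
80DB9517987F0000:error:0A000412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1584:SSL alert number 42
"""

DEPTH = re.compile(r"^depth=(\d+) (.+)$")
VERIFY = re.compile(r"^verify error:num=(\d+):(.+)$")
FINAL = re.compile(r"^Verify return code: (\d+) \(")
ALERT = re.compile(r"ssl3_read_bytes:(?:sslv3|tlsv1\d*) alert ([^:]+):.*SSL alert number (\d+)")


def triage(transcript):
    """Split an s_client transcript into local verify errors and peer alerts."""
    report = {"verify_errors": [], "final_code": None,
              "client_cert_requested": False, "peer_alert": None}
    depth = subject = None
    for raw in transcript.splitlines():
        # Mail clients leave '>' wrap markers and '*' emphasis around lines.
        line = raw.strip().strip("*> ")
        if m := DEPTH.match(line):
            depth, subject = int(m.group(1)), m.group(2)
        elif m := VERIFY.match(line):
            # Raised locally by the client while validating the server chain.
            report["verify_errors"].append((depth, subject, int(m.group(1)), m.group(2)))
        elif m := FINAL.match(line):
            report["final_code"] = int(m.group(1))
        elif line == "Acceptable client certificate CA names":
            # The server sent a CertificateRequest, i.e. it asks for mutual TLS.
            report["client_cert_requested"] = True
        elif m := ALERT.search(line):
            # An "alert ..." reason from ssl3_read_bytes is an alert received from the peer.
            report["peer_alert"] = (int(m.group(2)), m.group(1))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, errors 18 and 26 are both reported at depth 0 against CN = ca.cloudstack.apache.org, while alert 42 is recorded separately as coming from the server, which had requested a client certificate.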
