ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
CONFIGURATION
OS / ENVIRONMENT
- CentOS7
- MGMT Server on VMWare
- Cloudstack 4.14
- Java 11
- OpenSSL 1.0.2k-fips
SUMMARY
We are not able to access the 4.14 Webserver over HTTPS after upgrading from a functioning 4.13. The Webserver seems to not send anything back. If we curl the https it just loads infinitely:
# curl -v https://localhost:8443/client
* About to connect() to localhost port 8443 (#0)
* Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
....(waits)
Previous investigations regarding networking etc can be seen here:
https://lists.apache.org/thread.html/r50fa6f94dae308a598eb2eeb738f4325e29814d8da83de8558bccfb2%40%3Cusers.cloudstack.apache.org%3E
Using a self-signed certificate actually works, only when using an adequate certificate (wildcard in our case) it stops functioning
Commands used:
Combine Files
cat key.key servercert.crt intermediate.crt root.crt > combined.crt
Create Keystore
openssl pkcs12 -in combined.crt -export -out combined.pkcs12
Import Keystore
keytool -importkeystore -srckeystore combined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/combined.pkcs12 -deststoretype pkcs12
Then change https.keystore= and https.keystore.password= accordingly and restart cloudstack-management
Logs found:
2020-06-29 12:01:02,052 INFO [o.e.j.s.h.ContextHandler] (main:null) (logid:) Started o.e.j.w.WebAppContext@311bf055{/client,file:///usr/share/cloudstack-management/webapp/,AVAILABLE}{/usr/share/cloudstack-management/webapp}
2020-06-29 12:01:02,053 INFO [o.e.j.s.h.ContextHandler] (main:null) (logid:) Started o.e.j.s.h.MovedContextHandler@451001e5{/,null,AVAILABLE}
2020-06-29 12:01:02,076 INFO [o.e.j.s.AbstractConnector] (main:null) (logid:) Started ServerConnector@6f46426d{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
2020-06-29 12:01:02,090 INFO [o.e.j.u.s.SslContextFactory] (main:null) (logid:) x509=X509@25c6abfa(1,h=[our acual domain name],w=[our domain name again]) for SslContextFactory@4991c0f7[provider=null,keyStore=file:///etc/cloudstack/management/combined.pkcs12,trustStore=null]
Things tried:
- Tested Firefox, Chrome, Edge, IE
- Cache cleared / Private Mode
- Multiple Client Systems
- Numerous combinations of key-cert-intermediate-root when generating the pkcs12
- Keystore only with key and server certificate without any CA's
- Different Certificate Vendors (2 different Wildcard Certificates, Sectigo and Digicert/RapidSSL)
- Generated Certificate via internal Domains Certificate Authority
- Checked all certificate combinations via certutil in Windows Powershell
- Changed keystore password to minimal ones without special characters (e.g. 123456)
- Changed the
https.port to any other Port in server.properties
- Switched back to java-1.8.0 - of course management server failed to start
- Uploaded certificate chain via 8080 Web GUI - Found working combination of cert-intermediate-root to work with by opening console proxy in separate window and checking certificate validity
- Definitely working combination (for firefox) gets the same outcome when being used as pkcs12
- Updating to a newer Openssl Version fails because its the newest for CentOS7
- Just in case it has an impact - Outcommented
jdk.tls.disabledAlgorithms in java.security.ciphers
Further Investigations:
- If we change the keystore password to nonsense it makes no difference
- If we change the keystore name or path to nonsense it almost instantly says that the Website is unreachable and does not load infinitely and curl says Connection Refused
- Fresh Install shows the same behaviour
STEPS TO REPRODUCE
EXPECTED RESULTS
- A response from 8443 as it has been before the upgrade or at least an SSL error regarding a wrong certificate
ACTUAL RESULTS
- Webserver not responding / loading forever no matter what certificate is used
- Actually it isn't really "not responding" as it is in fact trying to communicate but nothing happens
ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
CONFIGURATION
server.properties:
https.enable=truehttps.port=8443https.keystore=/etc/cloudstack/management/thecurrentkeystore.pkcs12https.keystore.password=currentkeystorepasswordFirewall disabled
OS / ENVIRONMENT
SUMMARY
We are not able to access the 4.14 Webserver over HTTPS after upgrading from a functioning 4.13. The Webserver seems to not send anything back. If we curl the https it just loads infinitely:
# curl -v https://localhost:8443/client* About to connect() to localhost port 8443 (#0)* Trying ::1...* Connected to localhost (::1) port 8443 (#0)* Initializing NSS with certpath: sql:/etc/pki/nssdb* CAfile: /etc/pki/tls/certs/ca-bundle.crtCApath: none....(waits)Previous investigations regarding networking etc can be seen here:
https://lists.apache.org/thread.html/r50fa6f94dae308a598eb2eeb738f4325e29814d8da83de8558bccfb2%40%3Cusers.cloudstack.apache.org%3E
Using a self-signed certificate actually works, only when using an adequate certificate (wildcard in our case) it stops functioning
Commands used:
Combine Files
cat key.key servercert.crt intermediate.crt root.crt > combined.crtCreate Keystore
openssl pkcs12 -in combined.crt -export -out combined.pkcs12Import Keystore
keytool -importkeystore -srckeystore combined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/combined.pkcs12 -deststoretype pkcs12Then change https.keystore= and https.keystore.password= accordingly and restart cloudstack-management
Logs found:
2020-06-29 12:01:02,052 INFO [o.e.j.s.h.ContextHandler] (main:null) (logid:) Started o.e.j.w.WebAppContext@311bf055{/client,file:///usr/share/cloudstack-management/webapp/,AVAILABLE}{/usr/share/cloudstack-management/webapp}2020-06-29 12:01:02,053 INFO [o.e.j.s.h.ContextHandler] (main:null) (logid:) Started o.e.j.s.h.MovedContextHandler@451001e5{/,null,AVAILABLE}2020-06-29 12:01:02,076 INFO [o.e.j.s.AbstractConnector] (main:null) (logid:) Started ServerConnector@6f46426d{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}2020-06-29 12:01:02,090 INFO [o.e.j.u.s.SslContextFactory] (main:null) (logid:) x509=X509@25c6abfa(1,h=[our acual domain name],w=[our domain name again]) for SslContextFactory@4991c0f7[provider=null,keyStore=file:///etc/cloudstack/management/combined.pkcs12,trustStore=null]Things tried:
https.portto any other Port inserver.propertiesjdk.tls.disabledAlgorithmsinjava.security.ciphersFurther Investigations:
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS