Skip to content

HTTPS does not initiate #4199

Description

@VincentHermes

ISSUE TYPE

  • Other / HTTPS

COMPONENT NAME

  • Webserver

CLOUDSTACK VERSION

  • 4.14

CONFIGURATION

  • server.properties:
    https.enable=true
    https.port=8443
    https.keystore=/etc/cloudstack/management/thecurrentkeystore.pkcs12
    https.keystore.password=currentkeystorepassword

  • Firewall disabled

OS / ENVIRONMENT

  • CentOS7
  • MGMT Server on VMWare
  • Cloudstack 4.14
  • Java 11
  • OpenSSL 1.0.2k-fips

SUMMARY

We are not able to access the 4.14 Webserver over HTTPS after upgrading from a functioning 4.13. The Webserver seems to not send anything back. If we curl the https it just loads infinitely:
# curl -v https://localhost:8443/client
* About to connect() to localhost port 8443 (#0)
* Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
....(waits)

Previous investigations regarding networking etc can be seen here:
https://lists.apache.org/thread.html/r50fa6f94dae308a598eb2eeb738f4325e29814d8da83de8558bccfb2%40%3Cusers.cloudstack.apache.org%3E

Using a self-signed certificate actually works, only when using an adequate certificate (wildcard in our case) it stops functioning

Commands used:

Combine Files
cat key.key servercert.crt intermediate.crt root.crt > combined.crt

Create Keystore
openssl pkcs12 -in combined.crt -export -out combined.pkcs12

Import Keystore
keytool -importkeystore -srckeystore combined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/combined.pkcs12 -deststoretype pkcs12

Then change https.keystore= and https.keystore.password= accordingly and restart cloudstack-management

Logs found:

2020-06-29 12:01:02,052 INFO [o.e.j.s.h.ContextHandler] (main:null) (logid:) Started o.e.j.w.WebAppContext@311bf055{/client,file:///usr/share/cloudstack-management/webapp/,AVAILABLE}{/usr/share/cloudstack-management/webapp}
2020-06-29 12:01:02,053 INFO [o.e.j.s.h.ContextHandler] (main:null) (logid:) Started o.e.j.s.h.MovedContextHandler@451001e5{/,null,AVAILABLE}
2020-06-29 12:01:02,076 INFO [o.e.j.s.AbstractConnector] (main:null) (logid:) Started ServerConnector@6f46426d{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
2020-06-29 12:01:02,090 INFO [o.e.j.u.s.SslContextFactory] (main:null) (logid:) x509=X509@25c6abfa(1,h=[our acual domain name],w=[our domain name again]) for SslContextFactory@4991c0f7[provider=null,keyStore=file:///etc/cloudstack/management/combined.pkcs12,trustStore=null]

Things tried:

  • Tested Firefox, Chrome, Edge, IE
  • Cache cleared / Private Mode
  • Multiple Client Systems
  • Numerous combinations of key-cert-intermediate-root when generating the pkcs12
  • Keystore only with key and server certificate without any CA's
  • Different Certificate Vendors (2 different Wildcard Certificates, Sectigo and Digicert/RapidSSL)
  • Generated Certificate via internal Domains Certificate Authority
  • Checked all certificate combinations via certutil in Windows Powershell
  • Changed keystore password to minimal ones without special characters (e.g. 123456)
  • Changed the https.port to any other Port in server.properties
  • Switched back to java-1.8.0 - of course management server failed to start
  • Uploaded certificate chain via 8080 Web GUI - Found working combination of cert-intermediate-root to work with by opening console proxy in separate window and checking certificate validity
  • Definitely working combination (for firefox) gets the same outcome when being used as pkcs12
  • Updating to a newer Openssl Version fails because its the newest for CentOS7
  • Just in case it has an impact - Outcommented jdk.tls.disabledAlgorithms in java.security.ciphers

Further Investigations:

  • If we change the keystore password to nonsense it makes no difference
  • If we change the keystore name or path to nonsense it almost instantly says that the Website is unreachable and does not load infinitely and curl says Connection Refused
  • Fresh Install shows the same behaviour

STEPS TO REPRODUCE

EXPECTED RESULTS

  • A response from 8443 as it has been before the upgrade or at least an SSL error regarding a wrong certificate

ACTUAL RESULTS

  • Webserver not responding / loading forever no matter what certificate is used
  • Actually it isn't really "not responding" as it is in fact trying to communicate but nothing happens

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions