search

apache / cloudstack

Apache CloudStack is an opensource Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0
1.95k stars 1.09k forks source link

Webgui SSL import does not check on root certificate #9004

Closed pcfriek1987 closed 1 day ago

pcfriek1987 commented 4 months ago
ISSUE TYPE
COMPONENT NAME
UI
CLOUDSTACK VERSION
4.19.0.1
CONFIGURATION

N/A

OS / ENVIRONMENT

N/A

SUMMARY

Uploading an invalid root certificate doesn't error out.

STEPS TO REPRODUCE
Using the portal -> Infrastructure -> Summary -> SSL Certificates.

Upload a root certificate but do not paste the:
-----END CERTIFICATE----

Fill in the rest correctly like the certificate and key. 
Then Submit it.

It will try reloading the secondary storage and console proxy but the console proxy will never have it's agent connected again without the correct root certificate.
EXPECTED RESULTS
To get an error the root certificate is not correct.
ACTUAL RESULTS
It went through without errors, but mentioned an incomplete certfificate in the management log when the consoleproxy agent tries to connect.

Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,249 ERROR ConsoleProxySecureServerFactoryImpl:104 - java.lang.NullPointerException: null SSLContext
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,227  INFO ConsoleProxySecureServerFactoryImpl:51 - No certificates passed, recheck global configuration and certificates
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,227  INFO ConsoleProxySecureServerFactoryImpl:47 - Start initializing SSL
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,226  INFO ConsoleProxySecureServerFactoryImpl:51 - No certificates passed, recheck global configuration and certificates
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,225  INFO ConsoleProxySecureServerFactoryImpl:47 - Start initializing SSL
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,222  INFO ConsoleProxyResource:104 - Receive ReadyCommand, response with ReadyAnswer
DaanHoogland commented 3 months ago

@pcfriek1987 , can you re-upload the certificate without error?

pcfriek1987 commented 3 months ago

Hi Daan,

Afters hours I found out that it's certificate was incomplete, after uploading the correct one it started working, so uploading the correct one works as it should.

rohityadavcloud commented 3 months ago

Thanks for sharing @pcfriek1987 there isn’t a functional issue though the certificate validation could have been improved.

harikrishna-patnala commented 2 months ago

@pcfriek1987 I've tried to reproduce the scenario by uploading the incomplete certificate but I'm getting the validation error like below

image

I've uploaded the certificate from here by providing these example values, following certificate does not have the END CERTIFICATE footer

image

Can you please confirm or tell us what you've tried

pcfriek1987 commented 2 months ago

@harikrishna-patnala For me it was only the root certificate, the other 2 we're already correct. Only the root certificate had the end certificate part missing.

harikrishna-patnala commented 1 week ago

Thanks @pcfriek1987 added a check for the root certificate in my PR, that should fix the issue.

DaanHoogland commented 1 day ago

fixed in #9255