cloudstack
Webgui SSL import does not check on root certificate
ISSUE TYPE
- Bug Report
COMPONENT NAME
UI
CLOUDSTACK VERSION
4.19.0.1
CONFIGURATION
N/A
OS / ENVIRONMENT
N/A
SUMMARY
Uploading an invalid root certificate doesn't error out.
STEPS TO REPRODUCE
Using the portal -> Infrastructure -> Summary -> SSL Certificates.
Upload a root certificate but do not paste the:
-----END CERTIFICATE-----
Fill in the rest correctly like the certificate and key.
Then Submit it.
It will try reloading the secondary storage and console proxy, but the console proxy will never have its agent connected again without the correct root certificate.
EXPECTED RESULTS
To get an error that the root certificate is not correct.
ACTUAL RESULTS
It went through without errors, but mentioned an incomplete certificate in the management log when the consoleproxy agent tries to connect.
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,249 ERROR ConsoleProxySecureServerFactoryImpl:104 - java.lang.NullPointerException: null SSLContext
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,227 INFO ConsoleProxySecureServerFactoryImpl:51 - No certificates passed, recheck global configuration and certificates
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,227 INFO ConsoleProxySecureServerFactoryImpl:47 - Start initializing SSL
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,226 INFO ConsoleProxySecureServerFactoryImpl:51 - No certificates passed, recheck global configuration and certificates
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,225 INFO ConsoleProxySecureServerFactoryImpl:47 - Start initializing SSL
Apr 29 12:25:48 v-144-VM _run.sh[58945]: 12:25:48,222 INFO ConsoleProxyResource:104 - Receive ReadyCommand, response with ReadyAnswer
@pcfriek1987, can you re-upload the certificate without error?
Hi Daan,
After hours I found out that its certificate was incomplete. After uploading the correct one it started working, so uploading the correct one works as it should.
Thanks for sharing, @pcfriek1987. There isn't a functional issue, though the certificate validation could have been improved.
@pcfriek1987 I've tried to reproduce the scenario by uploading the incomplete certificate, but I'm getting a validation error like below.
I've uploaded the certificate from here by providing these example values; the following certificate does not have the END CERTIFICATE footer.
Can you please confirm or tell us what you've tried?
@harikrishna-patnala For me it was only the root certificate; the other 2 were already correct. Only the root certificate had the end certificate part missing.
Thanks @pcfriek1987, added a check for the root certificate in my PR; that should fix the issue.
fixed in #9255
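An added example, not CloudStack's code and not the check from the PR: a structural pre-check for a pasted root certificate or chain that catches the missing `-----END CERTIFICATE-----` footer described in this issue before anything is submitted. The function names are hypothetical, the sample is a constructed DER blob rather than a real certificate, and the check covers PEM framing, strict base64 and the outer DER length only, not X.509 contents or signatures.

```python
import base64
import binascii
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_sequence_is_complete(der):
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                         # short-form length
        header, length = 2, der[1]
    else:                                     # long form: next n bytes are the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length

def check_pem_chain(text):
    """Return a list of problems in a pasted PEM certificate or chain."""
    problems, body, inside, count = [], [], False, 0
    for ln in filter(None, map(str.strip, text.splitlines())):
        if ln == BEGIN:
            if inside:
                problems.append(f"certificate {count}: missing END line")
            inside, body, count = True, [], count + 1
        elif ln == END and inside:
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"certificate {count}: body is not valid base64")
                continue
            if not der_sequence_is_complete(der):
                problems.append(f"certificate {count}: DER data truncated or malformed")
        elif inside:
            body.append(ln)
        else:
            problems.append(f"unexpected line outside a certificate block: {ln[:30]!r}")
    if inside:
        problems.append(f"certificate {count}: missing END line")
    if count == 0:
        problems.append("no BEGIN CERTIFICATE line found")
    return problems

# Constructed sample: a 5-byte DER SEQUENCE, not a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
GOOD = f"{BEGIN}\n{base64.b64encode(SAMPLE_DER).decode()}\n{END}\n"
NO_FOOTER = GOOD.replace(END + "\n", "")      # footer omitted, as in the report
```

An empty result from `check_pem_chain` means the framing is intact; any returned message is a reason to reject the input before the console proxy is reloaded with it.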