Introduction

 This is a document for replacing realhostip.com to your custom domain.

Functionality Impacted

• Console view of virtual machines available through Console Proxy virtual machine (CPVM)
• Copy Template available through Secondary Storage virtual machine (SSVM)
• Download Template/ISO/Volume (SSVM)

Known Issues

Prerequisites

1. A publicly resolvable DNS server for your domain

   1. To replace realhostip.com with your own domain name first you need to setup your own domain in your DNS server. For this example we will assume you are using BIND. But any DNS server will work. In this example we will use yourhostip.com as the new domain name. The way realhostip.com is utilized is for every public IP that is entered into CloudStack it converts that name into a DNS name such as 77.88.99.11 maps to 77-88-99-11.realhostip.com. This is needed for SSL, when the browser connects to this name it matches the wildcard cert *.realhostip.com. So for your environment you need to mimic this setup.

      1) Set up your zone (if it is not already) in your DNS server. In BIND 9 it would look something like this:

      zone "yourhostip.com" IN { 
            type master; 
            file "yourhostip.com.zone"; 
            allow-update { none; }; 
      };

      2) Now you need to populate an A record for every public IP you have entered into CloudStack, that the console proxy could allocate. So lets say you have a range such as 55.66.77.100 to 55.66.77.200. Then in your zone file, you need something like this:

      55-66-77-100      IN      A      55.66.77.100 
      55-66-77-101      IN      A      55.66.77.101 
      55-66-77-102      IN      A      55.66.77.102 
      55-66-77-103      IN      A      55.66.77.103 
      
      etc.. 
      
      55-66-77-200      IN      A      55.66.77.200
      
      
2. A signed wildcard certificate for your domain. This certificate may be obtained from any CA like VeriSign etc. You will need the following handy
   1. Public certificate of root CA in PEM format
   2. Public certificate(s) of intermediate CA(s) (if any) in PEM format
   3. Wildcard domain certificate in PEM format
   4. Private key in PKCS8 format (Note - steps are documented in Admin Guide section "Changing the Console Proxy SSL Certificate and Domain")

Installation Procedure

1. Backup existing systemvm.iso (copy systemvm.iso under /usr/share/cloudstack-common/vms to a temporary location)
2. Upgrade to the Patch build by following Patch install instructions included in the Release Notes or Patch Tar file. 

3. Once MS and Agents are  upgraded successfully. Change the following global configuration parameters and restart the Management Server. .   
   Global settings

   • Change secstorage.encrypt.copy = true (By default, this value set to  true. If not true, change it to true)
   • Change secstorage.ssl.cert.domain = *.yourdomain.com. Eg - *.xyz.com
   • Change consoleproxy.url.domain = *.yourdomain.com. Eg - *.xyz.com
4. Follow the "Uploading Custom Certificates" to replace realhostip with your OWN domain name.

Uploading Custom Certificates

• • Understanding parameters:
    • Make sure the certificates are URL encoded. One way is to use Google chrome - Advanced Rest Client to url encode your certificate (basically it converts the newline into %0A so the certificate becomes 1 line rather than multiple lines ).
    • Make sure the certificates are in PEM format.
    • API invocation has to be in order ie first the root certificate with id=1 then zero or more intermediate certificates with id =2, 3, 4 etc.
    • There is no convention for the name parameter but it would help to name the root certificate as "root", intermediate certificates as "intermediate1", "intermediate2" etc. NOTE - Keep the names always unique.
    • domainsuffix should be same as the global config secstorage.ssl.cert.domain/consoleproxy.url.domain = yourdomain.com and for all the API invocations below.
  • Uploading root certificate API call. This is a mandatory step.   
    • http://123.123.123.123:8080/client/api?command=uploadCustomCertificate&id=1&sessionkey=LAM0wM%2B0cejIYxCHprtGc4w15sg%3D&name=root1&domainsuffix=customabc.com&certificate=-----BEGIN+CERTIFICATE-----%0AMIID%2FzCCAuegAwIBAgIJANX8lVYYPplhMA0GCSqGSIb3DQEBBQUAMIGVMQswCQYD%0AVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNDMRQwEgYDVQQKDAtDdXN0%0Ab21BbW9naDEeMBwGA1UECwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRQwEgYDVQQD%0ADAtDdXN0b21BbW9naDEgMB4GCSqGSIb3DQEJARYRYW1vZ2h2a0BnbWFpbC5jb20w%0AHhcNMTQwNDAxMTgwODUzWhcNMjQwMzI5MTgwODUzWjCBlTELMAkGA1UEBhMCVVMx%0ACzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTQzEUMBIGA1UECgwLQ3VzdG9tQW1vZ2gx%0AHjAcBgNVBAsMFUNlcnRpZmljYXRlIEF1dGhvcml0eTEUMBIGA1UEAwwLQ3VzdG9t%0AQW1vZ2gxIDAeBgkqhkiG9w0BCQEWEWFtb2dodmtAZ21haWwuY29tMIIBIjANBgkq%0AhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2Se5P610tI%2B5sz3X3FTjXGZZ3BzjdDIZ%0A5v5FQFcpAI35dBIYXFQv93gDp%2BAjwxETPP2p%2BhOMtWQm1DWAiyDldH7WZm7EDmz9%0A6ymnU00RlkjluUhfhwTtB9l59xo1haCaKcZQpNBPFm7yPlTTEVLSFAMr0QZVPuu3%0AHM4rClZe9KdGkh4%2FcpzIrYAys2MZpoG3mu0fE6EFbqEJYa5M%2Bvgsja1MqVt58TPo%0AqyaI548P6evJZ%2FpHiqDb360nxFDzbZlSqEUugq5UiJzMm5KyLObvhVhzEZcWLbGe%0ASUAYaIdUfvEt%2FKWlqDZ%2BzRW5RpVMTT%2FFZtArZLs%2FZuZJybq97KSj0wIDAQABo1Aw%0ATjAdBgNVHQ4EFgQUgb8VT%2BUqf1d%2BoCgC8Lap7znkx3gwHwYDVR0jBBgwFoAUgb8V%0AT%2BUqf1d%2BoCgC8Lap7znkx3gwDAYDVR0TBAUwAwEB%2FzANBgkqhkiG9w0BAQUFAAOC%0AAQEAbsKknHC6mEmE24eEV9CfAoGqym4aH3aEBS6%2FUWWXQ%2FOjEArM5xUSXVUCnpQR%0APgLTpqxMymi%2Bq%2BdhAPhJFxDq0nqw91kJmUZ9cy2LINs0akapNhWMvsomfy4YbiLR%0ANUHd%2BymaUb0Q%2BlGe5WeL4kh3W7KbVl0STIxFoRccxHKQHOiIcaQT4AzGWO8uCi90%0AbsFxk7Q11RwMUBUgK0qrhwnl31eUD0bBPvXADix0piTBtUjBGJSJR2at9l%2FoI6F0%0AMyHwZer%2FNsN0vr%2FyeCbYdipdvYrDJOniRuhku01uyFzf8U7%2Fa%2BrDVUtxGPxxfQzR%0APCTXX%2Fyam7lFvMT3ITntyF%2BKhg%3D%3D%0A-----END+CERTIFICATE-----
    • Note: when we upload root certificate  through API, only CPVM will be rebooted. Also before applying next certificate. make sure all your system vm agents are in up state.
  • Uploading Intermediate certificate API call. This is an optional step in case you have intermediate certificates.
    • http://123.123.123.123:8080/client/api?command=uploadCustomCertificate&id=2&sessionkey=LAM0wM%2B0cejIYxCHprtGc4w15sg%3D&name=intermed1&domainsuffix=customabc.com&certificate=-----BEGIN+CERTIFICATE-----%0AMIID5TCCAs2gAwIBAgICEAAwDQYJKoZIhvcNAQEFBQAwgZUxCzAJBgNVBAYTAlVT%0AMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0MxFDASBgNVBAoMC0N1c3RvbUFtb2do%0AMR4wHAYDVQQLDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFDASBgNVBAMMC0N1c3Rv%0AbUFtb2doMSAwHgYJKoZIhvcNAQkBFhFhbW9naHZrQGdtYWlsLmNvbTAeFw0xNDA0%0AMDExODQ2MjRaFw0xNTA0MDExODQ2MjRaMIGCMQswCQYDVQQGEwJVUzELMAkGA1UE%0ACAwCQ0ExFDASBgNVBAoMC0N1c3RvbUFtb2doMRgwFgYDVQQLDA9JbnRlcm1lZGlh%0AdGUgQ0ExFDASBgNVBAMMC0N1c3RvbUFtb2doMSAwHgYJKoZIhvcNAQkBFhFhbW9n%0AaHZrQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRo%0ANFLN%2FJN9iJz79Azb%2FheejbyO7dCFoBguqSgAsG2nW5n6DM2gKEBwu9Pgzu8KrZUz%0Ag69RawdWSQd%2BAQ%2FgNjYWImW%2F%2Bm%2FB6pTkMOXNIkPr1WZK9MunhtHzXzYmrQKHd6u%2F%0Al6TPXTwKlfwab%2FhstXD3pM1OkDM%2BDhqn3qqoF%2BBqgGq1bj9QDmEkq8bXJLWyZgCe%0ABykJvZo4tGEmHjkj0PCjwtJdN%2BOTGFMu0LfQta6SD7LQuof6nw47oeQg6PgrihFI%0AoeN6UV08K01KwSssjKmK5odDFPRBmWHsTaGAeTf9ptfcRNUe9nPDCs8Dq1e0%2BbNX%0A7qTnUoHcTgKfCKHsE4MCAwEAAaNQME4wHQYDVR0OBBYEFHA0lffQm%2BPYkpyUd4o2%0Asy9GM4RqMB8GA1UdIwQYMBaAFIG%2FFU%2FlKn9XfqAoAvC2qe855Md4MAwGA1UdEwQF%0AMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAEL2XLacq5C8Xvlzsl45KyLw9E0ch8NJ%0ALre5pUtSuwqKWnLWJ11HtSA2mqbv%2FKGKjxfwEW65S%2BLTh5Yy7%2Fdds4rp9dUx2bc%2F%0AMIqAh%2BqbpBfRGk882mCPXYFKOprfuPEnlA%2Biep3%2BdFlWLaoDB89BGNntu6cZ49Ph%0ACURC8HrPWWu%2B7zcvd03a7MetjqafIUxI7UXIcDTaO3oZdZfnhK336itCauzXYwxH%0AOd%2FiEoJot6aR%2BNFYVlrgtAUmUNjPQWBt3rOL4yqaE5Z0eaq3%2Buda456Q9SdRUPSZ%0Aya%2FzDhtd458PGtcCWvBQoswDMBjDBJWGP0QvW3eNCRR7ZIliUsfJ%2B6Y%3D%0A-----END+CERTIFICATE-----
    • Note/observation: when we upload intermediate certificate  through API, only CPVM will be rebooted. Also before applying next certificate. make sure all your system vm agents are in up state.
  • Go to  UI --> Infastructure –> Upload SSL certificate to upload the server certificate, private key and the same domain name and press OK. You will get the "Update SSL certificate succeeded" as  a  response once its successfully uploaded. (Note - this should not be URL encoded certificate and key)
  • SSVM and CPVM get rebooted to get programmed with the certificates.

Verification Procedure

• CPVM - Check console view of user VMs and it should work. They should show the embedded iframe's source URL with HTTP  / HTTPS protocol as configured
• SSVM -
• CopyTemplate - Try copying  a template from one zone to the other see whether it works.
• Download template/volume/iso - The download URL should show the URL with HTTP / HTTPS protocol as configured, and you should be able to download the entity.

Implementation Details

• CPVM acts as a server only and uses Java HTTP server. Hence, it needs a server Java keystore. This is a dynamic in-memory keystore
• SSVM acts as a server for download template/volume/iso operations and during copyTemplate if it is in the source zone. It uses a Apache webserver when acting as server.
• SSVM acts as a client during copyTemplate operation if it is in the destination zone. SSVM uses a Java client when acting as client. It uses "realhostip.keystore" file to store entries. This is different from the place where Java stores the Well-Known CA certificate files by default.

TroubleShooting

1. Download urls point to the old domain.
   1. Reduce the expiration duration of the urls by changing global config extract.url.expiration.interval 
   2. And change the frequency for cleanup thread through extract.url.cleanup.interval restart MS. 
   3. Wait for the cleanup thread duration and try downloading again. See whether the url is deleted.
2. CopyTemplate giving the exception - PKIX certification error
   1. Via browser or any client, check whether Apache Webserver for SSVM is sending the entire chain
   2. Check whether the realhostip.keystore (Java keystore) on SSVM has the root CA certificate : keytool -list -keystore realhostip.keystore -storepass vmops.com
3. Download urls are not working. 
   1. Via browser or any client, check whether Apache Webserver for SSVM is sending the entire chain
4. I changed CPVM to work on HTTPS from HTTP, or vice-versa. It does not change.
   1. You may need to destroy and recreate your CPVM when switching between HTTP and HTTPS protocols
5. Certificate encoding - 
   1. Make sure you have correctly url encoded the certificates. To do this you can check cloud database and check the entries in keystore table and match them with the original certificates you had.
6. Uploaded wrong certificate -
   1. In case you uploaded wrong certificates for root/intermediate, you can undo that by calling the api with same name and domainsuffix. In case you uploaded wrong server certificate upload the right one through the UI keeping the same domain suffix.
7. Any other issues with ssvm -  
   
   1. Check logs - Check MS logs (/var/log/cloudstack/management ) and ssvm logs (under /var/log/cloud/) to see if you can find any exceptions in programming the certificate.
   2. Destroy ssvm - If nothing is apparent from the logs try destroying ssvm as one of the last resorts. Try this in one of the zones and see if the new ssvm which comes up solves the issues.
8. I have already uploaded certificate and chain in a prior CCP version. Am I all good?
   1. Unfortunately, no. You will need to re-upload the whole chain using the same API parameters (name, id etc.)

How to generate my custom root CA and certificate?

In essence, the process is to :

1. Create your own root CA
2. Create your own intermediate CA, who is signed by the root CA
3. Create your domain specific certificate request, and sign it using the intermediate CA
4. Optionally, you will need to add the root CA and intermediate CA in your browser. NOTE that if you created the above using openssl on your machine, they would exist in the OS as well. Hence, a good way to test it is to create the above on a different machine.

For step 1 : https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/

For step 2: https://jamielinux.com/articles/2013/08/create-an-intermediate-certificate-authority/   (BEWARE of a typo in the blog. Refer to the comments section below it)

For step 3: https://jamielinux.com/articles/2013/08/create-and-sign-ssl-certificates-certificate-authority/

For step 4 : Follow your browser / OS specific steps.