diff --git a/cloudstack/management-certificate.sh b/cloudstack/management-certificate.sh
new file mode 100755
index 0000000..ca5a569
--- /dev/null
+++ b/cloudstack/management-certificate.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Temporarily permit non-SSL connections to port 8250
+# Fixes cloudstack-management error 'SSL error caught during wrap data: Empty server certificate chain, for local address ...'
+
+# Use only while setting up CloudStack. Provide proper values for production environment.
+
+mysql -u cloud -pcloud -e \
+"
+USE cloud;
+UPDATE configuration SET value='false' WHERE name='ca.plugin.root.auth.strictness';
+"
+
+# CloudStack Management server configuration for SSL authentication.
+# Recommended to be configured via web UI although direct SQL updates are technically possible.
+
+# ca.framework.provider.plugin The configured CA provider plugin
+# ca.framework.cert.keysize The key size used for certificate generation
+# ca.framework.cert.signature.algorithm The certificate signature algorithm
+# ca.framework.cert.validity.period Certificate validity in days
+# ca.framework.cert.automatic.renewal Whether to auto-renew expiring certificate on hosts
+# ca.framework.background.task.delay The delay between each CA background task round in seconds
+# ca.framework.cert.expiry.alert.period The number of days to check and alert expiring certificates
+# ca.plugin.root.private.key (hidden/encrypted in database) Auto-generated CA private key
+# ca.plugin.root.public.key (hidden/encrypted in database) CA public key
+# ca.plugin.root.ca.certificate (hidden/encrypted in database) CA certificate
+# ca.plugin.root.issuer.dn The CA issue distinguished name used by the root CA provider
+# ca.plugin.root.auth.strictness Setting to enforce two-way SSL authentication and trust validation
+# ca.plugin.root.allow.expired.cert Setting to allow clients with expired certificates
+
+# Ref: http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html
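Review bot: The `UPDATE` that sets `ca.plugin.root.auth.strictness` to `false` has no matching revert, so the "Temporarily" in the header comment depends on someone remembering to undo it. By the file's own table this setting is what enforces two-way SSL authentication and trust validation, so until it is set back the management server presumably keeps accepting peers on port 8250 without a validated certificate. I would put the revert next to the change, e.g. `# Revert after setup: UPDATE configuration SET value='true' WHERE name='ca.plugin.root.auth.strictness';`, and reword the header to say that certificate validation is relaxed rather than "non-SSL connections". The `mysql -u cloud -pcloud` line also hard-codes the database password and passes it on the command line, where other local users may see it in the process list; reading it from an option file, `mysql --defaults-extra-file="$HOME/.my.cnf" -e "..."`, avoids both. There is no `set -e` or exit-status check either, so a failed `UPDATE` passes silently.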