Add script to bypass SSL cert errors temporarily

cloudstack/PKGBUILD

@@ -64,6 +64,7 @@ depends=(
 
   'ipmitool'
   'nfs-utils'
+  'openssh'
 )
 makedepends=(
   # CloudStack source retrieval
@@ -297,7 +298,7 @@ libvirt.vif.driver=com.cloud.hypervisor.kvm.resource.BridgeVifDriver
 
 package_cloudstack-management() {
 
-  depends=('python' 'jre11-openjdk' 'mysql' 'systemd' 'ipmitool' 'nfs-utils')
+  depends=('python' 'jre11-openjdk' 'mysql' 'systemd' 'ipmitool' 'nfs-utils' 'openssh')
   pkgdesc='Management for Apache CloudStack'
   install=cloudstack-management.install
   noextract=(

cloudstack/cloudstack-management.install

@@ -4,16 +4,22 @@ post_install() {
 
   if [[ ! -d /var/lib/cloudstack/user ]]; then
     mkdir -p /var/lib/cloudstack/user
-    chown cloud.cloud -R /var/lib/cloudstack/user
   fi
 
-  chown cloud.cloud /var/log/cloudstack
+  chown cloud.cloud -R /var/lib/cloudstack/user
+
+  chown cloud.cloud /var/log/cloudstack/management
+  chown cloud.cloud /var/log/cloudstack/ipallocator
+
   chown cloud.cloud /var/lib/cloudstack/data/
 
   # Apply cloudbr0, cloudbr1 & cloudbr2 network interfaces
   systemctl restart systemd-networkd 
   systemctl restart mysqld
 
+  # Generate ssh keypair for user 'cloud'
+  runuser -l cloud -s /bin/sh -c "ssh-keygen -N '' -f /var/lib/cloudstack/user/.ssh/id_rsa"
+
   msg2 "Configuration info: http://docs.cloudstack.apache.org/en/latest/installguide/management-server/"
 
   msg2 "System VM template files are located at '/usr/share/cloudstack-management/templates/systemvm/'"

cloudstack/management-certificate.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# Temporarily permit non-SSL connections to port 8250
+# Fixes cloudstack-management error 'SSL error caught during wrap data: Empty server certificate chain, for local address ...'
+
+# Use only while setting up CloudStack. Provide proper values for production environment.
+
+mysql -u cloud -pcloud -e \
+"
+USE cloud;
+UPDATE configuration SET value='false' WHERE name='ca.plugin.root.auth.strictness';
+"
+
+# CloudStack Management server configuration for SSL authentication.
+# Recommended to be configured via web UI although direct SQL updates are technically possible.
+
+# ca.framework.provider.plugin 	The configured CA provider plugin
+# ca.framework.cert.keysize 	The key size used for certificate generation
+# ca.framework.cert.signature.algorithm 	The certificate signature algorithm
+# ca.framework.cert.validity.period 	Certificate validity in days
+# ca.framework.cert.automatic.renewal 	Whether to auto-renew expiring certificate on hosts
+# ca.framework.background.task.delay 	The delay between each CA background task round in seconds
+# ca.framework.cert.expiry.alert.period 	The number of days to check and alert expiring certificates
+# ca.plugin.root.private.key 	(hidden/encrypted in database) Auto-generated CA private key
+# ca.plugin.root.public.key 	(hidden/encrypted in database) CA public key
+# ca.plugin.root.ca.certificate 	(hidden/encrypted in database) CA certificate
+# ca.plugin.root.issuer.dn 	The CA issue distinguished name used by the root CA provider
+# ca.plugin.root.auth.strictness 	Setting to enforce two-way SSL authentication and trust validation
+# ca.plugin.root.allow.expired.cert 	Setting to allow clients with expired certificates
+
+# Ref: http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html