Description
I am currently preparing a cluster and installed a new (the 1st) management server.
That server's network is a fully routed L3-network.
Starting the cloudstack-management service does not create the server certificate from root-ca with the following error:
2025-06-10 08:28:57,082 DEBUG [o.a.c.f.c.i.ConfigDepotImpl] (main:[]) (logid:) Retrieving keys from RootCAProvider
2025-06-10 08:28:58,589 DEBUG [o.a.c.s.l.r.ExtensionRegistry] (main:[]) (logid:) Registering extension [RootCAProvider] in [Ca Providers Registry]
2025-06-10 08:28:58,589 DEBUG [o.a.c.s.l.r.RegistryLifecycle] (main:[]) (logid:) Registered org.apache.cloudstack.ca.provider.RootCAProvider@611f82a8
2025-06-10 08:28:58,589 INFO [o.a.c.s.l.CloudStackExtendedLifeCycle] (main:[]) (logid:) Configuring CloudStack Components
2025-06-10 08:28:58,589 INFO [o.a.c.s.l.CloudStackExtendedLifeCycle] (main:[]) (logid:) configuring bean RootCAProvider.
2025-06-10 08:28:59,037 DEBUG [c.c.u.s.Script] (main:[]) (logid:) Executing command [/bin/bash -c ip route show default 0.0.0.0/0 | head -1 | awk '{print $5}' ].
2025-06-10 08:28:59,043 DEBUG [c.c.u.s.Script] (main:[]) (logid:) Successfully executed process [105870] for command [/bin/bash -c ip route show default 0.0.0.0/0 | head -1 | awk '{print $5}' ].
2025-06-10 08:28:59,127 ERROR [o.a.c.s.l.CloudStackExtendedLifeCycle] (main:[]) (logid:) Error on configuring bean RootCAProvider - Cannot invoke "java.net.NetworkInterface.getInterfaceAddresses()" because "nic" is null java.lang.NullPointerException: Cannot invoke "java.net.NetworkInterface.getInterfaceAddresses()" because "nic" is null
- These are the active network interfaces; "hostip" is the BGP-announced IP on a virtual interface for networking, eth1* are the Ethernet interfaces
~# ip -4 -br a | egrep '(eth1|hostip)'
eth1a UP 10.72.44.198/30
eth1b UP 10.72.45.198/30
hostip UNKNOWN 10.72.44.3/32
- CS did retrieve the correct IP from the hostip interface
~# ip route show default 0.0.0.0/0 | head -1 | awk '{print $5}'
10.72.44.3
- certificate check
~# openssl s_client -connect 10.72.44.3:9090 </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltNam
Could not read certificate from <stdin>
4087895B58700000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:
Unable to load certificate
For testing I installed 2 virtual machines with cloudstack-management and a new mysql-database on one of these. Both instances are connected on a layer 2 network.
Here the management servers (one after another) came once with fully functional certificates, both servers see each other as peers in the cs-ui management server overview.
- certificates SAN on one of the test-instances:
~# openssl s_client -connect 10.65.254.48:9090 </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
X509v3 Subject Alternative Name:
IP Address:FE80:0:0:0:1C00:B1FF:FE00:164, IP Address:10.65.254.48, DNS:<redacted> DNS:cloudstack.internal
I then connected the former server with a fresh installation to the database of my test-setup.
I got the same error as mentioned above.
I suspect some issue with the L3-network and retrieving some networking-stuff by cloudstack-management-server.
Any idea how to proceed here?
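
Added illustration, not part of the original report and not CloudStack's code: the logged pipeline `ip route show default 0.0.0.0/0 | head -1 | awk '{print $5}'` takes the fifth field of the first line, which is the interface name when the default route has the shape `default via <gw> dev <if>`. The route outputs below are constructed samples (the reporter's route table is not shown on the page; the multipath shape and gateway addresses are assumptions), and `field5`, `route_dev` and `is_ipv4` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Route outputs are constructed samples, not from the reporter's host.
CLASSIC='default via 192.0.2.1 dev eth0 proto dhcp metric 100'
# Assumed shape of a BGP-installed multipath default route (gateways are made up).
MULTIPATH='default proto bgp src 10.72.44.3 metric 20
	nexthop via 10.72.44.197 dev eth1a weight 1
	nexthop via 10.72.45.197 dev eth1b weight 1'

# The pipeline from the log: first line, fifth whitespace-separated field.
field5() {
    printf '%s\n' "$1" | head -1 | awk '{print $5}'
}

# Token-based alternative: print the word following the first "dev" keyword
# anywhere in the output, so multipath "nexthop" lines are covered too.
# Prints nothing and returns 1 when no device is present.
route_dev() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit } }
        END { exit (found ? 0 : 1) }'
}

# True when the value is an IPv4 literal rather than an interface name.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Compare both extractions on each sample, including an empty route table.
for sample in "$CLASSIC" "$MULTIPATH" ""; do
    naive=$(field5 "$sample")
    dev=$(route_dev "$sample") || dev="(none)"
    note=""
    if is_ipv4 "$naive"; then note="<- field 5 is an address, not a device"; fi
    printf 'field5=%-12s dev=%-8s %s\n' "${naive:-(empty)}" "$dev" "$note"
done
```

On a real host, the full first line of `ip route show default 0.0.0.0/0` shows which of these shapes applies.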