Re: How to configure multicell vcd LB certificate

legioon · ‎02-04-2019

Hi all,

I have Installed multiple cell vCloud Director 9.5 with signed wildcard certificate ( Issuer GeoTrust )

Cell 1 HTTPS : cell01.subdomain.domain.com

Cell 1 CONSOLE : cell01-console.subdomain.domain.com

Cell 2 HTTPS : cell02.subdomain.domain.com

Cell 2 CONSOLE : cell02-console.subdomain.domain.com

My signed wildcard certificate is *.subdomain.domain.com

tomorrow I'll configure my Load balancer without sub domain like this ;

cloud.domain.com - With SSL Ofloading

cloud-console.domain.com - pass through ssl

Then I will configure my Public URLs with dns above on vCloud Director.

Is there any mismatch at configuration above ?

Thanks

andreaspa · ‎02-06-2019

Hi,

The only issue I can think of is that you will have a mismatch for the cloud-console.domain.com since you will be doing ssl passthrough, unless you change the local certificates of each cell as well.

/Andreas

JonathanThorpe · ‎04-03-2019

You will need to ensure that cloud-console.domain.com is also using SSL Offload. Depending on what you're using for load balancing, you'll need to ensure that it supports doing SSL Offload for websockets connections.

It's important that the console certificates are valid as browsers such as Chrome will not connect to a websocket with a non-valid/trusted certificate (developer console will show this).

We run this as follows:

1. Run internal CA which has a single certificate on all cells which covers the cell and console FQDNs. You could just as easily use a wildcard in this case. The thing to be careful of is that all cells need to use the same internal certificate as this used to sign material that is sent to the client. If your request to the console went to a different cell to than what received the vCD request, things break.

2. Have a public facing SSL (in our case, LetsEncrypt because short-lived certificates are good) handled by the load balancer.

Hope this helps.

All

How to configure multicell vcd LB certificate