From 545ddbbe3948fdc960d486aa24c358c0ea3a6af5 Mon Sep 17 00:00:00 2001
From: vishesh92
Date: Wed, 18 Mar 2026 15:31:35 +0530
Subject: [PATCH] Remove realhostip references from the code
---
 .pre-commit-config.yaml | 2 +-
 .../resources/META-INF/db/schema-42210to42300.sql | 11 +++++++++++
 .../com/cloud/server/ConfigurationServerImpl.java | 4 ++--
 .../storage/download/DownloadMonitorImpl.java | 5 -----
 .../cloud/storage/upload/UploadMonitorImpl.java | 13 +++++--------
 .../test/java/com/cloud/keystore/KeystoreTest.java | 12 ++++++------
 services/console-proxy/server/pom.xml | 2 +-
 services/secondary-storage/server/pom.xml | 2 +-
 .../agent/certs/{realhostip.crt => systemvm.crt} | 0
 .../agent/certs/{realhostip.csr => systemvm.csr} | 0
 .../agent/certs/{realhostip.key => systemvm.key} | 0
 .../{realhostip.keystore => systemvm.keystore} | Bin
 systemvm/agent/scripts/_run.sh | 2 +-
 systemvm/agent/scripts/config_ssl.sh | 6 +++---
 systemvm/debian/opt/cloud/bin/setup/bootstrap.sh | 2 +-
 systemvm/patch-sysvms.sh | 2 +-
 systemvm/pom.xml | 2 +-
 .../utils/imagestore/ImageStoreUtilTest.java | 4 ++--
 18 files changed, 36 insertions(+), 33 deletions(-)
 rename systemvm/agent/certs/{realhostip.crt => systemvm.crt} (100%)
 rename systemvm/agent/certs/{realhostip.csr => systemvm.csr} (100%)
 rename systemvm/agent/certs/{realhostip.key => systemvm.key} (100%)
 rename systemvm/agent/certs/{realhostip.keystore => systemvm.keystore} (100%)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index cf6f8d39027d..b35c19a5f8b9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -151,7 +151,7 @@ repos:
 ^server/src/test/resources/certs/rsa_self_signed\.key$|
 ^services/console-proxy/rdpconsole/src/test/doc/rdp-key\.pem$|
 ^systemvm/agent/certs/localhost\.key$|
- ^systemvm/agent/certs/realhostip\.key$|
+ ^systemvm/agent/certs/systemvm\.key$|
 ^test/integration/smoke/test_ssl_offloading\.py$
 - id: end-of-file-fixer
 exclude: \.vhd$|\.svg$
diff --git a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
index d69b524b85d9..890191a3b726 100644
--- a/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
+++ b/engine/schema/src/main/resources/META-INF/db/schema-42210to42300.sql
@@ -114,3 +114,14 @@ CALL `cloud`.`IDEMPOTENT_UPDATE_API_PERMISSION`('Resource Admin', 'deleteUserKey
 -- Add conserve mode for VPC offerings
 CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.vpc_offerings','conserve_mode', 'tinyint(1) unsigned NULL DEFAULT 0 COMMENT ''True if the VPC offering is IP conserve mode enabled, allowing public IP services to be used across multiple VPC tiers'' ');
+
+-- Remove stale realhostip.com default values; domain has been dead since ~2015.
+UPDATE `cloud`.`configuration`
+ SET value = NULL
+ WHERE name IN ('consoleproxy.url.domain', 'secstorage.ssl.cert.domain')
+ AND value IN ('realhostip.com', '*.realhostip.com');
+
+UPDATE `cloud`.`configuration`
+ SET value = NULL
+ WHERE name = 'secstorage.secure.copy.cert'
+ AND value LIKE '%realhostip%';
diff --git a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
index 8f10dd84b54d..1be7e4834767 100644
--- a/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ConfigurationServerImpl.java
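Review bot: Both UPDATEs in schema-42210to42300.sql touch only the `value` column, although the comment speaks of default values; if `cloud.configuration` also keeps the shipped default in its own column (`default_value` in the schemas I know, to be confirmed against this branch), the retired domain stays there and can come back through a reset to default. The second statement writes NULL for `secstorage.secure.copy.cert`, while `persistDefaultValues()` in ConfigurationServerImpl.java writes `""` for the same key in this commit, so upgraded and fresh installs end up with different values; one of the two should be chosen. The comment could also tell operators what to do after the upgrade, e.g. `-- Operators using encrypted copy must set secstorage.ssl.cert.domain to their own certificate domain.`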
@@ -222,8 +222,8 @@ public void persistDefaultValues() throws InternalErrorException {
 _configDao.update(Config.SecStorageEncryptCopy.key(), Config.SecStorageEncryptCopy.getCategory(), "false");
 logger.debug("ConfigurationServer made secondary storage copy encrypt set to false.");
- _configDao.update("secstorage.secure.copy.cert", "realhostip");
- logger.debug("ConfigurationServer made secondary storage copy use realhostip.");
+ _configDao.update("secstorage.secure.copy.cert", "");
+ logger.debug("ConfigurationServer cleared legacy secstorage.secure.copy.cert.");
 _configDao.update("user.password.encoders.exclude", "MD5,LDAP,PLAINTEXT");
 logger.debug("Configuration server excluded insecure encoders");
diff --git a/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java b/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java
index 67d5b091a032..5258f4337550 100644
--- a/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java
+++ b/server/src/main/java/com/cloud/storage/download/DownloadMonitorImpl.java
@@ -87,11 +87,6 @@ public boolean configure(String name, Map params) {
 final Map configs = _configDao.getConfiguration("management-server", params);
 _proxy = configs.get(Config.SecStorageProxy.key());
- String cert = configs.get("secstorage.ssl.cert.domain");
- if (!"realhostip.com".equalsIgnoreCase(cert)) {
- logger.warn("Only realhostip.com ssl cert is supported, ignoring self-signed and other certs");
- }
-
 _copyAuthPasswd = configs.get("secstorage.copy.password");
 DownloadListener dl = new DownloadListener(this);
diff --git a/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java b/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java
index 7962d9dced9c..a32790c135d2 100644
--- a/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java
+++ b/server/src/main/java/com/cloud/storage/upload/UploadMonitorImpl.java
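Review bot: In `persistDefaultValues()` of ConfigurationServerImpl.java, `_configDao.update("secstorage.secure.copy.cert", "")` keeps writing a key whose only reader visible in this patch, the check in `UploadMonitorImpl.configure()`, is deleted by the same commit. If nothing else consumes the key, the update and its debug line can go; if it has to stay, a comment such as `// key is no longer read; cleared so the retired realhostip value does not linger` would tell the next reader why. The method starts and ends outside the hunk, so the condition under which these lines run is not visible here.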
@@ -231,8 +231,8 @@ public UploadVO createEntityDownloadURL(VMTemplateVO template, TemplateDataStore
 UploadVO upload = extractURLList.get(0);
 String uploadUrl = extractURLList.get(0).getUploadUrl();
 String[] token = uploadUrl.split("/");
- // example: uploadUrl = https://10-11-101-112.realhostip.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
- // then token[2] = 10-11-101-112.realhostip.com, token[4] = 2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
+ // example: uploadUrl = https://10-11-101-112.example.com/userdata/2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
+ // then token[2] = 10-11-101-112.example.com, token[4] = 2fdd9a70-9c4a-4a04-b1d5-1e41c221a1f9.iso
 String hostname = ep.getPublicAddr().replace(".", "-") + ".";
 if ((token != null) && (token.length == 5) && (token[2].equals(hostname + _ssvmUrlDomain))) // ssvm publicip and domain suffix not changed
 return extractURLList.get(0);
@@ -365,7 +365,9 @@ private String generateCopyUrl(String ipAddress, String uuid) {
 if (_ssvmUrlDomain != null && _ssvmUrlDomain.length() > 0) {
 hostname = hostname + "." + _ssvmUrlDomain;
 } else {
- hostname = hostname + ".realhostip.com";
+ logger.warn("SSL copy is enabled but secstorage.ssl.cert.domain is not configured; " + + "using IP address directly. Configure a wildcard SSL certificate domain for proper HTTPS support.");
+ hostname = ipAddress;
 }
 }
 return scheme + "://" + hostname + "/userdata/" + uuid;
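Review bot: The new else branch in `generateCopyUrl` builds the URL on the bare `ipAddress`, and a certificate issued for a domain will not validate against an IP unless it carries a matching IP subject alternative name, so with encrypted copy on the link presumably fails verification or pushes users towards switching verification off. The warning is also emitted on every generated URL; since `_sslCopy` and `_ssvmUrlDomain` are both read once in `configure()`, reporting it there a single time is enough, e.g. `if (_sslCopy && (_ssvmUrlDomain == null || _ssvmUrlDomain.isEmpty())) logger.warn(...)`. The reuse check in the first hunk, `token[2].equals(hostname + _ssvmUrlDomain)`, expects the dashed host form and so would never match a URL produced by this fallback. Both methods start outside the hunks shown.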
@@ -376,11 +378,6 @@ public boolean configure(String name, Map params) throws Configu
 final Map configs = _configDao.getConfiguration("management-server", params);
 _sslCopy = Boolean.parseBoolean(configs.get("secstorage.encrypt.copy"));
- String cert = configs.get("secstorage.secure.copy.cert");
- if ("realhostip.com".equalsIgnoreCase(cert)) {
- logger.warn("Only realhostip.com ssl cert is supported, ignoring self-signed and other certs");
- }
-
 _ssvmUrlDomain = configs.get("secstorage.ssl.cert.domain");
 _agentMgr.registerForHostEvents(new UploadListener(this), true, false, false);
diff --git a/server/src/test/java/com/cloud/keystore/KeystoreTest.java b/server/src/test/java/com/cloud/keystore/KeystoreTest.java
index 970892dc325e..2b991d4a4f7c 100644
--- a/server/src/test/java/com/cloud/keystore/KeystoreTest.java
+++ b/server/src/test/java/com/cloud/keystore/KeystoreTest.java
@@ -75,20 +75,20 @@ public void testKeystoreSave() throws Exception {
 ComponentLocator locator = ComponentLocator.getCurrentLocator();
 KeystoreDao ksDao = locator.getDao(KeystoreDao.class);
- ksDao.save("CPVMCertificate", "CPVMCertificate", "KeyForCertificate", "realhostip.com");
+ ksDao.save("CPVMCertificate", "CPVMCertificate", "KeyForCertificate", "example.com");
 ksVo = ksDao.findByName("CPVMCertificate");
 assertTrue(ksVo != null);
 assertTrue(ksVo.getCertificate().equals("CPVMCertificate"));
 assertTrue(ksVo.getKey().equals("KeyForCertificate"));
- assertTrue(ksVo.getDomainSuffix().equals("realhostip.com"));
+ assertTrue(ksVo.getDomainSuffix().equals("example.com"));
- ksDao.save("CPVMCertificate", "CPVMCertificate Again", "KeyForCertificate Again", "again.realhostip.com");
+ ksDao.save("CPVMCertificate", "CPVMCertificate Again", "KeyForCertificate Again", "again.example.com");
 ksVo = ksDao.findByName("CPVMCertificate");
 assertTrue(ksVo != null);
 assertTrue(ksVo.getCertificate().equals("CPVMCertificate Again"));
 assertTrue(ksVo.getKey().equals("KeyForCertificate Again"));
- assertTrue(ksVo.getDomainSuffix().equals("again.realhostip.com"));
+ assertTrue(ksVo.getDomainSuffix().equals("again.example.com"));
 ksDao.expunge(ksVo.getId());
 }
@@ -112,9 +112,9 @@ public void testKeystoreManager() throws Exception {
 assertTrue(ksMgr.configure("TaskManager", new HashMap()));
 assertTrue(ksMgr.start());
- ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent, "realhostip.com");
+ ksMgr.saveCertificate("CPVMCertificate", certContent, keyContent, "example.com");
- byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate", "realhostip", "vmops.com");
+ byte[] ksBits = ksMgr.getKeystoreBits("CPVMCertificate", "example", "vmops.com");
 assertTrue(ksBits != null);
 try {
diff --git a/services/console-proxy/server/pom.xml b/services/console-proxy/server/pom.xml
index 3f5b9db68c2e..6e18a13bc57b 100644
--- a/services/console-proxy/server/pom.xml
+++ b/services/console-proxy/server/pom.xml
@@ -80,7 +80,7 @@ certs
- realhostip.csr
+ systemvm.csr
diff --git a/services/secondary-storage/server/pom.xml b/services/secondary-storage/server/pom.xml
index e6aec8a42f70..ca26bf2bbbe9 100644
--- a/services/secondary-storage/server/pom.xml
+++ b/services/secondary-storage/server/pom.xml
@@ -107,7 +107,7 @@ javax.net.ssl.trustStore
- certs/realhostip.keystore
+ certs/systemvm.keystore
 log.home ${PWD}/
diff --git a/systemvm/agent/certs/realhostip.crt b/systemvm/agent/certs/systemvm.crt
similarity index 100%
rename from systemvm/agent/certs/realhostip.crt
rename to systemvm/agent/certs/systemvm.crt
diff --git a/systemvm/agent/certs/realhostip.csr b/systemvm/agent/certs/systemvm.csr
similarity index 100%
rename from systemvm/agent/certs/realhostip.csr
rename to systemvm/agent/certs/systemvm.csr
diff --git a/systemvm/agent/certs/realhostip.key b/systemvm/agent/certs/systemvm.key
similarity index 100%
rename from systemvm/agent/certs/realhostip.key
rename to systemvm/agent/certs/systemvm.key
diff --git a/systemvm/agent/certs/realhostip.keystore b/systemvm/agent/certs/systemvm.keystore
similarity index 100%
rename from systemvm/agent/certs/realhostip.keystore
rename to systemvm/agent/certs/systemvm.keystore
diff --git a/systemvm/agent/scripts/_run.sh b/systemvm/agent/scripts/_run.sh
index 11158ecf5bd1..bb024f71c08b 100755
--- a/systemvm/agent/scripts/_run.sh
+++ b/systemvm/agent/scripts/_run.sh
@@ -60,4 +60,4 @@ if [ "$(uname -m | grep '64')" == "" ]; then
 fi
 fi
-java -Djavax.net.ssl.trustStore=./certs/realhostip.keystore -Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues $@
+java -Djavax.net.ssl.trustStore=./certs/systemvm.keystore -Djdk.tls.ephemeralDHKeySize=2048 -Dlog.home=$LOGHOME -mx${maxmem}m -cp $CP com.cloud.agent.AgentShell $keyvalues $@
diff --git a/systemvm/agent/scripts/config_ssl.sh b/systemvm/agent/scripts/config_ssl.sh
index e9340b099f62..3968b2617f21 100755
--- a/systemvm/agent/scripts/config_ssl.sh
+++ b/systemvm/agent/scripts/config_ssl.sh
@@ -52,13 +52,13 @@ cflag=
 cpkflag=
 cpcflag=
 cccflag=
-customPrivKey=$(dirname $0)/certs/realhostip.key
-customPrivCert=$(dirname $0)/certs/realhostip.crt
+customPrivKey=$(dirname $0)/certs/systemvm.key
+customPrivCert=$(dirname $0)/certs/systemvm.crt
 customCertChain=
 customCACert=
 publicIp=
 hostName=
-keyStore=$(dirname $0)/certs/realhostip.keystore
+keyStore=$(dirname $0)/certs/systemvm.keystore
 defaultJavaKeyStoreFile=/etc/ssl/certs/java/cacerts
 defaultJavaKeyStorePass="changeit"
 aliasName="CPVMCertificate"
diff --git a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
index f7c071c8cc0e..c601f6ad2210 100755
--- a/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
@@ -65,7 +65,7 @@ patch_systemvm() {
 fi
 rm -fr $backupfolder
 # Import global cacerts into 'cloud' service's keystore
- keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true
+ keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/systemvm.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt || true
 return 0
 }
diff --git a/systemvm/patch-sysvms.sh b/systemvm/patch-sysvms.sh
index 88d720e0f32f..12f7eb50038d 100755
--- a/systemvm/patch-sysvms.sh
+++ b/systemvm/patch-sysvms.sh
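Review bot: In config_ssl.sh, `customPrivKey`, `customPrivCert` and `keyStore` now default to `certs/systemvm.*`, but the commit renames those files at 100% similarity, so the bundled default is still the old key pair, with a private key that is published in the repository and a certificate that was presumably issued for the retired domain. A comment above the defaults should say so, for example `# Bundled key pair is public and for bootstrap only; replaced when a custom certificate is supplied`, so that nobody reads the new neutral file name as a freshly generated identity. Whether the script always overrides these defaults before they are used is not visible in this hunk.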
@@ -126,7 +126,7 @@ patch_systemvm() {
 if [ "$TYPE" = "consoleproxy" ] || [ "$TYPE" = "secstorage" ]; then
 # Import global cacerts into 'cloud' service's keystore
- keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/realhostip.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt 2>/dev/null || true
+ keytool -importkeystore -srckeystore /etc/ssl/certs/java/cacerts -destkeystore /usr/local/cloud/systemvm/certs/systemvm.keystore -srcstorepass changeit -deststorepass vmops.com -noprompt 2>/dev/null || true
 fi
 update_checksum $newpath/cloud-scripts.tgz
diff --git a/systemvm/pom.xml b/systemvm/pom.xml
index 9bffc45cf4eb..ca9176ee85f9 100644
--- a/systemvm/pom.xml
+++ b/systemvm/pom.xml
@@ -205,7 +205,7 @@ javax.net.ssl.trustStore
- certs/realhostip.keystore
+ certs/systemvm.keystore
 log.home ${PWD}/
diff --git a/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java b/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java
index b7df14dc85d0..e50eefd466bf 100644
--- a/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java
+++ b/utils/src/test/java/org/apache/cloudstack/utils/imagestore/ImageStoreUtilTest.java
@@ -27,7 +27,7 @@ public class ImageStoreUtilTest {
 @Test
 public void testgenerateHttpsPostUploadUrl() throws MalformedURLException {
- String ssvmdomain = "*.realhostip.com";
+ String ssvmdomain = "*.example.com";
 String ipAddress = "10.147.28.14";
 String uuid = UUID.randomUUID().toString();
 String protocol = "https";
@@ -47,7 +47,7 @@ public void testgenerateHttpsPostUploadUrl() throws MalformedURLException {
 @Test
 public void testgenerateHttpPostUploadUrl() throws MalformedURLException {
- String ssvmdomain = "*.realhostip.com";
+ String ssvmdomain = "*.example.com";
 String ipAddress = "10.147.28.14";
 String uuid = UUID.randomUUID().toString();
 String protocol = "http";