[PATCH] docs: kbase/tlscerts: mention dropped 'encryption_key'
Older libvirt versions still only work if 'encryption_key' is enabled
in the server and client certificates. Add a note.
While at it, also add a note that after setting the certificates up,
the TLS ports need to be restarted because I haven't found a mention
of it elsewhere.
Signed-off-by: Sebastian Mitterle <smitterl(a)redhat.com>
---
docs/kbase/tlscerts.rst | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst
index 215d454998..a1ea4d5f21 100644
--- a/docs/kbase/tlscerts.rst
+++ b/docs/kbase/tlscerts.rst
@@ -213,6 +213,10 @@ clients to reach the server, both with and without domain name
qualifiers. If
clients are likely to connect to the server by IP address, then one or more
'ip_address' fields should also be added.
+Important: If you're running a libvirt version before 11.6.0 you need to also add
+``encryption_key`` to the template. Previous versions required this.
+
+
Use the template file as input to a ``certtool`` command to sign the server
certificate:
@@ -299,7 +303,11 @@ briefly cover the steps.
tls_www_client
signing_key
- and sign by doing:
+
+ Important: If you're running a libvirt version before 11.6.0 you need to also add
+ ``encryption_key`` to the template. Previous versions required this.
+
+ Create the certificate by running:
::
@@ -317,10 +325,17 @@ briefly cover the steps.
Troubleshooting TLS certificate problems
----------------------------------------
-failed to verify client's certificate
- On the server side, run the libvirtd server with the '--listen' and
- '--verbose' options while the client is connecting. The verbose log messages
- should tell you enough to diagnose the problem.
+* TLS socket
+
+ After setting up your server certificates you'll have to restart the TLS socket
+ ``systemctl restart virtproxyd-tls.socket`` for modular daemon setup, or
+ ``systemctl restart libvirtd-tls.socket`` for the monolithic daemon setup.
+
+* failed to verify client's certificate
+
+ On the server side, run the libvirtd server with the '--listen' and
+ '--verbose' options while the client is connecting. The verbose log messages
+ should tell you enough to diagnose the problem.
You can use the virt-pki-validate shell script to analyze the setup on the
client or server machines, preferably as root. It will try to point out the
--
2.50.1