Hi all,
The connection fails when the client connects to the hypervisor running on the server using TLS; the details
can be seen as follows:
I Test Procedures:
On server (10.66.92.154)
1. Set up a Certificate Authority (CA)
1.1 # certtool --generate-privkey > cakey.pem
1.2 self-sign cakey.pem by creating a file with the signature details called ca.info
containing:
cn=10.66.92.154
ca
cert_signing_key
1.3 # certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem
2. Create server certificates
2.1 certtool --generate-privkey > serverkey.pem
2.2 sign that key with the CA's private key by first creating a template file called
server.info
organization=Red Hat
cn=10.66.92.154
tls_www_server
encryption_key
signing_key
2.3 # certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem \
--load-ca-privkey cakey.pem --template server.info --outfile servercert.pem
3. Copy CA key and server key to correct directory
3.1 # cp cakey.pem cacert.pem /etc/pki/CA
3.2 # mkdir -p /etc/pki/libvirt/private
3.3 # cp serverkey.pem /etc/pki/libvirt/private
3.4 # cp servercert.pem /etc/pki/libvirt
4. Copy CA key to client (10.66.93.205) into correct directory
4.1 # scp cakey.pem cacert.pem root@10.66.93.205:/etc/pki/CA
5. Turn on libvirtd monitor listening in /etc/sysconfig/libvirtd
-- uncomment LIBVIRTD_ARGS="--listen"
6. Edit /etc/libvirt/libvirtd.conf
-- enable listen_tls = 1
7. # service libvirtd restart
8. # service iptables stop
On client (10.66.93.205)
9. Create client certificates
9.1 # certtool --generate-privkey > clientkey.pem
9.2 Act as CA and sign the certificate. Create client.info containing:
country=GB
state=London
locality=London
organization=Red Hat
cn=10.66.93.205
tls_www_client
encryption_key
signing_key
9.3 # certtool --generate-certificate --load-privkey clientkey.pem --load-ca-certificate /etc/pki/CA/cacert.pem \
--load-ca-privkey /etc/pki/CA/cakey.pem --template client.info --outfile clientcert.pem
10. Copy client key to correct directory
10.1 # mkdir -p /etc/pki/libvirt/private
10.2 # cp clientkey.pem /etc/pki/libvirt/private
10.3 # cp clientcert.pem /etc/pki/libvirt/
11. Connect to server hypervisor
# virsh -c qemu+tls://10.66.92.154/system
II Test Result:
[root@dhcp-93-205 images]# virsh -c qemu+tls://10.66.92.154/system
error: server verification (of our certificate or IP address) failed
error: failed to connect to the hypervisor
Note:
If I do Step 9 as above on the server, then the client can connect to the hypervisor running
on the server using TLS successfully.
Regards!
Johnson
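A small check of the file placement that steps 3, 4 and 10 above describe, added here as an example and not part of the original post or of libvirt. The paths follow the post; the `root` argument is an assumption so the check can be pointed at a copy of the tree instead of the live /etc/pki.

```python
"""Check the libvirt TLS file layout used in the procedure above.

Layout assumed from the post (relative to the PKI root, normally /etc/pki):
  CA/cacert.pem, libvirt/<role>cert.pem, libvirt/private/<role>key.pem
"""
import os
import stat

# Files each role needs, in the locations the post copies them to.
EXPECTED = {
    "server": ["CA/cacert.pem", "libvirt/servercert.pem", "libvirt/private/serverkey.pem"],
    "client": ["CA/cacert.pem", "libvirt/clientcert.pem", "libvirt/private/clientkey.pem"],
}

# PEM headers certtool writes for certificates and private keys.
PEM_MARKERS = {
    "cert": b"-----BEGIN CERTIFICATE-----",
    "key": (b"-----BEGIN RSA PRIVATE KEY-----",
            b"-----BEGIN PRIVATE KEY-----",
            b"-----BEGIN EC PRIVATE KEY-----"),
}


def _looks_like_pem(path, kind):
    """True if the file starts with a PEM header of the given kind."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    return head.lstrip().startswith(PEM_MARKERS[kind])


def check_tls_layout(root, role):
    """Return a list of problems for 'server' or 'client'; [] means the layout looks sane."""
    problems = []
    for rel in EXPECTED[role]:
        path = os.path.join(root, rel)
        kind = "key" if rel.endswith("key.pem") else "cert"
        if not os.path.isfile(path):
            problems.append("missing: " + rel)
            continue
        if not _looks_like_pem(path, kind):
            problems.append("not a PEM " + kind + ": " + rel)
        # certtool and cp leave keys world-readable under the default umask.
        if kind == "key" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append("private key readable by group/others: " + rel)
    # Step 4.1 copies cakey.pem to the client; the CA private key is only needed where signing happens.
    if role == "client" and os.path.isfile(os.path.join(root, "CA/cakey.pem")):
        problems.append("CA private key present on client: CA/cakey.pem")
    return problems


if __name__ == "__main__":
    for problem in check_tls_layout("/etc/pki", "client"):
        print(problem)
```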