Re: [libvirt] Can't connect ESXi ssl with virsh

Hi, I try to use virsh connect ESXi5.0 with ssl [root@zheng ~]# virsh -c esx://10.66.6.211/ Enter username for 10.66.6.211 [root]: Enter root's password for 10.66.6.211: error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates error: failed to connect to the hypervisor I create kew key singed by my CA certificate, still the same error. But i can use vsphere client and https://10.66.6.211/， the new certs are ok. Here are my steps: 1, create a CA center. ENV prepare: # cd /etc/pki/CA/ # mkdir {certs,crl,newcerts} # touch index.txt # echo 00 > serial create private key: [root@zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650 Generating a 2048 bit RSA private key ................................................................+++ ...............................................+++ writing new private key to 'myroot.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BEIJING Locality Name (eg, city) [Default City]:BEIJING Organization Name (eg, company) [Default Company Ltd]:REDHAT Organizational Unit Name (eg, section) []:QE Common Name (eg, your name or your server's hostname) []:10.66.6.209 Email Address []: [root@zheng CA]# mv myroot.key private/cakey.pem [root@zheng CA]# mv myroot.crt cacert.pem 2, create private key and certificate request file for ESXi5.0 server. # openssl req -new -nodes -out mycsr.csr Generating a 2048 bit RSA private key ........+++ ...............+++ writing new private key to 'privkey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BEIJING Locality Name (eg, city) [Default City]:BEIJING Organization Name (eg, company) [Default Company Ltd]:REDHAT Organizational Unit Name (eg, section) []:QE Common Name (eg, your name or your server's hostname) []:10.66.6.211 Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: 3,scp the certificate request file to CA and certificate it. [root@zheng CA]# openssl ca -out rui.crt -infiles mycsr.csr Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 0 (0x0) Validity Not Before: Mar 5 06:53:52 2012 GMT Not After : Mar 5 06:53:52 2013 GMT Subject: countryName = CN stateOrProvinceName = BEIJING organizationName = REDHAT organizationalUnitName = QE commonName = 10.66.6.211 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A X509v3 Authority Key Identifier: keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD Certificate is to be certified until Mar 5 06:53:52 2013 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated 4, change the ESXi to maintance mode and change ssl keys on /etc/vmware/ssl. restart hostd server then quit the maintance mode. 5, test it with vsphere client and firefox. new ssl keys works well. 6,[root@zheng ~]# virsh -c esx://10.66.6.211 Enter username for 10.66.6.211 [root]: Enter root's password for 10.66.6.211: error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates error: failed to connect to the hypervisor