Well, finally it works.
Matthias, you're right. For Linux, we can add the cacert to nssdb to let libcurl use it.
So, this command:
certutil -d sql:/etc/pki/nssdb -A -t TC -n "esx" -i /root/cacert.pem
[root@localhost ~]# virsh -c esx://10.66.6.211
Enter username for 10.66.6.211 [root]:
Enter root's password for 10.66.6.211:
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
Thanks!
BR
zhpeng
----- Original Message -----
From: "Matthias Bolte" <matthias.bolte(a)googlemail.com>
To: "Zhimou Peng" <zhpeng(a)redhat.com>
Cc: libvir-list(a)redhat.com, "Tingting Zheng" <tzheng(a)redhat.com>
Sent: Friday, March 9, 2012 12:23:16 AM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh
2012/3/5 Zhimou Peng <zhpeng(a)redhat.com>:
Hi,
I tried to use virsh to connect to ESXi 5.0 with SSL:
[root@zheng ~]# virsh -c esx://10.66.6.211/
Enter username for 10.66.6.211 [root]:
Enter root's password for 10.66.6.211:
error: internal error curl_easy_perform() returned an error: Peer certificate cannot be
authenticated with known CA certificates (60) : Peer certificate cannot be authenticated
with known CA certificates
error: failed to connect to the hypervisor
I created a new key signed by my CA certificate; still the same error.
But I can use the vSphere Client and https://10.66.6.211/; the new certs are OK.
Here are my steps:
1, create a CA center.
ENV prepare:
# cd /etc/pki/CA/
# mkdir {certs,crl,newcerts}
# touch index.txt
# echo 00 > serial
create private key:
[root@zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650
Generating a 2048 bit RSA private key
................................................................+++
...............................................+++
writing new private key to 'myroot.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:10.66.6.209
Email Address []:
[root@zheng CA]# mv myroot.key private/cakey.pem
[root@zheng CA]# mv myroot.crt cacert.pem
2, create a private key and certificate request file for the ESXi 5.0 server.
# openssl req -new -nodes -out mycsr.csr
Generating a 2048 bit RSA private key
........+++
...............+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:10.66.6.211
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3, scp the certificate request file to the CA and sign it.
[root@zheng CA]# openssl ca -out rui.crt -infiles mycsr.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 5 06:53:52 2012 GMT
Not After : Mar 5 06:53:52 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = REDHAT
organizationalUnitName = QE
commonName = 10.66.6.211
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A
X509v3 Authority Key Identifier:
keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD
Certificate is to be certified until Mar 5 06:53:52 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4, put the ESXi host into maintenance mode and replace the SSL keys in /etc/vmware/ssl. Restart the hostd server, then exit maintenance mode.
Until here everything is fine. The ESXi server has a new and working
SSL certificate.
5, test it with the vSphere Client and Firefox. The new SSL keys work well.
You should have tested with curl instead, because libvirt uses libcurl
to talk to the ESXi server.
# curl https://10.66.6.211/sdk
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here:
http://curl.haxx.se/docs/sslcerts.html
And curl still gives you error number 60, the same as libvirt.
This is correct because you missed the final step. You need to tell
your client computer to trust your new CA certificate. The one you
just created and used to sign the new SSL certificate with.
On a Debian-based system you need to do the following as root to trust
the new CA certificate and make libcurl find it:
# mkdir /usr/share/ca-certificates/esx-certs
# cp /etc/pki/CA/cacert.pem /usr/share/ca-certificates/esx-certs/
# echo esx-certs/cacert.pem >> /etc/ca-certificates.conf
# update-ca-certificates
I've no clue how to do this on a Red Hat Linux-based system, that's
your part to figure out :)
Now curl and virsh should work as expected.
--
Matthias Bolte
http://photron.blogspot.com
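The thread's steps 1 to 3 together with Matthias's point about the missing trust step, as an added shell example that is not code from the thread, from libvirt or from VMware: it builds the private CA and the CA-signed leaf certificate for 10.66.6.211 non-interactively with openssl in a scratch directory, then verifies the leaf once without and once with the CA in the verifier's trust set, which is exactly the difference between curl's error 60 and a working connection. The subject fields and IP addresses are the thread's; the scratch directory, the unencrypted CA key (-nodes instead of the pass phrase zhpeng used), the file names rui.key and server.ext, and the iPAddress subjectAltName on the leaf are assumptions of this example, the SAN being added because many newer TLS clients ignore the CN when matching the host.

```shell
#!/bin/sh
# Added example, not from the thread or from libvirt: the thread's CA and
# server certificate steps, scripted, followed by the chain verification
# that libcurl performs and that fails with error 60 until the CA is trusted.
# Subjects and IPs are the thread's; the scratch dir, the unencrypted CA key
# and the iPAddress SAN on the leaf are assumptions of this example.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Step 1: a private CA. The thread encrypted cakey.pem with a pass phrase;
# -nodes skips that here so the script runs without prompts.
make_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=REDHAT/OU=QE/CN=10.66.6.209" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Steps 2 and 3: server key and CSR for the ESXi host, signed by the CA.
# CA:FALSE matches what "openssl ca" put into rui.crt in the thread; the
# subjectAltName is an addition so clients that ignore the CN still match.
make_server_cert() {
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=REDHAT/OU=QE/CN=10.66.6.211" \
        -keyout "$WORK/rui.key" -out "$WORK/mycsr.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:10.66.6.211\n' \
        > "$WORK/server.ext"
    openssl x509 -req -days 365 -in "$WORK/mycsr.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/rui.crt" 2>/dev/null
}

# A client that does not trust the private CA cannot build the chain.
# This is the state behind "curl: (60) SSL certificate problem" in the thread.
verify_without_ca() {
    openssl verify "$WORK/rui.crt" >/dev/null 2>&1
}

# The same leaf once the CA is trusted: update-ca-certificates on Debian,
# or zhpeng's certutil -A into the NSS DB for an NSS-built libcurl.
verify_with_ca() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/rui.crt" >/dev/null 2>&1
}

# Confirms the leaf carries the IP SAN and is not itself marked as a CA.
leaf_looks_right() {
    openssl x509 -in "$WORK/rui.crt" -noout -text > "$WORK/rui.txt"
    grep -q 'IP Address:10.66.6.211' "$WORK/rui.txt" &&
        grep -q 'CA:FALSE' "$WORK/rui.txt"
}

make_ca
make_server_cert
if verify_without_ca; then
    echo "unexpected: rui.crt verified without trusting cacert.pem" >&2
    exit 1
fi
verify_with_ca
leaf_looks_right
echo "rui.crt verifies against cacert.pem in $WORK"
```

Two things worth keeping in mind when applying this to the thread's setup. First, `openssl verify` only exercises chain building; libcurl additionally matches the host you connected to against the certificate, so the leaf's CN (or, with the SAN above, its iPAddress entry) has to be the address used in the esx:// URI. Second, zhpeng's fix targets the NSS database because the libcurl on his Red Hat system is built against NSS rather than OpenSSL, which is why a CA that Firefox and the vSphere Client already accepted still had to be imported with certutil; the `-t TC` trust flags mark it as a trusted CA for SSL, the NSS counterpart of Matthias's update-ca-certificates step.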