This error message comes from gnutls_certificate_verify_peers2() and
maps to the annoyingly generic GNUTLS_CERT_INVALID error code.
Indeed.
> The server's config has not changed (I've tested against libvirt-bin
> versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
> have the CA certificate installed on both server and client (in
> /etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
> the server cert. Here is some proof that it *should* work:
I'd run some checks with the gnutls 'certtool' instead of openssl,
so you can be sure you're running the same SSL code as libvirt
uses. One random idea is that perhaps the newer GNUTLS in Jaunty
has stopped supporting some feature used in your certificates.
e.g. perhaps they finally disabled the md5 algorithm for cert signing
or similar ideas. certtool may give you info if this is the case.
I just verified that our self-signed CA uses MD5 (boo). I'll have to
look into whether a SHA CA fixes the problem. I'm using gnutls
v2.4.2-6 (on the client side, 2.4.1-1ubuntu0.2 on the server side).
There is a changelog here[1]. According to that log:
"Verifying untrusted X.509 certificates signed with RSA-MD2 or RSA-MD5
will now fail with a GNUTLS_CERT_INSECURE_ALGORITHM verification
output."
I'm curious if there is a different problem. Or, perhaps virt-viewer
is detecting GNUTLS_CERT_INSECURE_ALGORITHM as GNUTLS_CERT_INVALID ?
Either way, we should fix our CA.
BTW, will certtool verify certs à la "openssl verify"?
Scott
---------
[1] http://changelogs.ubuntu.com/changelogs/pool/main/g/gnutls26/gnutls26_2.4...
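Since the thread hinges on whether the CA (and the certs it signed) use an RSA-MD5 or RSA-MD2 signature, here is an added example, not from the thread or from libvirt/GnuTLS, that reads the outer signatureAlgorithm OID straight out of a PEM or DER certificate with only the Python standard library. The embedded sample "certificate" is constructed by hand (empty tbsCertificate, md5WithRSAEncryption AlgorithmIdentifier, empty signature) purely to exercise the parser; point signature_algorithm() at /etc/pki/CA/cacert.pem and the client/server certs to check your own.

```python
import base64
import re

# Signature-algorithm OIDs relevant to the thread: RSA with MD2/MD5 (now rejected) vs SHA-256.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """Convert DER OID content bytes to dotted-decimal text."""
    arcs = [2, value[0] - 80] if value[0] >= 80 else [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                     # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(cert):
    """Accept PEM (str or bytes) or raw DER bytes and return DER bytes."""
    if isinstance(cert, bytes) and b"-----BEGIN" not in cert:
        return cert
    text = cert.decode() if isinstance(cert, bytes) else cert
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", text).split()))

def signature_algorithm(cert):
    """Return (oid, name, insecure) for the certificate's outer signatureAlgorithm."""
    _, body, _ = _read_tlv(pem_to_der(cert), 0)      # Certificate ::= SEQUENCE { ... }
    _, _, pos = _read_tlv(body, 0)                   # skip tbsCertificate
    _, alg_id, _ = _read_tlv(body, pos)              # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = _decode_oid(oid_bytes)
    return (oid, *SIGNATURE_OIDS.get(oid, ("unknown", False)))

def _der(tag, content):                     # short-form DER encoder for the constructed sample only
    return bytes([tag, len(content)]) + content

# Constructed minimal structure, not a real certificate: enough DER to exercise the parser.
SAMPLE_MD5_CERT = _der(0x30, _der(0x30, b"") + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010104")) + _der(0x05, b"")) + _der(0x03, b"\x00"))
SAMPLE_MD5_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_MD5_CERT).decode() + "\n-----END CERTIFICATE-----\n"
```

A True third element means GnuTLS 2.4 and later will report the chain as GNUTLS_CERT_INSECURE_ALGORITHM rather than verify it.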