On Mon, Apr 27, 2009 at 02:37:28PM -0700, Scott Beardsley wrote:
> I'm having a problem with remote TLS libvirt connections from an
> Ubuntu Jaunty client. I've reported the bug here[1] but haven't had
> any hits yet so I thought I'd come to the source. Let me know if y'all
> have any ideas or know of any bugs in the versions I'm using (see
> below). I just upgraded my client to Jaunty from Intrepid and I can no
> longer connect to Hardy or Intrepid libvirt servers that have TLS
> enabled. I get the following errors:
>
> $ virt-viewer -c qemu+tls://example.com/system virt.example.com
> libvir: Remote error : server certificate failed validation: The certificate is not trusted.
> libvir: Remote error : unable to connect to 'example.com': Invalid argument
> unable to connect to libvirt qemu+tls://example.com/system
>
> This error message comes from gnutls_certificate_verify_peers2() and
> maps to the annoyingly generic GNUTLS_CERT_INVALID error code.
>
> In the past (i.e. Hardy, Intrepid) I was able to use the following
> command. Now I get an error:
>
> $ virt-viewer -c qemu://example.com/system virt.example.com
> libvir: error : could not connect to qemu://example.com/system
> unable to connect to libvirt qemu://example.com/system
> $
>
> The server's config has not changed (I've tested against libvirt-bin
> versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
> have the CA certificate installed on both server and client (in
> /etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
> the server cert. Here is some proof that it *should* work:
I'd run some checks with the gnutls 'certtool' instead of openssl,
so you can be sure you're running the same SSL code as libvirt
uses. One random idea is that perhaps the newer GNUTLS in Jaunty
has stopped supporting some feature used in your certificates.
e.g. perhaps they finally disabled the MD5 algorithm for cert signing
or similar ideas. certtool may give you info if this is the case.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
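The checks Daniel suggests, worked through with certtool as an added example (editor's code, not from the thread, from Scott's setup or from libvirt): it builds a throwaway CA and server certificate in a temp dir using the same template fields libvirt's own TLS setup documentation uses, prints the signature algorithm certtool reports, flags an MD5/MD2 signature, and runs the chain through `certtool --verify-chain`, which exercises the same GnuTLS validation path libvirt hits in gnutls_certificate_verify_peers2() but prints the reason instead of the generic "not trusted". A second, unrelated CA is used to reproduce the failure case. The names good-ca, other-ca and example.com are made up for the demo, and the "Chain verification output: Verified" string is what current GnuTLS 3.x certtool prints; an older 2.x certtool may word it differently.

```shell
#!/bin/sh
# Added example (not from the thread or from libvirt): exercise a libvirt-style
# x509 setup with GnuTLS certtool, so the check runs through the same library
# libvirt links against. good-ca, other-ca and example.com are made-up names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key + cert under $WORK. The template fields
# (cn, ca, cert_signing_key) are the ones libvirt's TLS docs use.
make_ca() {
    name=$1
    certtool --generate-privkey --bits 2048 --outfile "$WORK/$name-key.pem" >/dev/null 2>&1
    printf 'cn = "%s"\nca\ncert_signing_key\nexpiration_days = 365\n' "$name" \
        > "$WORK/$name.info"
    certtool --generate-self-signed --load-privkey "$WORK/$name-key.pem" \
        --template "$WORK/$name.info" --outfile "$WORK/$name-cert.pem" >/dev/null 2>&1
}

# make_server_cert CA HOST: issue a TLS server certificate for HOST signed by CA.
make_server_cert() {
    ca=$1
    host=$2
    certtool --generate-privkey --bits 2048 --outfile "$WORK/$host-key.pem" >/dev/null 2>&1
    printf 'cn = "%s"\ndns_name = "%s"\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 365\n' \
        "$host" "$host" > "$WORK/$host.info"
    certtool --generate-certificate --load-privkey "$WORK/$host-key.pem" \
        --load-ca-certificate "$WORK/$ca-cert.pem" --load-ca-privkey "$WORK/$ca-key.pem" \
        --template "$WORK/$host.info" --outfile "$WORK/$host-cert.pem" >/dev/null 2>&1
}

# sig_algo CERT: print the signature algorithm certtool reports (e.g. RSA-SHA256).
sig_algo() {
    certtool -i --infile "$1" | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# is_weak_sig CERT: succeed if the cert is signed with MD5 or MD2, which newer
# GnuTLS releases reject outright (one of the suspects raised in the reply).
is_weak_sig() {
    case "$(sig_algo "$1")" in
        *MD5*|*MD2*) return 0 ;;
    esac
    return 1
}

# verify_chain CERT CA: validate CERT against the self-signed CA with certtool.
# Succeeds only when certtool reports the chain as verified; otherwise its full
# diagnosis goes to stderr, which is the detail the libvirt error message lacks.
verify_chain() {
    cat "$1" "$2" > "$WORK/chain.pem"
    out=$(certtool --verify-chain --infile "$WORK/chain.pem" 2>&1) || true
    case $out in
        *"Chain verification output: Verified"*) return 0 ;;
    esac
    printf '%s\n' "$out" >&2
    return 1
}

demo() {
    make_ca good-ca
    make_ca other-ca   # unrelated CA, to reproduce the "not trusted" failure
    make_server_cert good-ca example.com
    srv=$WORK/example.com-cert.pem
    echo "server cert signed with: $(sig_algo "$srv")"
    if is_weak_sig "$srv"; then echo "WARNING: weak signature algorithm"; fi
    if verify_chain "$srv" "$WORK/good-ca-cert.pem"; then
        echo "chain against good-ca: trusted"
    fi
    if ! verify_chain "$srv" "$WORK/other-ca-cert.pem" 2>/dev/null; then
        echo "chain against other-ca: NOT trusted (expected)"
    fi
}

if command -v certtool >/dev/null 2>&1; then
    demo
else
    echo "certtool not found; install gnutls-bin" >&2
fi
```

To apply this to a real deployment, point `sig_algo` and `verify_chain` at the installed /etc/pki/CA/cacert.pem and the server or client cert instead of the generated ones; certtool's per-certificate "Verification output" lines then say whether the failure is an untrusted issuer, an expired certificate, or an insecure algorithm, which is exactly what the GNUTLS_CERT_INVALID code from libvirt hides.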