On Sun, Sep 15, 2013 at 9:34 PM, Dan Kenigsberg
<danken(a)redhat.com> wrote:
> On Sun, Sep 15, 2013 at 08:44:18PM +1000, Andrew Lau wrote:
> > On Sun, Sep 15, 2013 at 8:00 PM, Dan Kenigsberg <danken(a)redhat.com>
> wrote:
> >
> > > On Sun, Sep 15, 2013 at 06:48:41PM +1000, Andrew Lau wrote:
> > > > Hi Dan,
> > > >
> > > > Certainly, I've uploaded them to fedora's paste bin and tried
to snip
> > > just
> > > > the relevant details.
> > > >
> > > > Sender (
hv01.melb.domain.net):
> > > >
http://paste.fedoraproject.org/39660/92339651/
> > >
> > > This one has
> > >
> > > libvirtError: operation failed: Failed to connect to remote libvirt
> > > URI
qemu+tls://hv02.melb.domain.net/system
> > >
> > > which is most often related to firewall issues, and some time to key
> > > mismatch.
> > >
> > > Does
> > > virsh -c
qemu+tls://hv02.melb.domain.net/system capabilities
> > > work when run from the command line of hv01?
> > >
> > > Dan.
> > > > Receiver (
hv02.melb.domain.net): `
> > > >
http://paste.fedoraproject.org/39661/23406913/
> > > >
> > > > VM being transfered is ovirt_guest_vm
> > > >
> > > > Thanks,
> > > > Andrew
> > >
> >
> > virsh -c
qemu+tls://hv02.melb.domain.net/system
> > 2013-09-15 10:41:10.620+0000: 23994: info : libvirt version: 0.10.2,
> > package: 18.el6_4.9 (CentOS BuildSystem <
http://bugs.centos.org>,
> > 2013-07-02-11:19:29,
c6b8.bsys.dev.centos.org)
> > 2013-09-15 10:41:10.620+0000: 23994: warning :
> > virNetTLSContextCheckCertificate:1102 : Certificate check failed
> > Certificate failed validation: The certificate hasn't got a known issuer.
>
> Would you share your
>
>
> openssl x509 -in
> /etc/pki/vdsm/certs/cacert.pem -text
>
> openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -text
>
> on both hosts? This content may be sensitive, and may not
> provide an answer why libvirt on src cannot contact libvirtd on the
> other host. So before you do that, would you test if
>
>
> vdsClient -s
hv02.melb.domain.net getVdsCapabilities
>
> works when run on hv01? It may be that the certificates are fine, but
> libvirt is not configured to use the correct ones.
>
> Dan.
>
>
vdsClient -s
hv02.melb.domain.net getVdsCapabilities runs fine
I did a quick comparison between the files on both hosts, they seem to have
the right details (host names, authority etc.)
cacert.pem matches
/etc/libvirt/libvirtd.conf
ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"