[libvirt] virsh qemu+tls login error

Hi all,

On the client side, the certificates (cacert.pem, clientcert.pem, clientkey.pem) are in position. spicec can connect to the server (kvm host) successfully, and 'virsh -c qemu+tcp' works well, but the virsh command line gives an error when launching virsh -c qemu+tls:

[root@ovirtdev libvirt]# virsh -d 0 -c qemu+tls://192.168.5.113/system hostname
commands: "hostname"
2013-03-06 07:05:22.716+0000: 22245: info : libvirt version: 0.9.10, package: 21.el6_3.8 (CentOS BuildSystem <http://bugs.centos.org>, 2013-01-28-19:24:16, c6b10.bsys.dev.centos.org)
2013-03-06 07:05:22.716+0000: 22245: warning : virNetTLSContextCheckCertificate:1093 : Certificate check failed Certificate failed validation: The certificate hasn't got a known issuer.
error: authentication failed: Failed to verify peer's certificate
error: failed to connect to the hypervisor
[root@ovirtdev libvirt]#

On Wed, Mar 06, 2013 at 03:13:34PM +0800, yue wrote:
> Hi all,
>
> On the client side, the certificates (cacert.pem, clientcert.pem, clientkey.pem) are in position. spicec can connect to the server (kvm host) successfully, and 'virsh -c qemu+tcp' works well, but the virsh command line gives an error when launching virsh -c qemu+tls:
>
> [root@ovirtdev libvirt]# virsh -d 0 -c qemu+tls://192.168.5.113/system hostname
> commands: "hostname"
> 2013-03-06 07:05:22.716+0000: 22245: info : libvirt version: 0.9.10, package: 21.el6_3.8 (CentOS BuildSystem <http://bugs.centos.org>, 2013-01-28-19:24:16, c6b10.bsys.dev.centos.org)
> 2013-03-06 07:05:22.716+0000: 22245: warning : virNetTLSContextCheckCertificate:1093 : Certificate check failed Certificate failed validation: The certificate hasn't got a known issuer.
> error: authentication failed: Failed to verify peer's certificate
> error: failed to connect to the hypervisor
> [root@ovirtdev libvirt]#

This means that the certificate did not validate against the CA certificate, i.e. the server's cert was not signed by the CA cert that the client has.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
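
The mismatch described in the reply above can be reproduced and checked offline. This is an added example, not part of the original thread; it assumes the openssl CLI is available, and the CA names, subjects and temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). CA names, subjects and file names are
# constructed; the openssl CLI is an assumption about the tooling at hand.

# issuer_check CAFILE CERT: does CERT chain to the CA in CAFILE?
# Prints trusted, unknown-issuer or other-failure.
issuer_check() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo trusted
        return 0
    fi
    case $out in
        *"unable to get local issuer certificate"*) echo unknown-issuer ;;
        *) echo other-failure ;;
    esac
}

# make_ca DIR NAME: self-signed CA written to DIR/NAME.pem and DIR/NAME-key.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Demo/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2.pem" 2>/dev/null
}

# make_server_cert DIR CA_NAME: DIR/servercert.pem signed by DIR/CA_NAME.pem
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Demo/CN=kvmhost.example" \
        -keyout "$1/serverkey.pem" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 1 -CAcreateserial \
        -CA "$1/$2.pem" -CAkey "$1/$2-key.pem" -out "$1/servercert.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca-on-server          # CA that really signed the server cert
    make_ca "$d" ca-on-client          # unrelated CA installed as the client's cacert.pem
    make_server_cert "$d" ca-on-server
    # Compare who issued the server cert with who the client trusts.
    openssl x509 -in "$d/servercert.pem" -noout -issuer
    openssl x509 -in "$d/ca-on-client.pem" -noout -subject
    echo "against client CA: $(issuer_check "$d/ca-on-client.pem" "$d/servercert.pem")"
    echo "against server CA: $(issuer_check "$d/ca-on-server.pem" "$d/servercert.pem")"
    rm -rf "$d"
}

demo
```

On a real setup, issuer_check can be pointed at the client's cacert.pem and a copy of the server's certificate; an unknown-issuer result corresponds to the situation the reply describes.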

How to deal with it?

At 2013-03-06 17:37:50, "Daniel P. Berrange" <berrange@redhat.com> wrote:
> This means that the certificate did not validate against the CA certificate, i.e. the server's cert was not signed by the CA cert that the client has.

participants (2)
- Daniel P. Berrange
- yue