4:37 p.m.
I'm having a problem with remote TLS libvirt connections from an
Ubuntu Jaunty client. I've reported the bug here[1] but haven't had
any hits yet so I thought I'd come to the source. Let me know if ya'll
have any ideas or know of any bugs in the versions I'm using (see
below). I just upgraded my client to Jaunty from Intrepid and I can no
longer connect to Hardy or Intrepid libvirt servers that have TLS
enabled. I get the following errors:
$ virt-viewer -c qemu+tls://example.com/system virt.example.com
libvir: Remote error : server certificate failed validation: The
certificate is not trusted.
libvir: Remote error : unable to connect to 'example.com': Invalid argument
unable to connect to libvirt qemu+tls://example.com/system
$
In the past (ie hardy, intrepid) I was able to use the following
command. Now I get an error:
$ virt-viewer -c qemu://example.com/system virt.example.com
libvir: error : could not connect to qemu://example.com/system
unable to connect to libvirt qemu://example.com/system
$
The server's config has not changed (I've tested against libvirt-bin
versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
have the CA certificate installed on both server and client (in
/etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
the server cert. Here is some proof that it *should* work:
$ openssl s_client -CAfile /etc/pki/CA/cacert.pem -cert
/etc/pki/libvirt/clientcert.pem -key
/etc/pki/libvirt/private/clientkey.pem -connect example.com:16514
2>/dev/null|sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
servercert.pem
$ openssl verify -CAfile /etc/pki/CA/cacert.pem
servercert.pem
servercert.pem: OK
$ openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/libvirt/clientcert.pem
/etc/pki/libvirt/clientcert.pem: OK
$
When I run strace against virt-viewer I can see that it is accessing
and (successfully opening) the correct certs/keys:
$ grep /etc/pki /tmp/out
stat64("/etc/pki/CA/cacert.pem", {st_mode=S_IFREG|0644, st_size=1716, ...}) = 0
stat64("/etc/pki/libvirt/private/clientkey.pem",
{st_mode=S_IFREG|0644, st_size=887, ...}) = 0
stat64("/etc/pki/libvirt/clientcert.pem", {st_mode=S_IFREG|0644,
st_size=1172, ...}) = 0
open("/etc/pki/CA/cacert.pem", O_RDONLY) = 5
open("/etc/pki/libvirt/private/clientkey.pem", O_RDONLY) = 5
open("/etc/pki/libvirt/clientcert.pem", O_RDONLY) = 5
$
Thanks in advance,
Scott
------------
[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/366455
4:59 p.m.
On Mon, Apr 27, 2009 at 02:37:28PM -0700, Scott Beardsley wrote:
I'm having a problem with remote TLS libvirt connections from an
Ubuntu Jaunty client. I've reported the bug here[1] but haven't had
any hits yet so I thought I'd come to the source. Let me know if ya'll
have any ideas or know of any bugs in the versions I'm using (see
below). I just upgraded my client to Jaunty from Intrepid and I can no
longer connect to Hardy or Intrepid libvirt servers that have TLS
enabled. I get the following errors:
$ virt-viewer -c qemu+tls://example.com/system virt.example.com
libvir: Remote error : server certificate failed validation: The
certificate is not trusted.
libvir: Remote error : unable to connect to 'example.com': Invalid argument
unable to connect to libvirt qemu+tls://example.com/system
This error message comes from gnutls_certificate_verify_peers2() and
maps to the annoyingly generic GNUTLS_CERT_INVALID error code.
In the past (ie hardy, intrepid) I was able to use the following
command. Now I get an error:
$ virt-viewer -c qemu://example.com/system virt.example.com
libvir: error : could not connect to qemu://example.com/system
unable to connect to libvirt qemu://example.com/system
$
The server's config has not changed (I've tested against libvirt-bin
versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
have the CA certificate installed on both server and client (in
/etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
the server cert. Here is some proof that it *should* work:
I'd run some checks with the gnutls 'certtool' instead of openssl,
so you can be sure you're running the same SSL code as libvirt
uses. One random idea is that perhaps the newer GNUTLS in Jaunty
has stopped supporting some feature used in your certificates.
eg perhaps they finally disabled md5 algorithm for cert signing
or similar ideas. certtool may give you info if this is the case
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
7:05 p.m.
New subject: [libvirt] qemu+tls server certificate validation failure (The certificate is not trusted)
This error message comes from gnutls_certificate_verify_peers2() and
maps to the annoyingly generic GNUTLS_CERT_INVALID error code.
indeed
> The server's config has not changed (I've tested against
libvirt-bin
> versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
> have the CA certificate installed on both server and client (in
> /etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
> the server cert. Here is some proof that it *should* work:
I'd run some checks with the gnutls 'certtool' instead of openssl,
so you can be sure you're running the same SSL code as libvirt
uses. One random idea is that perhaps the newer GNUTLS in Jaunty
has stopped supporting some feature used in your certificates.
eg perhaps they finally disabled md5 algorithm for cert signing
or similar ideas. certtool may give you info if this is the case
I just verified that our self-signed CA uses MD5 (boo). I'll have to
look into whether a SHA CA fixes the problem. I'm using gnutls
v2.4.2-6 (on the client side, 2.4.1-1ubuntu0.2 on the server side).
There is a changelog here[1]. According to that log:
"Verifying untrusted X.509 certificates signed with RSA-MD2 or RSA-MD5
will now fail with a GNUTLS_CERT_INSECURE_ALGORITHM verification
output."
I'm curious if there is a different problem. Or, perhaps virt-viewer
is detecting GNUTLS_CERT_INSECURE_ALGORITHM as GNUTLS_CERT_INVALID ?
Either way, we should fix our CA.
BTW, will certtool verify certs ala "openssl verify" ?
Scott
---------
[1]
http://changelogs.ubuntu.com/changelogs/pool/main/g/gnutls26/gnutls26_2.4...
7:44 p.m.
New subject: [libvirt] qemu+tls server certificate validation failure (The certificate is not trusted)
BTW, will certtool verify certs ala "openssl verify" ?
$ certtool --verify-chain --infile /etc/pki/CA/cacert.pem |grep Verification
Verification output: Verified.
I found the verify-chain option but it doesn't like it when I add my
x509 client cert.
5686
days inactive
5687
days old
3 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Scott Beardsley