[libvirt] Can't connect ESXi ssl with virsh

Hi,

I try to use virsh to connect to ESXi 5.0 with SSL:

[root@zheng ~]# virsh -c esx://10.66.6.211/
Enter username for 10.66.6.211 [root]:
Enter root's password for 10.66.6.211:
error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
error: failed to connect to the hypervisor

I created a new key signed by my CA certificate, still the same error. But I can use the vSphere client and https://10.66.6.211/, the new certs are OK.

Here are my steps:

1, create a CA center.

ENV prepare:
# cd /etc/pki/CA/
# mkdir {certs,crl,newcerts}
# touch index.txt
# echo 00 > serial

create private key:
[root@zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650
Generating a 2048 bit RSA private key
................................................................+++
...............................................+++
writing new private key to 'myroot.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:10.66.6.209
Email Address []:

[root@zheng CA]# mv myroot.key private/cakey.pem
[root@zheng CA]# mv myroot.crt cacert.pem

2, create private key and certificate request file for the ESXi 5.0 server.

# openssl req -new -nodes -out mycsr.csr
Generating a 2048 bit RSA private key
........+++
...............+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:10.66.6.211
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3, scp the certificate request file to the CA and certify it.

[root@zheng CA]# openssl ca -out rui.crt -infiles mycsr.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Mar  5 06:53:52 2012 GMT
            Not After : Mar  5 06:53:52 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = REDHAT
            organizationalUnitName    = QE
            commonName                = 10.66.6.211
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A
            X509v3 Authority Key Identifier:
                keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD

Certificate is to be certified until Mar  5 06:53:52 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4, change the ESXi to maintenance mode and change the ssl keys in /etc/vmware/ssl. Restart the hostd server, then quit maintenance mode.

5, test it with the vSphere client and Firefox. The new ssl keys work well.

6, [root@zheng ~]# virsh -c esx://10.66.6.211
Enter username for 10.66.6.211 [root]:
Enter root's password for 10.66.6.211:
error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
error: failed to connect to the hypervisor

So, I don't know if I have wrong steps or it's a bug?

On Mon, Mar 05, 2012 at 02:04:05AM -0500, Zhimou Peng wrote:
I didn't see any steps to install your self-signed CA certificate (cacert.pem in your example) on the client.

--
Thanks,
Hu Tao

Ehh..... Not familiar with it. Can you give me an example?

----- Original Message -----
From: "Hu Tao" <hutao@cn.fujitsu.com>
To: "Zhimou Peng" <zhpeng@redhat.com>
Cc: libvir-list@redhat.com, "Tingting Zheng" <tzheng@redhat.com>
Sent: Monday, March 5, 2012 3:22:22 PM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh
I didn't see any steps to install your self-signed CA certificate (cacert.pem in your example) on the client.

--
Thanks,
Hu Tao

And my CA is also my client in this case.

----- Original Message -----
From: "Zhimou Peng" <zhpeng@redhat.com>
To: "Hu Tao" <hutao@cn.fujitsu.com>
Cc: libvir-list@redhat.com, "Tingting Zheng" <tzheng@redhat.com>
Sent: Monday, March 5, 2012 3:42:38 PM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh

Ehh..... Not familiar with it. Can you give me an example?

----- Original Message -----
From: "Hu Tao" <hutao@cn.fujitsu.com>
To: "Zhimou Peng" <zhpeng@redhat.com>
Cc: libvir-list@redhat.com, "Tingting Zheng" <tzheng@redhat.com>
Sent: Monday, March 5, 2012 3:22:22 PM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh
I didn't see any steps to install your self-signed CA certificate (cacert.pem in your example) on the client.

--
Thanks,
Hu Tao

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

On Mon, Mar 05, 2012 at 02:50:51AM -0500, Zhimou Peng wrote:
And my CA is also my client in this case.
I just noticed it.
4, change the ESXi to maintenance mode and change the ssl keys in /etc/vmware/ssl. Restart the hostd server, then quit maintenance mode.

The steps for changing the default certificate that I read at http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/c... are not the same as yours. Though I don't know the difference, I think you can have a try.

--
Thanks,
Hu Tao

I'll have a try :) Thanks

----- Original Message -----
From: "Hu Tao" <hutao@cn.fujitsu.com>
To: "Zhimou Peng" <zhpeng@redhat.com>
Cc: libvir-list@redhat.com, "Tingting Zheng" <tzheng@redhat.com>
Sent: Monday, March 5, 2012 4:09:59 PM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh

Ehh... I followed the ESXi 5.0 guide (my ENV is ESXi):
http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.security.doc_50/G...
http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.soluti...
I ignored the steps for vCenter.

----- Original Message -----
From: "Zhimou Peng" <zhpeng@redhat.com>
To: "Hu Tao" <hutao@cn.fujitsu.com>
Cc: libvir-list@redhat.com, "Tingting Zheng" <tzheng@redhat.com>
Sent: Monday, March 5, 2012 4:19:29 PM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh

I'll have a try :) Thanks

----- Original Message -----
From: "Hu Tao" <hutao@cn.fujitsu.com>
To: "Zhimou Peng" <zhpeng@redhat.com>
Cc: libvir-list@redhat.com, "Tingting Zheng" <tzheng@redhat.com>
Sent: Monday, March 5, 2012 4:09:59 PM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh

2012/3/5 Zhimou Peng <zhpeng@redhat.com>:
4, change the ESXi to maintenance mode and change the ssl keys in /etc/vmware/ssl. Restart the hostd server, then quit maintenance mode.
Until here everything is fine. The ESXi server has a new and working SSL certificate.
5, test it with vsphere client and firefox. new ssl keys works well.
You should have tested with curl instead, because libvirt uses libcurl to talk to the ESXi server.

# curl https://10.66.6.211/sdk
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

And curl still gives you error number 60, the same as libvirt. This is correct because you missed the final step. You need to tell your client computer to trust your new CA certificate. The one you just created and used to sign the new SSL certificate with.

On a Debian-based system you need to do the following as root to trust the new CA certificate and make libcurl find it:

# mkdir /usr/share/ca-certificates/esx-certs
# cp /etc/pki/CA/cacert.pem /usr/share/ca-certificates/esx-certs/
# echo esx-certs/cacert.pem >> /etc/ca-certificates.conf
# update-ca-certificates

I've no clue how to do this on a Red Hat Linux-based system, that's your part to figure out :)

Now curl and virsh should work as expected.

--
Matthias Bolte
http://photron.blogspot.com
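The CA procedure from steps 1-3 of the original post and the check Matthias describes (verify the chain the way libcurl does, before blaming virsh), as an added shell example that is not part of the thread, libvirt or VMware. It assumes only the openssl command line tool. Two things are this example's own choices rather than the post's: the interactive openssl prompts are replaced by a self-contained config and -subj, and the ESXi address is put into a subjectAltName, which the post's CSR did not have (many clients match the address against the SAN rather than the CN). 10.66.6.211 is the ESXi host from the thread; the temp directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread, libvirt or VMware): redo steps 1-3
# of the original post non-interactively, with the ESXi address in a SAN, then
# check the result the way a TLS client such as libcurl (hence virsh) does, so
# the "known CA certificates (60)" failure is reproduced and explained without
# a hypervisor. Assumes only the openssl CLI; paths here are this example's own.
set -eu

# mint_certs DIR ADDRESS: write cakey.pem/cacert.pem (the private CA) and
# rui.key/rui.crt (the ESXi server certificate) under DIR. ADDRESS is an IP
# or a DNS name and goes into the SAN; a bare CN, as in the original post, is
# not enough for clients that only match subjectAltName.
mint_certs() {
    dir=$1; addr=$2
    mkdir -p "$dir"
    case $addr in
        *[!0-9.]*) san="DNS:$addr" ;;   # anything but digits and dots: a name
        *)         san="IP:$addr"  ;;
    esac
    # Self-contained config so nothing depends on the system openssl.cnf;
    # subjects are given with -subj, so [dn] stays empty.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = $san
EOF
    # Step 1, the CA. -nodes keeps the key unencrypted so the example runs
    # unattended; a real CA key should carry a passphrase as in the post.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=CN/O=REDHAT/OU=QE/CN=Example private CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
    # Step 2, the server key and CSR (CN kept as the address, as in the post).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/C=CN/O=REDHAT/OU=QE/CN=$addr" \
        -keyout "$dir/rui.key" -out "$dir/rui.csr" >/dev/null 2>&1
    # Step 3, sign with the CA, attaching the server extensions and the SAN.
    openssl x509 -req -sha256 -days 365 -in "$dir/rui.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_server \
        -out "$dir/rui.crt" >/dev/null 2>&1
}

# verify_chain DIR ADDRESS: what a client that trusts cacert.pem does, i.e.
# build the chain to the CA and check the certificate is for ADDRESS.
# Returns 0 only if both hold.
verify_chain() {
    dir=$1; addr=$2
    case $addr in
        *[!0-9.]*) openssl verify -CAfile "$dir/cacert.pem" \
                       -verify_hostname "$addr" "$dir/rui.crt" ;;
        *)         openssl verify -CAfile "$dir/cacert.pem" \
                       -verify_ip "$addr" "$dir/rui.crt" ;;
    esac >/dev/null 2>&1
}

# verify_with_default_store DIR: the thread's situation. The same certificate
# checked against the client's default trust store, which knows nothing about
# the private CA. This keeps failing until cacert.pem is installed on the client.
verify_with_default_store() {
    openssl verify "$1/rui.crt" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    mint_certs "$work" 10.66.6.211
    if verify_with_default_store "$work"; then
        echo "default store already trusts the CA (unexpected)"
    else
        echo "default store: rui.crt rejected (what libcurl/virsh see until the CA is installed)"
    fi
    if verify_chain "$work" 10.66.6.211; then
        echo "with cacert.pem: chain OK and SAN matches 10.66.6.211"
    else
        echo "BUG: chain does not verify even with cacert.pem"
    fi
    # A trusted chain alone is not enough; the address has to match as well.
    if verify_chain "$work" 10.66.6.209; then
        echo "BUG: certificate for 10.66.6.211 accepted for 10.66.6.209"
    else
        echo "with cacert.pem: rejected for 10.66.6.209 (address mismatch)"
    fi
}

main
```

Run as-is to see both outcomes side by side. To check a certificate already deployed on a host instead of a freshly minted one, fetch it with `openssl s_client -connect 10.66.6.211:443 -showcerts`, save the leaf to a file and give it to the same `openssl verify -CAfile cacert.pem -verify_ip 10.66.6.211` call; when that passes but `curl https://10.66.6.211/sdk` still reports error 60, the CA is simply not in the store libcurl reads on that client.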

Well, finally it works. Matthias, you're right. For Linux, we can add the cacert to the NSS db to let libcurl use it. So, this command:

certutil -d sql:/etc/pki/nssdb -A -t TC -n "esx" -i /root/cacert.pem

[root@localhost ~]# virsh -c esx://10.66.6.211
Enter username for 10.66.6.211 [root]:
Enter root's password for 10.66.6.211:
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

Thanks!
BR
zhpeng

----- Original Message -----
From: "Matthias Bolte" <matthias.bolte@googlemail.com>
To: "Zhimou Peng" <zhpeng@redhat.com>
Cc: libvir-list@redhat.com, "Tingting Zheng" <tzheng@redhat.com>
Sent: Friday, March 9, 2012 12:23:16 AM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh
participants (3)
- Hu Tao
- Matthias Bolte
- Zhimou Peng