[libvirt] TLS for libvirt remote access

After generating TLS certificates for Libvirt remote access, I test the certificates by running pki_check.sh and get the following message: The CA certificate and the client certificate do not match

What can cause this message?

I guess this is a problem as I am trying to access remotely the host machine and fail with a message of: libvir: Remote error : Connection refused

That happens even if I use a client and server on the same machine and try: sudo virsh -c qemu://localhost/defualt. I am using libvirt 0.6.

Can I get first a connection with no certificate/encryption by using URI = qemu+tcp://... by making the needed change on the libvirtd.conf file on the server side? That did not work either.

I followed the instructions in the Libvirt Web Site (generate a CA private key and certificate, then the client and server keys and certificates, and copy them to appropriate locations). Also restarted the libvirtd with the --listen --verbose flags on the server side.

What can be wrong with my steps?

Zvi Dubitzky
Virtualization and System Architecture
Email: dubi@il.ibm.com
IBM Haifa Research Laboratory
Phone: +972-4-8296182
Haifa, 31905, ISRAEL

Zvi Dubitzky wrote:
After generating TLS certificates for Libvirt remote access , I test the certificates by running pki_check.sh and get the following message : The CA certificate and the client certificate do not match
What can cause this message ?
I guess this is a problem as I am trying to access remotely the host machine and fail with a message of :libvir: Remote error : Connection refused
That happens even if I use a client and server on the same machine and try : sudo virsh -c qemu://localhost/defualt. I am using libvirt 0.6.
You have quite a few problems in your configuration here, including using the wrong URI, and most probably an iptables problem. However, let's start simply...
can I get first a connection with no certificate/encryption by using URI = qemu+tcp://... by making the needed change on the libvirtd.conf file on the server side ? that did not work either
To begin with, I would start with just getting tcp going. It's totally insecure, but it's a good initial test of getting everything up and running. To do that, you have to enable "listen_tcp" in libvirtd.conf. You *also* have to change "auth_tcp" to "none" in libvirtd.conf; otherwise, it automatically tries to use SASL for authentication, which you don't want at this point. Then you need to start up libvirtd --verbose --listen.

At this point, you should be able to do: virsh -c qemu+tcp://hostname/system list --all, and get at least "empty" output from the virsh list command. If you get a "connection refused", you most likely have a firewall blocking the port that libvirtd is listening on; you'll have to open up that port.

Assuming you get the above working, go back into libvirtd.conf and disable TCP (like I said, it opens up a security issue). Then go back to the instructions on the website for generating and using TLS, and make sure you've followed the directions exactly. I've used those instructions many times, and they work just fine. Once you think you have it configured, then you can try: virsh -c qemu+tls://hostname/system list --all, and see if that works. Again, if you get "connection refused", it probably means your firewall is in the way; libvirtd uses a different port for listen_tcp and listen_tls.

--
Chris Lalancette
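The two stages Chris describes (a plain-TCP smoke test with auth_tcp set to "none", then TLS only with TCP disabled) and his remark that the two listeners use different ports, as an added example that is not part of the thread: a small POSIX shell checker that reads a libvirtd.conf and reports which remote listeners it enables and which ports a firewall must therefore allow. The libvirtd.conf fragments below are constructed here, not taken from the poster's host; the defaults the checker assumes when a key is commented out (listen_tls on, listen_tcp off, auth_tcp "sasl", tcp_port 16509, tls_port 16514) are libvirt's documented defaults.

```shell
#!/bin/sh
# Added example (not from the thread): classify a libvirtd.conf by the remote
# listeners it enables, so the insecure TCP test stage is not left switched on.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the initial plain-TCP test stage from the reply.
printf '%s\n' 'listen_tls = 0' 'listen_tcp = 1' 'auth_tcp = "none"' \
    'tcp_port = "16509"' > "$tmp/tcp.conf"

# Constructed sample: the final TLS-only stage (TCP disabled again).
printf '%s\n' 'listen_tls = 1' 'listen_tcp = 0' 'auth_tls = "none"' \
    'tls_port = "16514"' > "$tmp/tls.conf"

# Constructed sample: both listeners on, auth_tcp left at its default.
printf '%s\n' 'listen_tls = 1' 'listen_tcp = 1' > "$tmp/both.conf"

# Constructed sample: everything commented out (libvirt defaults apply).
printf '%s\n' '#listen_tls = 1' '#listen_tcp = 0' '#auth_tcp = "sasl"' > "$tmp/default.conf"

# conf_value FILE KEY: print the value assigned to KEY (quotes stripped),
# ignoring comments; the last assignment wins. Empty output means "unset".
conf_value() {
    sed 's/#.*//; s/=/ = /' "$1" | awk -v key="$2" '
        $1 == key && $2 == "=" { v = $3; gsub(/"/, "", v); val = v }
        END { print val }'
}

# libvirtd_exposure FILE: print one of
#   tls            only the TLS listener is enabled
#   tcp-insecure   plain TCP with auth_tcp = "none" (test stage only)
#   tcp-sasl       plain TCP authenticated by SASL (libvirt default for TCP)
#   tls+tcp-...    both listeners enabled
#   none           no remote listener at all
libvirtd_exposure() {
    tls=$(conf_value "$1" listen_tls); [ -n "$tls" ] || tls=1      # assumed libvirt default
    tcp=$(conf_value "$1" listen_tcp); [ -n "$tcp" ] || tcp=0      # assumed libvirt default
    auth=$(conf_value "$1" auth_tcp);  [ -n "$auth" ] || auth=sasl # assumed libvirt default
    out=""
    [ "$tls" = 1 ] && out="tls"
    if [ "$tcp" = 1 ]; then
        [ -n "$out" ] && out="$out+"
        if [ "$auth" = none ]; then out="${out}tcp-insecure"; else out="${out}tcp-$auth"; fi
    fi
    [ -n "$out" ] || out="none"
    printf '%s\n' "$out"
}

# libvirtd_ports FILE: print the TCP ports the enabled listeners bind, i.e.
# what the host firewall has to allow; the two listeners never share a port.
libvirtd_ports() {
    tls=$(conf_value "$1" listen_tls);  [ -n "$tls" ]  || tls=1
    tcp=$(conf_value "$1" listen_tcp);  [ -n "$tcp" ]  || tcp=0
    tlsp=$(conf_value "$1" tls_port);   [ -n "$tlsp" ] || tlsp=16514  # assumed default
    tcpp=$(conf_value "$1" tcp_port);   [ -n "$tcpp" ] || tcpp=16509  # assumed default
    ports=""
    [ "$tcp" = 1 ] && ports="$tcpp"
    [ "$tls" = 1 ] && ports="${ports:+$ports }$tlsp"
    printf '%s\n' "$ports"
}

# Walk the constructed samples and report; "tcp-insecure" flags the state the
# reply says to leave only for the initial test.
for f in tcp tls both default; do
    printf '%-8s exposure=%-14s ports=%s\n' "$f" \
        "$(libvirtd_exposure "$tmp/$f.conf")" "$(libvirtd_ports "$tmp/$f.conf")"
done
```

Run it against the real file with `libvirtd_exposure /etc/libvirt/libvirtd.conf` once the TLS stage is done; anything other than `tls` means the plain-TCP test listener was left enabled. The separate "CA certificate and the client certificate do not match" complaint from pki_check.sh can be reproduced directly with `openssl verify -CAfile cacert.pem clientcert.pem`, which tells you whether the client certificate was actually signed by the CA key you installed.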