[libvirt] TLS for libvirt remote access
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
After generating TLS certificates for Libvirt remote access , I test the
certificates
by running pki_check.sh and get the following message :
The CA certificate and the client certificate do not match
What can cause this message ?
I guess this is a problem as I am trying to access remotely the host
machine and fail
with a message of :libvir: Remote error : Connection refused
That happens even if I use a client and server on the same machine and try
: sudo virsh -c qemu://localhost/defualt.
I am using libvirt 0.6.
can I get first a connection with no certificate/encryption by using URI =
qemu+tcp://... by making the needed change on the libvirtd.conf file
on the server side ? that did not work either
I followed the instructions in the Libvirt Web Site (generate a CA
private key and certificate then the client and server keys and
certificates and copy them to appropriate locations),. Also restarted the
libvirtd with the --listen --verbose flags on the server side
what can be wrong with my steps ?
Zvi Dubitzky
Virtualization and System Architecture Email:dubi@il.ibm.com
IBM Haifa Research Laboratory Phone: +972-4-8296182
Haifa, 31905, ISRAEL
Zvi Dubitzky wrote:
After generating TLS certificates for Libvirt remote access , I test
the
certificates
by running pki_check.sh and get the following message :
The CA certificate and the client certificate do not match
What can cause this message ?
I guess this is a problem as I am trying to access remotely the host
machine and fail
with a message of :libvir: Remote error : Connection refused
That happens even if I use a client and server on the same machine and try
: sudo virsh -c qemu://localhost/defualt.
I am using libvirt 0.6.
You have quite a few problems in your configuration here, including using the
wrong URI, and most probably an iptables problem. However, let's start simply...
can I get first a connection with no certificate/encryption by using URI =
qemu+tcp://... by making the needed change on the libvirtd.conf file
on the server side ? that did not work either
To begin with, I would start with just getting tcp going. It's totally
insecure, but it's a good initial test of getting everything up and running. To
do that, you have to enable "listen_tcp" in libvirtd.conf. You *also* have to
change "auth_tcp" to "none" in libvirtd.conf; otherwise, it
automatically tries
to use SASL for authentication, which you don't want at this point. Then you
need to start up libvirtd --verbose --listen.
At this point, you should be able to do: virsh -c qemu+tcp://hostname/system
list --all, and get at least "empty" output from the virsh list command. If
you
get a "connection refused", you most likely have a firewall blocking the port
that libvirtd is listening on; you'll have to open up that part.
Assuming you get the above working, go back into libvirtd.conf and disable TCP
(like I said, it opens up a security issue). Then go back to the instructions
on the website for generating and using TLS, and make sure you've followed the
directions exactly. I've used those instructions many times, and they work just
fine. Once you think you have it configured, then you can try: virsh -c
qemu+tls://hostname/system list --all, and see if that works. Again, if you get
"connection refused", it probably means your firewall is in the way; libvirtd
uses a different port for listen_tcp and listen_tls.
--
Chris Lalancette
5725
days inactive
5726
days old
1 comments
2 participants
tags (0)
participants (2)
-
Chris Lalancette -
Zvi Dubitzky