Re: [libvirt-users] Using certtool to generate certificates for ESXi
2013/10/30 Shiva Bhanujan <sxb075(a)gmail.com>:
Hi Daniel,
thanks for the reply - The procedure I use is the same as I use for
XenServer, and the certificate exchange works just fine. The only thing I'm
a bit unclear on, is the location of the CA cert, which in the case of
XenServer, I simply put it in /etc/pki/CA. And when I start the libvirtd
daemon, it successfully picks it up. If I put the Server key and cert in
/etc/vmware/ssl for ESXi, is there a location where I put the CA cert
(cacert.pem)? Also, following are the log errors that I see -
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default']
SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL
error queue:
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed
for stream TCP(local=<ESXi>:443, peer=<client>:33776), error:
N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)
Doesn't this mean the CA cert wasn't found on the ESXi?
Regards,
Shiva
On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berrange(a)redhat.com>
wrote:
>
> On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
> > Hello,
> >
> > I'm using certtool to generate the server certificates for ESXi -
> > http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server
> > certificate and key as /etc/vmware/ssl/rui.crt and
> > /etc/vmware/ssl/rui.key.
> > And then use virsh to connect from a CentOS 6.4 VM running on it -
> > "virsh
> > -c esx://<esx IP>. I get the following error -
> >
> > error: internal error curl_easy_perform() returned an error: Peer
> > certificate cannot be authenticated with known CA certificates (60) :
> > Peer
> > certificate cannot be authenticated with known CA certificates
> > error: failed to connect to the hypervisor
> >
> > is there something basic that I'm missing?
>
> I'm not sure what you're missing, but the error message means that the
> VMWare server certificate was not signed by any CA certificate that
> the libvirt client has access to. So it is a client side CA cert config
> problem most likely.
I think this problem has already been discussed on this mailing list, see:
https://www.redhat.com/archives/libvir-list/2012-March/msg00342.html
What you basically have to do is create your own Certificate Authority
(CA) and then issue a new server certificate with that CA as described
in the guide you mentioned. Then transfer this server certificate to
the ESX server and put it into the correct place. I think you already
have done this correctly
The last thing that's missing (the same as in the mailing list thread
I linked above) is that you need to configure your client properly.
The SSL infrastructure on your client needs to know about your custom
CA. libcurl has to be able to find and use it in order to verify that
the certificate your ESXi server present is valid. How this has to be
done depends on the SSL backend libcurl is using and on your distro.
--
Matthias Bolte
http://photron.blogspot.com