On Wed, Dec 06, 2017 at 09:44:47PM +0800, Yalan Zhang wrote:
> Hi guys,
> I met a problem when I use TLS to connect to libvirt.
> When I set the CN in client.info and server.info as the hostname (FQDN), the TLS
> check will fail with the IP; and vice versa, when the CN is set as the IP address, the TLS
> check will fail with the hostname. Only using what we set can succeed. Is this
> expected? Or was there some issue in my env. or setup steps?
> 1. set the TLS env with the hostname, then it will fail to check with the IP
> # virsh -c qemu+tls://192.168.122.4/system
> 2017-12-06 13:24:52.346+0000: 3954: info : libvirt version: x.x.x, package: 4.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2017-11-30-07:57:27, x.x.x.redhat.com)
> 2017-12-06 13:24:52.346+0000: 3954: info : hostname: work.englab.cn
> 2017-12-06 13:24:52.346+0000: 3954: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed
> Certificate [session] owner does not match the hostname 192.168.122.4
> error: failed to connect to the hypervisor
> error: authentication failed: Failed to verify peer's certificate
> 2. using the hostname as we set it can succeed.
> # virsh -c qemu+tls://test.englab.cn/system
> Welcome to virsh, the virtualization interactive terminal.
> Type:  'help' for help with commands
>        'quit' to quit
> virsh #
X509 certificates contain one or more hostnames + IP addresses that are
associated with the server that owns them. The error message you see
shows that the certificate you have created only contains the hostname
"test.englab.cn", and does *not* contain the IP address
"192.168.122.4".
If you want to be able to connect to libvirt using an IP address then
you need to make sure the certificate contains the IP address too.
If you're following the libvirt guide at
https://libvirt.org/remote.html#Remote_TLS_server_certificates
then, instead of creating server.info containing:
organization = Name of your organization
cn = test.englab.cn
tls_www_server
encryption_key
signing_key
use this:
organization = Name of your organization
cn = test.englab.cn
dns_name = test.englab.cn
dns_name = test
ip_address = 192.168.122.4
tls_www_server
encryption_key
signing_key
notice you can list multiple dns_name entries and multiple ip_address
entries if needed - I show using the short + fully qualified hostname
here. Adjust as desired.
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
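The matching rule behind the "owner does not match the hostname" failure in the thread, as an added illustration that is not part of the original exchange and not libvirt's or GnuTLS's code: a small Python model of how a TLS client compares the identities in a server certificate (the CN plus the dns_name / ip_address entries from certtool's server.info) against the host part of the connection URI. The function names (cert_matches_target, demo) and the CN-fallback rule (CN consulted only when the certificate carries no dNSName SAN entries) are assumptions of this model; the sample certificates are constructed from the two server.info templates above.

```python
"""Added example (not from the thread, not libvirt code): a simplified model of
TLS server-identity matching, using the certificate identities a certtool
server.info template produces (cn, dns_name, ip_address)."""
import ipaddress
from typing import Iterable, Optional, Tuple


def _dns_name_match(pattern: str, name: str) -> bool:
    """Match one dNSName SAN entry (or the CN) against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A single
    leading '*' wildcard matches exactly one DNS label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        p_labels = pattern.split(".")
        n_labels = name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False


def cert_matches_target(target: str,
                        dns_names: Iterable[str],
                        ip_addresses: Iterable[str],
                        cn: Optional[str] = None) -> Tuple[bool, str]:
    """Return (matched, reason) for a URI host against the certificate identities.

    Assumption of this model: the CN is only consulted as a legacy fallback
    when the certificate has no dNSName SAN entries at all."""
    dns_names = list(dns_names)
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # An IP literal in the URI is satisfied only by an iPAddress SAN entry;
        # a dNSName (or CN) that merely spells the same digits does not count.
        for entry in ip_addresses:
            try:
                if ipaddress.ip_address(entry) == target_ip:
                    return True, f"iPAddress SAN {entry} matches"
            except ValueError:
                continue  # malformed ip_address entry: skip it
        return False, f"certificate owner does not match the hostname {target}"

    for entry in dns_names:
        if _dns_name_match(entry, target):
            return True, f"dNSName SAN {entry} matches"
    if not dns_names and cn is not None and _dns_name_match(cn, target):
        return True, f"CN {cn} matches (no SAN dNSName present)"
    return False, f"certificate owner does not match the hostname {target}"


# Constructed sample certificates, mirroring the two server.info templates:
# the CN-only one from the original setup and the corrected one with SAN entries.
CN_ONLY = dict(cn="test.englab.cn", dns_names=[], ip_addresses=[])
WITH_SAN = dict(cn="test.englab.cn",
                dns_names=["test.englab.cn", "test"],
                ip_addresses=["192.168.122.4"])


def demo() -> dict:
    """Evaluate both sample certificates against the URI hosts used in the thread."""
    results = {}
    for label, cert in (("cn_only", CN_ONLY), ("with_san", WITH_SAN)):
        for target in ("test.englab.cn", "192.168.122.4", "test", "TEST.englab.cn."):
            results[(label, target)] = cert_matches_target(target, **cert)[0]
    return results


if __name__ == "__main__":
    for (label, target), ok in demo().items():
        print(f"{label:9s} {target:16s} -> {'OK' if ok else 'FAIL'}")
```

The cn_only certificate reproduces the failure in the thread for qemu+tls://192.168.122.4/system and succeeds for the hostname; the with_san certificate accepts the FQDN, the short name and the IP. The IP branch is deliberately strict: listing the address as a dns_name instead of an ip_address would not make an IP-literal URI verify.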