On Tue, Apr 22, 2014 at 08:24:43AM -0600, Nathaniel Cook wrote:
> Thanks for the response.
>
> My current chain is as follows:
>
>   caroot -> child-ca1 -> server cert
>
> My cacert.pem file has both the caroot and the child-ca1 certs. I have
> recompiled libvirt on my machine with some extra debug statements and
> verified that both the caroot cert and the child-ca1 certs are being
> loaded. But when I try to connect, the caroot and child-ca1 certs only
> appear under the "Acceptable client certificate CA names", not the
> certificate chain. The error I get on the client when connecting is that
> the server identity could not be verified since the server isn't presenting
> the entire CA chain, just its own cert.

Are you willing / able to share the output of

  certtool -i --infile <filename>.pem

for the cacert.pem and servercert.pem on the server, and likewise for
the cacert.pem and clientcert.pem (if used) on the client that fails to
connect?

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
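
The path-building failure discussed in this thread can be reproduced outside libvirt. The script below is an added example, not part of the original messages or of libvirt's code: it builds a throwaway caroot -> child-ca1 -> server chain and checks which inputs let a verifier complete the path. It assumes the OpenSSL command-line tool as a stand-in verifier (libvirt itself uses GnuTLS); the function names and `server.example` are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed test PKI mirroring the thread: caroot -> child-ca1 -> server cert.
# Every file is throwaway material written to the directory passed as $1.

build_chain() (
  cd "$1" || exit 1
  exec 2>/dev/null   # silence key-generation progress output
  # Self-signed root; the stock openssl.cnf marks it CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=caroot" \
    -keyout caroot.key -out caroot.pem &&
  # Intermediate: must carry CA:TRUE or it cannot issue the server cert.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=child-ca1" \
    -keyout child-ca1.key -out child-ca1.csr &&
  openssl x509 -req -in child-ca1.csr -CA caroot.pem -CAkey caroot.key \
    -CAcreateserial -days 2 -extfile ca.ext -out child-ca1.pem &&
  # Leaf issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout server.key -out server.csr &&
  openssl x509 -req -in server.csr -CA child-ca1.pem -CAkey child-ca1.key \
    -CAcreateserial -days 2 -out servercert.pem &&
  # A CA bundle like the cacert.pem described in the thread (root + intermediate).
  cat caroot.pem child-ca1.pem > cacert.pem
)

# Peer sent only servercert.pem; verifier trusts only the root.
verify_leaf_only() {
  openssl verify -CAfile "$1/caroot.pem" "$1/servercert.pem" >/dev/null 2>&1
}
# Peer sent servercert.pem plus child-ca1.pem as an untrusted chain cert.
verify_with_intermediate() {
  openssl verify -CAfile "$1/caroot.pem" -untrusted "$1/child-ca1.pem" \
    "$1/servercert.pem" >/dev/null 2>&1
}
# Peer sent only servercert.pem; verifier's CA file holds root and intermediate.
verify_with_bundle() {
  openssl verify -CAfile "$1/cacert.pem" "$1/servercert.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && build_chain "$d" || exit 1
for check in verify_leaf_only verify_with_intermediate verify_with_bundle; do
  if "$check" "$d"; then echo "$check: verified"; else echo "$check: FAILED"; fi
done
rm -rf "$d"
```

Only the first check fails, which is why the contents of cacert.pem on each side matter: a verifier holding just the root cannot bridge to the server cert unless the intermediate arrives with it.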