OK, so I figured out my own problem. Basically I needed to add the ca chain to each of the cert files. The cacert.pem file had the entire chain but since the clientcert.pem and the servercert.pem files only had a single cert during the handshake the chains were not presented and so verification failed. Once I appended the chain to both the server and client certs the handshake passed. Thanks for the help. I hope this discussion helps others who have similar problems. In summary the contents of each of my files is as follows: servercert.pem -- cert unique to server child-ca1 cert caroot cert clientcert.pem -- cert unique to client child-ca1 cert caroot cert cacert.pem -- child-ca1 cert caroot cert On Tue, Apr 22, 2014 at 8:35 AM, Daniel P. Berrange <berrange@redhat.com>wrote:
Thanks for the response.
My current chain is as follows:
caroot -> child-ca1 -> server cert
My cacert.pem file has both the caroot and the child-ca1 certs. I have recompiled libvirt on my machine with some extra debug statements and verified that both the caroot cert and the child-ca1 certs are being loaded. But when I try to connect the caroot and child-ca1 certs only appear under the "Acceptable client certificate CA names" not the certificate chain. The error I get on the client when connecting is that the server identity could not be verified since the server isn't
On Tue, Apr 22, 2014 at 08:24:43AM -0600, Nathaniel Cook wrote: presenting
the entire CA chain just its own cert.
Are you willing / able to share the output of
certtool -i --infile <filename>.pem
for the cacert.pem and servercert.pem on the server, and the likewise for the cacert.pem and clientcert.pem (if used) on the client the fails to connect?
Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/:| |: http://libvirt.org -o- http://virt-manager.org:| |: http://autobuild.org -o- http://search.cpan.org/~danberr/:| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc:|
-- -Nathaniel Cook