Re: [libvirt-users] TLS and intermediate CA

On Tue, Apr 22, 2014 at 08:24:43AM -0600, Nathaniel Cook wrote: > Thanks for the response. > > My current chain is as follows: > > caroot -> child-ca1 -> server cert > > My cacert.pem file has both the caroot and the child-ca1 certs. I have > recompiled libvirt on my machine with some extra debug statements and > verified that both the caroot cert and the child-ca1 certs are being > loaded. But when I try to connect the caroot and child-ca1 certs only > appear under the "Acceptable client certificate CA names" not the > certificate chain. The error I get on the client when connecting is that > the server identity could not be verified since the server isn't presenting > the entire CA chain just its own cert. Are you willing / able to share the output of certtool -i --infile <filename>.pem for the cacert.pem and servercert.pem on the server, and the likewise for the cacert.pem and clientcert.pem (if used) on the client the fails to connect? Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/:| |: http://libvirt.org -o- http://virt-manager.org:| |: http://autobuild.org -o- http://search.cpan.org/~danberr/:| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc:|