OK, so I figured out my own problem. Basically I needed to add the ca chain to each of the cert files. The cacert.pem file had the entire chain but since the clientcert.pem and the servercert.pem files only had a single cert during the handshake the chains were not presented and so verification failed. Once I appended the chain to both the server and client certs the handshake passed. Thanks for the help. I hope this discussion helps others who have similar problems.

In summary the contents of each of my files is as follows:

servercert.pem --

cert unique to server

child-ca1 cert

caroot cert

clientcert.pem --

cert unique to client

child-ca1 cert

caroot cert

cacert.pem --

child-ca1 cert

caroot cert

On Tue, Apr 22, 2014 at 8:35 AM, Daniel P. Berrange <berrange@redhat.com> wrote:

On Tue, Apr 22, 2014 at 08:24:43AM -0600, Nathaniel Cook wrote:
> Thanks for the response.
>
> My current chain is as follows:
>
> caroot -> child-ca1 -> server cert
>
> My cacert.pem file has both the caroot and the child-ca1 certs. I have
> recompiled libvirt on my machine with some extra debug statements and
> verified that both the caroot cert and the child-ca1 certs are being
> loaded. But when I try to connect the caroot and child-ca1 certs only
> appear under the "Acceptable client certificate CA names" not the
> certificate chain. The error I get on the client when connecting is that
> the server identity could not be verified since the server isn't presenting
> the entire CA chain just its own cert.

Are you willing / able to share the output of

certtool -i --infile <filename>.pem

for the cacert.pem and servercert.pem on the server, and the likewise for
the cacert.pem and clientcert.pem (if used) on the client the fails to
connect?

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
-Nathaniel Cook