Hi Daniel,

thanks for the reply - The procedure I use is the same as I use for XenServer, and the certificate exchange works just fine.  The only thing I'm a bit unclear on, is the location of the CA cert, which in the case of XenServer, I simply put it in /etc/pki/CA.  And when I start the libvirtd daemon, it successfully picks it up.  If I put the Server key and cert in /etc/vmware/ssl for ESXi, is there a location where I put the CA cert (cacert.pem)?  Also, following are the log errors that I see -

2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL error queue:
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed for stream TCP(local=<ESXi>:443, peer=<client>:33776), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)


Doesn't this mean the CA cert wasn't found on the ESXi?

Regards,
Shiva



On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berrange@redhat.com> wrote:
On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
> Hello,
>
> I'm using certtool to generate the server certificates for ESXi -
> http://libvirt.org/remote.html#Remote_TLS_CA.  I just copy the server
> certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key.
>  And then use virsh to connect from a CentOS 6.4 VM running on it - "virsh
> -c esx://<esx IP>.  I get the following error -
>
> error: internal error curl_easy_perform() returned an error: Peer
> certificate cannot be authenticated with known CA certificates (60) : Peer
> certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
>
> is there something basic that I'm missing?

I'm not sure what you're missing, but the error message means that the
VMWare server certificate was not signed by any CA certificate that
the libvirt client has access to. So it is a client side CA cert config
problem most likely.

Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|