[libvirt-users] Using certtool to generate certificates for ESXi

Hello,

I'm using certtool to generate the server certificates for ESXi - http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key, and then use virsh to connect from a CentOS 6.4 VM running on it - "virsh -c esx://<esx IP>". I get the following error:

error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
error: failed to connect to the hypervisor

Is there something basic that I'm missing?

Regards,
Shiva

On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
> Hello,
>
> I'm using certtool to generate the server certificates for ESXi - http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key, and then use virsh to connect from a CentOS 6.4 VM running on it - "virsh -c esx://<esx IP>". I get the following error:
>
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
>
> Is there something basic that I'm missing?

I'm not sure what you're missing, but the error message means that the VMWare server certificate was not signed by any CA certificate that the libvirt client has access to. So it is a client side CA cert config problem most likely.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Hi Daniel,

Thanks for the reply. The procedure I use is the same as I use for XenServer, and the certificate exchange works just fine. The only thing I'm a bit unclear on is the location of the CA cert, which in the case of XenServer I simply put in /etc/pki/CA, and when I start the libvirtd daemon it successfully picks it up. If I put the server key and cert in /etc/vmware/ssl for ESXi, is there a location where I put the CA cert (cacert.pem)?

Also, following are the log errors that I see:

2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL error queue:
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed for stream TCP(local=<ESXi>:443, peer=<client>:33776), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)

Doesn't this mean the CA cert wasn't found on the ESXi?

Regards,
Shiva

On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berrange@redhat.com> wrote:
> I'm not sure what you're missing, but the error message means that the VMWare server certificate was not signed by any CA certificate that the libvirt client has access to. So it is a client side CA cert config problem most likely.
>
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

2013/10/30 Shiva Bhanujan <sxb075@gmail.com>:
> Hi Daniel,
>
> Thanks for the reply. The procedure I use is the same as I use for XenServer, and the certificate exchange works just fine. The only thing I'm a bit unclear on is the location of the CA cert, which in the case of XenServer I simply put in /etc/pki/CA, and when I start the libvirtd daemon it successfully picks it up. If I put the server key and cert in /etc/vmware/ssl for ESXi, is there a location where I put the CA cert (cacert.pem)?
>
> Also, following are the log errors that I see:
>
> 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL error queue:
> 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> 2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed for stream TCP(local=<ESXi>:443, peer=<client>:33776), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)
>
> Doesn't this mean the CA cert wasn't found on the ESXi?
>
> Regards,
> Shiva

I think this problem has already been discussed on this mailing list, see:
https://www.redhat.com/archives/libvir-list/2012-March/msg00342.html

What you basically have to do is create your own Certificate Authority (CA) and then issue a new server certificate with that CA as described in the guide you mentioned. Then transfer this server certificate to the ESX server and put it into the correct place. I think you already have done this correctly.

The last thing that's missing (the same as in the mailing list thread I linked above) is that you need to configure your client properly. The SSL infrastructure on your client needs to know about your custom CA. libcurl has to be able to find and use it in order to verify that the certificate your ESXi server presents is valid. How this has to be done depends on the SSL backend libcurl is using and on your distro.

--
Matthias Bolte
http://photron.blogspot.com

Hi Matthias,

Thanks for the response. For connecting to ESXi, I couldn't find any environment setting to make 'curl' point to the client certificates. So, for the time being, I hard-coded the location in libvirt-<version>/src/esx/esx_vi.c:

esx_vi.c: curl_easy_setopt(curl->handle, CURLOPT_SSLCERT, "/etc/pki/libvirt/clientcert.pem");
esx_vi.c: curl_easy_setopt(curl->handle, CURLOPT_SSLKEY, "/etc/pki/libvirt/private/clientkey.pem");
esx_vi.c: curl_easy_setopt(curl->handle, CURLOPT_CAINFO, "/etc/pki/CA/cacert.pem");

This has worked for me. Perhaps there's a cleaner way of doing this? If I find something, I'll share w/ everybody on the list.

Regards,
Shiva

On Thu, Oct 31, 2013 at 7:16 AM, Matthias Bolte <matthias.bolte@googlemail.com> wrote:
> I think this problem has already been discussed on this mailing list, see:
> https://www.redhat.com/archives/libvir-list/2012-March/msg00342.html
>
> What you basically have to do is create your own Certificate Authority (CA) and then issue a new server certificate with that CA as described in the guide you mentioned. Then transfer this server certificate to the ESX server and put it into the correct place. I think you already have done this correctly.
>
> The last thing that's missing (the same as in the mailing list thread I linked above) is that you need to configure your client properly. The SSL infrastructure on your client needs to know about your custom CA. libcurl has to be able to find and use it in order to verify that the certificate your ESXi server presents is valid. How this has to be done depends on the SSL backend libcurl is using and on your distro.
>
> --
> Matthias Bolte
> http://photron.blogspot.com
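The diagnosis in this thread (server certificate not signed by a CA the client knows, reported as error 60 by libcurl and as "alert unknown ca" in the ESXi log) reduces to one check: does rui.crt chain to the cacert.pem the client is configured with? The script below is an added example, not code from the thread or from libvirt; it uses openssl instead of certtool, builds a throwaway CA and server certificate in a temp directory, and shows the verification passing against the issuing CA and failing against an unrelated one. The probe_esx function is the curl command-line equivalent of the three curl_easy_setopt calls quoted above; it needs a reachable host and is not run here.

```shell
# Added example (not from the thread or from libvirt). Assumes openssl on PATH;
# every key, certificate and path is constructed in a temp dir for the demo.
set -eu

WORK=$(mktemp -d)

# make_ca NAME: self-signed CA, the counterpart of the guide's cacert.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_server CA CN: server key and cert signed by CA (the rui.key/rui.crt pair)
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/rui.key" -out "$WORK/rui.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/rui.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 365 \
        -out "$WORK/rui.crt" >/dev/null 2>&1
}

# chain_ok CA: returns 0 when rui.crt verifies against CA.crt, 1 otherwise.
# A 1 here is the client-side condition behind curl's error 60 and the
# "tlsv1 alert unknown ca" the server logs when the client rejects the cert.
chain_ok() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/rui.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# probe_esx HOST CA: same settings as the CURLOPT_CAINFO/SSLCERT/SSLKEY calls
# hard-coded in esx_vi.c above, as a curl command. Any URL path works because a
# CA mismatch aborts the TLS handshake before the request is sent. Needs a host.
probe_esx() {
    curl -sS -o /dev/null -w '%{http_code}\n' --cacert "$WORK/$2.crt" \
        --cert /etc/pki/libvirt/clientcert.pem \
        --key /etc/pki/libvirt/private/clientkey.pem "https://$1/"
}

make_ca esx-ca
issue_server esx-ca esxi.example
chain_ok esx-ca && echo "rui.crt chains to esx-ca: the client must trust esx-ca.crt"
make_ca other-ca
chain_ok other-ca || echo "rui.crt does not chain to other-ca: this is the error 60 case"
```

Run the same openssl verify against the real /etc/vmware/ssl/rui.crt and the cacert.pem the client uses; if it fails, no libcurl setting will make virsh connect until the two agree.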
participants (3)
- Daniel P. Berrange
- Matthias Bolte
- Shiva Bhanujan