Re: [libvirt-users] [virt-tools-list] Client certificate paths?

On 08/12/2010 10:29 AM, Lars Kellogg-Stedman wrote:
Hello all,
I'm trying to get virsh (and virt-manager) to talk to a remote libvirt instance. I cannot for the life of me figure out how to tell either tool where to find client or CA certificates. Do they *really* need to access the ones in /etc/pki? In particular, the client seems to want to read the *server's* private key, which for obvious reasons is only readable by root.
I feel like I must be missing something obvious...if someone can point me towards a solution I would really appreciate it. Thanks!
If it's relevant, I'm running everything under Fedora 13 right now, so that means libvirt-0.8.2-1.fc13.x86_64 and qemu-kvm-0.12.3-8.fc13.x86_64.
This is more a libvirt question, so CC-ing libvirt-users. - Cole

On 08/20/2010 12:59 AM, Cole Robinson wrote:
On 08/12/2010 10:29 AM, Lars Kellogg-Stedman wrote:
Hello all,
I'm trying to get virsh (and virt-manager) to talk to a remote libvirt instance. I cannot for the life of me figure out how to tell either tool where to find client or CA certificates. Do they *really* need to access the ones in /etc/pki? In particular, the client seems to want to read the *server's* private key, which for obvious reasons is only readable by root.
I feel like I must be missing something obvious...if someone can point me towards a solution I would really appreciate it. Thanks!
Hi Lars,

There wasn't a mention of which type of certificates you're trying to use, so I'll assume TLS, as that's what /etc/pki is for.

virsh
*****

With virsh, it is hard coded to use a server wide path for its client certificate. (found this out yesterday) It's been mentioned there's an RFE for having that configurable, but it's not something I've looked into.

$ ls -la /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/private/clientkey.pem
-rw-r--r-- 1 root root 1220 Aug 19 02:34 /etc/pki/libvirt/clientcert.pem
-rw-r--r-- 1 root root 1675 Aug 19 02:32 /etc/pki/libvirt/private/clientkey.pem
$

It also needs the CA Certificate (not the key) here:

/etc/pki/CA/cacert.pem

$ sudo ls -la /etc/pki/CA/cacert.pem
-rw-r--r-- 1 root root 1070 Aug 19 01:06 /etc/pki/CA/cacert.pem
$

Real life example of it working
*******************************

$ virsh -c qemu://host1/system
Welcome to virsh, the virtualization interactive terminal.

Type: 'help' for help with commands
'quit' to quit

virsh #

(the qemu:// bit works there without saying qemu+tls://, because TLS is the default)

virt-manager
************

virt-manager though, uses the client certificate in a different spot. It has them per user, and they're stored in:

~/.pki/libvirt-vnc/clientcert.pem
~/.pki/libvirt-vnc/private/clientkey.pem

It needs the CA Certificate in:

~/.pki/CA/ca-cert.pem

$ ls -la ~/.pki/libvirt-vnc/clientcert.pem ~/.pki/libvirt-vnc/private/clientkey.pem ~/.pki/CA/ca-cert.pem
-rw-r--r-- 1 jc jc 1070 Aug 19 20:48 /export/backend/home/jc/.pki/CA/ca-cert.pem
-rw-r--r-- 1 jc jc 1220 Aug 19 20:48 /export/backend/home/jc/.pki/libvirt-vnc/clientcert.pem
lrwxrwxrwx 1 jc jc 16 Aug 19 21:14 /export/backend/home/jc/.pki/libvirt-vnc/private/clientkey.pem -> ../clientkey.pem
$

You'll be able to see that pointing to the keys in my home dir.
Something you'll notice is that in this instance, my clientkey.pem is itself NOT in the "private" sub-dir. It's in a folder below that, with a link in the private sub-dir, which is good enough. I have it this way only because I created it in a different spot initially when trying to get it to work, and it turns out that virt-viewer (another VNC viewing thing) needs it there instead. i.e. in the directory below "private".

Anyway, the above works. :)

If you have troubles with the TLS key generation, the docs on the libvirt.org site work:

http://libvirt.org/remote.html

And the paths for virt-manager are given on the last part of this page:

http://virt-manager.org/page/RemoteTLS#virt-manager.2Fvirsh.2Fvirt-viewer_cl...
If it's relevant, I'm running everything under Fedora 13 right now, so that means libvirt-0.8.2-1.fc13.x86_64 and qemu-kvm-0.12.3-8.fc13.x86_64.
Similar. All of the above is on an F13 workstation as well.

All good now? :)

Regards and best wishes,

Justin Clift

--
Salasaga - Open Source eLearning IDE
http://www.salasaga.org
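An added example, not from this thread or from the libvirt project: a small POSIX shell audit of the two client layouts Justin describes (the hard coded /etc/pki paths for virsh, the per-user ~/.pki paths for virt-manager). It follows the symlinked clientkey.pem arrangement, reports missing or unreadable files, and flags a client private key that is readable by group or other. The PKI_ROOT and HOME_PKI overrides are my own assumption so the check can be pointed at a test tree rather than the real paths.

```shell
# Added example (not from this thread or the libvirt project): audit the two
# TLS client layouts described above. PKI_ROOT and HOME_PKI are my own
# assumed overrides so the check can be run against a test tree.
PKI_ROOT="${PKI_ROOT:-/etc/pki}"
HOME_PKI="${HOME_PKI:-$HOME/.pki}"

# check_file PATH KIND: KIND is "cert" (must exist and be readable) or "key"
# (additionally must not be readable by group or other). Symlinks are
# followed, since the thread keeps clientkey.pem one level up with a link.
check_file() {
    f="$1"; kind="$2"
    real=$(readlink -f "$f" 2>/dev/null || echo "$f")
    if [ ! -f "$real" ]; then echo "MISSING: $f"; return 1; fi
    if [ ! -r "$real" ]; then echo "UNREADABLE: $f"; return 1; fi
    if [ "$kind" = key ]; then
        mode=$(stat -c %a "$real" 2>/dev/null || stat -f %Lp "$real")
        case "$mode" in
            *00) ;;
            *) echo "KEY_TOO_OPEN: $f (mode $mode)"; return 1 ;;
        esac
    fi
    return 0
}

# virsh: the hard coded system-wide paths.
check_virsh_layout() {
    rc=0
    check_file "$PKI_ROOT/CA/cacert.pem" cert || rc=1
    check_file "$PKI_ROOT/libvirt/clientcert.pem" cert || rc=1
    check_file "$PKI_ROOT/libvirt/private/clientkey.pem" key || rc=1
    return $rc
}

# virt-manager: per-user paths under ~/.pki (note ca-cert.pem, not cacert.pem).
check_virt_manager_layout() {
    rc=0
    check_file "$HOME_PKI/CA/ca-cert.pem" cert || rc=1
    check_file "$HOME_PKI/libvirt-vnc/clientcert.pem" cert || rc=1
    check_file "$HOME_PKI/libvirt-vnc/private/clientkey.pem" key || rc=1
    return $rc
}
```

Source the file and call check_virsh_layout or check_virt_manager_layout; each prints one line per finding and returns non-zero if anything needs attention.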

Hi all,

(Following up on this further)

There's not that much clear documentation around for the paths required for using TLS with various VNC clients. Therefore, after a liberal use of strace to find out what clients really do look for, there is a first set of info on the libvirt.org wiki:

http://wiki.libvirt.org/page/VNCTLSSetup

It's more in depth than the previous mailing list reply, covering:

* Vinagre
* Virt Manager
* Virt Viewer
* Gtk-VNC

Lars, it should help you get up and running with the VNC client side of things if you're still having troubles. (?)

Cole (and others too), if you have time, all feedback/pointers/thoughts/etc are welcome. :)

Regards and best wishes,

Justin Clift