12:03 p.m.
Hello,
I'm running ovirt 4.4.10 (using libvirt 7.10.0-1.module_el8.6.0+1046+bd8eec5e) and I
have the following qemu error while I launch a VM migration
Jul 3 12:37:07myhostname1 journal[958949]: Certificate [session] owner does not match
the hostname myhostname2
Jul 3 12:37:07 myhostname1journal[958949]: Certificate check failed Certificate
[session] owner does not match the hostname myhostname2
Jul 3 12:37:07 myhostname1 journal[958949]: authentication failed: Failed to verify
peer's certificate
Jul 3 12:37:07myhostname1 journal[958949]: operation failed: Failed to connect to remote
libvirt URI qemu+tls://myhostname3/system: authentication failed: Failed to verify
peer's certificate
To avoid this error I set the following paramaters inside the /etc/libvirt/qemu.conf and
restard vdsmd and libvirtd daemons.
migrate_tls_x509_verify = 0
default_tls_x509_verify = 0
But I still have the same error. Can you help me to understand why this set of parameters
are not working as expected ?
kind regards,
Julien
12:36 p.m.
On Thu, Jul 04, 2024 at 10:03:23AM -0000, jdeberles(a)gmail.com wrote:
Hello,
I'm running ovirt 4.4.10 (using libvirt 7.10.0-1.module_el8.6.0+1046+bd8eec5e) and I
have the following qemu error while I launch a VM migration
Jul 3 12:37:07myhostname1 journal[958949]: Certificate [session] owner does not match
the hostname myhostname2
Jul 3 12:37:07 myhostname1journal[958949]: Certificate check failed Certificate
[session] owner does not match the hostname myhostname2
Jul 3 12:37:07 myhostname1 journal[958949]: authentication failed: Failed to verify
peer's certificate
Jul 3 12:37:07myhostname1 journal[958949]: operation failed: Failed to connect to
remote
libvirt URI qemu+tls://myhostname3/system: authentication failed: Failed to verify
peer's certificate
This error comes from the libvirtd connection, whose behaviuor is
controlled in /etc/libvirt/libvirtd.conf
To avoid this error I set the following paramaters inside the
/etc/libvirt/qemu.conf and
restard vdsmd and libvirtd daemons.
migrate_tls_x509_verify = 0
default_tls_x509_verify = 0
There parameters apply to QEMU, not libvirtd, hence having no effect on
the above error.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
2:13 p.m.
Hello Daniel,
ty for your reply.
based on your answer, I uncomment the following line "tls_no_verify_certificate =
1" in /etc/libvirt/libvirtd.conf and restart service libvirtd but I stil have the
same issue.
Do you have any suggestion to fix this issue ?
Kind regards,
Julien
2:18 p.m.
On Thu, Jul 04, 2024 at 12:13:59PM -0000, jdeberles(a)gmail.com wrote:
Hello Daniel,
ty for your reply.
based on your answer, I uncomment the following line
"tls_no_verify_certificate = 1" in /etc/libvirt/libvirtd.conf
and restart service libvirtd but I stil have the same issue.
Do you have any suggestion to fix this issue ?
That controls whether the server side libvirtd, requests a cert from the
incoming libvirtd.
I believe your error message is about the client being unable to verify
the server.
For the latter you need to append '?no_verify=1' to the URI you give
when initiating the migration
The best thing though is to just fix your certificates, as by disabling
cert validation you no longer have any MITM protection, and TLS thus has
rather limited security value.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
12:10 p.m.
Dear Daniel,
I tried to pass the following parameter tls_no_verify_certificate = 1 on
/etc/libvirt/libvirtd.conf but i still have the error below:
*Migration failed due to an Error: Failed to connect to remote libvirt URI
qemu+tls:/myhost/system: authentication failed: Failed to verify peer's
certificate...*
I double checked my certificate cn and doesn't find the error. Do you know
a way to deactivate the cn check the time I handle this certificate error.
Kind regards,
Julien
Le jeu. 4 juil. 2024 à 14:18, Daniel P. Berrangé <berrange(a)redhat.com> a
écrit :
On Thu, Jul 04, 2024 at 12:13:59PM -0000, jdeberles(a)gmail.com wrote:
> Hello Daniel,
>
> ty for your reply.
>
> based on your answer, I uncomment the following line
> "tls_no_verify_certificate = 1" in /etc/libvirt/libvirtd.conf
> and restart service libvirtd but I stil have the same issue.
> Do you have any suggestion to fix this issue ?
That controls whether the server side libvirtd, requests a cert from the
incoming libvirtd.
I believe your error message is about the client being unable to verify
the server.
For the latter you need to append '?no_verify=1' to the URI you give
when initiating the migration
The best thing though is to just fix your certificates, as by disabling
cert validation you no longer have any MITM protection, and TLS thus has
rather limited security value.
With regards,
Daniel
--
|: https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-
https://fstop138.berrange.com :|
|: https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|
49
days inactive
74
days old
4 comments
3 participants
participants (3)
-
Daniel P. Berrangé -
jdeberles@gmail.com -
Julien Deberles