Certificate verification error for qemu while migrating

Hello,

I'm running ovirt 4.4.10 (using libvirt 7.10.0-1.module_el8.6.0+1046+bd8eec5e) and I have the following qemu error while I launch a VM migration:

Jul 3 12:37:07myhostname1 journal[958949]: Certificate [session] owner does not match the hostname myhostname2
Jul 3 12:37:07 myhostname1journal[958949]: Certificate check failed Certificate [session] owner does not match the hostname myhostname2
Jul 3 12:37:07 myhostname1 journal[958949]: authentication failed: Failed to verify peer's certificate
Jul 3 12:37:07myhostname1 journal[958949]: operation failed: Failed to connect to remote libvirt URI qemu+tls://myhostname3/system: authentication failed: Failed to verify peer's certificate

To avoid this error I set the following parameters inside /etc/libvirt/qemu.conf and restarted the vdsmd and libvirtd daemons.

migrate_tls_x509_verify = 0
default_tls_x509_verify = 0

But I still have the same error. Can you help me to understand why this set of parameters is not working as expected?

Kind regards,
Julien

On Thu, Jul 04, 2024 at 10:03:23AM -0000, jdeberles@gmail.com wrote:
> Hello, I'm running ovirt 4.4.10 (using libvirt 7.10.0-1.module_el8.6.0+1046+bd8eec5e) and I have the following qemu error while I launch a VM migration
>
> Jul 3 12:37:07myhostname1 journal[958949]: Certificate [session] owner does not match the hostname myhostname2
> Jul 3 12:37:07 myhostname1journal[958949]: Certificate check failed Certificate [session] owner does not match the hostname myhostname2
> Jul 3 12:37:07 myhostname1 journal[958949]: authentication failed: Failed to verify peer's certificate
> Jul 3 12:37:07myhostname1 journal[958949]: operation failed: Failed to connect to remote libvirt URI qemu+tls://myhostname3/system: authentication failed: Failed to verify peer's certificate

This error comes from the libvirtd connection, whose behaviour is controlled in /etc/libvirt/libvirtd.conf

> To avoid this error I set the following parameters inside the /etc/libvirt/qemu.conf and restarted vdsmd and libvirtd daemons.
> migrate_tls_x509_verify = 0
> default_tls_x509_verify = 0

These parameters apply to QEMU, not libvirtd, hence having no effect on the above error.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Hello Daniel,

ty for your reply.

Based on your answer, I uncommented the following line "tls_no_verify_certificate = 1" in /etc/libvirt/libvirtd.conf and restarted the libvirtd service, but I still have the same issue. Do you have any suggestion to fix this issue?

Kind regards,
Julien

On Thu, Jul 04, 2024 at 12:13:59PM -0000, jdeberles@gmail.com wrote:
> Hello Daniel,
> ty for your reply.
> based on your answer, I uncomment the following line "tls_no_verify_certificate = 1" in /etc/libvirt/libvirtd.conf and restart service libvirtd but I still have the same issue. Do you have any suggestion to fix this issue ?

That controls whether the server side libvirtd requests a cert from the incoming libvirtd.

I believe your error message is about the client being unable to verify the server.

For the latter you need to append '?no_verify=1' to the URI you give when initiating the migration.

The best thing though is to just fix your certificates, as by disabling cert validation you no longer have any MITM protection, and TLS thus has rather limited security value.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
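
Fixing the certificates, as advised above, starts with finding which name fails to match. The script below is an added example, not code from this thread or from the libvirt project: it compares the DNS names in a server certificate with the host part of the migration URI. It assumes OpenSSL 1.1.1 or later and a certificate path that you supply; the function names are illustrative.

```shell
#!/bin/sh
# Added example (illustrative function names; supply your own certificate
# path). DNS names only: IP SANs and IPv6 URI hosts are not handled.
uri_host() {                      # qemu+tls://user@host:port/system -> host
    h=${1#*://}; h=${h%%/*}; h=${h%%\?*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h"
}

host_matches() {                  # PATTERN HOST, compared case-insensitively
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)                     # "*.example.org" covers exactly one label
            suffix=${pat#\*}
            case "$host" in
                *"$suffix") left=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            case "$left" in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
        *) [ "$pat" = "$host" ] ;;
    esac
}

names_match() {                   # HOST; certificate names on stdin
    while IFS= read -r n; do
        host_matches "$n" "$1" && return 0
    done
    return 1
}

cert_names() {                    # DNS SANs, else the subject CN
    sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
           tr ',' '\n' | sed -n 's/^ *DNS://p')
    if [ -n "$sans" ]; then printf '%s\n' "$sans"; return; fi
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

check_cert() {                    # CERT_FILE URI
    target=$(uri_host "$2")
    if cert_names "$1" | names_match "$target"; then
        echo "OK: certificate covers $target"
    else
        echo "MISMATCH: $target not in: $(cert_names "$1" | tr '\n' ' ')"
        return 1
    fi
}
if [ "$#" -eq 2 ]; then check_cert "$1" "$2"; fi
```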

Dear Daniel,

I tried to pass the following parameter tls_no_verify_certificate = 1 in /etc/libvirt/libvirtd.conf but I still have the error below:

*Migration failed due to an Error: Failed to connect to remote libvirt URI qemu+tls:/myhost/system: authentication failed: Failed to verify peer's certificate...*

I double checked my certificate cn and didn't find the error. Do you know a way to deactivate the cn check while I handle this certificate error?

Kind regards,
Julien

On Thu, 4 Jul 2024 at 14:18, Daniel P. Berrangé <berrange@redhat.com> wrote:
> On Thu, Jul 04, 2024 at 12:13:59PM -0000, jdeberles@gmail.com wrote:
> > Hello Daniel,
> > ty for your reply.
> > based on your answer, I uncomment the following line "tls_no_verify_certificate = 1" in /etc/libvirt/libvirtd.conf and restart service libvirtd but I still have the same issue. Do you have any suggestion to fix this issue ?
>
> That controls whether the server side libvirtd requests a cert from the incoming libvirtd.
>
> I believe your error message is about the client being unable to verify the server.
>
> For the latter you need to append '?no_verify=1' to the URI you give when initiating the migration.
>
> The best thing though is to just fix your certificates, as by disabling cert validation you no longer have any MITM protection, and TLS thus has rather limited security value.
>
> With regards,
> Daniel
> --
> |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o- https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

participants (3)
- Daniel P. Berrangé
- jdeberles@gmail.com
- Julien Deberles