[libvirt] qemu+tls server certificate validation failure (The certificate is not trusted)

Scott Beardsley sc0ttbeardsley at gmail.com
Mon Apr 27 21:37:28 UTC 2009

I'm having a problem with remote TLS libvirt connections from an
Ubuntu Jaunty client. I've reported the bug here[1] but haven't had
any hits yet so I thought I'd come to the source. Let me know if y'all
have any ideas or know of any bugs in the versions I'm using (see
below). I just upgraded my client to Jaunty from Intrepid and I can no
longer connect to Hardy or Intrepid libvirt servers that have TLS
enabled. I get the following errors:

$ virt-viewer -c qemu+tls://example.com/system virt.example.com
libvir: Remote error : server certificate failed validation: The
certificate is not trusted.
libvir: Remote error : unable to connect to 'example.com': Invalid argument
unable to connect to libvirt qemu+tls://example.com/system

In the past (i.e. Hardy, Intrepid) I was able to use the following
command. Now I get an error:
$ virt-viewer -c qemu://example.com/system virt.example.com
libvir: error : could not connect to qemu://example.com/system
unable to connect to libvirt qemu://example.com/system

The server's config has not changed (I've tested against libvirt-bin
versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
have the CA certificate installed on both server and client (in
/etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
the server cert. Here is some proof that it *should* work:

$ openssl s_client -CAfile /etc/pki/CA/cacert.pem \
    -cert /etc/pki/libvirt/clientcert.pem \
    -key /etc/pki/libvirt/private/clientkey.pem \
    -connect example.com:16514 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
$ openssl verify -CAfile /etc/pki/CA/cacert.pem servercert.pem
servercert.pem: OK
$ openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/libvirt/clientcert.pem
/etc/pki/libvirt/clientcert.pem: OK

When I run strace against virt-viewer I can see that it is accessing
and (successfully opening) the correct certs/keys:

$ grep /etc/pki /tmp/out
stat64("/etc/pki/CA/cacert.pem", {st_mode=S_IFREG|0644, st_size=1716, ...}) = 0
{st_mode=S_IFREG|0644, st_size=887, ...}) = 0
stat64("/etc/pki/libvirt/clientcert.pem", {st_mode=S_IFREG|0644,
st_size=1172, ...}) = 0
open("/etc/pki/CA/cacert.pem", O_RDONLY) = 5
open("/etc/pki/libvirt/private/clientkey.pem", O_RDONLY) = 5
open("/etc/pki/libvirt/clientcert.pem", O_RDONLY) = 5

Thanks in advance,

[1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/366455
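A self-contained version of the chain checks above, added here as an example and not part of the original post: it builds a throwaway CA plus a server and a client certificate (constructed test data in a temp dir), runs the same `openssl verify` checks the post runs, and adds a subject-CN-versus-hostname check that those commands do not perform. It assumes `openssl` is on PATH; the hostname virt.example.com is taken from the post's virt-viewer command.

```shell
#!/bin/sh
# Added example, not the poster's own commands. Builds a constructed test PKI
# and re-runs the post's verification steps against it. Assumes openssl on PATH.
set -eu

WORK=$(mktemp -d)
HOST="virt.example.com"   # host the client would connect to (from the post)

make_pki() {
  cd "$WORK"
  # Throwaway CA (constructed; stands in for /etc/pki/CA/cacert.pem)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
    -subj "/CN=Test CA" -days 1 >/dev/null 2>&1
  # Server and client certs, both signed by that CA, as in the post
  for name in server client; do
    cn=$HOST; [ "$name" = client ] && cn="client.example.com"
    openssl req -newkey rsa:2048 -nodes -keyout "${name}key.pem" -out "${name}.csr" \
      -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -in "${name}.csr" -CA cacert.pem -CAkey cakey.pem \
      -CAcreateserial -out "${name}cert.pem" -days 1 >/dev/null 2>&1
  done
}

# The post's check: is this cert signed by the CA file on disk?
# $1 = CA file, $2 = certificate file; exit status 0 = trusted chain
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Extra check the post's commands skip: does the server cert's CN name the
# host we connect to? $1 = certificate file, $2 = expected hostname
cn_matches() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  case "$subj" in *"CN = $2"*|*"CN=$2"*) return 0 ;; esac
  return 1
}

make_pki
verify_chain "$WORK/cacert.pem" "$WORK/servercert.pem" && echo "server chain OK"
verify_chain "$WORK/cacert.pem" "$WORK/clientcert.pem" && echo "client chain OK"
cn_matches "$WORK/servercert.pem" "$HOST" && echo "server CN matches $HOST"
```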
