[libvirt] qemu+tls server certificate validation failure (The certificate is not trusted)

Daniel P. Berrange berrange at redhat.com
Mon Apr 27 21:59:05 UTC 2009

On Mon, Apr 27, 2009 at 02:37:28PM -0700, Scott Beardsley wrote:
> I'm having a problem with remote TLS libvirt connections from an
> Ubuntu Jaunty client. I've reported the bug here[1] but haven't had
> any hits yet so I thought I'd come to the source. Let me know if ya'll
> have any ideas or know of any bugs in the versions I'm using (see
> below). I just upgraded my client to Jaunty from Intrepid and I can no
> longer connect to Hardy or Intrepid libvirt servers that have TLS
> enabled. I get the following errors:
> $ virt-viewer -c qemu+tls://example.com/system virt.example.com
> libvir: Remote error : server certificate failed validation: The
> certificate is not trusted.
> libvir: Remote error : unable to connect to 'example.com': Invalid argument
> unable to connect to libvirt qemu+tls://example.com/system

This error message comes from gnutls_certificate_verify_peers2() and
maps to the annoyingly generic GNUTLS_CERT_INVALID error code.

> In the past (ie hardy, intrepid) I was able to use the following
> command. Now I get an error:
> $ virt-viewer -c qemu://example.com/system virt.example.com
> libvir: error : could not connect to qemu://example.com/system
> unable to connect to libvirt qemu://example.com/system
> $
> The server's config has not changed (I've tested against libvirt-bin
> versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
> have the CA certificate installed on both server and client (in
> /etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
> the server cert. Here is some proof that it *should* work:

I'd run some checks with the gnutls 'certtool' instead of openssl,
so you can be sure you're running the same SSL code as libvirt
uses. One random idea is that perhaps the newer GNUTLS in Jaunty
has stopped supporting some feature used in your certificates.
eg perhaps they finally disabled md5 algorithm for cert signing
or similar ideas. certtool may give you info if this is the case

|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list