[libvirt] qemu+tls server certificate validation failure (The certificate is not trusted)

Scott Beardsley sc0ttbeardsley at gmail.com
Tue Apr 28 00:05:06 UTC 2009


> This error message comes from gnutls_certificate_verify_peers2() and
> maps to the annoyingly generic GNUTLS_CERT_INVALID error code.

indeed

>> The server's config has not changed (I've tested against libvirt-bin
>> versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
>> have the CA certificate installed on both server and client (in
>> /etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
>> the server cert. Here is some proof that it *should* work:
>
> I'd run some checks with the gnutls 'certtool' instead of openssl,
> so you can be sure you're running the same SSL code as libvirt
> uses. One random idea is that perhaps the newer GNUTLS in Jaunty
> has stopped supporting some feature used in your certificates.
> eg perhaps they finally disabled md5 algorithm for cert signing
> or similar ideas. certtool may give you info if this is the case

I just verified that our self-signed CA uses MD5 (boo). I'll have to
look into whether a SHA CA fixes the problem. I'm using gnutls
v2.4.2-6 (on the client side, 2.4.1-1ubuntu0.2 on the server side).
There is a changelog here[1]. According to that log:

"Verifying untrusted X.509 certificates signed with RSA-MD2 or RSA-MD5
will now fail with a GNUTLS_CERT_INSECURE_ALGORITHM verification
output."

I'm curious if there is a different problem. Or, perhaps virt-viewer
is detecting GNUTLS_CERT_INSECURE_ALGORITHM as GNUTLS_CERT_INVALID ?
Either way, we should fix our CA.

BTW, will certtool verify certs à la "openssl verify"?

Scott
---------
[1] http://changelogs.ubuntu.com/changelogs/pool/main/g/gnutls26/gnutls26_2.4.2-6/changelog
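As an added example, not code from the thread or from libvirt/gnutls: a minimal DER walker that reads the outer signatureAlgorithm OID of a certificate and flags the RSA-MD2/RSA-MD5 signatures that the gnutls 2.4 changelog quoted above says verification now rejects. The certificates it is run on are constructed structural stand-ins (empty tbsCertificate, dummy signature), not real certs, and the OID table is an assumption limited to the algorithms named here.

```python
# RSA signature OIDs and whether gnutls >= 2.4 still accepts them when verifying:
# MD2/MD5-signed certificates now yield GNUTLS_CERT_INSECURE_ALGORITHM (assumed table).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", False),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
}

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal text."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                          # last octet of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    tag, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE {...}
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)                   # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)              # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)               # its first element is the OID
    assert tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return _decode_oid(oid)

def check_cert(der):
    """(algorithm name, accepted?) for a DER cert; unknown OIDs count as rejected."""
    oid = signature_algorithm(der)
    return SIGNATURE_OIDS.get(oid, (oid, False))

# Constructed sample input, not a real certificate: an empty tbsCertificate, the
# given AlgorithmIdentifier, and a dummy BIT STRING where the signature would be.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content     # short-form length only

def sample_cert(sig_oid):
    alg_id = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, b"\x00\xff"))

MD5_RSA = bytes.fromhex("2a864886f70d010104")       # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
```

To run it on a real CA cert, convert the PEM file to DER first (e.g. `openssl x509 -in /etc/pki/CA/cacert.pem -outform DER -out cacert.der`) and pass the file's bytes to `check_cert`.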