[libvirt] TLS for libvirt remote access

Chris Lalancette clalance at redhat.com
Fri Mar 20 08:01:37 UTC 2009

Zvi Dubitzky wrote:
> After generating TLS certificates for Libvirt remote access, I test the
> certificates by running pki_check.sh and get the following message:
> The CA certificate and the client certificate do not match
> What can cause this message?
> I guess this is a problem as I am trying to access remotely the host
> machine and fail with a message of: libvir: Remote error : Connection refused
> That happens even if I use a client and server on the same machine and try:
> sudo virsh -c qemu://localhost/defualt.
> I am using libvirt 0.6.

You have quite a few problems in your configuration here, including using the
wrong URI, and most probably an iptables problem.  However, let's start simply...

> Can I get first a connection with no certificate/encryption by using URI =
> qemu+tcp://... by making the needed change on the libvirtd.conf file
> on the server side? That did not work either.

To begin with, I would start with just getting tcp going.  It's totally
insecure, but it's a good initial test of getting everything up and running.  To
do that, you have to enable "listen_tcp" in libvirtd.conf.  You *also* have to
change "auth_tcp" to "none" in libvirtd.conf; otherwise, it automatically tries
to use SASL for authentication, which you don't want at this point.  Then you
need to start up libvirtd --verbose --listen.

At this point, you should be able to do: virsh -c qemu+tcp://hostname/system
list --all, and get at least "empty" output from the virsh list command.  If you
get a "connection refused", you most likely have a firewall blocking the port
that libvirtd is listening on; you'll have to open up that port.

Assuming you get the above working, go back into libvirtd.conf and disable TCP
(like I said, it opens up a security issue).  Then go back to the instructions
on the website for generating and using TLS, and make sure you've followed the
directions exactly.  I've used those instructions many times, and they work just
fine.  Once you think you have it configured, then you can try: virsh -c
qemu+tls://hostname/system list --all, and see if that works.  Again, if you get
"connection refused", it probably means your firewall is in the way; libvirtd
uses a different port for listen_tcp and listen_tls.

Chris Lalancette
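An added audit helper (not part of this thread or of libvirt itself) that reads a libvirtd.conf and reports which remote listeners it enables, using the keys discussed above (listen_tcp, auth_tcp, listen_tls), so the temporary unauthenticated TCP listener is not left enabled once TLS works. The fallback values for unset keys (listen_tls=1, listen_tcp=0, auth_tls="none", auth_tcp="sasl", ports 16514 and 16509) are this script's assumptions about libvirtd's defaults.

```shell
# Audit a libvirtd.conf for enabled remote listeners. Assumed defaults for
# unset keys: listen_tls=1, listen_tcp=0, auth_tls="none", auth_tcp="sasl",
# tls_port=16514, tcp_port=16509 (assumptions, not read from the file).

# conf_value FILE KEY: value of the last uncommented `KEY = value` line,
# with quotes and any trailing comment stripped; empty if KEY is not set.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*#.*$//' \
              -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# conf_or FILE KEY DEFAULT: the configured value, or DEFAULT when unset.
conf_or() {
    v=$(conf_value "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# listener_summary FILE: one line per enabled listener,
#   tls:<port>:<auth>   and/or   tcp:<port>:<auth>:<INSECURE|ok>
# or "none" when neither listener is on. The TCP listener is flagged
# INSECURE when auth_tcp is "none" (the first-test setting from the reply).
listener_summary() {
    f=$1; found=0
    if [ "$(conf_or "$f" listen_tls 1)" = "1" ]; then
        printf 'tls:%s:%s\n' "$(conf_or "$f" tls_port 16514)" \
                             "$(conf_or "$f" auth_tls none)"
        found=1
    fi
    if [ "$(conf_or "$f" listen_tcp 0)" = "1" ]; then
        auth=$(conf_or "$f" auth_tcp sasl)
        if [ "$auth" = none ]; then state=INSECURE; else state=ok; fi
        printf 'tcp:%s:%s:%s\n' "$(conf_or "$f" tcp_port 16509)" "$auth" "$state"
        found=1
    fi
    [ "$found" = 1 ] || echo none
}

# write_first_test_conf FILE: constructed sample matching the "tcp first"
# configuration described in the reply (listen_tls left at its default).
write_first_test_conf() {
    cat > "$1" <<'EOF'
# listen_tls = 1
listen_tcp = 1
auth_tcp = "none"   # temporary, for the tcp test only
EOF
}
```

Run `listener_summary /etc/libvirt/libvirtd.conf` on a host; any `tcp:...:INSECURE` line means the first-step configuration is still in place.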
