[libvirt] Failed when client connects to the hypervisor running on Server using TLS

Xiaoqiang Hu xhu at redhat.com
Fri Jul 30 10:11:18 UTC 2010


Hi all,

The client fails to connect to the hypervisor running on the server using TLS; the details are as follows:

I Test Procedures:
On server (10.66.92.154)
1. Set up a Certificate Authority (CA)
1.1 # certtool --generate-privkey > cakey.pem
1.2 self-sign cakey.pem by creating a file with the signature details called ca.info containing:
cn=10.66.92.154
ca
cert_signing_key
1.3 # certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem

2. Create server certificates
2.1 # certtool --generate-privkey > serverkey.pem
2.2 sign that key with the CA's private key by first creating a template file called server.info
organization=Red Hat
cn=10.66.92.154
tls_www_server
encryption_key
signing_key
2.3 # certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem \
--load-ca-privkey cakey.pem --template server.info --outfile servercert.pem

3. Copy CA key and server key to correct directory
3.1 # cp cakey.pem cacert.pem /etc/pki/CA
3.2 # mkdir -p /etc/pki/libvirt/private
3.3 # cp serverkey.pem /etc/pki/libvirt/private
3.4 # cp servercert.pem /etc/pki/libvirt

4. Copy CA key to client(10.66.93.205) into correct directory
4.1 # scp cakey.pem cacert.pem root@10.66.93.205:/etc/pki/CA

5. Turn on libvirtd monitor listening in /etc/sysconfig/libvirtd
  -- uncomment LIBVIRTD_ARGS="--listen"
6. Edit /etc/libvirt/libvirtd.conf
  -- enable listen_tls = 1
7. # service libvirtd restart
8. # service iptables stop

On client (10.66.93.205)
9.  Create client certificates
9.1 # certtool --generate-privkey > clientkey.pem
9.2 Act as CA and sign the certificate.  Create client.info containing:
country=GB
state=London
locality=London
organization=Red Hat
cn=10.66.93.205
tls_www_client
encryption_key
signing_key
9.3 # certtool --generate-certificate  --load-privkey clientkey.pem --load-ca-certificate /etc/pki/CA/cacert.pem \
--load-ca-privkey /etc/pki/CA/cakey.pem --template client.info --outfile clientcert.pem

10. Copy client key to correct directory
10.1 # mkdir -p /etc/pki/libvirt/private
10.2 # cp clientkey.pem /etc/pki/libvirt/private
10.3 # cp clientcert.pem /etc/pki/libvirt/

11. Connect to server hypervisor
# virsh -c qemu+tls://10.66.92.154/system

II Test Result:
[root@dhcp-93-205 images]# virsh -c qemu+tls://10.66.92.154/system
error: server verification (of our certificate or IP address) failed
error: failed to connect to the hypervisor

Note:
if I do Step 9 as above on the server instead, then the client can connect to the hypervisor running on the server using TLS successfully.

Regards!
Johnson