[libvirt] Can't connect ESXi ssl with virsh

Zhimou Peng zhpeng at redhat.com
Mon Mar 5 07:04:05 UTC 2012


Hi,

I try to use virsh to connect to ESXi5.0 with ssl

[root at zheng ~]#  virsh -c esx://10.66.6.211/
Enter username for 10.66.6.211 [root]: 
Enter root's password for 10.66.6.211: 
error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
error: failed to connect to the hypervisor

I create a new key signed by my CA certificate, still the same error.
But I can use vsphere client and https://10.66.6.211/, the new certs are ok.

Here are my steps:


1, create a CA center.

ENV prepare:
# cd /etc/pki/CA/
# mkdir {certs,crl,newcerts}
# touch index.txt
# echo 00 > serial

create private key:
[root at zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650
Generating a 2048 bit RSA private key
................................................................+++
...............................................+++
writing new private key to 'myroot.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:10.66.6.209
Email Address []:

[root at zheng CA]# mv myroot.key private/cakey.pem
[root at zheng CA]# mv myroot.crt cacert.pem

2, create private key and certificate request file for ESXi5.0 server.
# openssl req -new -nodes -out mycsr.csr
Generating a 2048 bit RSA private key
........+++
...............+++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QE
Common Name (eg, your name or your server's hostname) []:10.66.6.211
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3, scp the certificate request file to the CA and certify it.
[root at zheng CA]# openssl ca -out rui.crt  -infiles mycsr.csr 
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Mar  5 06:53:52 2012 GMT
            Not After : Mar  5 06:53:52 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = REDHAT
            organizationalUnitName    = QE
            commonName                = 10.66.6.211
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A
            X509v3 Authority Key Identifier: 
                keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD

Certificate is to be certified until Mar  5 06:53:52 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4, change the ESXi to maintenance mode and change the ssl keys in /etc/vmware/ssl, restart the hostd server,
   then quit maintenance mode.

5, test it with vsphere client and firefox. The new ssl keys work well.

6, [root at zheng ~]# virsh -c esx://10.66.6.211
Enter username for 10.66.6.211 [root]: 
Enter root's password for 10.66.6.211: 
error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
error: failed to connect to the hypervisor



So, I don't know if I have wrong steps or it's a bug?
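An added example, not from the poster or from libvirt, that isolates what curl's error 60 reports: the verifier could not chain the server certificate to a CA it trusts, which says nothing about whether the certificate itself is good. The Go program below builds a constructed CA and a server certificate for the address from the post (throwaway keys, not the real ones) and verifies that certificate once against an empty root pool, standing in for a CA bundle that lacks the private CA, and once against a pool holding it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert signs tmpl with the parent's key; tmpl == parent yields a self-signed certificate.
func makeCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, parentKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line earlier always parses
	return cert
}

// BuildChain builds a constructed private CA and a server certificate for host (an IP address),
// carrying the address in an iPAddress SAN as well as the CN. Throwaway keys, not the poster's.
func BuildChain(host string) (ca, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the server's private key is not needed here
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "my CA"},
		NotBefore: now, NotAfter: now.Add(3650 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = makeCert(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		IPAddresses: []net.IP{net.ParseIP(host)},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = makeCert(leafTmpl, ca, leafPub, caKey)
	return ca, leaf
}

// VerifyAgainst validates leaf for host using only the roots in pool; nil means chain and name both pass.
func VerifyAgainst(leaf *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	host := "10.66.6.211"
	ca, leaf := BuildChain(host)
	// An empty pool stands in for a CA bundle that lacks the private CA: same certificate, no trust.
	fmt.Println("without CA:", VerifyAgainst(leaf, x509.NewCertPool(), host))
	trusted := x509.NewCertPool(); trusted.AddCert(ca)
	fmt.Println("with CA:", VerifyAgainst(leaf, trusted, host))
}
```

The same certificate passes or fails depending only on which trust store the verifier reads, so a browser with the CA imported (or an accepted exception) and a curl-based client reading the system bundle can disagree; the check to keep is `openssl verify -CAfile cacert.pem rui.crt` against the bundle the client actually uses, with the CA added to that bundle rather than verification switched off.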