[libvirt] Can't connect ESXi ssl with virsh

Matthias Bolte matthias.bolte at googlemail.com
Thu Mar 8 16:23:16 UTC 2012 

2012/3/5 Zhimou Peng <zhpeng at redhat.com>:
> Hi,
>
> I try to use virsh connect ESXi5.0 with ssl
>
> [root at zheng ~]#  virsh -c esx://10.66.6.211/
> Enter username for 10.66.6.211 [root]:
> Enter root's password for 10.66.6.211:
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
>
> I create kew key singed by my CA certificate, still the same error.
> But i can use vsphere client and https://10.66.6.211/, the new certs are ok.
>
> Here are my steps:
>
>
> 1, create a CA center.
>
> ENV prepare:
> # cd /etc/pki/CA/
> # mkdir {certs,crl,newcerts}
> # touch index.txt
> # echo 00 > serial
>
> create private key:
> [root at zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650
> Generating a 2048 bit RSA private key
> ................................................................+++
> ...............................................+++
> writing new private key to 'myroot.key'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.209
> Email Address []:
>
> [root at zheng CA]# mv myroot.key private/cakey.pem
> [root at zheng CA]# mv myroot.crt cacert.pem
>
> 2, create private key and certificate request file for ESXi5.0 server.
> # openssl req -new -nodes -out mycsr.csr
> Generating a 2048 bit RSA private key
> ........+++
> ...............+++
> writing new private key to 'privkey.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.211
> Email Address []:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
>
> 3,scp the certificate request file to CA and certificate it.
> [root at zheng CA]# openssl ca -out rui.crt  -infiles mycsr.csr
> Using configuration from /etc/pki/tls/openssl.cnf
> Enter pass phrase for /etc/pki/CA/private/cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>        Serial Number: 0 (0x0)
>        Validity
>            Not Before: Mar  5 06:53:52 2012 GMT
>            Not After : Mar  5 06:53:52 2013 GMT
>        Subject:
>            countryName               = CN
>            stateOrProvinceName       = BEIJING
>            organizationName          = REDHAT
>            organizationalUnitName    = QE
>            commonName                = 10.66.6.211
>        X509v3 extensions:
>            X509v3 Basic Constraints:
>                CA:FALSE
>            Netscape Comment:
>                OpenSSL Generated Certificate
>            X509v3 Subject Key Identifier:
>                84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A
>            X509v3 Authority Key Identifier:
>                keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD
>
> Certificate is to be certified until Mar  5 06:53:52 2013 GMT (365 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> 4, change the ESXi to maintance mode and change ssl keys on /etc/vmware/ssl. restart hostd server
>   then quit the maintance mode.

Until here everything is fine. The ESXi server has a new and working
SSL certificate.

> 5, test it with vsphere client and firefox. new ssl keys works well.

You should have tested with curl instead, because libvirt uses libcurl
to talk to the ESXi server.

# curl https://10.66.6.211/sdk
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

And curl still gives you error number 60, the same as libvirt.

This is correct because you missed the final step. You need to tell
your client computer to trust your new CA certificate. The one you
just created and used to sign the new SSL certificate with.

On a Debian-based system you need to do the following as root to trust
the new CA certificate and make libcurl find it:

# mkdir /usr/share/ca-certificates/esx-certs
# cp /etc/pki/CA/cacert.pem /usr/share/ca-certificates/esx-certs/
# echo esx-certs/cacert.pem >> /etc/ca-certificates.conf
# update-ca-certificates

I've no clue how to do this on a Red Hat Linux-based system, that's
your part to figure out :)

Now curl and virsh should work as expected.

-- 
Matthias Bolte
http://photron.blogspot.com

More information about the libvir-list mailing list