[PATCH v2 2/3] Add suggestions for virt-pki-query-dn usage

Martin Kletzander mkletzan at redhat.com
Thu Nov 11 20:36:56 UTC 2021


To make it easier for users to figure out how the DN should be formatted.

Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
---
 docs/remote.html.in             | 4 ++++
 src/remote/libvirtd.conf.in     | 5 +++++
 src/rpc/virnettlscontext.c      | 2 +-
 tests/virconfdata/libvirtd.conf | 4 ++++
 tests/virconfdata/libvirtd.out  | 4 ++++
 5 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/docs/remote.html.in b/docs/remote.html.in
index 66f56a3a64fc..efdb2b32535d 100644
--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -259,6 +259,10 @@ Blank lines and comments beginning with <code>#</code> are ignored.
   Note also that GnuTLS returns DNs without spaces
   after commas between the fields (and this is what we check against),
   but the <code>openssl x509</code> tool shows spaces.
+  </p>
+  To make it easy to see the order of the fields in the DN a helper executable
+  <code>virt-pki-query-dn</code> is provided for this particular use case.
+          <p>
 </p>
         </td>
       </tr>
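Review bot: the added sentence ends up outside any paragraph in this hunk. The new `</p>` closes the existing paragraph before "To make it easy to see the order of the fields...", and the new `<p>` is opened only after that sentence, immediately before the pre-existing `</p>`, so it wraps nothing. Move the `<p>` to just before "To make it easy..." so the new sentence is a paragraph of its own, and fix its indentation to match the surrounding lines, e.g.:
  </p>
  <p>
  To make it easy to see the order of the fields in the DN a helper executable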
diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
index b18c5885a1a7..2cd20aaa7f52 100644
--- a/src/remote/libvirtd.conf.in
+++ b/src/remote/libvirtd.conf.in
@@ -292,6 +292,11 @@
 #
 # Any * matches any number of consecutive spaces, like a simplified glob(7).
 #
+# The format of the DN for a particular certificate can be queried
+# using:
+#
+#    virt-pki-query-dn clientcert.pem
+#
 # NB If this is an empty list, no client can connect, so comment out
 # entirely rather than using empty list to disable these checks
 #
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 3babf3ee4dc3..1a3dd92676f7 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -371,7 +371,7 @@ virNetTLSContextCheckCertDNACL(const char *dname,
     virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
                    _("Client's Distinguished Name is not on the list "
                      "of allowed clients (tls_allowed_dn_list).  Use "
-                     "'certtool -i --infile clientcert.pem' to view the "
+                     "'virt-pki-query-dn clientcert.pem' to view the "
                      "Distinguished Name field in the client certificate, "
                      "or run this daemon with --verbose option."));
     return 0;
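Review bot: the reworded error string drops the `certtool -i --infile clientcert.pem` alternative completely, while `virt-pki-query-dn` is a libvirt-provided helper that may not be installed on the machine where the administrator reads this message (a client host with only certtool, for instance). Consider keeping the certtool command as a fallback, e.g. "Use 'virt-pki-query-dn clientcert.pem' (or 'certtool -i --infile clientcert.pem') to view ...". While touching this message, the double space in "(tls_allowed_dn_list).  Use" on the unchanged line above could also be reduced to a single space, since the change already invalidates the existing translation of this string.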
diff --git a/tests/virconfdata/libvirtd.conf b/tests/virconfdata/libvirtd.conf
index f4c35e9e430f..c5a225e42f6f 100644
--- a/tests/virconfdata/libvirtd.conf
+++ b/tests/virconfdata/libvirtd.conf
@@ -185,6 +185,10 @@ tls_no_verify_certificate = 1
 #
 # Any * matches any number of consecutive spaces, like a simplified glob(7).
 #
+# The format of the DN for a particular certificate can be queried
+# using:
+#
+#    virt-pki-query-dn clientcert.pem
 #
 # NB If this is an empty list, no client can connect, so comment out
 # entirely rather than using empty list to disable these checks
diff --git a/tests/virconfdata/libvirtd.out b/tests/virconfdata/libvirtd.out
index a407c5f189e9..754bf56ee4dd 100644
--- a/tests/virconfdata/libvirtd.out
+++ b/tests/virconfdata/libvirtd.out
@@ -149,6 +149,10 @@ tls_no_verify_certificate = 1
 #
 # Any * matches any number of consecutive spaces, like a simplified glob(7).
 #
+# The format of the DN for a particular certificate can be queried
+# using:
+#
+#    virt-pki-query-dn clientcert.pem
 #
 # NB If this is an empty list, no client can connect, so comment out
 # entirely rather than using empty list to disable these checks
-- 
2.33.1
