[libvirt-users] Using certtool to generate certificates for ESXi

Shiva Bhanujan sxb075 at gmail.com
Mon Nov 4 18:57:02 UTC 2013


Hi Matthias,

Thanks for the response.  For connecting to ESXi, I couldn't find any
environment setting to make 'curl' point to the client certificates.  So,
for the time being, I hard-coded the location in
libvirt-<version>/src/esx/esx_vi.c.

esx_vi.c:    curl_easy_setopt(curl->handle, CURLOPT_SSLCERT, "/etc/pki/libvirt/clientcert.pem");
esx_vi.c:    curl_easy_setopt(curl->handle, CURLOPT_SSLKEY, "/etc/pki/libvirt/private/clientkey.pem");
esx_vi.c:    curl_easy_setopt(curl->handle, CURLOPT_CAINFO, "/etc/pki/CA/cacert.pem");


This has worked for me.  Perhaps there's a cleaner way of doing this?  If I
find something, I'll share w/ everybody on the list.

regards,
Shiva



On Thu, Oct 31, 2013 at 7:16 AM, Matthias Bolte <matthias.bolte at googlemail.com> wrote:

> 2013/10/30 Shiva Bhanujan <sxb075 at gmail.com>:
> > Hi Daniel,
> >
> > Thanks for the reply - The procedure I use is the same as I use for
> > XenServer, and the certificate exchange works just fine.  The only thing
> > I'm a bit unclear on is the location of the CA cert, which in the case of
> > XenServer, I simply put in /etc/pki/CA.  And when I start the libvirtd
> > daemon, it successfully picks it up.  If I put the Server key and cert in
> > /etc/vmware/ssl for ESXi, is there a location where I put the CA cert
> > (cacert.pem)?  Also, following are the log errors that I see -
> >
> > 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default']
> > SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL
> > error queue:
> > 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL
> > routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> > 2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed
> > for stream TCP(local=<ESXi>:443, peer=<client>:33776), error:
> > N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL
> > routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)
> >
> >
> > Doesn't this mean the CA cert wasn't found on the ESXi?
> >
> > Regards,
> > Shiva
> >
> >
> >
> > On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berrange at redhat.com> wrote:
> >>
> >> On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
> >> > Hello,
> >> >
> >> > I'm using certtool to generate the server certificates for ESXi -
> >> > http://libvirt.org/remote.html#Remote_TLS_CA.  I just copy the server
> >> > certificate and key as /etc/vmware/ssl/rui.crt and
> >> > /etc/vmware/ssl/rui.key.  And then use virsh to connect from a CentOS
> >> > 6.4 VM running on it - "virsh -c esx://<esx IP>".  I get the following
> >> > error -
> >> >
> >> > error: internal error curl_easy_perform() returned an error: Peer
> >> > certificate cannot be authenticated with known CA certificates (60) :
> >> > Peer certificate cannot be authenticated with known CA certificates
> >> > error: failed to connect to the hypervisor
> >> >
> >> > Is there something basic that I'm missing?
> >>
> >> I'm not sure what you're missing, but the error message means that the
> >> VMWare server certificate was not signed by any CA certificate that
> >> the libvirt client has access to. So it is a client side CA cert config
> >> problem most likely.
>
> I think this problem has already been discussed on this mailing list, see:
>
> https://www.redhat.com/archives/libvir-list/2012-March/msg00342.html
>
> What you basically have to do is create your own Certificate Authority
> (CA) and then issue a new server certificate with that CA as described
> in the guide you mentioned. Then transfer this server certificate to
> the ESX server and put it into the correct place. I think you already
> have done this correctly.
>
> The last thing that's missing (the same as in the mailing list thread
> I linked above) is that you need to configure your client properly.
> The SSL infrastructure on your client needs to know about your custom
> CA. libcurl has to be able to find and use it in order to verify that
> the certificate your ESXi server presents is valid. How this has to be
> done depends on the SSL backend libcurl is using and on your distro.
>
> --
> Matthias Bolte
> http://photron.blogspot.com
>
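Added example, not code from this thread or from libvirt: the CA and server-certificate steps of the remote TLS guide linked above, done with openssl in place of certtool, followed by the offline chain check that mirrors the trust decision libcurl makes against the CAINFO file. The CA names, the hostname esxi.example.test and the scratch directory are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from libvirt. Mirrors the CA ->
# server-certificate procedure of the libvirt remote TLS guide, but with
# openssl instead of certtool, so the chain check can be run anywhere.
set -eu

WORK=${WORK:-$(mktemp -d)}   # constructed scratch directory for the test PKI

# Create a self-signed CA ($1 = file stem) as $WORK/$1.key and $WORK/$1.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/O=Example Org/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue the ESXi server certificate ($1 = CA stem, $2 = hostname) as rui.key
# and rui.crt, the file names the thread copies into /etc/vmware/ssl.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/rui.key" -out "$WORK/rui.csr" >/dev/null 2>&1
  # A SAN matching the name used in esx://<host> satisfies hostname checks.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/rui.csr" -days 365 -CAcreateserial \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -extfile "$WORK/san.ext" \
    -out "$WORK/rui.crt" >/dev/null 2>&1
}

# Exit 0 when rui.crt chains to the CA file in $1, non-zero otherwise. This is
# the same trust decision libcurl makes with CURLOPT_CAINFO; when it fails the
# client reports curl error 60 and sends the "unknown ca" alert that shows up
# in the ESXi log.
chain_ok() {
  openssl verify -CAfile "$1" "$WORK/rui.crt" >/dev/null 2>&1
}

demo() {
  make_ca libvirt-ca      # the CA the client is configured with
  make_ca other-ca        # an unrelated CA, standing in for a stale cacert.pem
  make_server_cert libvirt-ca esxi.example.test   # constructed hostname
  if chain_ok "$WORK/libvirt-ca.crt"; then
    echo "cacert.pem matches the issuer: chain verifies"
  fi
  if ! chain_ok "$WORK/other-ca.crt"; then
    echo "cacert.pem is a different CA: unknown issuer, the curl error 60 case"
  fi
}

demo
```

Running demo prints one line for each case; pointing chain_ok at the file actually configured as CAINFO on the client is the quick way to tell a client-side trust problem from a bad certificate on the ESXi host.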