[libvirt-users] Using certtool to generate certificates for ESXi

Shiva Bhanujan sxb075 at gmail.com
Wed Oct 30 18:45:51 UTC 2013


Hi Daniel,

thanks for the reply. The procedure I use is the same as I use for
XenServer, and the certificate exchange works just fine.  The only thing
I'm a bit unclear on is the location of the CA cert, which in the case of
XenServer I simply put in /etc/pki/CA.  When I start the libvirtd
daemon, it successfully picks it up.  If I put the server key and cert in
/etc/vmware/ssl for ESXi, is there a location where I put the CA cert
(cacert.pem)?  Also, following are the log errors that I see:

2013-10-30T18:32:25.405Z [FFE81B90 error 'Default']
SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL
error queue:
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed
for stream TCP(local=<ESXi>:443, peer=<client>:33776), error:
N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)


Doesn't this mean the CA cert wasn't found on the ESXi?

Regards,
Shiva



On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berrange at redhat.com> wrote:

> On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
> > Hello,
> >
> > I'm using certtool to generate the server certificates for ESXi -
> > http://libvirt.org/remote.html#Remote_TLS_CA.  I just copy the server
> > certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key.
> > And then use virsh to connect from a CentOS 6.4 VM running on it -
> > "virsh -c esx://<esx IP>".  I get the following error -
> >
> > error: internal error curl_easy_perform() returned an error: Peer
> > certificate cannot be authenticated with known CA certificates (60) : Peer
> > certificate cannot be authenticated with known CA certificates
> > error: failed to connect to the hypervisor
> >
> > Is there something basic that I'm missing?
>
> I'm not sure what you're missing, but the error message means that the
> VMWare server certificate was not signed by any CA certificate that
> the libvirt client has access to. So it is a client side CA cert config
> problem most likely.
>
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/:|
> |: http://libvirt.org              -o-             http://virt-manager.org:|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/:|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc:|
>
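The "tlsv1 alert unknown ca" that ESXi logs inside SSL_accept is an alert it received from the client, meaning the client could not chain rui.crt to any CA it trusts, which matches Daniel's client-side diagnosis; the script below, added here and not part of the thread, reproduces that outcome offline. It uses openssl instead of the certtool the thread uses, and the names cacert, rui and other-ca and the WORK scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl is on PATH.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# Self-signed CA: stands in for the cacert.pem the thread talks about.
make_ca() {   # $1 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Server cert signed by a CA: stands in for /etc/vmware/ssl/rui.crt + rui.key.
make_server_cert() {   # $1 = CA name, $2 = server name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# The client-side check libvirt/curl performs before the handshake is
# accepted: does the server cert chain to a CA in the client's bundle?
# Prints OK, or UNKNOWN_CA (the condition behind curl error 60 on the
# client and the "alert unknown ca" line in the ESXi log).
# Matches ": OK" in the output rather than relying on the exit status,
# which older openssl versions did not set on verification failure.
verify_server_cert() {   # $1 = client CA bundle, $2 = server cert
    if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo UNKNOWN_CA
    fi
}

make_ca cacert                  # the CA that actually signed the server cert
make_server_cert cacert rui     # server cert for the hypervisor
make_ca other-ca                # a CA the client might trust by mistake

echo "client trusts cacert.pem:   $(verify_server_cert "$WORK/cacert.pem" "$WORK/rui.crt")"
echo "client trusts other-ca.pem: $(verify_server_cert "$WORK/other-ca.pem" "$WORK/rui.crt")"
```

The second line is the situation in the thread: the server side is configured correctly, but the client's trust store does not contain the CA that signed rui.crt.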