[libvirt-users] problem when use tls to connect libvirt

Daniel P. Berrange berrange at redhat.com
Wed Dec 6 14:05:45 UTC 2017


On Wed, Dec 06, 2017 at 09:44:47PM +0800, Yalan Zhang wrote:
> Hi guys,
> 
> I met a problem when I use tls to connect libvirt.
> When I set the CN in client.info and server.info as the hostname (FQDN), the TLS
> check will fail with the IP; and vice versa, when the CN is set as the IP address, the TLS
> check will fail with the hostname. Only using what we set in it can succeed. Is this
> expected? Or was there some issue in my env. or setup steps?
> 
> 
> 1. Set the TLS env with the hostname; then the check with the IP will fail
> 
> # virsh -c qemu+tls://192.168.122.4/system
> 2017-12-06 13:24:52.346+0000: 3954: info : libvirt version: x.x.x, package:
> 4.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>,
> 2017-11-30-07:57:27, x.x.x.redhat.com)
> 2017-12-06 13:24:52.346+0000: 3954: info : hostname: work.englab.cn
> 2017-12-06 13:24:52.346+0000: 3954: warning :
> virNetTLSContextCheckCertificate:1125 : Certificate check failed
> Certificate [session] owner does not match the hostname 192.168.122.4
> error: failed to connect to the hypervisor
> error: authentication failed: Failed to verify peer's certificate
> 
> 2. Using the hostname as what we set succeeds.
> 
> # virsh -c qemu+tls://test.englab.cn/system
> Welcome to virsh, the virtualization interactive terminal.
> 
> Type:  'help' for help with commands
>        'quit' to quit
> 
> virsh #

X509 certificates contain one or more hostnames + IP addresses that are
associated with the server that owns them.  The error message you see
shows that the certificate you have created only contains the hostname
"test.englab.cn", and does *not* contain the IP address "192.168.122.4".

If you want to be able to connect to libvirt using an IP address then
you need to make sure the certificate contains the IP address too.

If you're following the libvirt guide at

  https://libvirt.org/remote.html#Remote_TLS_server_certificates

then, instead of creating server.info containing:

  organization = Name of your organization
  cn = test.englab.cn
  tls_www_server
  encryption_key
  signing_key

use this:

  organization = Name of your organization
  cn = test.englab.cn
  dns_name = test.englab.cn
  dns_name = test
  ip_address = 192.168.122.4
  tls_www_server
  encryption_key
  signing_key


Notice that you can list multiple dns_name entries and multiple ip_address
entries if needed - I show using both the short and the fully qualified hostname
here. Adjust as desired.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
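The point of the reply, shown end to end as an added example that is not code from the thread or from libvirt: openssl stands in for certtool, one server cert carries only cn= (the original server.info) and one also carries the dns_name/ip_address entries (the corrected one), and each is checked against the hostname and the IP that appear in the qemu+tls:// URIs above; the CA name, key sizes and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the list thread or libvirt. Builds a throwaway CA and two
# server certs with openssl (standing in for certtool): server-cn_only.pem mirrors
# the original server.info, server-san.pem the corrected one with SAN entries.
set -eu

make_certs() {  # $1 = work dir; writes cacert.pem, server-cn_only.pem, server-san.pem
    cat >"$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_cn_only]
basicConstraints = CA:FALSE
[srv_san]
subjectAltName = DNS:test.englab.cn,DNS:test,IP:192.168.122.4
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/openssl.cnf" \
        -extensions ca_ext -subj "/CN=Example CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/CN=test.englab.cn" -keyout "$1/serverkey.pem" -out "$1/server.csr" 2>/dev/null
    for ext in srv_cn_only srv_san; do
        openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
            -CAcreateserial -days 2 -extfile "$1/openssl.cnf" -extensions "$ext" \
            -out "$1/server-${ext#srv_}.pem" 2>/dev/null
    done
}

# check_peer CERT CAFILE hostname|ip VALUE: succeeds when openssl accepts VALUE for
# CERT, i.e. the decision a client must make for the host or IP named in the URI.
# A hostname may still match a cn= without SANs; an IP only ever matches an IP SAN.
check_peer() {
    case $3 in hostname) flag=-verify_hostname ;; ip) flag=-verify_ip ;; *) return 2 ;; esac
    openssl verify -CAfile "$2" "$flag" "$4" "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
make_certs "$WORK"
for c in cn_only san; do
    check_peer "$WORK/server-$c.pem" "$WORK/cacert.pem" hostname test.englab.cn && h=ACCEPT || h=REJECT
    check_peer "$WORK/server-$c.pem" "$WORK/cacert.pem" ip 192.168.122.4 && i=ACCEPT || i=REJECT
    echo "server-$c.pem: hostname test.englab.cn -> $h, ip 192.168.122.4 -> $i"
done
rm -rf "$WORK"
```

Running it prints REJECT for the IP only on server-cn_only.pem, which is the failure in step 1 above; libvirt itself checks the certificate through GnuTLS, but the SAN requirement is the same.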