qemu+tls server certificate validation failure (The certificate is not trusted)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libvirt (Ubuntu) | Invalid | Low | Unassigned | | |
Bug Description
Binary package hint: libvirt-bin
I'm having a problem with remote TLS libvirt connections from a jaunty client. I just upgraded my client to jaunty from Intrepid and I can no longer connect to hardy or intrepid libvirt servers that have TLS enabled. I get the following errors:
$ virt-viewer -c qemu+tls:
libvir: Remote error : server certificate failed validation: The certificate is not trusted.
libvir: Remote error : unable to connect to 'example.com': Invalid argument
unable to connect to libvirt qemu+tls:
$
In the past (i.e. hardy, intrepid) I was able to use the following command. Now I get an error:
$ virt-viewer -c qemu://
libvir: error : could not connect to qemu://
unable to connect to libvirt qemu://
$
The server's config has not changed (I've tested against libvirt-bin versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I have the CA certificate installed on both server and client (in /etc/pki/
$ openssl s_client -CAfile /etc/pki/
$ openssl verify -CAfile /etc/pki/
servercert.pem: OK
$ openssl verify -CAfile /etc/pki/
/etc/pki/
$
When I run strace against virt-viewer I can see that it is accessing (and successfully opening) the correct certs/keys:
$ grep /etc/pki /tmp/out
stat64(
stat64(
stat64(
open("/
open("/
open("/
$
I'm using virt-viewer 0.0.3-6ubuntu7 and libvirt-bin 0.6.1-0ubuntu5
Changed in libvirt (Ubuntu):
importance: Undecided → Low
Oops, I noticed an error in an openssl command above. It should read as follows:
$ openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/libvirt/clientcert.pem
/etc/pki/libvirt/clientcert.pem: OK
$
Sorry, I was playing with the client cert location. As you can see, the clientcert.pem is valid.