qemu+tls server certificate validation failure (The certificate is not trusted)

Bug #366455 reported by Scott Beardsley on 2009-04-25
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libvirt (Ubuntu)

Bug Description

Binary package hint: libvirt-bin

I'm having a problem with remote TLS libvirt connections from a jaunty client. I just upgraded my client to jaunty from Intrepid and I can no longer connect to hardy or intrepid libvirt servers that have TLS enabled. I get the following errors:

$ virt-viewer -c qemu+tls://example.com/system virt.example.com
libvir: Remote error : server certificate failed validation: The certificate is not trusted.
libvir: Remote error : unable to connect to 'example.com': Invalid argument
unable to connect to libvirt qemu+tls://example.com/system

In the past (ie hardy, intrepid) I was able to use the following command. Now I get an error:
$ virt-viewer -c qemu://example.com/system virt.example.com
libvir: error : could not connect to qemu://example.com/system
unable to connect to libvirt qemu://example.com/system

The server's config has not changed (I've tested against libvirt-bin versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I have the CA certificate installed on both server and client (in /etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and the server cert. Here is some proof that it *should* work:

$ openssl s_client -CAfile /etc/pki/CA/cacert.pem -cert /etc/pki/libvirt/clientcert.pem -key /etc/pki/libvirt/private/clientkey.pem -connect example.com:16514 2>/dev/null|sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >servercert.pem
$ openssl verify -CAfile /etc/pki/CA/cacert.pem servercert.pem
servercert.pem: OK
$ openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/clientcert.pem
/etc/pki/libvirt-vnc/clientcert.pem: OK

When I run strace against virt-viewer I can see that it is accessing and (successfully opening) the correct certs/keys:

$ grep /etc/pki /tmp/out
stat64("/etc/pki/CA/cacert.pem", {st_mode=S_IFREG|0644, st_size=1716, ...}) = 0
stat64("/etc/pki/libvirt/private/clientkey.pem", {st_mode=S_IFREG|0644, st_size=887, ...}) = 0
stat64("/etc/pki/libvirt/clientcert.pem", {st_mode=S_IFREG|0644, st_size=1172, ...}) = 0
open("/etc/pki/CA/cacert.pem", O_RDONLY) = 5
open("/etc/pki/libvirt/private/clientkey.pem", O_RDONLY) = 5
open("/etc/pki/libvirt/clientcert.pem", O_RDONLY) = 5

I'm using virt-viewer 0.0.3-6ubuntu7 and libvirt-bin 0.6.1-0ubuntu5

Oops I noticed an error in an openssl command above. It should read as follows:

$ openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/libvirt/clientcert.pem
/etc/pki/libvirt/clientcert.pem: OK

Sorry, I was playing with the client cert location. As you can see the clientcert.pem is valid.

Chuck Short (zulcss) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please answer these questions:
1. Is this reproducible?
2. If so, what specific steps should we take to recreate this bug? Be as detailed as possible.
This will help us to find and resolve the problem.

Changed in libvirt (Ubuntu):
status: New → Incomplete
Changed in libvirt (Ubuntu):
importance: Undecided → Low
Chuck Short (zulcss) wrote :

We'd like to figure out what's causing this bug for you, but we haven't heard back from you in a while. Could you please provide the requested information? Thanks!

Jamie Strandboge (jdstrand) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in libvirt (Ubuntu):
status: Incomplete → Invalid
Ishmael (ishmaelt3) wrote :


I see this is from 2010 but I am experiencing the same problem as seen below:

root@ceph1:/cert_files# virsh -c qemu+tls://ceph1/system hostname
2016-04-29 14:15:52.077+0000: 2741: info : libvirt version: 1.2.16, package: 1.2.16-2ubuntu11.15.10.3
2016-04-29 14:15:52.077+0000: 2741: warning : virNetTLSContextCheckCertificate:1145 : Certificate check failed Certificate failed validation: The certificate is not trusted.
error: failed to connect to the hypervisor
error: authentication failed: Failed to verify peer's certificate
root@ceph1:/cert_files# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/libvirt/clientcert.pem
/etc/pki/libvirt/clientcert.pem: OK

Please assist if possible

Simon Déziel (sdeziel) wrote :

Ishmael, on Ubuntu, the default location for CA cert is /etc/ssl/certs. Maybe you could try putting your trusted CA in there?

Ishmael (ishmaelt3) wrote :

Thank you for the response Simon,

Now I get this error:

2016-05-03 06:19:04.707+0000: 1119: warning : virNetTLSContextCheckCertificate:1145 : Certificate check failed Certificate [session] owner does not match the hostname localhost
error: failed to connect to the hypervisor
error: authentication failed: Failed to verify peer's certificate

I have used FQDN when generating certs. any idea?

Simon Déziel (sdeziel) wrote :

It seems that it wants the certificate to cover the name "localhost" instead or in addition to the FQDN.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers