libvirtd --listen fails with: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory

Bug #979212 reported by Ryan Harper
Affects: libvirt (Ubuntu)
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned

Bug Description

Attempting to run libvirtd directly and enable the remote network driver, I run libvirtd with:

% sudo service libvirt-bin stop
% sudo /usr/sbin/libvirtd -v --listen
2012-04-11 18:27:53.674+0000: 6018: info : libvirt version: 0.9.8
2012-04-11 18:27:53.674+0000: 6018: error : virNetTLSContextCheckCertFile:92 : Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory

I believe the Ubuntu equivalent is /etc/ca-certificates but it's empty.

/etc/libvirt/libvirtd.conf has variables to override these values, but it is not clear what should be set.

Here's the relevant section:

#################################################################
#
# TLS x509 certificate configuration
#

# Override the default server key file path
#
#key_file = "/etc/pki/libvirt/private/serverkey.pem"

# Override the default server certificate file path
#
#cert_file = "/etc/pki/libvirt/servercert.pem"

# Override the default CA certificate path
#
#ca_file = "/etc/pki/CA/cacert.pem"

# Specify a certificate revocation list.
#
# Defaults to not using a CRL, uncomment to enable it
#crl_file = "/etc/pki/CA/crl.pem"

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libvirt-bin 0.9.8-2ubuntu15
ProcVersionSignature: User Name 3.2.0-22.35-virtual 3.2.14
Uname: Linux 3.2.0-22-virtual x86_64
ApportVersion: 2.0-0ubuntu4
Architecture: amd64
Date: Wed Apr 11 18:29:31 2012
Ec2AMI: ami-7569b01c
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1c
Ec2InstanceType: t1.micro
Ec2Kernel: aki-825ea7eb
Ec2Ramdisk: unavailable
ProcEnviron:
 TERM=xterm
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: libvirt
UpgradeStatus: No upgrade log present (probably fresh install)

Ryan Harper (raharper) wrote :
Scott Moser (smoser)
Changed in libvirt (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug.

Per the Ubuntu server guide (https://help.ubuntu.com/10.04/serverguide/C/certificates-and-security.html) I believe the location should be /etc/ssl/certs/. However, I'm not sure whether we want to set the default in libvirtd.conf to a sample certificate, or leave it invalid to encourage admins to create their own certificate.

Jamie Strandboge (jdstrand) wrote :

This is documented in http://libvirt.org/remote.html#Remote_certificates. AIUI, this is typically used with a private CA, not necessarily with stuff you buy through, say, Verisign, since there might be a lot of certificates. The idea is you create the CA, you sign a server CSR with your CA, then you sign all your client CSRs with your CA and you put all this in /etc/pki/.
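As an added example (not from the report, the thread, or libvirt itself), a small Python pre-flight check that resolves the effective key_file/cert_file/ca_file paths from a libvirtd.conf excerpt, applying the defaults shown in the report when a setting is left commented out, and reports the same missing-file condition before libvirtd --listen is started. The config text, the /srv/libvirt-tls paths and the placeholder files are constructed for the demonstration, and the group/other-readable private key check is an extra caveat not raised in the thread.

```python
import os
import re
import stat
import tempfile
# Defaults from the libvirtd.conf excerpt in the report; the CRL is optional.
TLS_DEFAULTS = {
    "key_file": "/etc/pki/libvirt/private/serverkey.pem",
    "cert_file": "/etc/pki/libvirt/servercert.pem",
    "ca_file": "/etc/pki/CA/cacert.pem",
    "crl_file": None,
}
_SETTING = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')  # a '#' line never matches
# Constructed config: key/cert overridden, ca_file left commented out as in the report.
CONF_EXCERPT = '''
#ca_file = "/etc/pki/CA/cacert.pem"
key_file = "/srv/libvirt-tls/serverkey.pem"
cert_file = "/srv/libvirt-tls/servercert.pem"
'''

def resolve_tls_paths(conf_text):
    """Effective TLS file paths: a commented-out setting means 'use the default'."""
    paths = dict(TLS_DEFAULTS)
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if m and m.group(1) in paths:
            paths[m.group(1)] = m.group(2)
    return paths

def check_tls_files(paths):
    """Problems that stop libvirtd --listen: a missing file, or a key others can read."""
    problems = []
    for key in ("ca_file", "cert_file", "key_file", "crl_file"):
        path = paths[key]
        if path is None:
            continue  # no CRL configured is allowed
        if not os.path.isfile(path):
            problems.append(f"{key}: cannot read '{path}': No such file or directory")
        elif key == "key_file" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append(f"key_file: '{path}' is readable by group/other")
    return problems

def demo():
    """Reproduce the report in a temp dir: server cert/key present, CA file absent."""
    with tempfile.TemporaryDirectory() as d:
        conf = f'key_file = "{d}/serverkey.pem"\ncert_file = "{d}/servercert.pem"\nca_file = "{d}/cacert.pem"\n'
        paths = resolve_tls_paths(conf)
        for p in (paths["cert_file"], paths["key_file"]):
            open(p, "w").close()  # constructed empty stand-ins, not real PEM files; cacert.pem is never created
        os.chmod(paths["key_file"], 0o600)  # private key readable by owner only
        return check_tls_files(paths)
```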

Marc Deslauriers (mdeslaur) wrote :

The equivalent for ca_file should be /etc/ssl/certs/ca-certificates.crt. That can be set, but we probably should set up key_file and cert_file.

Marc Deslauriers (mdeslaur) wrote :

Sorry, I meant "we probably _shouldn't_ set up key_file and cert_file".

Marc Deslauriers (mdeslaur) wrote :

Actually, disregard my comments, Jamie is right, ca_file is typically for a self-created CA.

Serge Hallyn (serge-hallyn) wrote :

Thanks. Given that this is something that simply needs to be customized locally and is documented (at links above), marking wontfix.

Changed in libvirt (Ubuntu):
status: Confirmed → Won't Fix