
[libvirt] Failed when client connects to the hypervisor running on Server using TLS



Hi all,

The client fails to connect to the hypervisor running on the server using TLS; the details are as follows:

I Test Procedures:
On server (10.66.92.154)
1. Set up a Certificate Authority (CA)
1.1 # certtool --generate-privkey > cakey.pem
1.2 self-sign cakey.pem by creating a file with the signature details called ca.info containing:
cn=10.66.92.154
ca
cert_signing_key
1.3 # certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem

2. Create server certificates
2.1 certtool --generate-privkey > serverkey.pem
2.2 sign that key with the CA's private key by first creating a template file called server.info
organization=Red Hat
cn=10.66.92.154
tls_www_server
encryption_key
signing_key
2.3 # certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem \
--load-ca-privkey cakey.pem --template server.info --outfile servercert.pem

3. Copy CA key and server key to correct directory
3.1 # cp cakey.pem cacert.pem /etc/pki/CA
3.2 # mkdir -p /etc/pki/libvirt/private
3.3 # cp serverkey.pem /etc/pki/libvirt/private
3.4 # cp servercert.pem /etc/pki/libvirt

4. Copy CA key to client(10.66.93.205) into correct directory
4.1 # scp cakey.pem cacert.pem root@10.66.93.205:/etc/pki/CA

5. Turn on libvirtd listening in /etc/sysconfig/libvirtd
  -- uncomment LIBVIRTD_ARGS="--listen"
6. Edit /etc/libvirt/libvirtd.conf
  -- enable listen_tls = 1
7. # service libvirtd restart
8. # service iptables stop

On client (10.66.93.205)
9. Create client certificates
9.1 # certtool --generate-privkey > clientkey.pem
9.2 Act as CA and sign the certificate.  Create client.info containing:
country=GB
state=London
locality=London
organization=Red Hat
cn=10.66.93.205
tls_www_client
encryption_key
signing_key
9.3 # certtool --generate-certificate  --load-privkey clientkey.pem --load-ca-certificate /etc/pki/CA/cacert.pem \
--load-ca-privkey /etc/pki/CA/cakey.pem --template client.info --outfile clientcert.pem

10. Copy client key to correct directory
10.1 # mkdir -p /etc/pki/libvirt/private
10.2 # cp clientkey.pem /etc/pki/libvirt/private
10.3 # cp clientcert.pem /etc/pki/libvirt/

11. Connect to server hypervisor
# virsh -c qemu+tls://10.66.92.154/system

II Test Result:
[root@dhcp-93-205 images]# virsh -c qemu+tls://10.66.92.154/system
error: server verification (of our certificate or IP address) failed
error: failed to connect to the hypervisor

Note:
If I do Step 9 as above on the server, then the client can connect to the hypervisor running on the server using TLS successfully.

Regards!
Johnson
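Added here as a diagnostic for the setup described in the post (not part of Johnson's message or of libvirt itself): a small shell script that checks the points this error hinges on, namely whether both hosts hold the same cacert.pem, whether each certificate chains to it, and whether key files are readable only by their owner. It assumes the file paths used in the post, GNU coreutils, and a GnuTLS 3 certtool on PATH.

```shell
#!/bin/sh
# Constructed diagnostic for the libvirt TLS setup above; not from the original post.
# Assumes the paths used in the post, GNU coreutils (stat -c, base64 -d) and
# a GnuTLS 3 certtool on PATH.
set -u

# SHA-256 of the DER body of a PEM file. Run on both hosts: the CA fingerprint
# must be identical on client and server, or the peer's certificate is rejected.
pem_fingerprint() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1" | sed '/^-----/d' \
        | base64 -d | sha256sum | cut -d' ' -f1
}

# Returns 0 when two PEM files contain the same DER (same CA on both hosts).
same_ca() {
    [ "$(pem_fingerprint "$1")" = "$(pem_fingerprint "$2")" ]
}

# Returns 0 when the private key is readable by its owner only (0600 or 0400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Returns 0 when the certificate chains to the CA that libvirt on this host trusts.
verify_chain() {
    certtool --verify --load-ca-certificate "$1" --infile "$2" >/dev/null
}

# Runs every check for one host. Role is "server" or "client" and selects
# which certificate and key under /etc/pki/libvirt are inspected.
check_host() {
    role="$1"
    ca=/etc/pki/CA/cacert.pem
    cert=/etc/pki/libvirt/${role}cert.pem
    key=/etc/pki/libvirt/private/${role}key.pem
    echo "CA fingerprint (compare with the other host): $(pem_fingerprint "$ca")"
    verify_chain "$ca" "$cert" && echo "OK: $cert chains to $ca" \
        || echo "FAIL: $cert does not verify against $ca"
    key_mode_ok "$key" && echo "OK: $key is owner-only" \
        || echo "WARN: $key is readable by other users"
    # Only cacert.pem needs to be on each host; cakey.pem should stay on the
    # signing host, because it can issue certificates the server will trust.
    [ "$role" = client ] && [ -e /etc/pki/CA/cakey.pem ] \
        && echo "WARN: CA private key is present on the client"
    # The subject CN must match the name or address the other side uses.
    certtool --certificate-info --infile "$cert" | grep -i 'Subject:'
}

# Usage: sh tls-check.sh check server   (or: sh tls-check.sh check client)
if [ "${1:-}" = check ]; then check_host "${2:-server}"; fi
```

libvirt also ships virt-pki-validate, which performs a similar set of checks on the standard paths.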

