[libvirt] Can't connect ESXi ssl with virsh

Zhimou Peng zhpeng at redhat.com
Mon Mar 5 07:42:38 UTC 2012


Ehh.....
Not familiar with it.
Can you give me one example?



----- Original Message -----
From: "Hu Tao" <hutao at cn.fujitsu.com>
To: "Zhimou Peng" <zhpeng at redhat.com>
Cc: libvir-list at redhat.com, "Tingting Zheng" <tzheng at redhat.com>
Sent: Monday, March 5, 2012 3:22:22 PM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh

On Mon, Mar 05, 2012 at 02:04:05AM -0500, Zhimou Peng wrote:
> Hi,
> 
> I try to use virsh to connect to ESXi5.0 with ssl
> 
> [root at zheng ~]#  virsh -c esx://10.66.6.211/
> Enter username for 10.66.6.211 [root]: 
> Enter root's password for 10.66.6.211: 
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
> 
> I created a new key signed by my CA certificate, still the same error.
> But I can use vsphere client and https://10.66.6.211/, the new certs are ok.
> 
> Here are my steps:
> 
> 
> 1, create a CA center.
> 
> ENV prepare:
> # cd /etc/pki/CA/
> # mkdir {certs,crl,newcerts}
> # touch index.txt
> # echo 00 > serial
> 
> create private key:
> [root at zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650
> Generating a 2048 bit RSA private key
> ................................................................+++
> ...............................................+++
> writing new private key to 'myroot.key'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.209
> Email Address []:
> 
> [root at zheng CA]# mv myroot.key private/cakey.pem
> [root at zheng CA]# mv myroot.crt cacert.pem
> 
> 2, create private key and certificate request file for ESXi5.0 server.
> # openssl req -new -nodes -out mycsr.csr
> Generating a 2048 bit RSA private key
> ........+++
> ...............+++
> writing new private key to 'privkey.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.211
> Email Address []:
> 
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
> 
> 3, scp the certificate request file to the CA and certify it.
> [root at zheng CA]# openssl ca -out rui.crt  -infiles mycsr.csr 
> Using configuration from /etc/pki/tls/openssl.cnf
> Enter pass phrase for /etc/pki/CA/private/cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 0 (0x0)
>         Validity
>             Not Before: Mar  5 06:53:52 2012 GMT
>             Not After : Mar  5 06:53:52 2013 GMT
>         Subject:
>             countryName               = CN
>             stateOrProvinceName       = BEIJING
>             organizationName          = REDHAT
>             organizationalUnitName    = QE
>             commonName                = 10.66.6.211
>         X509v3 extensions:
>             X509v3 Basic Constraints: 
>                 CA:FALSE
>             Netscape Comment: 
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier: 
>                 84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A
>             X509v3 Authority Key Identifier: 
>                 keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD
> 
> Certificate is to be certified until Mar  5 06:53:52 2013 GMT (365 days)
> Sign the certificate? [y/n]:y
> 
> 
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> 
> 4, change the ESXi to maintenance mode and change the ssl keys in /etc/vmware/ssl. restart the hostd server
>    then quit the maintenance mode.
> 
> 5, test it with vsphere client and firefox. new ssl keys work well.
> 
> 6, [root at zheng ~]# virsh -c esx://10.66.6.211
> Enter username for 10.66.6.211 [root]: 
> Enter root's password for 10.66.6.211: 
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor

I didn't see any steps to install your self-signed CA certificate
(cacert.pem in your example) on the client.

-- 
Thanks,
Hu Tao
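As an added illustration of Hu Tao's point (not code from the thread or from libvirt): this script rebuilds the CA -> server-cert chain from the steps above with throwaway keys in a temp directory (constructed paths; it assumes only the openssl CLI) and runs the same trust check curl makes, once against the client's system store and once with cacert.pem supplied.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the CA -> server-cert chain from the
# steps above with throwaway keys in a temp dir (constructed paths), then run the
# same trust check curl makes. Without cacert.pem in the client's store the check
# fails, which is libvirt's "cannot be authenticated with known CA certificates (60)".
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA plus a server cert for the ESXi host named in the thread (10.66.6.211).
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=CN/O=REDHAT/OU=QE/CN=example-ca" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=CN/O=REDHAT/OU=QE/CN=10.66.6.211" \
    -keyout "$WORK/rui.key" -out "$WORK/mycsr.csr" 2>/dev/null &&
  openssl x509 -req -days 365 -in "$WORK/mycsr.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -out "$WORK/rui.crt" 2>/dev/null
}

# Trust check using only the system store (what curl/libvirt do by default).
# Returns 0 when the chain is trusted, non-zero otherwise.
verify_with_system_store() {
  openssl verify "$WORK/rui.crt" >/dev/null 2>&1
}

# Same check with the private CA supplied explicitly; this is what installing
# cacert.pem into the client's trust store achieves (on RHEL/Fedora: copy it to
# /etc/pki/ca-trust/source/anchors/ and run update-ca-trust, or append it to
# /etc/pki/tls/certs/ca-bundle.crt on older releases).
verify_with() {
  openssl verify -CAfile "$1" "$WORK/rui.crt" >/dev/null 2>&1
}

make_certs || { echo "openssl failed to build the test chain" >&2; exit 1; }
if verify_with_system_store; then
  echo "system store: trusted"
else
  echo "system store: NOT trusted (same failure curl reports as error 60)"
fi
if verify_with "$WORK/cacert.pem"; then
  echo "with cacert.pem: trusted"
fi
```

The ESX driver also accepts `?no_verify=1` on the esx:// URI, which skips this check entirely rather than fixing it; installing the CA on the client is the correct resolution.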