[libvirt] Can't connect ESXi ssl with virsh
Zhimou Peng
zhpeng at redhat.com
Mon Mar 5 07:42:38 UTC 2012
Ehh.....
Not familiar with it.
Can you give me one example?
----- Original Message -----
From: "Hu Tao" <hutao at cn.fujitsu.com>
To: "Zhimou Peng" <zhpeng at redhat.com>
Cc: libvir-list at redhat.com, "Tingting Zheng" <tzheng at redhat.com>
Sent: Monday, March 5, 2012 3:22:22 PM
Subject: Re: [libvirt] Can't connect ESXi ssl with virsh
On Mon, Mar 05, 2012 at 02:04:05AM -0500, Zhimou Peng wrote:
> Hi,
>
> I try to use virsh to connect to ESXi 5.0 with SSL
>
> [root at zheng ~]# virsh -c esx://10.66.6.211/
> Enter username for 10.66.6.211 [root]:
> Enter root's password for 10.66.6.211:
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
>
> I created a new key signed by my CA certificate, still the same error.
> But I can use vSphere client and https://10.66.6.211/, the new certs are ok.
>
> Here are my steps:
>
>
> 1, create a CA center.
>
> ENV prepare:
> # cd /etc/pki/CA/
> # mkdir {certs,crl,newcerts}
> # touch index.txt
> # echo 00 > serial
>
> create private key:
> [root at zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650
> Generating a 2048 bit RSA private key
> ................................................................+++
> ...............................................+++
> writing new private key to 'myroot.key'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.209
> Email Address []:
>
> [root at zheng CA]# mv myroot.key private/cakey.pem
> [root at zheng CA]# mv myroot.crt cacert.pem
>
> 2, create private key and certificate request file for ESXi5.0 server.
> # openssl req -new -nodes -out mycsr.csr
> Generating a 2048 bit RSA private key
> ........+++
> ...............+++
> writing new private key to 'privkey.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.211
> Email Address []:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
>
> 3, scp the certificate request file to the CA and certify it.
> [root at zheng CA]# openssl ca -out rui.crt -infiles mycsr.csr
> Using configuration from /etc/pki/tls/openssl.cnf
> Enter pass phrase for /etc/pki/CA/private/cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
> Serial Number: 0 (0x0)
> Validity
> Not Before: Mar 5 06:53:52 2012 GMT
> Not After : Mar 5 06:53:52 2013 GMT
> Subject:
> countryName = CN
> stateOrProvinceName = BEIJING
> organizationName = REDHAT
> organizationalUnitName = QE
> commonName = 10.66.6.211
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A
> X509v3 Authority Key Identifier:
> keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD
>
> Certificate is to be certified until Mar 5 06:53:52 2013 GMT (365 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> 4, change the ESXi to maintenance mode and change the SSL keys in /etc/vmware/ssl. Restart the hostd server,
> then quit maintenance mode.
>
> 5, test it with vSphere client and Firefox. The new SSL keys work well.
>
> 6,[root at zheng ~]# virsh -c esx://10.66.6.211
> Enter username for 10.66.6.211 [root]:
> Enter root's password for 10.66.6.211:
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
I didn't see any steps to install your self-signed CA certificate
(cacert.pem in your example) on the client.
--
Thanks,
Hu Tao
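As an added example (not part of this thread), the following script reproduces Hu Tao's point offline: it builds a throwaway CA and a server certificate the same way the thread does, then shows `openssl verify` rejecting the server certificate when the client has only its default trust store and accepting it once cacert.pem is supplied. All file names, the temp directory and the CN are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the "Peer certificate
# cannot be authenticated with known CA certificates" condition with a
# throwaway CA, then show the same certificate verifying once the client is
# handed the CA certificate. Everything lives in a temp dir and is removed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA, the equivalent of the thread's cacert.pem / cakey.pem
# (no passphrase here so the demo runs unattended).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-root-ca" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1

# Server key + CSR with the host's address as CN, then sign it with the CA
# (the equivalent of the thread's mycsr.csr -> rui.crt).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=10.66.6.211" \
  -keyout "$WORK/rui.key" -out "$WORK/mycsr.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/mycsr.csr" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/cakey.pem" -CAcreateserial -days 1 \
  -out "$WORK/rui.crt" >/dev/null 2>&1

# verify_chain CERT [CAFILE]: returns 0 when the chain is trusted, non-zero
# otherwise. Without CAFILE only the default trust store is consulted, which
# is what curl (and therefore virsh's esx:// driver) does unless told otherwise.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# Client without the CA: rejected, the same failure curl reports as error 60.
if verify_chain "$WORK/rui.crt"; then
  echo "untrusted CA was accepted, check the default trust store"; exit 1
fi
echo "without cacert.pem: rejected (expected)"

# Client with the CA: accepted. Installing cacert.pem on the client is the fix.
verify_chain "$WORK/rui.crt" "$WORK/cacert.pem" && echo "with cacert.pem: accepted"
```

Chain trust is only one of the checks curl performs: the certificate's name must also match the host that was connected to, so a CN of 10.66.6.211 only helps when virsh is pointed at that same address.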