[libvirt-users] Using certtool to generate certificates for ESXi

Thu Oct 31 14:16:55 UTC 2013

2013/10/30 Shiva Bhanujan <sxb075 at gmail.com>:
> Hi Daniel,
>
> thanks for the reply - The procedure I use is the same as I use for
> XenServer, and the certificate exchange works just fine.  The only thing I'm
> a bit unclear on, is the location of the CA cert, which in the case of
> XenServer, I simply put it in /etc/pki/CA.  And when I start the libvirtd
> daemon, it successfully picks it up.  If I put the Server key and cert in
> /etc/vmware/ssl for ESXi, is there a location where I put the CA cert
> (cacert.pem)?  Also, following are the log errors that I see -
>
> 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default']
> SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL
> error queue:
> 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> 2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed
> for stream TCP(local=<ESXi>:443, peer=<client>:33776), error:
> N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)
>
>
> Doesn't this mean the CA cert wasn't found on the ESXi?
>
> Regards,
> Shiva
>
>
>
> On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berrange at redhat.com>
> wrote:
>>
>> On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
>> > Hello,
>> >
>> > I'm using certtool to generate the server certificates for ESXi -
>> > http://libvirt.org/remote.html#Remote_TLS_CA.  I just copy the server
>> > certificate and key as /etc/vmware/ssl/rui.crt and
>> > /etc/vmware/ssl/rui.key.
>> >  And then use virsh to connect from a CentOS 6.4 VM running on it -
>> > "virsh
>> > -c esx://<esx IP>.  I get the following error -
>> >
>> > error: internal error curl_easy_perform() returned an error: Peer
>> > certificate cannot be authenticated with known CA certificates (60) :
>> > Peer
>> > certificate cannot be authenticated with known CA certificates
>> > error: failed to connect to the hypervisor
>> >
>> > is there something basic that I'm missing?
>>
>> I'm not sure what you're missing, but the error message means that the
>> VMWare server certificate was not signed by any CA certificate that
>> the libvirt client has access to. So it is a client side CA cert config
>> problem most likely.

I think this problem has already been discussed on this mailing list, see:

https://www.redhat.com/archives/libvir-list/2012-March/msg00342.html

What you basically have to do is create your own Certificate Authority
(CA) and then issue a new server certificate with that CA as described
in the guide you mentioned. Then transfer this server certificate to
the ESX server and put it into the correct place. I think you already
have done this correctly

The last thing that's missing (the same as in the mailing list thread
I linked above) is that you need to configure your client properly.
The SSL infrastructure on your client needs to know about your custom
CA. libcurl has to be able to find and use it in order to verify that
the certificate your ESXi server present is valid. How this has to be
done depends on the SSL backend libcurl is using and on your distro.

-- 
Matthias Bolte
http://photron.blogspot.com