[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [virt-tools-list] [libvirt-users] Client certificate paths?



On 08/20/2010 12:59 AM, Cole Robinson wrote:
On 08/12/2010 10:29 AM, Lars Kellogg-Stedman wrote:
Hello all,

I'm trying to get virsh (and virt-manager) to talk to a remote libvirt
instance.  I cannot for the life of me figure out how to tell either
tool where to find client or CA certificates.  Do they *really* need
to access the ones in /etc/pki?  In particular, the client seems to
want to read the *server's* private key, which for obvious reasons is
only readable by root.

I feel like I must be missing something obvious...if someone can point
me towards a solution I would really appreciate it.  Thanks!

Hi Lars,

There wasn't a mention of which type of certificates you're trying to
use, so I'll assume TLS, as that's what /etc/pki is for.

virsh
*****

With virsh, it is hard coded to use a server wide path for its client
certificate.  (found this out yesterday)  It's been mentioned
there's an RFE for having that configurable, but it's not something I've
looked into.

  $ ls -la /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/private/clientkey.pem
  -rw-r--r-- 1 root root 1220 Aug 19 02:34 /etc/pki/libvirt/clientcert.pem
  -rw-r--r-- 1 root root 1675 Aug 19 02:32 /etc/pki/libvirt/private/clientkey.pem
  $

It also needs the CA Certificate (not the key) here:

  /etc/pki/CA/cacert.pem

  $ sudo ls -la /etc/pki/CA/cacert.pem
  -rw-r--r-- 1 root root 1070 Aug 19 01:06 /etc/pki/CA/cacert.pem
  $

Real life example of it working
*******************************

  $ virsh -c qemu://host1/system
  Welcome to virsh, the virtualization interactive terminal.

  Type:  'help' for help with commands
         'quit' to quit

  virsh #

(the qemu:// bit works there without saying qemu+tls://, because TLS
is the default)


virt-manager
************

virt-manager though, uses the client certificate in a different spot.
It has them per user, and they're stored in:

  ~/.pki/libvirt-vnc/clientcert.pem
  ~/.pki/libvirt-vnc/private/clientkey.pem

It needs the CA Certificate in:

  ~/.pki/CA/ca-cert.pem

  $ ls -la ~/.pki/libvirt-vnc/clientcert.pem ~/.pki/libvirt-vnc/private/clientkey.pem ~/.pki/CA/ca-cert.pem
  -rw-r--r-- 1 jc jc 1070 Aug 19 20:48 /export/backend/home/jc/.pki/CA/ca-cert.pem
  -rw-r--r-- 1 jc jc 1220 Aug 19 20:48 /export/backend/home/jc/.pki/libvirt-vnc/clientcert.pem
  lrwxrwxrwx 1 jc jc   16 Aug 19 21:14 /export/backend/home/jc/.pki/libvirt-vnc/private/clientkey.pem -> ../clientkey.pem
  $

You'll be able to see that pointing to the keys in my home dir. Something you'll notice is that in this instance, my clientkey.pem is itself NOT in the "private" sub-dir. It's in a folder below that, with a link in the private sub-dir, which is good enough.

I have it this way only because I created it in a different spot initially when trying to get it to work, and it turns out that virt-viewer (another VNC viewing thing) needs it there instead. i.e. in the directory below "private".

Anyway, the above works. :)

If you have troubles with the TLS key generation, the docs on the libvirt.org site work:

  http://libvirt.org/remote.html

And the paths for virt-manager are given on the last part of this page:

  http://virt-manager.org/page/RemoteTLS#virt-manager.2Fvirsh.2Fvirt-viewer_client_setup


If it's relevant, I'm running everything under Fedora 13 right now, so
that means libvirt-0.8.2-1.fc13.x86_64 and
qemu-kvm-0.12.3-8.fc13.x86_64.

Similar.  All of the above is on an F13 workstation as well.

All good now? :)

Regards and best wishes,

Justin Clift

--
Salasaga  -  Open Source eLearning IDE
              http://www.salasaga.org
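The two file layouts described in the reply above (system-wide under /etc/pki for virsh, per-user under ~/.pki for virt-manager) are easy to get subtly wrong, so here is an added audit script. It is not code from the thread or from the libvirt/virt-manager projects; the paths are the ones the reply lists, and the optional root-directory arguments to `audit_virsh` and `audit_virt_manager` are an assumption of this script, not a libvirt option. Beyond checking that each file exists, it flags a private key that is readable by group or other (the listings in the thread show clientkey.pem as mode 644, which lets any local user copy the key and present the client certificate as their own), and it can confirm with `openssl verify` that the client certificate really was issued by the CA the tools will trust.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the TLS client
# file layout used by virsh (system-wide) and virt-manager (per-user).

# perm_string FILE -> prints the 9 permission characters of FILE.
# -L follows symlinks, since the thread's private/clientkey.pem is a link.
perm_string() {
    ls -lL "$1" 2>/dev/null | awk '{print substr($1, 2, 9)}'
}

# key_is_private FILE -> succeeds only when group and other have no access
# at all (e.g. mode 600 or 400).
key_is_private() {
    _p=$(perm_string "$1")
    case "$_p" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_files CERT KEY CA -> prints one line per problem found;
# the exit status is the number of problems (0 means the layout is usable).
check_files() {
    _cert=$1; _key=$2; _ca=$3; _problems=0
    for _f in "$_cert" "$_key" "$_ca"; do
        if [ ! -r "$_f" ]; then
            echo "missing or unreadable: $_f"
            _problems=$((_problems + 1))
        fi
    done
    if [ -r "$_key" ] && ! key_is_private "$_key"; then
        echo "private key readable by group/other: $_key ($(perm_string "$_key"))"
        _problems=$((_problems + 1))
    fi
    return "$_problems"
}

# cert_chains_to_ca CERT CA -> succeeds if CERT verifies against CA.
# Kept separate from check_files so the layout checks work without openssl.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# audit_virsh [PKI_ROOT] -> system-wide paths virsh reads (default /etc/pki).
# The optional root argument is this script's own convention for checking
# a staging copy; libvirt itself has no such setting.
audit_virsh() {
    _r=${1:-/etc/pki}
    check_files "$_r/libvirt/clientcert.pem" \
                "$_r/libvirt/private/clientkey.pem" \
                "$_r/CA/cacert.pem"
}

# audit_virt_manager [PKI_HOME] -> per-user paths virt-manager reads
# (default ~/.pki). Note the different CA file name, ca-cert.pem.
audit_virt_manager() {
    _h=${1:-$HOME/.pki}
    check_files "$_h/libvirt-vnc/clientcert.pem" \
                "$_h/libvirt-vnc/private/clientkey.pem" \
                "$_h/CA/ca-cert.pem"
}

# Usage: sh check_libvirt_tls.sh --run   (audits the real locations)
if [ "${1:-}" = "--run" ]; then
    audit_virsh && echo "virsh: TLS client files OK"
    audit_virt_manager && echo "virt-manager: TLS client files OK"
    if command -v openssl >/dev/null 2>&1 && [ -r /etc/pki/libvirt/clientcert.pem ]; then
        cert_chains_to_ca /etc/pki/libvirt/clientcert.pem /etc/pki/CA/cacert.pem \
            && echo "virsh: client certificate chains to /etc/pki/CA/cacert.pem" \
            || echo "virsh: client certificate does NOT verify against /etc/pki/CA/cacert.pem"
    fi
fi
```

Run it as the user who will launch virsh or virt-manager, not as root: root can read everything, so a "missing or unreadable" result only shows up for the account that actually needs the files. A key reported as readable by group/other should be fixed with `chmod 600` on the target of the symlink, not on the link itself.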

