Public bug reported:

Binary package hint: libvirt-bin

I'm having a problem with remote TLS libvirt connections from a jaunty
client. I just upgraded my client to jaunty from Intrepid and I can no
longer connect to hardy or intrepid libvirt servers that have TLS
enabled. I get the following errors:

$ virt-viewer -c qemu+tls://example.com/system virt.example.com
libvir: Remote error : server certificate failed validation: The certificate is not trusted.
libvir: Remote error : unable to connect to 'example.com': Invalid argument
unable to connect to libvirt qemu+tls://example.com/system
$

In the past (i.e. hardy, intrepid) I was able to use the following command.
Now I get an error:
$ virt-viewer -c qemu://example.com/system virt.example.com
libvir: error : could not connect to qemu://example.com/system
unable to connect to libvirt qemu://example.com/system
$

The server's config has not changed (I've tested against libvirt-bin
versions 0.4.4-3ubuntu3.1 and 0.4.0-2ubuntu8.1 on the server side). I
have the CA certificate installed on both server and client (in
/etc/pki/CA/cacert.pem). That cert signed both my x509 client cert and
the server cert. Here is some proof that it *should* work:

$ openssl s_client -CAfile /etc/pki/CA/cacert.pem \
    -cert /etc/pki/libvirt/clientcert.pem \
    -key /etc/pki/libvirt/private/clientkey.pem \
    -connect example.com:16514 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >servercert.pem
$ openssl verify -CAfile /etc/pki/CA/cacert.pem servercert.pem 
servercert.pem: OK
$ openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/clientcert.pem
/etc/pki/libvirt-vnc/clientcert.pem: OK
$ 

When I run strace against virt-viewer I can see that it is accessing (and
successfully opening) the correct certs/keys:

$ grep /etc/pki /tmp/out 
stat64("/etc/pki/CA/cacert.pem", {st_mode=S_IFREG|0644, st_size=1716, ...}) = 0
stat64("/etc/pki/libvirt/private/clientkey.pem", {st_mode=S_IFREG|0644, st_size=887, ...}) = 0
stat64("/etc/pki/libvirt/clientcert.pem", {st_mode=S_IFREG|0644, st_size=1172, ...}) = 0
open("/etc/pki/CA/cacert.pem", O_RDONLY) = 5
open("/etc/pki/libvirt/private/clientkey.pem", O_RDONLY) = 5
open("/etc/pki/libvirt/clientcert.pem", O_RDONLY) = 5
$

I'm using virt-viewer 0.0.3-6ubuntu7 and libvirt-bin 0.6.1-0ubuntu5.

** Affects: libvirt (Ubuntu)
     Importance: Undecided
         Status: New

-- 
qemu+tls server certificate validation failure (The certificate is not trusted)
https://bugs.launchpad.net/bugs/366455