Hello! I am part of the infrastructure team at BFH and we are building an
OpenStack installation.
A couple of months ago I was experimenting with setting up noVNC
consoles with encryption.
Connecting as far as the novncproxy service with TLS can be done with no
issues, but the connection between libvirt and the proxy turned out to
be problematic.
We would really love to use Let's Encrypt certificates, which are generated
for each server/container, instead of relying on creating our own CA and
generating certificates.
With libvirt, using Let's Encrypt is impossible, since the code does a bunch
of checks on properties of the TLS certificates, see:
https://github.com/libvirt/libvirt/blob/bf79a021a6437b4f85469a53f650bff62db5f674/src/rpc/virnettlscert.c#L165
Does anybody know why these checks exist? They de facto prevent using
anything other than self-generated certificates for securing VNC console
traffic.
Is using my own self-created CA somehow more trustworthy than the
Let's Encrypt root CA?
Best, Jani Heikkinen
--
Berner Fachhochschule / Bern University of Applied Sciences
IT-Services / Team Linux & Infrastructure Services
Jani Heikkinen
IT Linux Engineer
___________________________________________________________
Dammweg 3, CH-3013 Bern
Telefon direkt +41 31 848 68 14
Telefon Servicedesk +41 31 848 48 48
jani.heikki...@bfh.ch
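The mail above points at libvirt's certificate property checks (basic constraints, key usage, extended key usage) without showing what they reject. The following added example, written for this thread and not taken from the mail or from libvirt, builds a constructed self-signed leaf certificate with the `cryptography` library and runs an approximation of those checks over it, so an operator can see which extension a given certificate is missing before libvirt refuses it. The exact rules (missing extension tolerated, a critical extension that forbids the use is an error, a non-critical one a warning) are an assumption modelled on the linked file, not a copy of its code.

```python
# Added example (not libvirt's code): approximate libvirt-style X.509 extension
# checks on a leaf certificate, to explain why a certificate gets rejected.
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def make_test_cert(client_auth=True, critical_ku=True):
    """Build a constructed self-signed leaf certificate for the demo (assumed values)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "compute.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    ekus = [ExtendedKeyUsageOID.SERVER_AUTH] + ([ExtendedKeyUsageOID.CLIENT_AUTH] if client_auth else [])
    ku = x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True,
                       data_encipherment=False, key_agreement=False, key_cert_sign=False,
                       crl_sign=False, encipher_only=False, decipher_only=False)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
               .add_extension(ku, critical=critical_ku)
               .add_extension(x509.ExtendedKeyUsage(ekus), critical=False))
    return builder.sign(key, hashes.SHA256())


def _ext(cert, cls):
    """Return the extension of class `cls`, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls)
    except x509.ExtensionNotFound:
        return None


def check_leaf_cert(cert, role):
    """Return (severity, message) findings for using `cert` as a TLS `role` ("server"/"client").
    Assumed rule set: absent extension is tolerated; a present extension that forbids the
    use is an error when marked critical and a warning otherwise."""
    findings = []
    bc = _ext(cert, x509.BasicConstraints)
    if bc is not None and bc.value.ca:
        findings.append(("error", "leaf certificate carries CA:TRUE"))
    ku = _ext(cert, x509.KeyUsage)
    if ku is not None:
        sev = "error" if ku.critical else "warning"
        if not ku.value.digital_signature:
            findings.append((sev, "keyUsage lacks digitalSignature"))
        if not ku.value.key_encipherment:
            findings.append((sev, "keyUsage lacks keyEncipherment"))
    eku = _ext(cert, x509.ExtendedKeyUsage)
    want = {"server": ExtendedKeyUsageOID.SERVER_AUTH, "client": ExtendedKeyUsageOID.CLIENT_AUTH}[role]
    if eku is not None and want not in eku.value:
        findings.append(("error" if eku.critical else "warning", f"extendedKeyUsage lacks {role}Auth"))
    return findings
```

Running `check_leaf_cert` against a certificate loaded with `x509.load_pem_x509_certificate` shows, per role, which extension would trip a check of this kind.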