Hi Matthias,

Thanks for the response. For connecting to ESXi, I couldn't find any environment setting to make 'curl' point to the client certificates. So, for the time being, I hard-coded the location in libvirt-<version>/src/esx/esx_vi.c:

esx_vi.c: curl_easy_setopt(curl->handle, CURLOPT_SSLCERT, "/etc/pki/libvirt/clientcert.pem");
esx_vi.c: curl_easy_setopt(curl->handle, CURLOPT_SSLKEY, "/etc/pki/libvirt/private/clientkey.pem");
esx_vi.c: curl_easy_setopt(curl->handle, CURLOPT_CAINFO, "/etc/pki/CA/cacert.pem");

This has worked for me. Perhaps there's a cleaner way of doing this? If I find something, I'll share w/ everybody on the list.

regards,
Shiva

On Thu, Oct 31, 2013 at 7:16 AM, Matthias Bolte <matthias.bo...@googlemail.com> wrote:
> 2013/10/30 Shiva Bhanujan <sxb...@gmail.com>:
> > Hi Daniel,
> >
> > Thanks for the reply. The procedure I use is the same as I use for XenServer, and the certificate exchange works just fine. The only thing I'm a bit unclear on is the location of the CA cert, which in the case of XenServer I simply put in /etc/pki/CA. And when I start the libvirtd daemon, it successfully picks it up. If I put the server key and cert in /etc/vmware/ssl for ESXi, is there a location where I put the CA cert (cacert.pem)? Also, following are the log errors that I see:
> >
> > 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL error queue:
> > 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> > 2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed for stream TCP(local=<ESXi>:443, peer=<client>:33776), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)
> >
> > Doesn't this mean the CA cert wasn't found on the ESXi?
> >
> > Regards,
> > Shiva
> >
> > On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berra...@redhat.com> wrote:
> >>
> >> On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
> >> > Hello,
> >> >
> >> > I'm using certtool to generate the server certificates for ESXi - http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. And then use virsh to connect from a CentOS 6.4 VM running on it - "virsh -c esx://<esx IP>". I get the following error:
> >> >
> >> > error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> >> > error: failed to connect to the hypervisor
> >> >
> >> > Is there something basic that I'm missing?
> >>
> >> I'm not sure what you're missing, but the error message means that the VMWare server certificate was not signed by any CA certificate that the libvirt client has access to. So it is a client side CA cert config problem most likely.
>
> I think this problem has already been discussed on this mailing list, see:
>
> https://www.redhat.com/archives/libvir-list/2012-March/msg00342.html
>
> What you basically have to do is create your own Certificate Authority (CA) and then issue a new server certificate with that CA as described in the guide you mentioned. Then transfer this server certificate to the ESX server and put it into the correct place. I think you already have done this correctly.
>
> The last thing that's missing (the same as in the mailing list thread I linked above) is that you need to configure your client properly. The SSL infrastructure on your client needs to know about your custom CA. libcurl has to be able to find and use it in order to verify that the certificate your ESXi server presents is valid. How this has to be done depends on the SSL backend libcurl is using and on your distro.
>
> --
> Matthias Bolte
> http://photron.blogspot.com
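As an added example (not libvirt's or libcurl's code, and not part of this thread), the script below does a pre-flight check of the PKI layout hard-coded above and classifies the two TLS errors quoted in the thread by which side rejected the certificate; the ESX_TLS_* environment variable names are an assumption made for this example.

```python
"""Added example (not libvirt or libcurl code): pre-flight checks for the
libvirt PKI layout used in the thread, plus a classifier for the two TLS
errors quoted in it. The ESX_TLS_* environment variable names are hypothetical."""
import os
import re
import stat

# Default paths are the ones hard-coded in the thread; each maps to one libcurl option.
DEFAULT_PATHS = {
    "cacert": ("ESX_TLS_CACERT", "/etc/pki/CA/cacert.pem"),                      # CURLOPT_CAINFO
    "clientcert": ("ESX_TLS_CLIENTCERT", "/etc/pki/libvirt/clientcert.pem"),      # CURLOPT_SSLCERT
    "clientkey": ("ESX_TLS_CLIENTKEY", "/etc/pki/libvirt/private/clientkey.pem"),  # CURLOPT_SSLKEY
}

def resolve_pki_paths(env=None):
    """Return the three PEM paths, letting a (hypothetical) env var override each default."""
    env = os.environ if env is None else env
    return {name: env.get(var, default) for name, (var, default) in DEFAULT_PATHS.items()}

def check_pki_layout(paths):
    """Return a list of problems: a missing PEM file, or a private key readable by others."""
    problems = []
    for name, path in paths.items():
        if not os.path.isfile(path):
            problems.append(f"{name}: {path} not found")
        elif name == "clientkey" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{name}: {path} is accessible to group/others")
    return problems

# curl error 60: the client could not chain the server certificate to a trusted CA.
_CURL_UNKNOWN_CA = re.compile(r"cannot be authenticated with known CA certificates")
# In an OpenSSL error queue, SSL3_READ_BYTES:tlsv1 alert <name> is an alert *received*
# from the peer, so on the ESXi server side it records the client's verdict.
_PEER_ALERT = re.compile(r"SSL3_READ_BYTES:tlsv1 alert ([a-z ]+)")

def diagnose_tls_error(line):
    """Classify a curl error or ESXi log line by which side rejected the certificate."""
    if _CURL_UNKNOWN_CA.search(line):
        return "client-rejected-server-cert"
    m = _PEER_ALERT.search(line)
    if m and m.group(1).strip() == "unknown ca":
        # ESXi logged an 'unknown ca' alert sent by the client: the client's CA store,
        # not the server's, is what lacks the CA that signed rui.crt.
        return "client-rejected-server-cert"
    if m:
        return f"peer-alert:{m.group(1).strip()}"
    return "unknown"
```

Both error lines from the thread classify the same way, which is why Matthias points at the client's CA configuration rather than at a CA file on the ESXi host.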
_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users