Cole Robinson
2010-Aug-19 14:59 UTC
[libvirt-users] [virt-tools-list] Client certificate paths?
On 08/12/2010 10:29 AM, Lars Kellogg-Stedman wrote:
> Hello all,
>
> I'm trying to get virsh (and virt-manager) to talk to a remote libvirt
> instance. I cannot for the life of me figure out how to tell either
> tool where to find client or CA certificates. Do they *really* need
> to access the ones in /etc/pki? In particular, the client seems to
> want to read the *server's* private key, which for obvious reasons is
> only readable by root.
>
> I feel like I must be missing something obvious...if someone can point
> me towards a solution I would really appreciate it. Thanks!
>
> If it's relevant, I'm running everything under Fedora 13 right now, so
> that means libvirt-0.8.2-1.fc13.x86_64 and
> qemu-kvm-0.12.3-8.fc13.x86_64.
>

This is more a libvirt question, so CC-ing libvirt-users.

- Cole
Justin Clift
2010-Aug-19 18:29 UTC
[libvirt-users] [virt-tools-list] Client certificate paths?
On 08/20/2010 12:59 AM, Cole Robinson wrote:
> On 08/12/2010 10:29 AM, Lars Kellogg-Stedman wrote:
>> Hello all,
>>
>> I'm trying to get virsh (and virt-manager) to talk to a remote libvirt
>> instance. I cannot for the life of me figure out how to tell either
>> tool where to find client or CA certificates. Do they *really* need
>> to access the ones in /etc/pki? In particular, the client seems to
>> want to read the *server's* private key, which for obvious reasons is
>> only readable by root.
>>
>> I feel like I must be missing something obvious...if someone can point
>> me towards a solution I would really appreciate it. Thanks!

Hi Lars,

There wasn't a mention of which type of certificates you're trying to
use, so I'll assume TLS, as that's what /etc/pki is for.

virsh
*****

With virsh, it is hard coded to use a server wide path for its client
certificate. (found this out yesterday)

It's been mentioned there's an RFE for having that configurable, but
it's not something I've looked into.

$ ls -la /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/private/clientkey.pem
-rw-r--r-- 1 root root 1220 Aug 19 02:34 /etc/pki/libvirt/clientcert.pem
-rw-r--r-- 1 root root 1675 Aug 19 02:32 /etc/pki/libvirt/private/clientkey.pem
$

It also needs the CA Certificate (not the key) here:

/etc/pki/CA/cacert.pem

$ sudo ls -la /etc/pki/CA/cacert.pem
-rw-r--r-- 1 root root 1070 Aug 19 01:06 /etc/pki/CA/cacert.pem
$

Real life example of it working
*******************************

$ virsh -c qemu://host1/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #

(the qemu:// bit works there without saying qemu+tls://, because TLS is
the default)

virt-manager
************

virt-manager though, uses the client certificate in a different spot.
It has them per user, and they're stored in:

~/.pki/libvirt-vnc/clientcert.pem
~/.pki/libvirt-vnc/private/clientkey.pem

It needs the CA Certificate in:

~/.pki/CA/ca-cert.pem

$ ls -la ~/.pki/libvirt-vnc/clientcert.pem ~/.pki/libvirt-vnc/private/clientkey.pem ~/.pki/CA/ca-cert.pem
-rw-r--r-- 1 jc jc 1070 Aug 19 20:48 /export/backend/home/jc/.pki/CA/ca-cert.pem
-rw-r--r-- 1 jc jc 1220 Aug 19 20:48 /export/backend/home/jc/.pki/libvirt-vnc/clientcert.pem
lrwxrwxrwx 1 jc jc   16 Aug 19 21:14 /export/backend/home/jc/.pki/libvirt-vnc/private/clientkey.pem -> ../clientkey.pem
$

You'll be able to see that pointing to the keys in my home dir.

Something you'll notice is that in this instance, my clientkey.pem is
itself NOT in the "private" sub-dir. It's in a folder below that, with
a link in the private sub-dir, which is good enough.

I have it this way only because I created it in a different spot
initially when trying to get it to work, and it turns out that
virt-viewer (another VNC viewing thing) needs it there instead. i.e. in
the directory below "private".

Anyway, the above works. :)

If you have troubles with the TLS key generation, the docs on the
libvirt.org site work:

http://libvirt.org/remote.html

And the paths for virt-manager are given on the last part of this page:

http://virt-manager.org/page/RemoteTLS#virt-manager.2Fvirsh.2Fvirt-viewer_client_setup

>> If it's relevant, I'm running everything under Fedora 13 right now, so
>> that means libvirt-0.8.2-1.fc13.x86_64 and
>> qemu-kvm-0.12.3-8.fc13.x86_64.

Similar. All of the above is on an F13 workstation as well.

All good now? :)

Regards and best wishes,

Justin Clift

--
Salasaga - Open Source eLearning IDE
http://www.salasaga.org
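The client-side file layout Justin lists above (clientcert.pem, private/clientkey.pem, and the CA certificate, with the key allowed to be a symlink) can be checked before connecting. The script below is an added example and is not part of the thread or of libvirt; `check_client_tls` and `make_demo_layout` are names chosen here, and the files it creates are placeholders in a temporary directory, not real certificates. Unlike the listing in the post, it also flags a client key that is readable by other users, since only the owning user should be able to read it.

```sh
# check_client_tls CLIENT_DIR CA_CERT
#   CLIENT_DIR  directory holding clientcert.pem and private/clientkey.pem
#               (virsh: /etc/pki/libvirt, virt-manager: ~/.pki/libvirt-vnc)
#   CA_CERT     the CA certificate only, never the CA key
#               (virsh: /etc/pki/CA/cacert.pem, virt-manager: ~/.pki/CA/ca-cert.pem)
# Returns 0 when all three files are readable by the current user and the
# client key is not group- or world-readable (mode 600 or 400); 1 otherwise.
check_client_tls() {
    dir=$1
    ca=$2
    status=0
    for f in "$dir/clientcert.pem" "$dir/private/clientkey.pem" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            status=1
        fi
    done
    key=$dir/private/clientkey.pem
    if [ -r "$key" ]; then
        # -L follows a symlink such as private/clientkey.pem -> ../clientkey.pem
        # GNU stat uses -c '%a'; BSD/macOS stat uses -f '%Lp'
        mode=$(stat -L -c '%a' "$key" 2>/dev/null || stat -L -f '%Lp' "$key")
        case $mode in
            *00) ;;
            *) echo "client key $key is mode $mode; expected 600 or 400" >&2
               status=1 ;;
        esac
    fi
    return $status
}

# make_demo_layout BASE
# Builds a constructed copy of the per-user virt-manager layout under BASE,
# including the symlinked key from the post. File contents are placeholders.
make_demo_layout() {
    base=$1
    mkdir -p "$base/.pki/libvirt-vnc/private" "$base/.pki/CA"
    echo "placeholder, not a certificate" > "$base/.pki/CA/ca-cert.pem"
    echo "placeholder, not a certificate" > "$base/.pki/libvirt-vnc/clientcert.pem"
    echo "placeholder, not a key" > "$base/.pki/libvirt-vnc/clientkey.pem"
    chmod 644 "$base/.pki/libvirt-vnc/clientkey.pem"   # same mode as in the post
    ln -s ../clientkey.pem "$base/.pki/libvirt-vnc/private/clientkey.pem"
}

# Demo: build the layout in a temporary directory, check it, fix the key
# mode, and check again.
demo=$(mktemp -d)
make_demo_layout "$demo"
if check_client_tls "$demo/.pki/libvirt-vnc" "$demo/.pki/CA/ca-cert.pem"; then
    echo "layout OK"
else
    echo "layout has problems (expected here: key is world-readable)"
fi
chmod 600 "$demo/.pki/libvirt-vnc/clientkey.pem"
if check_client_tls "$demo/.pki/libvirt-vnc" "$demo/.pki/CA/ca-cert.pem"; then
    echo "layout OK after chmod 600"
fi
rm -rf "$demo"
```

On a real host, run the check against the virsh paths as the user who will invoke virsh (the system-wide key must be readable by that user, which is the usual cause of the "wants to read the private key" symptom in the original question), and follow it with `openssl verify -CAfile "$ca" "$dir/clientcert.pem"` to confirm the client certificate actually chains to the CA the server trusts.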