Shiva Bhanujan
2013-Oct-30 01:48 UTC
[libvirt-users] Using certtool to generate certificates for ESXi
Hello, I'm using certtool to generate the server certificates for ESXi - http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. And then use virsh to connect from a CentOS 6.4 VM running on it - "virsh -c esx://<esx IP>. I get the following error - error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates error: failed to connect to the hypervisor is there something basic that I'm missing? Regards, Shiva
Daniel P. Berrange
2013-Oct-30 09:45 UTC
Re: [libvirt-users] Using certtool to generate certificates for ESXi
On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:> Hello, > > I'm using certtool to generate the server certificates for ESXi - > http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server > certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key. > And then use virsh to connect from a CentOS 6.4 VM running on it - "virsh > -c esx://<esx IP>. I get the following error - > > error: internal error curl_easy_perform() returned an error: Peer > certificate cannot be authenticated with known CA certificates (60) : Peer > certificate cannot be authenticated with known CA certificates > error: failed to connect to the hypervisor > > is there something basic that I'm missing?I'm not sure what you're missing, but the error message means that the VMWare server certificate was not signed by any CA certificate that the libvirt client has access to. So it is a client side CA cert config problem most likely. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
Shiva Bhanujan
2013-Oct-30 18:45 UTC
Re: [libvirt-users] Using certtool to generate certificates for ESXi
Hi Daniel, thanks for the reply - The procedure I use is the same as I use for XenServer, and the certificate exchange works just fine. The only thing I'm a bit unclear on, is the location of the CA cert, which in the case of XenServer, I simply put it in /etc/pki/CA. And when I start the libvirtd daemon, it successfully picks it up. If I put the Server key and cert in /etc/vmware/ssl for ESXi, is there a location where I put the CA cert (cacert.pem)? Also, following are the log errors that I see - 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL error queue: 2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca 2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed for stream TCP(local=<ESXi>:443, peer=<client>:33776), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca) Doesn't this mean the CA cert wasn't found on the ESXi? Regards, Shiva On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berrange@redhat.com>wrote:> On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote: > > Hello, > > > > I'm using certtool to generate the server certificates for ESXi - > > http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server > > certificate and key as /etc/vmware/ssl/rui.crt and > /etc/vmware/ssl/rui.key. > > And then use virsh to connect from a CentOS 6.4 VM running on it - > "virsh > > -c esx://<esx IP>. I get the following error - > > > > error: internal error curl_easy_perform() returned an error: Peer > > certificate cannot be authenticated with known CA certificates (60) : > Peer > > certificate cannot be authenticated with known CA certificates > > error: failed to connect to the hypervisor > > > > is there something basic that I'm missing? > > I'm not sure what you're missing, but the error message means that the > VMWare server certificate was not signed by any CA certificate that > the libvirt client has access to. So it is a client side CA cert config > problem most likely. > > Daniel > -- > |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/:| > |: http://libvirt.org -o- http://virt-manager.org:| > |: http://autobuild.org -o- http://search.cpan.org/~danberr/:| > |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc:| >