Pasquale Dir
2014-Feb-28 18:48 UTC
[libvirt-users] Set a domain name instead of an ip address into tls certificate
I tried to set cn=myMachine instead of cn=192.168.1.x and...everything freezes!

virsh -c qemu://.../system

tries to connect forever.

You really need static ip addresses in the cn field??
I think this is a HUGE bug: you are saying to me that each time I change network or ip (because, dear sirs, dhcp exists) I have to generate a whole new couple of certificates??
I hope it is not the case....

regards
Pasquale

Daniel P. Berrange
2014-Mar-03 09:47 UTC
[libvirt-users] Set a domain name instead of an ip address into tls certificate
On Fri, Feb 28, 2014 at 07:48:35PM +0100, Pasquale Dir wrote:
> I tried to set cn=myMachine instead of cn=192.168.1.x
> and...everything freezes!
> virsh -c qemu://.../system
>
> tries to connect forever.
>
> You really need static ip addresses in the cn field??
> I think this is a HUGE bug: you are saying to me that each time I change
> network or ip (because, dear sirs, dhcp exists) I have to generate a whole
> new couple of certificates??
> I hope it is not the case....

Not sure why you're thinking libvirt only allows IP addresses - AFAIK our docs don't say that, and indeed illustrate certificate setup using hostnames.

http://libvirt.org/remote.html#Remote_certificates

The only requirement is that whatever string is in the 'server name' part of the URI is also present in the certificate in either the CommonName or subjectaltname fields. When creating the certificate you're free to use IP addresses or dns names, or a mixture of both with subjectaltname.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
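
The rule in the reply above, as an added example that is not part of the original thread: it issues a throwaway certificate whose subjectAltName mixes a DNS name and an IP address, then checks which URI server names that certificate covers. It assumes `openssl` 1.1.1 or later as a stand-in for the tooling in the libvirt docs, uses a self-signed certificate only to keep the sketch short, and the `example.com` name and the addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the example.com name
# and the 192.168.1.10/.11 addresses are assumptions made for illustration.

# make_cert <outdir> <cn> <san-list>: write serverkey.pem and servercert.pem
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=$3" \
        -keyout "$1/serverkey.pem" -out "$1/servercert.pem" 2>/dev/null
}

# covers <cert> <server-name-from-URI>: exit status 0 if the name is covered
covers() {
    case $2 in
        *[!0-9.]*) cv_flag=-checkhost ;;  # anything but digits/dots: DNS name
        *)         cv_flag=-checkip ;;    # IPv4 literal: matched against IP SANs
    esac
    openssl x509 -in "$1" -noout "$cv_flag" "$2" | grep -q 'does match'
}

# report <cert> <name>...: print one verdict per candidate URI
report() {
    rp_cert=$1; shift
    for rp_name in "$@"; do
        if covers "$rp_cert" "$rp_name"; then
            echo "qemu://$rp_name/system  covered"
        else
            echo "qemu://$rp_name/system  NOT covered"
        fi
    done
}

demo_dir=$(mktemp -d)
# One certificate that survives a DHCP address change: the DNS name stays
# valid even when the IP entry no longer matches the machine.
make_cert "$demo_dir" myMachine \
    "DNS:myMachine,DNS:myMachine.example.com,IP:192.168.1.10"
report "$demo_dir/servercert.pem" \
    myMachine myMachine.example.com 192.168.1.10 192.168.1.11
rm -rf "$demo_dir"
```
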