Hi guys,

I met a problem when I use TLS to connect to libvirt.
When I set the CN in client.info and server.info as the hostname (FQDN), the TLS check will fail with the IP; and vice versa, when the CN is set as the IP address, the TLS check will fail with the hostname. Only using what we set can succeed. Is this expected? Or was there some issue in my env or setup steps?

1. Set up the TLS env with the hostname; then it will fail to check with the IP.

# virsh -c qemu+tls://192.168.122.4/system
2017-12-06 13:24:52.346+0000: 3954: info : libvirt version: x.x.x, package: 4.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2017-11-30-07:57:27, x.x.x.redhat.com)
2017-12-06 13:24:52.346+0000: 3954: info : hostname: work.englab.cn
2017-12-06 13:24:52.346+0000: 3954: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Certificate [session] owner does not match the hostname 192.168.122.4
error: failed to connect to the hypervisor
error: authentication failed: Failed to verify peer's certificate

2. Using the hostname as what we set can succeed.

# virsh -c qemu+tls://test.englab.cn/system
Welcome to virsh, the virtualization interactive terminal.

Type:  'help' for help with commands
       'quit' to quit

virsh #

# ping test.englab.cn
PING test.englab.cn (192.168.122.4) 56(84) bytes of data.
64 bytes from test.englab.cn (192.168.122.4): icmp_seq=1 ttl=64 time=0.235 ms
64 bytes from test.englab.cn (192.168.122.4): icmp_seq=2 ttl=64 time=0.204 ms
...

-------
Best Regards,
Yalan Zhang
Daniel P. Berrange
2017-Dec-06 14:05 UTC
Re: [libvirt-users] problem when use tls to connect libvirt
On Wed, Dec 06, 2017 at 09:44:47PM +0800, Yalan Zhang wrote:
> Hi guys,
>
> I met a problem when I use TLS to connect to libvirt.
> When I set the CN in client.info and server.info as the hostname (FQDN), the TLS
> check will fail with the IP; and vice versa, when the CN is set as the IP address, the TLS
> check will fail with the hostname. Only using what we set can succeed. Is this
> expected? Or was there some issue in my env or setup steps?
>
>
> 1. Set up the TLS env with the hostname; then it will fail to check with the IP.
>
> # virsh -c qemu+tls://192.168.122.4/system
> 2017-12-06 13:24:52.346+0000: 3954: info : libvirt version: x.x.x, package:
> 4.el7 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>,
> 2017-11-30-07:57:27, x.x.x.redhat.com)
> 2017-12-06 13:24:52.346+0000: 3954: info : hostname: work.englab.cn
> 2017-12-06 13:24:52.346+0000: 3954: warning :
> virNetTLSContextCheckCertificate:1125 : Certificate check failed
> Certificate [session] owner does not match the hostname 192.168.122.4
> error: failed to connect to the hypervisor
> error: authentication failed: Failed to verify peer's certificate
>
> 2. Using the hostname as what we set can succeed.
>
> # virsh -c qemu+tls://test.englab.cn/system
> Welcome to virsh, the virtualization interactive terminal.
>
> Type:  'help' for help with commands
>        'quit' to quit
>
> virsh #

X509 certificates contain one or more hostnames + IP addresses that are
associated with the server that owns them. The error message you see shows
that the certificate you have created only contains the hostname
"test.englab.cn", and does *not* contain the IP address "192.168.122.4".

If you want to be able to connect to libvirt using an IP address then you
need to make sure the certificate contains the IP address too.
If you're following the libvirt guide at

  https://libvirt.org/remote.html#Remote_TLS_server_certificates

Then, instead of creating server.info containing:

  organization = Name of your organization
  cn = test.englab.cn
  tls_www_server
  encryption_key
  signing_key

use this:

  organization = Name of your organization
  cn = test.englab.cn
  dns_name = test.englab.cn
  dns_name = test
  ip_address = 192.168.122.4
  tls_www_server
  encryption_key
  signing_key

notice you can list multiple dns_name entries and multiple ip_address
entries if needed - I show using the short + fully qualified hostname
here. Adjust as desired.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
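The script below is an added example, not code from the thread or from the libvirt guide. It reproduces both situations with OpenSSL rather than certtool: a throwaway CA issues one server certificate that carries only cn = test.englab.cn (what the guide's original server.info yields) and one that also carries the dns_name/ip_address entries from Daniel's reply as subjectAltName, and `openssl verify -verify_hostname` / `-verify_ip` stands in for the client-side name check that libvirt performs against the host part of the qemu+tls:// URI. The CA, the file and function names and the second IP used as a negative case are this script's own assumptions; the hostnames and 192.168.122.4 are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the libvirt guide). Requires only
# openssl; everything is written to a temporary directory.
set -eu

# Minimal config so `openssl req` has the distinguished_name section it
# insists on; the real subject always comes from -subj. The ca_ext section
# is only used for the self-signed CA (-x509).
write_req_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca DIR: throwaway self-signed CA (the role cacert.pem plays in the guide).
make_ca() {
    dir=$1
    write_req_cnf "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/req.cnf" -subj "/CN=Throwaway test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME CN SAN: server certificate signed by the CA. SAN is the
# subjectAltName value; pass "" for a CN-only certificate like the one in
# the thread. certtool's dns_name/ip_address lines map to DNS:/IP: here.
issue_cert() {
    dir=$1; name=$2; cn=$3; san=$4
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/req.cnf" -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    {
        echo "basicConstraints = CA:FALSE"
        echo "extendedKeyUsage = serverAuth"
        if [ -n "$san" ]; then echo "subjectAltName = $san"; fi
    } > "$dir/$name.ext"
    openssl x509 -req -days 1 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# check_peer DIR CERT KIND VALUE: chain-verify CERT against the CA and then
# check it against the connection target, KIND being "host" (a DNS name) or
# "ip" (an address), as a client would for the host part of the URI.
# Prints "match" or "mismatch".
check_peer() {
    dir=$1; cert=$2; kind=$3; value=$4
    case $kind in
        host) opt=-verify_hostname ;;
        ip)   opt=-verify_ip ;;
        *)    echo "check_peer: bad kind '$kind'" >&2; return 2 ;;
    esac
    if openssl verify -CAfile "$dir/ca.crt" "$opt" "$value" "$dir/$cert.crt" \
            2>/dev/null | grep -q ': OK$'; then
        echo match
    else
        echo mismatch
    fi
}

main() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    make_ca "$work"
    # Certificate 1: CN only, as produced by the guide's original server.info.
    issue_cert "$work" cn-only test.englab.cn ""
    # Certificate 2: the dns_name/ip_address entries from the reply, as a SAN.
    issue_cert "$work" with-san test.englab.cn \
        "DNS:test.englab.cn,DNS:test,IP:192.168.122.4"
    for cert in cn-only with-san; do
        printf '%-9s host test.englab.cn -> %s\n' "$cert" \
            "$(check_peer "$work" "$cert" host test.englab.cn)"
        printf '%-9s host test           -> %s\n' "$cert" \
            "$(check_peer "$work" "$cert" host test)"
        printf '%-9s ip   192.168.122.4  -> %s\n' "$cert" \
            "$(check_peer "$work" "$cert" ip 192.168.122.4)"
    done
}

main
```

The CN-only certificate still passes the hostname check, because OpenSSL (like older GnuTLS behaviour) falls back to the CN when the certificate has no dNSName entries at all, but it can never pass the IP check: an address is only ever compared against iPAddress entries in subjectAltName, which is exactly why the second server.info above has to list ip_address = 192.168.122.4. Once a SAN with names is present the CN stops mattering for matching, so list every name and address clients will actually put in the URI.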