On Wed, Jul 11, 2007 at 08:51:26PM +0100, Daniel P. Berrange wrote: > On the server end if you try to start the server with TLS enabled and you > don't have the certs setup, you get a cryptic: > > gnutls_certificate_set_x509_trust_file: Error while reading file. > > Rather useless the gnutls error message not telling you what file was > missing. > > Similarly with virsh: > > # ~/usr/bin/virsh --connect qemu://localhost/system list > libvir: Remote error : Error while reading file. > > Since GNU TLS doesn't even tell you the actual problem - was it wrong > permissions, or missing file altogether, I decided its better to do an > explicit 'stat' check ahead of time. > > So now it gives: > > $ ~/usr/bin/virsh --connect qemu://celery.virt.boston.redhat.com/system start demo > libvir: Remote error : Cannot access CA certificate > '/home/berrange/usr/etc/pki/CA/cacert.pem': No such file or directory (2) > > Or > > $ ~/usr/bin/virsh --connect qemu://celery.virt.boston.redhat.com/system start demo > libvir: Remote error : Cannot access CA certificate > '/home/berrange/usr/etc/pki/CA/cacert.pem': Permission denied (13) > > Or in the daemon > > # /usr/sbin/libvirtd --listen > Cannot access CA certificate '/home/berrange/usr/etc/pki/CA/cacert.pem': No such file or directory (2) > All sounds good, > +#define CHECK_CERT(type, file) \ > + do { if (stat(file, &sb) < 0) { \ > + qemudLog (QEMUD_ERR, "Cannot access " type " '%s': %s (%d)", \ > + file, strerror(errno), errno); \ > + return -1; \ > + } } while (0) > + Why not make a function instead of this convoluted construct ? And same in src/remote_internal.c too. I started writing a shell script which would allow checking the certificates, and could be extended to generate some of them if needed. But good run-time error sounds even better ! Daniel -- Red Hat Virtualization group http://redhat.com/virtualization/ Daniel Veillard | virtualization library http://libvirt.org/ veillard@xxxxxxxxxx | libxml GNOME XML XSLT toolkit http://xmlsoft.org/ http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/ -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list