Zvi Dubitzky wrote:
> After generating TLS certificates for Libvirt remote access, I test the
> certificates by running pki_check.sh and get the following message:
> The CA certificate and the client certificate do not match
>
> What can cause this message?
>
> I guess this is a problem as I am trying to access remotely the host
> machine and fail with a message of: libvir: Remote error : Connection refused
>
> That happens even if I use a client and server on the same machine and try:
> sudo virsh -c qemu://localhost/defualt.
> I am using libvirt 0.6.

You have quite a few problems in your configuration here, including using
the wrong URI, and most probably an iptables problem. However, let's start
simply...

> Can I get first a connection with no certificate/encryption by using URI =
> qemu+tcp://... by making the needed change on the libvirtd.conf file
> on the server side? That did not work either.

To begin with, I would start with just getting tcp going. It's totally
insecure, but it's a good initial test of getting everything up and running.
To do that, you have to enable "listen_tcp" in libvirtd.conf. You *also*
have to change "auth_tcp" to "none" in libvirtd.conf; otherwise, it
automatically tries to use SASL for authentication, which you don't want at
this point. Then you need to start up libvirtd --verbose --listen. At this
point, you should be able to do:

virsh -c qemu+tcp://hostname/system list --all

and get at least "empty" output from the virsh list command. If you get a
"connection refused", you most likely have a firewall blocking the port that
libvirtd is listening on; you'll have to open up that part.

Assuming you get the above working, go back into libvirtd.conf and disable
TCP (like I said, it opens up a security issue). Then go back to the
instructions on the website for generating and using TLS, and make sure
you've followed the directions exactly. I've used those instructions many
times, and they work just fine.

Once you think you have it configured, then you can try:

virsh -c qemu+tls://hostname/system list --all

and see if that works. Again, if you get "connection refused", it probably
means your firewall is in the way; libvirtd uses a different port for
listen_tcp and listen_tls.

--
Chris Lalancette

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
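The reply above walks through a two-step procedure: temporarily enable the plaintext, unauthenticated TCP listener (listen_tcp = 1, auth_tcp = "none") to prove the daemon and firewall are working, then switch it off again and move to TLS. The easy thing to forget is the "switch it off again" step. The script below is an added example, not code from the thread or from the libvirt project: it audits a libvirtd.conf the way an administrator would after following those instructions, reporting whether the file still carries the insecure test setting or has been returned to TLS-only. The two configuration files it reads are constructed samples written to a temporary directory; the key names (listen_tcp, auth_tcp, listen_tls, tls_port) and the default ports in the comments are libvirt's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a libvirtd.conf for the
# state Chris describes: the plaintext "listen_tcp = 1" + auth_tcp = "none"
# test setting, which should be disabled again once qemu+tls:// works.
# The two config files below are constructed samples, not real host files.

TMPD=$(mktemp -d)

# Sample 1: the temporary test configuration from the thread (constructed).
cat > "$TMPD/test.conf" <<'EOF'
# Listen for unencrypted TCP connections (test only!)
listen_tcp = 1
auth_tcp = "none"   # disables SASL so plain virsh -c qemu+tcp:// works
listen_tls = 0
EOF

# Sample 2: the intended end state (constructed): TCP off again, TLS on.
cat > "$TMPD/prod.conf" <<'EOF'
#listen_tcp = 1
listen_tls = 1
tls_port = "16514"
EOF

# Effective value of KEY ($1) in FILE ($2): comments stripped, last
# definition wins, surrounding quotes and whitespace removed.
# Prints nothing when the key is absent or commented out.
conf_get() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | tr -d '"[:space:]'
}

# Prints one verdict word for FILE ($1):
#   insecure - plaintext TCP listener with no authentication (the test state)
#   tcp-sasl - TCP listener with SASL (libvirt's default when auth_tcp is unset)
#   tls      - TCP off, TLS listener on (libvirtd's default is listen_tls = 1)
#   closed   - neither network listener enabled; local unix sockets only
check_libvirtd_conf() {
    tcp=$(conf_get listen_tcp "$1")
    auth=$(conf_get auth_tcp "$1")
    tls=$(conf_get listen_tls "$1")
    if [ "$tcp" = "1" ]; then
        if [ "$auth" = "none" ]; then echo insecure; else echo tcp-sasl; fi
    elif [ "$tls" = "0" ]; then
        echo closed
    else
        echo tls
    fi
}

# Default listener ports (libvirtd.conf keys tcp_port / tls_port):
# plaintext TCP 16509, TLS 16514. A "connection refused" from virsh on
# either usually means the firewall, as Chris notes, or that libvirtd
# was started without --listen.
for f in test prod; do
    echo "$f.conf: $(check_libvirtd_conf "$TMPD/$f.conf")"
done
```

Run it against a real file with check_libvirtd_conf /etc/libvirt/libvirtd.conf after the TLS test succeeds; anything other than "tls" (or "closed") means the plaintext listener from the first step is still open.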