And my CA is also my client in this case.

----- Original Message -----
From: "Zhimou Peng" <zhpeng@xxxxxxxxxx>
To: "Hu Tao" <hutao@xxxxxxxxxxxxxx>
Cc: libvir-list@xxxxxxxxxx, "Tingting Zheng" <tzheng@xxxxxxxxxx>
Sent: Monday, March 5, 2012 3:42:38 PM
Subject: Re: Can't connect ESXi ssl with virsh

Ehh..... Not familiar with it. Can you give me one example?

----- Original Message -----
From: "Hu Tao" <hutao@xxxxxxxxxxxxxx>
To: "Zhimou Peng" <zhpeng@xxxxxxxxxx>
Cc: libvir-list@xxxxxxxxxx, "Tingting Zheng" <tzheng@xxxxxxxxxx>
Sent: Monday, March 5, 2012 3:22:22 PM
Subject: Re: Can't connect ESXi ssl with virsh

On Mon, Mar 05, 2012 at 02:04:05AM -0500, Zhimou Peng wrote:
> Hi,
>
> I try to use virsh connect ESXi5.0 with ssl
>
> [root@zheng ~]# virsh -c esx://10.66.6.211/
> Enter username for 10.66.6.211 [root]:
> Enter root's password for 10.66.6.211:
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
>
> I create new key signed by my CA certificate, still the same error.
> But I can use vsphere client and https://10.66.6.211/; the new certs are ok.
>
> Here are my steps:
>
> 1, create a CA center.
>
> ENV prepare:
> # cd /etc/pki/CA/
> # mkdir {certs,crl,newcerts}
> # touch index.txt
> # echo 00 > serial
>
> create private key:
> [root@zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650
> Generating a 2048 bit RSA private key
> ................................................................+++
> ...............................................+++
> writing new private key to 'myroot.key'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.209
> Email Address []:
>
> [root@zheng CA]# mv myroot.key private/cakey.pem
> [root@zheng CA]# mv myroot.crt cacert.pem
>
> 2, create private key and certificate request file for ESXi5.0 server.
> # openssl req -new -nodes -out mycsr.csr
> Generating a 2048 bit RSA private key
> ........+++
> ...............+++
> writing new private key to 'privkey.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.211
> Email Address []:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
>
> 3, scp the certificate request file to CA and certificate it.
> [root@zheng CA]# openssl ca -out rui.crt -infiles mycsr.csr
> Using configuration from /etc/pki/tls/openssl.cnf
> Enter pass phrase for /etc/pki/CA/private/cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 0 (0x0)
>         Validity
>             Not Before: Mar  5 06:53:52 2012 GMT
>             Not After : Mar  5 06:53:52 2013 GMT
>         Subject:
>             countryName               = CN
>             stateOrProvinceName       = BEIJING
>             organizationName          = REDHAT
>             organizationalUnitName    = QE
>             commonName                = 10.66.6.211
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A
>             X509v3 Authority Key Identifier:
>                 keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD
>
> Certificate is to be certified until Mar  5 06:53:52 2013 GMT (365 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> 4, change the ESXi to maintenance mode and change ssl keys on /etc/vmware/ssl. restart hostd server
> then quit the maintenance mode.
>
> 5, test it with vsphere client and firefox. new ssl keys work well.
>
> 6, [root@zheng ~]# virsh -c esx://10.66.6.211
> Enter username for 10.66.6.211 [root]:
> Enter root's password for 10.66.6.211:
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor

I didn't see any steps to install your self-signed CA certificate (cacert.pem in your example) on client.

-- 
Thanks,
Hu Tao

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
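Hu Tao's diagnosis is that libvirt's ESX driver talks to the host through libcurl, and curl only accepts a server certificate whose issuer is in the client's trust store; signing a new ESXi certificate with a private CA does nothing for the client until that CA's certificate (cacert.pem in the steps above) is installed on the machine running virsh. The script below is an added example, not code from the thread or from libvirt: it builds a throwaway private CA, an unrelated second CA and a server certificate entirely offline, then shows the same "unknown issuer" failure and the fix with `openssl verify`, which applies the same chain check curl performs. Every name (`example-test-ca`, `unrelated-test-ca`, `esxi.example.test`) and every file it writes is constructed for the example; the CA key is created without a passphrase for non-interactive use, unlike the passphrase-protected cakey.pem in the thread.

```shell
#!/bin/sh
# Added example: reproduce the "peer certificate cannot be authenticated"
# situation offline and show that trusting the issuing CA resolves it.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained req config for a CA (avoids depending on the system openssl.cnf).
# basicConstraints CA:TRUE is what lets the certificate act as an issuer.
ca_cnf() {  # $1 = CN of the constructed CA
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n'
  printf '[dn]\nCN = %s\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\n' "$1"
  printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
}
make_ca() {  # $1 = file prefix, $2 = CN
  ca_cnf "$2" > "$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$1.cnf" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
make_ca ca "example-test-ca"          # stand-in for the thread's cacert.pem
make_ca other-ca "unrelated-test-ca"  # a CA that did NOT sign the server cert

# Server key + CSR (stand-in for privkey.pem / mycsr.csr), signed by "ca".
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = esxi.example.test\n' > server.cnf
openssl req -new -newkey rsa:2048 -nodes -config server.cnf \
  -keyout server.key -out server.csr 2>/dev/null
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:esxi.example.test\n' > server.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -extfile server.ext -out server.crt 2>/dev/null

# verify_chain: exit 0 when the leaf chains to a CA in the given bundle,
# non-zero otherwise. This is the check curl applies against its CA bundle.
verify_chain() {  # $1 = CA bundle, $2 = leaf certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_host: the chain check plus the name match curl also enforces,
# so a trusted CA alone is not enough if the certificate names another host.
verify_host() {   # $1 = CA bundle, $2 = leaf certificate, $3 = expected name
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

echo "== client trust store lacks the issuing CA (the thread's situation) =="
openssl verify -CAfile other-ca.crt server.crt 2>&1 || true
echo "== client trust store contains the issuing CA =="
openssl verify -CAfile ca.crt server.crt
```

The first `openssl verify` reports "unable to get local issuer certificate", which is the OpenSSL wording of the curl error 60 shown in the thread; the second prints `server.crt: OK`. On a real client the equivalent fix is to add cacert.pem to the trust store curl reads (the distribution's CA bundle, refreshed with `update-ca-trust` on Red Hat systems or `update-ca-certificates` on Debian derivatives). libvirt's ESX driver also accepts `no_verify=1` in the connection URI, but that switches the certificate check off rather than satisfying it, so a client using it would accept any certificate presented on that address.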