2012/3/5 Zhimou Peng <zhpeng@xxxxxxxxxx>:
> Hi,
>
> I'm trying to use virsh to connect to ESXi 5.0 with SSL
>
> [root@zheng ~]# virsh -c esx://10.66.6.211/
> Enter username for 10.66.6.211 [root]:
> Enter root's password for 10.66.6.211:
> error: internal error curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
>
> I created a new key signed by my CA certificate, still the same error.
> But I can use the vSphere client and https://10.66.6.211/; the new certs are OK.
>
> Here are my steps:
>
> 1, create a CA center.
>
> ENV prepare:
> # cd /etc/pki/CA/
> # mkdir {certs,crl,newcerts}
> # touch index.txt
> # echo 00 > serial
>
> create private key:
> [root@zheng CA]# openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650
> Generating a 2048 bit RSA private key
> ................................................................+++
> ...............................................+++
> writing new private key to 'myroot.key'
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.209
> Email Address []:
>
> [root@zheng CA]# mv myroot.key private/cakey.pem
> [root@zheng CA]# mv myroot.crt cacert.pem
>
> 2, create private key and certificate request file for the ESXi 5.0 server.
> # openssl req -new -nodes -out mycsr.csr
> Generating a 2048 bit RSA private key
> ........+++
> ...............+++
> writing new private key to 'privkey.pem'
> -----
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [XX]:CN
> State or Province Name (full name) []:BEIJING
> Locality Name (eg, city) [Default City]:BEIJING
> Organization Name (eg, company) [Default Company Ltd]:REDHAT
> Organizational Unit Name (eg, section) []:QE
> Common Name (eg, your name or your server's hostname) []:10.66.6.211
> Email Address []:
>
> Please enter the following 'extra' attributes
> to be sent with your certificate request
> A challenge password []:
> An optional company name []:
>
> 3, scp the certificate request file to the CA and certify it.
> [root@zheng CA]# openssl ca -out rui.crt -infiles mycsr.csr
> Using configuration from /etc/pki/tls/openssl.cnf
> Enter pass phrase for /etc/pki/CA/private/cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 0 (0x0)
>         Validity
>             Not Before: Mar  5 06:53:52 2012 GMT
>             Not After : Mar  5 06:53:52 2013 GMT
>         Subject:
>             countryName               = CN
>             stateOrProvinceName       = BEIJING
>             organizationName          = REDHAT
>             organizationalUnitName    = QE
>             commonName                = 10.66.6.211
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 84:ED:53:00:56:7B:F3:AD:69:70:44:8C:D3:09:A0:6E:9D:69:30:0A
>             X509v3 Authority Key Identifier:
>                 keyid:E5:FC:AC:8B:C4:6E:DD:DF:32:19:E3:C1:17:3E:08:5B:7D:0D:79:DD
>
> Certificate is to be certified until Mar  5 06:53:52 2013 GMT (365 days)
> Sign the certificate? [y/n]:y
>
>
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
>
> 4, put the ESXi host into maintenance mode and change the SSL keys in /etc/vmware/ssl. Restart the hostd server,
> then quit maintenance mode.

Until here everything is fine. The ESXi server has a new and working SSL certificate.

> 5, test it with the vSphere client and Firefox. The new SSL keys work well.

You should have tested with curl instead, because libvirt uses libcurl to talk to the ESXi server.

# curl https://10.66.6.211/sdk
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

And curl still gives you error number 60, the same as libvirt. This is correct because you missed the final step. You need to tell your client computer to trust your new CA certificate, the one you just created and used to sign the new SSL certificate with.

On a Debian-based system you need to do the following as root to trust the new CA certificate and make libcurl find it:

# mkdir /usr/share/ca-certificates/esx-certs
# cp /etc/pki/CA/cacert.pem /usr/share/ca-certificates/esx-certs/
# echo esx-certs/cacert.pem >> /etc/ca-certificates.conf
# update-ca-certificates

I've no clue how to do this on a Red Hat Linux-based system, that's your part to figure out :)

Now curl and virsh should work as expected.

--
Matthias Bolte
http://photron.blogspot.com

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
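The missing step Matthias points at (the client must trust the CA that signed the server certificate) can be rehearsed offline before touching the ESXi host. The script below is an added example and is not part of the thread or of libvirt: it builds a throwaway CA and two server certificates named for 10.66.6.211 (the address is borrowed from the thread only as a certificate name; nothing is contacted), then runs `openssl verify`, which applies the same chain check libcurl's OpenSSL backend performs. It shows two independent failure modes: a certificate that chains to a CA the client store does not contain (curl/libvirt error 60 above), and a certificate whose only identity is the CN, which OpenSSL's IP-address check rejects because an IP literal is only matched against subjectAltName iPAddress entries, never against the CN. The $WORK scratch directory, the O/CN values and the file names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the libvirt thread: rehearse the CA-trust and
# identity checks that OpenSSL/libcurl apply to an ESXi server certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for the throwaway PKI
IP="10.66.6.211"               # assumption: the ESXi address from the thread, used only as a name

# make_ca BASENAME CN: self-signed CA, written to $WORK/BASENAME.pem and .key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Lab/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_server_cert BASENAME [SAN]: key + CSR with CN=$IP, signed by $WORK/cacert.pem.
# Without a SAN argument the IP lives only in the CN, exactly like the
# certificate built in the thread (Common Name: 10.66.6.211, no subjectAltName).
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Lab/CN=$IP" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  # Extensions for the signed cert: CA:FALSE as in the thread's rui.crt, plus
  # a subjectAltName only when one is requested.
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/$1.ext"
  if [ -n "${2:-}" ]; then
    printf 'subjectAltName=%s\n' "$2" >> "$WORK/$1.ext"
  fi
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cacert.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# chain_status BASENAME CAFILE: "ok" if the certificate chains to CAFILE, else "fail".
# This is the check that produces libcurl's error 60 when the CA is not trusted.
chain_status() {
  if openssl verify -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# ip_status BASENAME: chain check plus OpenSSL's identity check for $IP.
# An IP literal is matched only against iPAddress SAN entries, never the CN.
ip_status() {
  if openssl verify -CAfile "$WORK/cacert.pem" -verify_ip "$IP" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

setup_demo() {
  make_ca cacert "Lab Root CA"          # the CA you created (cacert.pem in the thread)
  make_ca othercert "Unrelated CA"      # stands in for a client store that lacks your CA
  make_server_cert cn_only              # identity only in the CN, like the thread's rui.crt
  make_server_cert with_san "IP:$IP"    # identity also in a subjectAltName
}

setup_demo
printf 'cn_only  vs store without your CA : %s  (this is libcurl error 60)\n' \
  "$(chain_status cn_only "$WORK/othercert.pem")"
printf 'cn_only  vs store with your CA    : %s\n' "$(chain_status cn_only "$WORK/cacert.pem")"
printf 'cn_only  identity check for %s : %s\n' "$IP" "$(ip_status cn_only)"
printf 'with_san identity check for %s : %s\n' "$IP" "$(ip_status with_san)"
```

To test the real host the same way without modifying the system store, `curl --cacert /etc/pki/CA/cacert.pem https://10.66.6.211/sdk` trusts just that CA for one request. On Fedora/RHEL-family systems with the ca-certificates package, the counterpart of the Debian steps above is copying cacert.pem into /etc/pki/ca-trust/source/anchors/ and running update-ca-trust. libvirt's ESX driver also accepts `?no_verify=1` on the esx:// URI, which disables certificate checking entirely; that defeats the purpose of the new certificate and should be reserved for diagnosis, not used as the fix.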