Hi Daniel,
Thanks for the reply. The procedure I use is the same as I use for XenServer, and the certificate exchange works just fine. The only thing I'm a bit unclear on is the location of the CA cert, which in the case of XenServer I simply put in /etc/pki/CA. And when I start the libvirtd daemon, it successfully picks it up. If I put the server key and cert in /etc/vmware/ssl for ESXi, is there a location where I put the CA cert (cacert.pem)? Also, following are the log errors that I see -
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL error queue:
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed for stream TCP(local=<ESXi>:443, peer=<client>:33776), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)
Doesn't this mean the CA cert wasn't found on the ESXi?
Regards,
Shiva
On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berrange@xxxxxxxxxx> wrote:
On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
> Hello,
>
> I'm using certtool to generate the server certificates for ESXi -
> http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server
> certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key.
> And then use virsh to connect from a CentOS 6.4 VM running on it - "virsh
> -c esx://<esx IP>". I get the following error -
>
> error: internal error curl_easy_perform() returned an error: Peer
> certificate cannot be authenticated with known CA certificates (60) : Peer
> certificate cannot be authenticated with known CA certificates
> error: failed to connect to the hypervisor
>
> is there something basic that I'm missing?
I'm not sure what you're missing, but the error message means that the
VMWare server certificate was not signed by any CA certificate that
the libvirt client has access to. So it is a client side CA cert config
problem most likely.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
_______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users
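The check behind both messages in this thread is ordinary X.509 path validation on the client: libcurl reports error 60 when it cannot chain the server certificate to a CA it trusts, and in TLS the "unknown ca" alert is sent by the side that rejected the certificate, so a server seeing it in SSL3_READ_BYTES is reading the client's verdict. The script below is an added example, not code from the thread or from libvirt or VMware: it uses openssl to build a throwaway issuing CA, a server certificate named like ESXi's rui.key/rui.crt, and a second unrelated CA, then runs the same validation step against each. All names (issuing-ca, unrelated-ca, esxi.example) are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the client-side CA check that
# yields curl error 60 / the TLS unknown_ca alert, fully offline with openssl.
# Assumes: openssl in PATH. CA and host names below are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key as $WORK/NAME.pem / $WORK/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_server_cert CA_NAME HOST: server key and certificate signed by CA_NAME,
# named like ESXi's /etc/vmware/ssl/rui.key and rui.crt
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/rui.key" -out "$WORK/rui.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/rui.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/rui.crt" >/dev/null 2>&1
}

# verify_against CA_NAME: exit 0 when rui.crt chains to that CA, non-zero otherwise.
# This is the path-validation step a TLS client performs on the server cert; when it
# fails, the client aborts the handshake and sends the unknown_ca alert the server logs.
verify_against() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/rui.crt" >/dev/null 2>&1
}

# chain_status CA_NAME: prints "trusted" or "untrusted" for the configured CA file
chain_status() {
  if verify_against "$1"; then echo trusted; else echo untrusted; fi
}

make_ca issuing-ca
make_ca unrelated-ca
issue_server_cert issuing-ca esxi.example

echo "client configured with the issuing CA:  $(chain_status issuing-ca)"    # trusted
echo "client configured with an unrelated CA: $(chain_status unrelated-ca)"  # untrusted
# The client-side reason text when the wrong CA is configured:
openssl verify -CAfile "$WORK/unrelated-ca.pem" "$WORK/rui.crt" 2>&1 \
  | sed 's/^/  openssl says: /' || true
```

The second case is the situation Daniel describes: the server's certificate is fine, but the CA file the client consults is not the one that issued it. Against a live host the same distinction shows up with curl, which fails with error 60 by default and succeeds once the issuing CA is passed with `--cacert cacert.pem`; placing the CA on the ESXi host does not change the outcome, because the check runs on the client.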