
libvirtd: virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found.
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate

When connecting to libvirtd over TLS, the daemon by default requires the client to present a certificate signed by the CA; see the libvirtd configuration file (/etc/libvirt/libvirtd.conf):

# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
#tls_no_verify_certificate = 1


Uncommenting this line turns the check off (you then need to enable some other authentication mechanism):

#tls_no_verify_certificate = 1
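The two settings above interact with the other TLS options in libvirtd.conf, so it helps to audit the effective values rather than eyeball the comments. The following checker is an added example, not part of the original post or of libvirt itself: it parses a libvirtd.conf fragment (two constructed samples are embedded) and reports whether client certificates are still verified, whether another auth_tls mechanism is configured, and whether tls_allowed_dn_list restricts which CA-signed certificates are accepted.

```python
import re

# Constructed libvirtd.conf fragments (not taken from a real host).
WEAK_CONF = """
# Flag to disable verification of client certificates
tls_no_verify_certificate = 1
listen_tls = 1
"""

HARDENED_CONF = """
listen_tls = 1
#tls_no_verify_certificate = 1
tls_allowed_dn_list = ["C=CN,ST=China,L=China,O=China,OU=China,CN=ClientCommonName"]
"""

_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_libvirtd_conf(text):
    """Return {key: value} for effective (uncommented) settings.

    Values become int, str (quotes stripped) or list[str], mirroring the
    three value types libvirtd.conf uses."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # commented-out line: libvirtd keeps its default
        m = _ASSIGN.match(raw)
        if not m:
            continue
        key, value = m.groups()
        if value.startswith("["):
            settings[key] = re.findall(r'"([^"]*)"', value)
        elif value.startswith('"'):
            settings[key] = value.strip('"')
        elif value.isdigit():
            settings[key] = int(value)
    return settings


def tls_client_auth_posture(text):
    s = parse_libvirtd_conf(text)
    return {
        # libvirtd defaults: verify certificates, auth_tls = "none", no DN list
        "verify_client_cert": s.get("tls_no_verify_certificate", 0) != 1,
        "auth_tls": s.get("auth_tls", "none"),
        "dn_allowlist": s.get("tls_allowed_dn_list", []),
    }


def findings(text):
    p = tls_client_auth_posture(text)
    out = []
    if not p["verify_client_cert"] and p["auth_tls"] == "none":
        out.append("tls_no_verify_certificate=1 with auth_tls=none: any host that reaches the TLS port is trusted")
    if p["verify_client_cert"] and not p["dn_allowlist"]:
        out.append("every certificate signed by the CA is accepted; set tls_allowed_dn_list to pin client DNs")
    return out
```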


Alternatively, have the CA issue a certificate to the client:

# Adjust the CA private key and CA certificate paths to your setup
CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem"
CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem"

# Where the client private key, CSR and certificate are written
PKI_PREFIX="/tmp/client_pki"
CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem"
CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem"
CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem"

# Create the directory and key material readable by the current user only
oldUmask=$(umask)
umask 0077
mkdir -p "${PKI_PREFIX}"

# Generate the client private key
openssl genrsa -out "${CLIENT_PRIVATE_KEY_FILE_PATH}" 2048
# Generate the client CSR; adjust the subject to your needs
openssl req -new -key "${CLIENT_PRIVATE_KEY_FILE_PATH}" -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out "${CLIENT_CSR_FILE_PATH}"
# Have the CA sign the CSR; adjust the validity period as needed
openssl x509 -req -in "${CLIENT_CSR_FILE_PATH}" -CA "${CA_CERTIFICATE_FILE_PATH}" -CAkey "${CA_KEY_FILE_PATH}" -CAcreateserial -out "${CLIENT_CERTIFICATE_FILE_PATH}" -days 3650
# Ship the CA certificate alongside the client files
cat "${CA_CERTIFICATE_FILE_PATH}" > "${PKI_PREFIX}/cacert.pem"

umask "${oldUmask}"

# Copy ${PKI_PREFIX} to the client host
# scp -r "${PKI_PREFIX}" username@host:~/libvirt-server-pki

Once the above has been done, copy the whole ${PKI_PREFIX} directory to the client host and add the pkipath=${PKI_PREFIX} parameter to the libvirt connection URI:

virsh --connect qemu+tls://LIBVIRT_SERVER_HOST/system?pkipath=${HOME}/libvirt-server-pki

If the CA certificate, client private key and client certificate are placed in their default locations, the pkipath parameter can be omitted; see Reference [1].


References:

[1] https://libvirt.org/remote.html#Remote_URI_reference
