|
1 2 3 |
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found. Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found. Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate |
使用TLS连接libvirtd时,默认需要验证客户端是否拥有由CA签名的证书,详见libvirtd配置文件(/etc/libvirt/libvirtd.conf):
|
1 2 3 4 5 6 7 8 9 |
# Flag to disable verification of client certificates # # Client certificate verification is the primary authentication mechanism. # Any client which does not present a certificate signed by the CA # will be rejected. # # Default is to always verify. Uncommenting this will disable # verification - make sure an IP whitelist is set #tls_no_verify_certificate = 1 |
取消此行的注释即可关闭此验证(当然你得启用其它身份认证途径):
|
1 |
#tls_no_verify_certificate = 1 |
也可选择以让CA给客户端签发证书:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
# 自行修改CA私钥与证书的路径 CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem" CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem" # 客户端私钥,CSR,证书保存路径 PKI_PREFIX="/tmp/client_pki/" CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem" CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem" CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem" oldUmask=$(umask) umask 0077 mkdir -p ${PKI_PREFIX} # 生成客户端私钥 openssl genrsa -out ${CLIENT_PRIVATE_KEY_FILE_PATH} 2048 # 生成客户端CSR,根据自己需要自行修改subjects openssl req -new -key ${CLIENT_PRIVATE_KEY_FILE_PATH} -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out ${CLIENT_CSR_FILE_PATH} # CA通过CSR签发证书,根据需要自行修改有效期 openssl x509 -req -in ${CLIENT_CSR_FILE_PATH} -CA ${CA_CERTIFICATE_FILE_PATH} -CAkey ${CA_KEY_FILE_PATH} -CAcreateserial -out ${CLIENT_CERTIFICATE_FILE_PATH} -days 3650 # 把CA证书放进去 cat ${CA_CERTIFICATE_FILE_PATH} > ${PKI_PREFIX}/cacert.pem umask ${oldUmask} # 把${PKI_PREFIX}传送到客户端 # scp -r ${PKI_PREFIX} username@host:~/libvirt-server-pki |
完成上面的操作后,把整个${PKI_PRE […]
