On Wed, Aug 06, 2025 at 12:39:34PM +0200, Sebastian Mitterle wrote:
> On Tue, Aug 5, 2025 at 1:54 PM Daniel P. Berrangé <berra...@redhat.com> wrote:
> >
> > On Mon, Aug 04, 2025 at 06:31:14PM +0200, Sebastian Mitterle via Devel wrote:
> > > Older libvirt versions still only work if 'encryption_key' is enabled
> > > in the server and client certificates. Add a note.
> > >
> > > While at it, also add a note that after setting the certificates up,
> > > the TLS ports need to be restarted because I haven't found a mention
> > > of it elsewhere.
> >
> > Do this bit in a separate patch, since it is logically independent
> > of the other change.
> You're right, I was lazy.
> >
> > >
> > > Signed-off-by: Sebastian Mitterle <smitt...@redhat.com>
> > > ---
> > >  docs/kbase/tlscerts.rst | 25 ++++++++++++++++++++-----
> > >  1 file changed, 20 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst
> > > index 215d454998..a1ea4d5f21 100644
> > > --- a/docs/kbase/tlscerts.rst
> > > +++ b/docs/kbase/tlscerts.rst
> > > @@ -213,6 +213,10 @@ clients to reach the server, both with and without
> > > domain name qualifiers. If
> > > clients are likely to connect to the server by IP address, then one or
> > > more
> > > 'ip_address' fields should also be added.
> > >
> > > +Important: If you're running a libvirt version before 11.6.0 you need to
> > > also add
> > > +``encryption_key`` to the template. Previous versions required this.
> >
> > Can we expand this
> >
> > Important: versions of libvirt before 11.6.0 also required the
> > ``encryption_key`` flag in the template. This is no longer mandated since
> > it is not applicable for use with many modern cryptographic algorithms,
> > but it is harmless if present as it will be ignored. If compatibility
> > with both old and new libvirt versions is required, then this extra flag
> > must be added when creating the certificate.
> >
> > and likewise below
> I wonder, with this expanded note, would it make sense to remove this from the
> "Issuing server/client certificates" sections and instead move it up
> to the previous section "Background to TLS certificates"?
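Review bot: The two added lines in the @@ -213 hunk say the same thing twice ("you need to also add" and "Previous versions required this") and never say what 11.6.0 and later do with the flag; collapse them into one statement that versions before 11.6.0 required ``encryption_key`` in the template, that newer versions ignore it, and that it has to stay in the template when one certificate must work with both. Because the file is reStructuredText, an ``.. important::`` admonition would render as a callout where a literal "Important:" paragraph does not. The diffstat reports 20 insertions and 5 deletions but only this one hunk is quoted, so the matching client-certificate note and the port-restart note from the commit message cannot be checked from what is shown.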
Yes, that would avoid the duplication.

Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-   https://www.instagram.com/dberrange :|