Hi Daniel, thanks for the reply - The procedure I use is the same as I use for XenServer, and the certificate exchange works just fine. The only thing I'm a bit unclear on, is the location of the CA cert, which in the case of XenServer, I simply put it in /etc/pki/CA. And when I start the libvirtd daemon, it successfully picks it up. If I put the Server key and cert in /etc/vmware/ssl for ESXi, is there a location where I put the CA cert (cacert.pem)? Also, following are the log errors that I see -
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] SSLStreamImpl::DoServerHandshake (ffd005d0) SSL_accept failed. Dumping SSL error queue:
2013-10-30T18:32:25.405Z [FFE81B90 error 'Default'] [0] error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-10-30T18:32:25.405Z [FFE81B90 warning 'Default'] SSL Handshake failed for stream TCP(local=<ESXi>:443, peer=<client>:33776), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca)

Doesn't this mean the CA cert wasn't found on the ESXi?

Regards,
Shiva

On Wed, Oct 30, 2013 at 2:45 AM, Daniel P. Berrange <berra...@redhat.com> wrote:
> On Tue, Oct 29, 2013 at 06:48:46PM -0700, Shiva Bhanujan wrote:
> > Hello,
> >
> > I'm using certtool to generate the server certificates for ESXi -
> > http://libvirt.org/remote.html#Remote_TLS_CA. I just copy the server
> > certificate and key as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key.
> > And then use virsh to connect from a CentOS 6.4 VM running on it - "virsh
> > -c esx://<esx IP>". I get the following error -
> >
> > error: internal error curl_easy_perform() returned an error: Peer
> > certificate cannot be authenticated with known CA certificates (60) : Peer
> > certificate cannot be authenticated with known CA certificates
> > error: failed to connect to the hypervisor
> >
> > is there something basic that I'm missing?
>
> I'm not sure what you're missing, but the error message means that the
> VMWare server certificate was not signed by any CA certificate that
> the libvirt client has access to. So it is a client side CA cert config
> problem most likely.
>
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
_______________________________________________
libvirt-users mailing list
libvirt-users@redhat.com
https://www.redhat.com/mailman/listinfo/libvirt-users