OK, so I figured out my own problem. Basically I needed to add the CA chain to each of the cert files. The cacert.pem file had the entire chain, but since the clientcert.pem and servercert.pem files only had a single cert, the chains were not presented during the handshake and so verification failed. Once I appended the chain to both the server and client certs, the handshake passed. Thanks for the help. I hope this discussion helps others who have similar problems.
In summary, the contents of each of my files are as follows:

servercert.pem --
  cert unique to server
  child-ca1 cert
  caroot cert

clientcert.pem --
  cert unique to client
  child-ca1 cert
  caroot cert

cacert.pem --
  child-ca1 cert
  caroot cert

On Tue, Apr 22, 2014 at 8:35 AM, Daniel P. Berrange <berra...@redhat.com> wrote:

> On Tue, Apr 22, 2014 at 08:24:43AM -0600, Nathaniel Cook wrote:
> > Thanks for the response.
> >
> > My current chain is as follows:
> >
> > caroot -> child-ca1 -> server cert
> >
> > My cacert.pem file has both the caroot and the child-ca1 certs. I have
> > recompiled libvirt on my machine with some extra debug statements and
> > verified that both the caroot cert and the child-ca1 certs are being
> > loaded. But when I try to connect the caroot and child-ca1 certs only
> > appear under the "Acceptable client certificate CA names" not the
> > certificate chain. The error I get on the client when connecting is that
> > the server identity could not be verified since the server isn't
> > presenting the entire CA chain just its own cert.
>
> Are you willing / able to share the output of
>
>   certtool -i --infile <filename>.pem
>
> for the cacert.pem and servercert.pem on the server, and the likewise for
> the cacert.pem and clientcert.pem (if used) on the client the fails to
> connect?
>
> Regards,
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
-Nathaniel Cook
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users
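The following script is an added example, not code from this thread or from libvirt. It rebuilds the caroot -> child-ca1 -> leaf hierarchy described above with openssl (instead of the certtool commands discussed in the thread), assembles cacert.pem, servercert.pem and clientcert.pem in the same order as the final summary, and then checks each file the way a TLS peer would: trusting only the root and taking the intermediate from whatever the other side presents. The CA and host names (caroot, child-ca1, server, client) and the file names are made up for the demo. One caveat the thread does not spell out: a TLS server only has to send the leaf plus the intermediates; appending the root as well, as the post does, is harmless but not required. Note also that `openssl verify -CAfile cacert.pem` would pass even for the leaf-only file, because OpenSSL builds chains through any certificate in its trusted store, which is why the check below deliberately trusts caroot alone.

```shell
#!/bin/sh
# Added example, not code from the thread or from libvirt: build the
# caroot -> child-ca1 -> leaf hierarchy the post describes with openssl,
# assemble the PEM files the same way, and show with "openssl verify" why
# a leaf-only servercert.pem fails while the concatenated one passes.
# All names (caroot, child-ca1, server, client) are made up for the demo.
set -eu

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Generate keys and CSRs, self-sign the root, sign child-ca1 with the root,
# sign the server and client leaves with child-ca1, then concatenate.
build_demo_pki() {
  cd "$DEMO_DIR"
  cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
  for name in caroot child-ca1 server client; do
    openssl req -new -newkey rsa:2048 -nodes -batch -subj "/CN=$name" \
      -keyout "$name.key" -out "$name.csr" 2>/dev/null
  done
  openssl x509 -req -in caroot.csr -signkey caroot.key -days 365 \
    -extfile ext.cnf -extensions ca -out caroot.pem 2>/dev/null
  openssl x509 -req -in child-ca1.csr -CA caroot.pem -CAkey caroot.key \
    -CAcreateserial -days 365 -extfile ext.cnf -extensions ca \
    -out child-ca1.pem 2>/dev/null
  for name in server client; do
    openssl x509 -req -in "$name.csr" -CA child-ca1.pem -CAkey child-ca1.key \
      -CAcreateserial -days 365 -extfile ext.cnf -extensions leaf \
      -out "$name.pem" 2>/dev/null
  done

  # cacert.pem: the CA chain only (what both sides trust).
  cat child-ca1.pem caroot.pem > cacert.pem
  # What the post started with: the leaf on its own.
  cp server.pem servercert-leafonly.pem
  # The fix from the post: leaf first, then child-ca1, then caroot.
  cat server.pem child-ca1.pem caroot.pem > servercert.pem
  cat client.pem child-ca1.pem caroot.pem > clientcert.pem
}

# Number of PEM certificate blocks in a file.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject and issuer of every cert in a file, in file order (the openssl
# counterpart of the "certtool -i --infile" check suggested in the thread).
show_certs() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the first cert in $1 the way a TLS peer does: trust only caroot,
# and take any intermediate from the certs the other side presents ($1).
verify_against_root() {
  openssl verify -CAfile "$DEMO_DIR/caroot.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

build_demo_pki
echo "servercert.pem carries $(count_certs "$DEMO_DIR/servercert.pem") certificates:"
show_certs "$DEMO_DIR/servercert.pem"
for f in servercert-leafonly.pem servercert.pem clientcert.pem; do
  if verify_against_root "$DEMO_DIR/$f"; then
    echo "$f: chain verifies"
  else
    echo "$f: verification FAILED (issuer child-ca1 not presented)"
  fi
done
```

Running it prints three subject/issuer pairs for servercert.pem (server, child-ca1, caroot), reports that servercert-leafonly.pem fails to verify and that the two concatenated files pass. The same `show_certs` listing is what to run on any real servercert.pem or clientcert.pem when a handshake reports that the peer identity could not be verified: if it shows only the leaf, the peer has no way to reach the root.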