<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif"><span style="font-family:arial">On Sun, Sep 15, 2013 at 9:34 PM, Dan Kenigsberg </span><span dir="ltr" style="font-family:arial"><<a href="mailto:danken@redhat.com" target="_blank">danken@redhat.com</a>></span><span style="font-family:arial"> wrote:</span><br>
</div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="">
<div class="h5">On Sun, Sep 15, 2013 at 08:44:18PM +1000, Andrew Lau wrote:<br>
> On Sun, Sep 15, 2013 at 8:00 PM, Dan Kenigsberg <<a href="mailto:danken@redhat.com">danken@redhat.com</a>> wrote:<br>
><br>
> > On Sun, Sep 15, 2013 at 06:48:41PM +1000, Andrew Lau wrote:<br>
> > > Hi Dan,<br>
> > ><br>
> > > Certainly, I've uploaded them to fedora's paste bin and tried to snip<br>
> > just<br>
> > > the relevant details.<br>
> > ><br>
> > > Sender (<a href="http://hv01.melb.domain.net" target="_blank">hv01.melb.domain.net</a>):<br>
> > > <a href="http://paste.fedoraproject.org/39660/92339651/" target="_blank">http://paste.fedoraproject.org/39660/92339651/</a><br>
> ><br>
> > This one has<br>
> ><br>
> > libvirtError: operation failed: Failed to connect to remote libvirt<br>
> > URI qemu+tls://<a href="http://hv02.melb.domain.net/system" target="_blank">hv02.melb.domain.net/system</a><br>
> ><br>
> > which is most often related to firewall issues, and some time to key<br>
> > mismatch.<br>
> ><br>
> > Does<br>
> > virsh -c qemu+tls://<a href="http://hv02.melb.domain.net/system" target="_blank">hv02.melb.domain.net/system</a> capabilities<br>
> > work when run from the command line of hv01?<br>
> ><br>
> > Dan.<br>
> > > Receiver (<a href="http://hv02.melb.domain.net" target="_blank">hv02.melb.domain.net</a>): `<br>
> > > <a href="http://paste.fedoraproject.org/39661/23406913/" target="_blank">http://paste.fedoraproject.org/39661/23406913/</a><br>
> > ><br>
> > > VM being transfered is ovirt_guest_vm<br>
> > ><br>
> > > Thanks,<br>
> > > Andrew<br>
> ><br>
><br>
> virsh -c qemu+tls://<a href="http://hv02.melb.domain.net/system" target="_blank">hv02.melb.domain.net/system</a><br>
> 2013-09-15 10:41:10.620+0000: 23994: info : libvirt version: 0.10.2,<br>
> package: 18.el6_4.9 (CentOS BuildSystem <<a href="http://bugs.centos.org" target="_blank">http://bugs.centos.org</a>>,<br>
> 2013-07-02-11:19:29, <a href="http://c6b8.bsys.dev.centos.org" target="_blank">c6b8.bsys.dev.centos.org</a>)<br>
> 2013-09-15 10:41:10.620+0000: 23994: warning :<br>
> virNetTLSContextCheckCertificate:1102 : Certificate check failed<br>
> Certificate failed validation: The certificate hasn't got a known issuer.<br>
<br>
</div></div><div class=""><div class="h5">Would you share your<br>
<br>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"></div>openssl x509 -in <div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"></div>/etc/pki/vdsm/certs/cacert.pem -text<br>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"></div>openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -text<br>
<br>
on both hosts? This content may be sensitive, and may not<br>
provide an answer why libvirt on src cannot contact libvirtd on the<br>
other host. So before you do that, would you test if<br>
<br>
<div class="gmail_default" style="font-family:tahoma,sans-serif;display:inline"></div> vdsClient -s <a href="http://hv02.melb.domain.net" target="_blank">hv02.melb.domain.net</a> getVdsCapabilities<br>
<br>
works when run on hv01? It may be that the certificates are fine, but<br>
libvirt is not configured to use the correct ones.<br>
<br>
Dan.<br>
<br>
</div></div></blockquote></div><br></div><div class="gmail_extra"><div class="gmail_default" style="font-family:tahoma,sans-serif">vdsClient -s <a href="http://hv02.melb.domain.net">hv02.melb.domain.net</a> getVdsCapabilities runs fine</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">I did a quick comparison between the files on both hosts, they seem to have the right details (host names, authority etc.)</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif">cacert.pem matches</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">
/etc/libvirt/libvirtd.conf</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default"><div class="gmail_default"><font face="tahoma, sans-serif">ca_file="/etc/pki/vdsm/certs/cacert.pem"</font></div>
<div class="gmail_default"><font face="tahoma, sans-serif">cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"</font></div><div class="gmail_default"><font face="tahoma, sans-serif">key_file="/etc/pki/vdsm/keys/vdsmkey.pem"</font></div>
<div style="font-family:tahoma,sans-serif"><br></div></div><br></div></div>