[Users] migration & missing cert - 3.2 alpha

Hi,

I have an F18 Beta + oVirt 3.2 alpha setup with two hosts. When I try to migrate from one host to the other I get

2012-12-15 15:18:51.381+0000: 1541: error : virNetTLSContextCheckCertFile:113 : Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory

in libvirtd.log on the source host. Is that actually where the cert should be and I should try to track down why it's not there or should it be somewhere else? If it should be somewhere else where would that be configured? The default location for the client certificates seems to be /etc/pki/libvirt which doesn't exist so even with a cacert it still probably wouldn't work. Could this be related to the missing spice certificates (I manually made the symbolic links for those)?

Thanks,
Jeff

----- Original Message -----
> From: "Jeff Bailey" <bailey@cs.kent.edu>
> To: users@ovirt.org
> Sent: Saturday, December 15, 2012 6:28:20 PM
> Subject: [Users] migration & missing cert - 3.2 alpha

This is interesting...

What do you have in both machines at /etc/libvirt/libvirtd.conf in ca_file, cert_file, key_file?

As far as I have seen, these variables are set to /etc/pki/vdsm/*; I did not duplicate these files to libvirtd.

I would like to understand why the default libvirt settings are in effect.

Regards,
Alon

On 12/15/2012 1:49 PM, Alon Bar-Lev wrote:
> This is interesting...
>
> What do you have in both machines at /etc/libvirt/libvirtd.conf in ca_file, cert_file, key_file?

In /etc/libvirt/libvirtd.conf on both hosts:

ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"

It looks like it pulled libvirt-0.10.2.2-1.fc18.x86_64 from the F18 updates-testing repository. Maybe that's the problem. I'll try to install a clean F18 beta with the updates-testing repo disabled.

----- Original Message -----
> From: "Jeff Bailey" <bailey@cs.kent.edu>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Sunday, December 16, 2012 12:39:48 AM
> Subject: Re: [Users] migration & missing cert - 3.2 alpha
>
> It looks like it pulled libvirt-0.10.2.2-1.fc18.x86_64 from the F18 updates-testing repository. Maybe that's the problem. I'll try to install a clean F18 beta with the updates-testing repo disabled.

OK... although it seems like libvirtd somehow ignores its own settings :)

On 12/15/2012 5:47 PM, Alon Bar-Lev wrote:
> OK... although it seems like libvirtd somehow ignores its own settings :)

Yes, it seems that way. I don't know exactly when these certificates are used. Is it just for libvirt to libvirt communication like when doing a migration? Does vdsm communicate locally without using TLS? I'm just wondering if it's something special about migration that's not using the right certificate path or is libvirt using the wrong path for everything and the only thing it affects is migration.

Anyway, a clean F18 install with libvirt-0.10.2.1-3.fc18.x86_64 behaves the same way.

----- Original Message -----
> From: "Jeff Bailey" <bailey@cs.kent.edu>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Sunday, December 16, 2012 2:51:21 AM
> Subject: Re: [Users] migration & missing cert - 3.2 alpha
>
> Anyway, a clean F18 install with libvirt-0.10.2.1-3.fc18.x86_64 behaves the same way.

OK, for now you can copy the certificates manually. I will check libvirt sources.

----- Original Message -----
> From: "Alon Bar-Lev" <alonbl@redhat.com>
> To: "Jeff Bailey" <bailey@cs.kent.edu>
> Cc: users@ovirt.org
> Sent: Sunday, December 16, 2012 10:15:17 AM
> Subject: Re: [Users] migration & missing cert - 3.2 alpha
>
> I will check libvirt sources.

It should be fixed in the next nightly. Apparently, vdsm configures libvirt with pki artifacts locations when libvirt is used as server but not when libvirt is used as client.

Thank you for the report!
Alon
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
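
The server/client mismatch identified at the end of this thread can be checked on each host. This is an added example, not code from the thread, vdsm or libvirt. It assumes libvirt's documented client defaults (clientcert.pem and private/clientkey.pem under /etc/pki/libvirt); the function names and the ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example: compare the server-side TLS paths set in libvirtd.conf with
# the default paths libvirt falls back to when it acts as a TLS client
# (for instance on the source host of a migration).

# conf_value FILE KEY: print the value of an uncommented KEY="..." line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# check_tls_paths ROOT
# ROOT is a filesystem prefix: "" for the live host, a scratch directory for
# testing (hypothetical parameter). Prints one line per path and returns 0
# only if every path is readable.
check_tls_paths() {
    root=$1
    conf="$root/etc/libvirt/libvirtd.conf"
    rc=0
    # Server side: the three keys quoted in the thread.
    for key in ca_file cert_file key_file; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "server $key: not set, libvirt default applies"
        elif [ -r "$root$path" ]; then
            echo "server $key: ok $path"
        else
            echo "server $key: MISSING $path"; rc=1
        fi
    done
    # Client side: defaults used when no client paths are configured
    # (assumption: libvirt's documented default file names).
    for path in /etc/pki/CA/cacert.pem \
                /etc/pki/libvirt/clientcert.pem \
                /etc/pki/libvirt/private/clientkey.pem; do
        if [ -r "$root$path" ]; then
            echo "client default: ok $path"
        else
            echo "client default: MISSING $path"; rc=1
        fi
    done
    return $rc
}
```

Calling check_tls_paths "" on a host with the configuration quoted above would report the server paths as present and the client defaults as missing, which matches the error in libvirtd.log.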