| Summary: | [libvirt] libvirtd (0.9.3-6) fails to start with rhevm's cert configured : 'cert_file="/etc/pki/vdsm/certs/vdsmcert.pem" # by vdsm' | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | David Naori <dnaori> | ||||
| Component: | libvirt | Assignee: | Daniel Berrangé <berrange> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 6.1 | CC: | acathrow, berrange, dallan, danken, dnaori, dyuan, hateya, iheim, mgoldboi, mzhan, nzhang, rwu, veillard, weizhan, whuang, ydu, ykaul | ||||
| Target Milestone: | rc | Keywords: | Regression | ||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | libvirt-0.9.3-7.el6 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-12-06 11:17:04 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Attachments: |
|
||||||
It's the upstream commit 79591d4fbf666a5b1a5b93c9f30ddc81e77d593a
Add sanity checking of basic constraints, key purpose & key usage
Gnutls requires that certificates have basic constraints present
to be used as a CA certificate. OpenSSL doesn't add this data
by default, so add a sanity check to catch this situation. Also
validate that the key usage and key purpose constraints contain
correct data
* src/rpc/virnettlscontext.c: Add sanity checking of certificate
constraints
in that case gnutls_x509_crt_get_basic_constraints() returns 0 indicating
it doesn't think that this is a CA certificate.
RETURN VALUE
If the certificate is a CA a positive value will be returned, or zero
if the certificate does not have CA flag set. A negative value may be
returned in case of errors. If the certificate does not contain the
basicConstraints extension GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
be returned.
then gnutls_x509_crt_get_key_usage() just fails on that certificate ad that
leads to the abort.
I note that we are passing NULL values for a bunch of arguments of gnutls
maybe this is working fine in recent versions but leads to troubles on the
RHEL-6 one ... we should check this
Daniel
Please attach both your CA certificate, and the VDSM server certificate to this bug > query certificate /etc/pki/vdsm/certs/vdsmcert.pem basic constraints The
requested data were not available.
This error message is actually wrong. It is actually missing 'key usage' data from the certificate. In the past libvirt did not enforce presence of this data, but now it does. While the CA cert looks OK, I believe the server certificate (vdsmcert.pem) was not created following the libvirt documentation.
When creating a server certificate, you need to create a .info file for certtool containing the following information:
#cat > server.info <<EOF
organization = Name of your organization
cn = fully.qualified.server.hostname
tls_www_server
encryption_key
signing_key
EOF
The 'tls_www_server', 'encryption_key' and 'signing_key' bits ensure you get the key usage & key purpose extension fields are filled in for the certificate.
For a correctly generated server cert, 'certtool -i --infile /path/to/cert' should show
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Server.
Key Usage (critical):
Digital signature.
Key encipherment.
While a client certificate should show
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
Key Usage (critical):
Digital signature.
Key encipherment.
And a CA cert should show
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Opps, missed out the docs link for how to generate certs: http://libvirt.org/remote.html#Remote_TLS_server_certificates Created attachment 513977 [details]
vdsmcert.pem, cacert.pem
attached both cacert and vdsmcert.
While the VDSM certs are missing the key usage/purpose data, re-checking the relevant RFCs shows we should have treated that as non-fatal by default. We should only treat it as a fatal problem if the key usage + purpose *is* in the certificate and marked as 'critical': http://www.redhat.com/archives/libvir-list/2011-July/msg01333.html In addition to that, to get RHEV/VDSM to follow best practice recommendations from the libvirt.org/remote.html when generating certificates, there are a couple of changes that should be made to RHEV-M's code: In the file: rhevm/backend/manager/conf/ca/cert.template There should be two extra fields set under the '[ v3_ca ]' heading, just after the basicConstraints data: For client certificates: keyUsage=critical,digitalSignature,keyEncipherment extendedKeyUsage=critical,clientAuth For server certificates: keyUsage=critical,digitalSignature,keyEncipherment extendedKeyUsage=critical,serverAuth It seems like VDSM might in fact need a dual purpose certificate, which can be done with keyUsage=critical,digitalSignature,keyEncipherment extendedKeyUsage=critical,serverAuth,clientAuth To avoid future regressions in this area, I have created a comprehensive unit test case for libvirt's TLS cert handling http://www.redhat.com/archives/libvir-list/2011-July/msg01490.html Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1513.html |
Description of problem: Libvirtd fails to start with rhevm's certificate: 11:08:43.669: 27874: debug : virNetTLSContextNew:447 : cacert=/etc/pki/vdsm/certs/cacert.pem cacrl=(null) cert=/etc/pki/vdsm/certs/vdsmcert.pem key=/etc/pki/vdsm/keys/vdsmkey.pem requireValid=1 isServer=1 11:08:43.671: 27874: debug : virNetTLSContextSanityCheckCert:116 : isServer 1 isCA 0 certFile /etc/pki/vdsm/certs/vdsmcert.pem 11:08:43.672: 27874: debug : virNetTLSContextSanityCheckCert:161 : Cert /etc/pki/vdsm/certs/vdsmcert.pem basic constraints 0 11:08:43.672: 27874: debug : virNetTLSContextSanityCheckCert:194 : Cert /etc/pki/vdsm/certs/vdsmcert.pem key usage status -56 usage 0 11:08:43.672: 27874: error : virNetTLSContextSanityCheckCert:198 : Unable to query certificate /etc/pki/vdsm/certs/vdsmcert.pem basic constraints The requested data were not available. conf: 'cert_file="/etc/pki/vdsm/certs/vdsmcert.pem" # by vdsm' #cat /etc/pki/vdsm/certs/vdsmcert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=RedHat, CN=CA-pink-vds2.qa.lab.tlv.redhat.com Validity Not Before: Mar 14 19:49:43 2011 Not After : Mar 12 17:49:43 2021 GMT Subject: C=US, O=RedHat, CN=CA-pink-vds2.qa.lab.tlv.redhat.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:bd:30:35:e9:87:63:75:36:92:96:5b:20:df:17: 53:c9:7c:7a:3f:11:51:31:e9:e2:09:b3:fa:fc:bc: b9:1b:b1:a3:16:53:22:9b:b9:68:07:7a:10:79:8f: d6:8b:35:6f:a2:37:99:5c:68:fa:03:89:63:89:22: dd:52:a1:38:4a:02:0e:a8:6d:81:9e:1b:85:94:b5: 6a:82:23:8c:25:7a:4f:19:8d:c8:f1:f9:b5:4d:56: 7e:0e:0f:f0:e3:db:a4:8a:14:69:c2:55:fa:4c:f3: 95:b2:15:2e:bb:cf:6f:97:14:41:ce:f5:b6:c4:8f: 3d:00:13:ef:0f:ec:0a:2f:69 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: CA:4C:6F:79:1F:8B:4A:31:6F:92:B1:7E:CD:F8:3B:64:58:A3:16:89 Authority Information Access: CA Issuers - URI:http://my.ca/ca.crt X509v3 Authority Key Identifier: keyid:CA:4C:6F:79:1F:8B:4A:31:6F:92:B1:7E:CD:F8:3B:64:58:A3:16:89 DirName:/C=US/O=RedHat/CN=CA-pink-vds2.qa.lab.tlv.redhat.com serial:01 X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Certificate Sign, CRL Sign Signature Algorithm: sha1WithRSAEncryption 8c:84:a1:c7:ea:16:67:f7:15:3b:d7:79:be:d8:c8:75:88:24: 55:b9:94:9c:4d:d2:bc:30:ae:39:d7:ca:2e:d4:83:f6:e1:c7: 22:00:0e:a0:26:70:92:88:1b:3d:a5:60:63:33:d6:f1:71:76: a0:79:4f:4f:a3:b3:57:a1:bc:72:3a:76:3a:c4:e3:3e:25:25: c6:c8:75:c8:4b:c9:92:85:24:b3:5d:4e:ef:cb:1c:8f:2c:8d: d8:41:f5:05:e6:04:de:b8:00:19:5f:57:55:e1:78:ae:16:60: 39:0e:52:ca:fe:d4:c3:7f:79:9e:d9:02:35:75:ab:d7:e5:a2: 25:eb -----BEGIN CERTIFICATE----- MIIC+jCCAmOgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJVUzEP MA0GA1UEChMGUmVkSGF0MSswKQYDVQQDEyJDQS1waW5rLXZkczIucWEubGFiLnRs di5yZWRoYXQuY29tMCIXETExMDMxNDE5NDk0MyswMjAwFw0yMTAzMTIxNzQ5NDNa MEsxCzAJBgNVBAYTAlVTMQ8wDQYDVQQKEwZSZWRIYXQxKzApBgNVBAMTIkNBLXBp bmstdmRzMi5xYS5sYWIudGx2LnJlZGhhdC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD gY0AMIGJAoGBAL0wNemHY3U2kpZbIN8XU8l8ej8RUTHp4gmz+vy8uRuxoxZTIpu5 aAd6EHmP1os1b6I3mVxo+gOJY4ki3VKhOEoCDqhtgZ4bhZS1aoIjjCV6TxmNyPH5 tU1Wfg4P8OPbpIoUacJV+kzzlbIVLrvPb5cUQc71tsSPPQAT7w/sCi9pAgMBAAGj gekwgeYwHQYDVR0OBBYEFMpMb3kfi0oxb5Kxfs34O2RYoxaJMC8GCCsGAQUFBwEB BCMwITAfBggrBgEFBQcwAoYTaHR0cDovL215LmNhL2NhLmNydDBzBgNVHSMEbDBq gBTKTG95H4tKMW+SsX7N+DtkWKMWiaFPpE0wSzELMAkGA1UEBhMCVVMxDzANBgNV BAoTBlJlZEhhdDErMCkGA1UEAxMiQ0EtcGluay12ZHMyLnFhLmxhYi50bHYucmVk aGF0LmNvbYIBATAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq hkiG9w0BAQUFAAOBgQCMhKHH6hZn9xU713m+2Mh1iCRVuZScTdK8MK4518ou1IP2 4cciAA6gJnCSiBs9pWBjM9bxcXageU9Po7NXobxyOnY6xOM+JSXGyHXIS8mShSSz XU7vyxyPLI3YQfUF5gTeuAAZX1dV4XiuFmA5DlLK/tTDf3me2QI1davX5aIl6w== -----END CERTIFICATE----- Version-Release number of selected component (if applicable): 0.9.3-6 How reproducible: 100% Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: