Bug 815825

Summary: vdsm - libvirt daemon is not starting: The certificate hasn't got a known issuer.
Product: Red Hat Enterprise Linux 6
Reporter: Douglas Schilling Landgraf <dougsland>
Component: vdsm
Assignee: Douglas Schilling Landgraf <dougsland>
Status: CLOSED DUPLICATE
QA Contact: yeylon <yeylon>
Severity: high
Priority: unspecified
Version: 6.3
CC: abaron, bazulay, iheim, srevivo, ykaul
Target Milestone: rc
Hardware: All
OS: Linux
Whiteboard: infra
Doc Type: Bug Fix
Clone Of:
: 815850
Last Closed: 2012-05-04 02:19:30 UTC
Type: Bug

Description Douglas Schilling Landgraf 2012-04-24 15:35:24 UTC
Description of problem:

/var/log/libvirtd.log says:
===============================
2012-04-24 09:55:12.860+0000: 7098: info : libvirt version: 0.9.10, package: 11.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2012-04-10-23:22:55, x86-010.build.bos.redhat.com)
2012-04-24 09:55:12.860+0000: 7098: error : virNetTLSContextCheckCertPair:471 : Our own certificate /etc/pki/vdsm/certs/vdsmcert.pem failed validation against /etc/pki/vdsm/certs/cacert.pem: The certificate hasn't got a known issuer.
=========

This error shows up when registering RHEV-M on the RHEV-H TUI, but on the RHEV-M side the host doesn't get approved by the Administrator. When the RHEV-H TUI registers a new RHEV-M it will delete the current /etc/pki/vdsm/certs/cacert.pem and put in the new one downloaded from RHEV-M. However, the /etc/pki/vdsm/certs/vdsmcert.pem doesn't recognize this new cacert.pem issuer, and if the host gets rebooted libvirt will fail to start with the above error.

As an example:

Output from openssl (in a clean RHEV-H installation, no registration happened)
===========================================================================
# openssl verify -CAfile /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem
vdsmcert.pem: OK

Output from openssl (after registering a new RHEV-M and not getting it approved by the administrator)
=============================================================================
# openssl verify -CAfile /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate

Expected, since vdsmcert doesn't know about this new cacert, and we have a race condition which can make the libvirt daemon fail to start.

On the other hand, if the host gets approved on the RHEV-M side after the registration step, the vdsmcert is updated and libvirtd will start correctly.

Comment 2 Douglas Schilling Landgraf 2012-04-24 16:09:08 UTC
Upstream patches:

BZ#815825 validate vdsmcert against cacert
http://gerrit.ovirt.org/#change,3885

BZ#815825: deployUtil Do not overwrite cacert.pem
http://gerrit.ovirt.org/#change,3883

Comment 4 Douglas Schilling Landgraf 2012-05-04 02:19:30 UTC

*** This bug has been marked as a duplicate of bug 806625 ***