Bug 1462125 - Peer's certificate issue when boot with https drive
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
7.4
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Hai Huang
Virtualization Bugs
Reported: 2017-06-16 05:16 EDT by Suqin Huang
Modified: 2017-07-23 00:39 EDT

Last Closed: 2017-06-16 08:28:57 EDT
Type: Bug
Description Suqin Huang 2017-06-16 05:16:49 EDT
Description of problem:


Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.9.0-10.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install guest with iso in https server

cmd:
    -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso \
    -device ide-cd,id=cd1,drive=drive_cd1,bootindex=2,bus=ide.0,unit=0 \


full cmd:

/usr/libexec/qemu-kvm \
    -S  \
    -name 'avocado-vt-vm1'  \
    -sandbox off  \
    -machine pc  \
    -nodefaults  \
    -vga cirrus  \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/var/tmp/avocado_9Mqshs/monitor-qmpmonitor1-20170615-232743-2CHamBNy,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control  \
    -chardev socket,id=qmp_id_catch_monitor,path=/var/tmp/avocado_9Mqshs/monitor-catch_monitor-20170615-232743-2CHamBNy,server,nowait \
    -mon chardev=qmp_id_catch_monitor,mode=control \
    -device pvpanic,ioport=0x505,id=idcGKndE  \
    -chardev socket,id=serial_id_serial0,path=/var/tmp/avocado_9Mqshs/serial-serial0-20170615-232743-2CHamBNy,server,nowait \
    -device isa-serial,chardev=serial_id_serial0  \
    -chardev socket,id=seabioslog_id_20170615-232743-2CHamBNy,path=/var/tmp/avocado_9Mqshs/seabios-20170615-232743-2CHamBNy,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20170615-232743-2CHamBNy,iobase=0x402 \
    -device ich9-usb-ehci1,id=usb1,addr=0x1d.7,multifunction=on,bus=pci.0 \
    -device ich9-usb-uhci1,id=usb1.0,multifunction=on,masterbus=usb1.0,addr=0x1d.0,firstport=0,bus=pci.0 \
    -device ich9-usb-uhci2,id=usb1.1,multifunction=on,masterbus=usb1.0,addr=0x1d.2,firstport=2,bus=pci.0 \
    -device ich9-usb-uhci3,id=usb1.2,multifunction=on,masterbus=usb1.0,addr=0x1d.4,firstport=4,bus=pci.0 \
    -drive id=drive_image1,if=none,snapshot=off,aio=native,cache=none,format=qcow2,file=/home/kvm_autotest_root/images/rhel74-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=1,bus=pci.0,addr=0x3 \
    -device virtio-net-pci,mac=9a:07:08:09:0a:0b,id=idNwxJpW,vectors=4,netdev=idBKm7hg,bus=pci.0,addr=0x4  \
    -netdev tap,id=idBKm7hg,vhost=on,script=/etc/qemu-ifup \
    -m 8192  \
    -smp 8,cores=4,threads=1,sockets=2  \
    -cpu 'Westmere',+kvm_pv_unhalt \
    -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso \
    -device ide-cd,id=cd1,drive=drive_cd1,bootindex=2,bus=ide.0,unit=0 \
    -drive id=drive_unattended,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=/home/kvm_autotest_root/images/rhel74-64/ks.iso \
    -device ide-cd,id=unattended,drive=drive_unattended,bootindex=3,bus=ide.0,unit=1 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -kernel '/home/kvm_autotest_root/images/rhel74-64/vmlinuz'  \
    -append 'ksdevice=link inst.repo=cdrom:/dev/sr0 inst.ks=cdrom:/dev/sr1:/ks.cfg nicdelay=60 console=ttyS0,115200 console=tty0 biosdevname=0 net.ifnames=0'  \
    -initrd '/home/kvm_autotest_root/images/rhel74-64/initrd.img'  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew  \
    -boot order=cdn,once=d,menu=off,strict=off  \
    -no-shutdown \
    -enable-kvm


2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Suqin Huang 2017-06-16 05:17:24 EDT
I can reproduce with qemu-kvm-rhev-2.6.0-28.el7_3.2.x86_64
Comment 3 Suqin Huang 2017-06-16 05:18:18 EDT
error:

qemu-kvm: -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso: CURL: Error opening file: Peer's certificate issuer has been marked as not trusted by the user.
Comment 4 Hai Huang 2017-06-16 08:28:57 EDT
The reported failure:
qemu-kvm: -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso: CURL: Error opening file: Peer's certificate issuer has been marked as not trusted by the user.

is caused by the host not having the necessary certificate for the https
server 10.66.10.53.

Demonstrating the error without the certificate:
$ wget https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso
--2017-06-16 08:00:36--  https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso
Connecting to 10.66.10.53:443... connected.
ERROR: cannot verify 10.66.10.53's certificate, issued by ‘O=Default Company Ltd,L=Default City,C=XX’:
  Self-signed certificate encountered.
    ERROR: certificate common name ‘’ doesn't match requested host name ‘10.66.10.53’.
To connect to 10.66.10.53 insecurely, use `--no-check-certificate'.

Another demonstration is to launch Firefox and try to access: 
  https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso

Your connection is not secure

  The owner of 10.66.10.53 has configured their website improperly. To protect
  your information from being stolen, Firefox has not connected to this website.
  
By adding the security exception, and confirming the security exception, 
the https access will succeed in Firefox and wget:

wget http://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso
--2017-06-16 08:16:21--  http://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso
Connecting to 10.66.10.53:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4471128064 (4.2G) [application/octet-stream]
Saving to: ‘RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso.1’

       RHEL-7.4-201   0%[                    ]  89.07K  65.7KB/s             

Closing this BZ as NOTABUG.
Comment 5 Suqin Huang 2017-06-19 01:48:14 EDT
need to add file.sslverify=off to cmd
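
An added example, not part of the bug report or of Red Hat's tooling: the two checks behind the wget output in comment 4 (untrusted issuer, then name mismatch), reproduced offline with constructed throwaway certificates, to show what has to be true for the drive to open without `file.sslverify=off`. The function names are hypothetical and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: constructed throwaway certificates, not from the bug report.
# Needs OpenSSL 1.1.1 or later (for -addext). Function names are hypothetical.
HOST_IP=10.66.10.53   # HTTPS server address from the report

# make_cert PREFIX [SAN]: self-signed cert with the subject wget printed
# (no CN); the optional SAN looks like "IP:10.66.10.53".
make_cert() {
    prefix=$1; san=${2:-}
    set -- req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=XX/L=Default City/O=Default Company Ltd" \
        -keyout "$prefix.key" -out "$prefix.crt"
    if [ -n "$san" ]; then set -- "$@" -addext "subjectAltName=$san"; fi
    openssl "$@" 2>/dev/null
}

# check_cert CRT BUNDLE: verify CRT the way a checking client does, against
# the trust bundle BUNDLE, and print which of the two checks fails first.
check_cert() {
    if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo untrusted-issuer      # the error curl/qemu-kvm reported
    elif ! openssl verify -CAfile "$2" -verify_ip "$HOST_IP" "$1" \
            >/dev/null 2>&1; then
        echo name-mismatch         # wget's second error: name does not match
    else
        echo ok
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/other" || return 1               # unrelated cert the host trusts
    make_cert "$dir/reported" || return 1            # certificate as in the report
    make_cert "$dir/fixed" "IP:$HOST_IP" || return 1 # reissued with an IP SAN
    echo "host bundle lacks issuer: $(check_cert "$dir/reported.crt" "$dir/other.crt")"
    echo "issuer trusted, no SAN:   $(check_cert "$dir/reported.crt" "$dir/reported.crt")"
    echo "issuer trusted, IP SAN:   $(check_cert "$dir/fixed.crt" "$dir/fixed.crt")"
    rm -rf "$dir"
}

demo
```

On the RHEL host the matching trust step is to copy the issuing certificate into /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust extract`, assuming the host's libcurl reads the system bundle. The middle case shows that trusting the reported certificate alone still leaves the name check failing until the server certificate carries a subjectAltName for 10.66.10.53.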
