Bug 1462125 - Peer's certificate issue when boot with https drive
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Hai Huang
QA Contact: Virtualization Bugs
Reported: 2017-06-16 09:16 UTC by Suqin Huang
Modified: 2017-07-23 04:39 UTC (History)
Last Closed: 2017-06-16 12:28:57 UTC

Description Suqin Huang 2017-06-16 09:16:49 UTC
Description of problem:


Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.9.0-10.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install guest with iso in https server

cmd:
    -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso \
    -device ide-cd,id=cd1,drive=drive_cd1,bootindex=2,bus=ide.0,unit=0 \


full cmd:

/usr/libexec/qemu-kvm \
    -S  \
    -name 'avocado-vt-vm1'  \
    -sandbox off  \
    -machine pc  \
    -nodefaults  \
    -vga cirrus  \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/var/tmp/avocado_9Mqshs/monitor-qmpmonitor1-20170615-232743-2CHamBNy,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control  \
    -chardev socket,id=qmp_id_catch_monitor,path=/var/tmp/avocado_9Mqshs/monitor-catch_monitor-20170615-232743-2CHamBNy,server,nowait \
    -mon chardev=qmp_id_catch_monitor,mode=control \
    -device pvpanic,ioport=0x505,id=idcGKndE  \
    -chardev socket,id=serial_id_serial0,path=/var/tmp/avocado_9Mqshs/serial-serial0-20170615-232743-2CHamBNy,server,nowait \
    -device isa-serial,chardev=serial_id_serial0  \
    -chardev socket,id=seabioslog_id_20170615-232743-2CHamBNy,path=/var/tmp/avocado_9Mqshs/seabios-20170615-232743-2CHamBNy,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20170615-232743-2CHamBNy,iobase=0x402 \
    -device ich9-usb-ehci1,id=usb1,addr=0x1d.7,multifunction=on,bus=pci.0 \
    -device ich9-usb-uhci1,id=usb1.0,multifunction=on,masterbus=usb1.0,addr=0x1d.0,firstport=0,bus=pci.0 \
    -device ich9-usb-uhci2,id=usb1.1,multifunction=on,masterbus=usb1.0,addr=0x1d.2,firstport=2,bus=pci.0 \
    -device ich9-usb-uhci3,id=usb1.2,multifunction=on,masterbus=usb1.0,addr=0x1d.4,firstport=4,bus=pci.0 \
    -drive id=drive_image1,if=none,snapshot=off,aio=native,cache=none,format=qcow2,file=/home/kvm_autotest_root/images/rhel74-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=1,bus=pci.0,addr=0x3 \
    -device virtio-net-pci,mac=9a:07:08:09:0a:0b,id=idNwxJpW,vectors=4,netdev=idBKm7hg,bus=pci.0,addr=0x4  \
    -netdev tap,id=idBKm7hg,vhost=on,script=/etc/qemu-ifup \
    -m 8192  \
    -smp 8,cores=4,threads=1,sockets=2  \
    -cpu 'Westmere',+kvm_pv_unhalt \
    -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso \
    -device ide-cd,id=cd1,drive=drive_cd1,bootindex=2,bus=ide.0,unit=0 \
    -drive id=drive_unattended,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=/home/kvm_autotest_root/images/rhel74-64/ks.iso \
    -device ide-cd,id=unattended,drive=drive_unattended,bootindex=3,bus=ide.0,unit=1 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -kernel '/home/kvm_autotest_root/images/rhel74-64/vmlinuz'  \
    -append 'ksdevice=link inst.repo=cdrom:/dev/sr0 inst.ks=cdrom:/dev/sr1:/ks.cfg nicdelay=60 console=ttyS0,115200 console=tty0 biosdevname=0 net.ifnames=0'  \
    -initrd '/home/kvm_autotest_root/images/rhel74-64/initrd.img'  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew  \
    -boot order=cdn,once=d,menu=off,strict=off  \
    -no-shutdown \
    -enable-kvm


2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Suqin Huang 2017-06-16 09:17:24 UTC
I can reproduce with qemu-kvm-rhev-2.6.0-28.el7_3.2.x86_64

Comment 3 Suqin Huang 2017-06-16 09:18:18 UTC
error:

qemu-kvm: -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso: CURL: Error opening file: Peer's certificate issuer has been marked as not trusted by the user.

Comment 4 Hai Huang 2017-06-16 12:28:57 UTC
The reported failure:
qemu-kvm: -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso: CURL: Error opening file: Peer's certificate issuer has been marked as not trusted by the user.

is caused by the host not having the necessary certificate for the https
server 10.66.10.53.

Demonstrating the error without the certificate:
$ wget https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso
--2017-06-16 08:00:36--  https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso
Connecting to 10.66.10.53:443... connected.
ERROR: cannot verify 10.66.10.53's certificate, issued by ‘O=Default Company Ltd,L=Default City,C=XX’:
  Self-signed certificate encountered.
    ERROR: certificate common name ‘’ doesn't match requested host name ‘10.66.10.53’.
To connect to 10.66.10.53 insecurely, use `--no-check-certificate'.

Another demonstration is to launch Firefox and try to access: 
  https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso

Your connection is not secure

  The owner of 10.66.10.53 has configured their website improperly. To protect
  your information from being stolen, Firefox has not connected to this website.
  
By adding the security exception, and confirming the security exception, 
the https access will succeed in Firefox and wget:

wget http://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso
--2017-06-16 08:16:21--  http://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso
Connecting to 10.66.10.53:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4471128064 (4.2G) [application/octet-stream]
Saving to: ‘RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso.1’

       RHEL-7.4-201   0%[                    ]  89.07K  65.7KB/s             

Closing this BZ as NOTABUG.

Comment 5 Suqin Huang 2017-06-19 05:48:14 UTC
need to add file.sslverify=off to cmd
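
The `file.sslverify=off` option from comment 5 turns off certificate checking for that drive, so it helps to be able to find where it is in use. An added example, not part of the bug report or of QEMU: a POSIX shell function that lists the https/ftps `-drive` entries on a QEMU command line with their verification state. The function name and the second and third sample drives are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list TLS-backed -drive entries on a
# QEMU command line and whether certificate verification is still enabled.

# First drive is the one from this report; the second is constructed and
# carries the option from comment 5; the third is a constructed local image.
SAMPLE_CMD='/usr/libexec/qemu-kvm \
    -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=https://10.66.10.53/test/RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso \
    -drive id=drive_cd2,if=none,media=cdrom,file=https://10.66.10.53/test/second.iso,file.sslverify=off \
    -drive id=drive_image1,if=none,format=qcow2,file=/images/disk.qcow2'

# audit_drives CMDLINE  (hypothetical helper name)
# Prints "<drive id> <scheme> verify=on|off" for every https/ftps drive.
# Splits on whitespace only, so quoted arguments containing spaces are not
# reassembled; that is enough to find "-drive <spec>" pairs.
audit_drives() {
    _cmdline=$1
    _old_ifs=$IFS
    set -f                          # no pathname expansion while splitting
    set -- $_cmdline
    while [ $# -gt 0 ]; do
        if [ "$1" = "-drive" ] && [ $# -ge 2 ]; then
            _id='(no id)'; _scheme=''; _verify=on
            IFS=,                   # drive options are comma-separated
            for _opt in $2; do
                case $_opt in
                    id=*)               _id=${_opt#id=} ;;
                    file=https://*)     _scheme=https ;;
                    file=ftps://*)      _scheme=ftps ;;
                    file.sslverify=off) _verify=off ;;
                esac
            done
            IFS=$_old_ifs
            # Local files and plain http/ftp drives have no TLS to verify.
            [ -n "$_scheme" ] && echo "$_id $_scheme verify=$_verify"
        fi
        shift
    done
    set +f
    return 0
}

audit_drives "$SAMPLE_CMD"
```

Lines ending in `verify=off` are drives that accept any server certificate, including the self-signed one shown in comment 4.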
