Bug 1462125 - Peer's certificate issue when boot with https drive
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Severity: medium
Assigned To: Hai Huang
Virtualization Bugs
Reported: 2017-06-16 05:16 EDT by Suqin Huang
Modified: 2017-07-23 00:39 EDT (History)
Last Closed: 2017-06-16 08:28:57 EDT
Type: Bug
Description Suqin Huang 2017-06-16 05:16:49 EDT
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install guest with an ISO on an https server

    -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file= \
    -device ide-cd,id=cd1,drive=drive_cd1,bootindex=2,bus=ide.0,unit=0 \

full cmd:

/usr/libexec/qemu-kvm \
    -S  \
    -name 'avocado-vt-vm1'  \
    -sandbox off  \
    -machine pc  \
    -nodefaults  \
    -vga cirrus  \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/var/tmp/avocado_9Mqshs/monitor-qmpmonitor1-20170615-232743-2CHamBNy,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control  \
    -chardev socket,id=qmp_id_catch_monitor,path=/var/tmp/avocado_9Mqshs/monitor-catch_monitor-20170615-232743-2CHamBNy,server,nowait \
    -mon chardev=qmp_id_catch_monitor,mode=control \
    -device pvpanic,ioport=0x505,id=idcGKndE  \
    -chardev socket,id=serial_id_serial0,path=/var/tmp/avocado_9Mqshs/serial-serial0-20170615-232743-2CHamBNy,server,nowait \
    -device isa-serial,chardev=serial_id_serial0  \
    -chardev socket,id=seabioslog_id_20170615-232743-2CHamBNy,path=/var/tmp/avocado_9Mqshs/seabios-20170615-232743-2CHamBNy,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20170615-232743-2CHamBNy,iobase=0x402 \
    -device ich9-usb-ehci1,id=usb1,addr=0x1d.7,multifunction=on,bus=pci.0 \
    -device ich9-usb-uhci1,id=usb1.0,multifunction=on,masterbus=usb1.0,addr=0x1d.0,firstport=0,bus=pci.0 \
    -device ich9-usb-uhci2,id=usb1.1,multifunction=on,masterbus=usb1.0,addr=0x1d.2,firstport=2,bus=pci.0 \
    -device ich9-usb-uhci3,id=usb1.2,multifunction=on,masterbus=usb1.0,addr=0x1d.4,firstport=4,bus=pci.0 \
    -drive id=drive_image1,if=none,snapshot=off,aio=native,cache=none,format=qcow2,file=/home/kvm_autotest_root/images/rhel74-64-virtio.qcow2 \
    -device virtio-blk-pci,id=image1,drive=drive_image1,bootindex=1,bus=pci.0,addr=0x3 \
    -device virtio-net-pci,mac=9a:07:08:09:0a:0b,id=idNwxJpW,vectors=4,netdev=idBKm7hg,bus=pci.0,addr=0x4  \
    -netdev tap,id=idBKm7hg,vhost=on,script=/etc/qemu-ifup \
    -m 8192  \
    -smp 8,cores=4,threads=1,sockets=2  \
    -cpu 'Westmere',+kvm_pv_unhalt \
    -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file= \
    -device ide-cd,id=cd1,drive=drive_cd1,bootindex=2,bus=ide.0,unit=0 \
    -drive id=drive_unattended,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file=/home/kvm_autotest_root/images/rhel74-64/ks.iso \
    -device ide-cd,id=unattended,drive=drive_unattended,bootindex=3,bus=ide.0,unit=1 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -kernel '/home/kvm_autotest_root/images/rhel74-64/vmlinuz'  \
    -append 'ksdevice=link inst.repo=cdrom:/dev/sr0 inst.ks=cdrom:/dev/sr1:/ks.cfg nicdelay=60 console=ttyS0,115200 console=tty0 biosdevname=0 net.ifnames=0'  \
    -initrd '/home/kvm_autotest_root/images/rhel74-64/initrd.img'  \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew  \
    -boot order=cdn,once=d,menu=off,strict=off  \
    -no-shutdown \


Actual results:

Expected results:

Additional info:
Comment 2 Suqin Huang 2017-06-16 05:17:24 EDT
I can reproduce with qemu-kvm-rhev-2.6.0-28.el7_3.2.x86_64
Comment 3 Suqin Huang 2017-06-16 05:18:18 EDT

qemu-kvm: -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file= CURL: Error opening file: Peer's certificate issuer has been marked as not trusted by the user.
Comment 4 Hai Huang 2017-06-16 08:28:57 EDT
The reported failure:
qemu-kvm: -drive id=drive_cd1,if=none,snapshot=off,aio=native,cache=none,media=cdrom,file= CURL: Error opening file: Peer's certificate issuer has been marked as not trusted by the user.

is caused by the host not having the necessary certificate for the https

Demonstrating the error without the certificate:
$ wget
--2017-06-16 08:00:36--
Connecting to connected.
ERROR: cannot verify's certificate, issued by ‘O=Default Company Ltd,L=Default City,C=XX’:
  Self-signed certificate encountered.
    ERROR: certificate common name ‘’ doesn't match requested host name ‘’.
To connect to insecurely, use `--no-check-certificate'.

Another demonstration is to launch Firefox and try to access:

Your connection is not secure

  The owner of has configured their website improperly. To protect
  your information from being stolen, Firefox has not connected to this website.
By adding the security exception, and confirming the security exception, 
the https access will succeed in Firefox and wget:

--2017-06-16 08:16:21--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 4471128064 (4.2G) [application/octet-stream]
Saving to: ‘RHEL-7.4-20170608.3-Server-x86_64-dvd1.iso.1’

       RHEL-7.4-201   0%[                    ]  89.07K  65.7KB/s             

Closing this BZ as NOTABUG.
Comment 5 Suqin Huang 2017-06-19 01:48:14 EDT
need to add file.sslverify=off to cmd
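
An added example, not part of the original bug comments: instead of turning verification off with file.sslverify=off, this script checks that the server certificate chains to a trusted anchor and matches the host name (the two errors wget printed in comment 4) before emitting the -drive file options with verification left on. The host names, file names and the functions make_selfsigned, cert_trusted and drive_file_arg are constructed for illustration; the certificates are throwaway ones generated locally.

```shell
#!/bin/sh
# Added example, not from the bug report. Host and file names are constructed.

# make_selfsigned DIR HOST: throwaway self-signed certificate with the same
# default subject fields wget printed in comment 4, plus CN=HOST.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# cert_trusted CERT BUNDLE HOST: succeeds only if CERT chains to an anchor in
# BUNDLE and names HOST, i.e. neither wget error would occur.
cert_trusted() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# drive_file_arg URL CERT BUNDLE: print the file options for -drive with
# verification left on, or refuse and point at the host trust store.
drive_file_arg() {
    host=${1#https://}; host=${host%%/*}; host=${host%%:*}
    if cert_trusted "$2" "$3" "$host"; then
        printf 'file.driver=https,file.url=%s,file.sslverify=on\n' "$1"
    else
        echo "untrusted: copy the server CA to /etc/pki/ca-trust/source/anchors/" >&2
        echo "and run update-ca-trust extract, rather than file.sslverify=off" >&2
        return 1
    fi
}

# Demo on constructed data: the same certificate is rejected against an
# unrelated bundle and accepted once it is the trust anchor.
demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" iso.example.test || return 1
    make_selfsigned "$d" other.example.test || return 1
    drive_file_arg https://iso.example.test/dvd.iso "$d/iso.example.test.pem" \
        "$d/other.example.test.pem" || echo "refused (issuer not trusted)"
    drive_file_arg https://iso.example.test/dvd.iso "$d/iso.example.test.pem" \
        "$d/iso.example.test.pem"
    rm -rf "$d"
}
demo
```

On a RHEL host the BUNDLE argument would be the system bundle, /etc/pki/tls/certs/ca-bundle.crt, which update-ca-trust regenerates.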
