Bug 1949134 - Encrypted migrations fail in 8.4 with "No certificate was found"
Summary: Encrypted migrations fail in 8.4 with "No certificate was found"
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libvirt
Version: 8.4
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 8.4
Assignee: Virtualization Maintenance
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks: 1948376
 
Reported: 2021-04-13 13:50 UTC by Milan Zamazal
Modified: 2021-04-14 11:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-14 11:21:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments
QEMU and libvirt logs (32.49 KB, application/x-xz)
2021-04-13 13:50 UTC, Milan Zamazal

Description Milan Zamazal 2021-04-13 13:50:46 UTC
Created attachment 1771626
QEMU and libvirt logs

Description of problem:

After upgrading from RHEL/AV 8.3 to 8.4, encrypted migrations no longer work in RHV. They fail at the beginning and the destination QEMU log reports:

  qemu-kvm: Verify failed: No certificate was found.

Encrypted migrations from 8.4 to 8.3 hosts still work, but encrypted migrations from 8.3 or 8.4 to 8.4 don't.

Migrations without encryption work normally on 8.4.

Version-Release number of selected component (if applicable):

libvirt-7.0.0-13.module+el8.4.0+10604+5608c2b4.x86_64
qemu-kvm-5.1.0-20.el8.x86_64
kernel-4.18.0-304.el8.x86_64

How reproducible:

100%

Steps to Reproduce:
1. Enable encrypted migrations for a RHV cluster.
2. Try to migrate any VM.

Actual results:

The migration fails at its beginning.

Expected results:

The migration works.

Additional info:

I'm not sure whether it's a problem in libvirt or QEMU.

Attaching libvirt and QEMU logs.

Comment 1 Fangge Jin 2021-04-14 04:25:37 UTC
I think it is due to the change in this RHELAV8.4 bug: Bug 1879477 - The default_tls_x509_verify should default to 1 for migration/chardev/NBD
Before bug 1879477, client cert (on source host) is not needed; after this bug, client cert is needed.

Please confirm whether client-cert.pem and client-key.pem exist in RHV env.

Comment 2 Milan Zamazal 2021-04-14 11:21:55 UTC
The client migration certificates don't exist in RHV. After adding them, encrypted migrations work. Thank you for the explanation.
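
The check requested in comment 1, as an added example that is not part of the original bug report or of libvirt. It assumes the upstream libvirt conventions: configuration in /etc/libvirt/qemu.conf, the keys migrate_tls_x509_cert_dir, default_tls_x509_cert_dir and migrate_tls_x509_verify, the default directory /etc/pki/qemu, and the CA and server file names. Only client-cert.pem, client-key.pem and default_tls_x509_verify come from this page.

```shell
#!/bin/sh
# Added example: report which TLS files a host lacks for encrypted migration.
# Key names, default paths and the ca/server file names are assumptions taken
# from upstream libvirt qemu.conf conventions, not from this bug report.

# conf_get FILE KEY: print the last uncommented value of KEY, quotes stripped.
conf_get() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_migration_tls [QEMU_CONF]: prints one summary line and returns 0 only
# when every file needed under the effective verify setting is present.
check_migration_tls() {
    conf=${1:-/etc/libvirt/qemu.conf}

    # The migration-specific setting wins, then the default_* one, then the
    # built-in default.
    dir=$(conf_get "$conf" migrate_tls_x509_cert_dir)
    [ -n "$dir" ] || dir=$(conf_get "$conf" default_tls_x509_cert_dir)
    [ -n "$dir" ] || dir=/etc/pki/qemu

    verify=$(conf_get "$conf" migrate_tls_x509_verify)
    [ -n "$verify" ] || verify=$(conf_get "$conf" default_tls_x509_verify)
    [ -n "$verify" ] || verify=1   # default after bug 1879477, per comment 1

    # Any host can be a migration source or destination, so it needs both
    # roles. The client pair only matters when the peer verifies certificates.
    required="ca-cert.pem server-cert.pem server-key.pem"
    [ "$verify" = 1 ] && required="$required client-cert.pem client-key.pem"

    missing=""
    for f in $required; do
        # -s: file exists and is non-empty (does not need read access to keys)
        [ -s "$dir/$f" ] || missing="$missing $f"
    done

    echo "cert_dir=$dir verify=$verify missing=${missing# }"
    [ -z "$missing" ]
}

# Usage on each host: check_migration_tls   (or pass another qemu.conf path)
```

On a host in the state described in comment 2 (no client migration certificates), the summary line lists client-cert.pem and client-key.pem as missing and the function returns non-zero.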

