Bug 529179 - Better error messages for CA's certificates lacking basicConstraints=CA:TRUE extension
Product: Virtualization Tools
Classification: Community
Component: libvirt
Hardware/OS: All Linux
Priority: low, Severity: medium
Assigned To: Daniel Veillard
Reported: 2009-10-15 07:22 EDT by Daniel Berrange
Modified: 2012-04-17 10:22 EDT
Doc Type: Bug Fix
Last Closed: 2012-04-17 10:22:18 EDT
Attachments: None
Description Daniel Berrange 2009-10-15 07:22:19 EDT
Some products create certificates without the basicConstraints=CA:TRUE extension. This causes gnutls to treat the certificate as untrusted when libvirtd tries to validate it.

 libvirtd: 17:17:21.919: error : remoteCheckCertificate: the client certificate is not trusted. 
 libvirtd: 17:17:21.919: error : remoteCheckCertificate: failed to verify client's certificate 

While the error message is technically correct, it is not helpful for users trying to figure out what is wrong with their certs. It is very easy to create broken CA certs like this using the openssl command line tool, so it would be better if libvirt could detect this particular scenario and log a more explicit message.

e.g. the troublesome cert shows

#      Extensions:

while a good cert shows

#       Extensions:
#               Basic Constraints (critical):
#                       Certificate Authority (CA): TRUE
#               Key Usage (critical):
#                       Certificate signing.
#               Subject Key Identifier (not critical):
#                       f2a0611cc5f3d8491e225bb215cff6a64192db5f
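As an added example (not part of the bug report and not libvirt's code), the POSIX shell script below uses the openssl CLI to build one good CA certificate and one that is not usable as a CA, then performs the explicit basicConstraints check the report asks for, so the problem is named instead of surfacing as a bare "not trusted". The script, its function names and the sample certificates are assumptions of this example; it assumes openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not libvirt's own code. Assumes the openssl CLI (1.1.1+).

# Return 0 if the PEM certificate in $1 carries basicConstraints with
# CA:TRUE, 1 otherwise; this is what gnutls requires before it will
# accept a certificate as a CA.
has_ca_basic_constraints() {
    openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null \
        | grep -q 'CA:TRUE'
}

# The libvirt-style diagnostic the report asks for: say exactly what is
# wrong. Prints one line; returns 0 (usable CA) or 1 (not usable as CA).
check_ca_cert() {
    if has_ca_basic_constraints "$1"; then
        echo "OK: $1 has basicConstraints=CA:TRUE"
        return 0
    fi
    echo "ERROR: $1 lacks the basicConstraints=CA:TRUE extension;" \
         "certificates it signed will be rejected as untrusted" >&2
    return 1
}

# Constructed sample input: a good CA cert and a broken one in a scratch
# directory. The minimal config keeps the system openssl.cnf extension
# sections out of the picture, so -addext alone decides what each cert
# carries (CA:FALSE stands in for the missing extension from the report,
# since recent openssl adds CA:TRUE by default and -addext overrides it).
# Prints the directory path.
make_sample_certs() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\n' > "$d/min.cnf"
    for pair in "good:critical,CA:TRUE" "broken:CA:FALSE"; do
        name=${pair%%:*}
        bc=${pair#*:}
        openssl req -x509 -config "$d/min.cnf" -newkey rsa:2048 -nodes \
            -days 1 -subj "/CN=$name CA" -addext "basicConstraints=$bc" \
            -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null
    done
    echo "$d"
}

# Usage: sh check-ca.sh /path/to/cacert.pem
if [ -n "${1:-}" ]; then
    check_ca_cert "$1"
fi
```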
Comment 1 Daniel Berrange 2011-07-15 08:00:14 EDT
This patch adds such checking

Comment 2 Cole Robinson 2012-04-17 10:22:18 EDT
Been upstream for a while
