Bug 815825 - vdsm - libvirt daemon is not starting: The certificate hasn't got a known issuer.
Status: CLOSED DUPLICATE of bug 806625
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: vdsm
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Assigned To: Douglas Schilling Landgraf
Reported: 2012-04-24 11:35 EDT by Douglas Schilling Landgraf
Modified: 2016-04-18 02:44 EDT
Doc Type: Bug Fix
Clones: 815850
Last Closed: 2012-05-03 22:19:30 EDT
Type: Bug
Description Douglas Schilling Landgraf 2012-04-24 11:35:24 EDT
Description of problem:

/var/log/libvirtd.log says:
2012-04-24 09:55:12.860+0000: 7098: info : libvirt version: 0.9.10, package: 11.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2012-04-10-23:22:55, x86-010.build.bos.redhat.com)
2012-04-24 09:55:12.860+0000: 7098: error : virNetTLSContextCheckCertPair:471 : Our own certificate /etc/pki/vdsm/certs/vdsmcert.pem failed validation against /etc/pki/vdsm/certs/cacert.pem: The certificate hasn't got a known issuer.

This error shows up when registering RHEV-M in the RHEV-H TUI but the host doesn't get approved by the administrator on the RHEV-M side. When the RHEV-H TUI registers a new RHEV-M it will delete the current /etc/pki/vdsm/certs/cacert.pem and put in the new one downloaded from RHEV-M. However, the /etc/pki/vdsm/certs/vdsmcert.pem doesn't recognize this new cacert.pem issuer, and if the host gets rebooted libvirt will fail to start with the above error.

As an example:

Output from openssl (in a clean RHEV-H installation, no registration happened)
# openssl verify -CAfile /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem
vdsmcert.pem: OK

Output from openssl (after registering a new RHEV-M and not getting it approved by administrator)
# openssl verify -CAfile /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate

Expected, since vdsmcert doesn't know about this new cacert, and we have a race condition which can make the libvirt daemon fail to start.

On the other hand, if the host gets approved on the RHEV-M side after the registration step, the vdsmcert is updated and libvirtd will start correctly.
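The check that the two upstream patch titles in Comment 2 describe (validate vdsmcert against the CA, and never overwrite cacert.pem when that fails), written up as an added Python example; this is not vdsm's own deployUtil code. It assumes the openssl CLI is on PATH for the default verifier, and the function names install_cacert and vdsmcert_valid_for_ca are mine.

```python
import os
import subprocess
import tempfile


def vdsmcert_valid_for_ca(ca_path, cert_path):
    """Same check as `openssl verify -CAfile cacert.pem vdsmcert.pem` in the
    report: exit status 0 means the host cert chains to this CA.
    Assumes the openssl CLI is on PATH."""
    result = subprocess.run(
        ["openssl", "verify", "-CAfile", ca_path, cert_path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def install_cacert(new_ca_pem, cacert_path, vdsmcert_path,
                   verify=vdsmcert_valid_for_ca):
    """Install a freshly downloaded CA as cacert_path only if the existing
    vdsmcert still validates against it.

    The candidate CA is written to a temp file in the same directory and
    checked there, so the live cacert.pem is untouched until the check
    passes. A failed check (the unapproved-host case from the report)
    returns False and leaves libvirtd with a consistent cert pair.
    """
    target_dir = os.path.dirname(os.path.abspath(cacert_path))
    fd, candidate = tempfile.mkstemp(dir=target_dir, suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(new_ca_pem)
        if not verify(candidate, vdsmcert_path):
            return False
        os.replace(candidate, cacert_path)  # atomic rename on POSIX
        return True
    finally:
        if os.path.exists(candidate):  # left behind only when refused
            os.unlink(candidate)
```

The `verify` parameter exists so the swap logic can be exercised without real certificates; in production the default openssl-backed check is used.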
Comment 2 Douglas Schilling Landgraf 2012-04-24 12:09:08 EDT
Upstream patches:

BZ#815825 validate vdsmcert against cacert

BZ#815825: deployUtil Do not overwrite cacert.pem
Comment 4 Douglas Schilling Landgraf 2012-05-03 22:19:30 EDT

*** This bug has been marked as a duplicate of bug 806625 ***
