Description of problem:

/var/log/libvirtd.log says:
===============================
2012-04-24 09:55:12.860+0000: 7098: info : libvirt version: 0.9.10, package: 11.el6 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2012-04-10-23:22:55, x86-010.build.bos.redhat.com)
2012-04-24 09:55:12.860+0000: 7098: error : virNetTLSContextCheckCertPair:471 : Our own certificate /etc/pki/vdsm/certs/vdsmcert.pem failed validation against /etc/pki/vdsm/certs/cacert.pem: The certificate hasn't got a known issuer.
=========

This error shows up when registering RHEV-M on RHEV-H TUI but on RHEV-M side the host doesn't get approved by the Administrator. When RHEV-H TUI register a new RHEV-M it will delete the current /etc/pki/vdsm/certs/cacert.pem and put the new one downloaded from RHEV-M. However, the /etc/pki/vdsm/certs/vdsmcert.pem doens't recognize this new cacert.pem issuer and if the host get rebooted libvirt will fail to start with the above error.

As example:

Output from openssl (in a clean RHEV-H installation, no register happened)
===========================================================================
# openssl verify -CAfile /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem
vdsmcert.pem: OK

Output from openssl (after registering a new RHEV-M and not getting it approved by administrator)
=============================================================================
# openssl verify -CAfile /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/certs/vdsmcert.pem
error 20 at 0 depth lookup: unable to get local issuer certificate

Expected since we vdsmcert doesn't know about this new cacert and we achieved a race condition which can make libvirt daemon fail to start.

On the other hand, if the host get approved on RHEV-M side after the registration step, the vdsmcert is updated and libvirtd will start correctly.