From nobody Mon Sep 8 04:06:14 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=reject dis=none) header.from=lists.libvirt.org ARC-Seal: i=1; a=rsa-sha256; t=1754325116; cv=none; d=zohomail.com; s=zohoarc; b=cVeHkRy9GWZcf8DVoauri3fpHXzC18gc9V3/6oopsF4bMWpERZIBLMk3NzYF3ChHF6fZ/gqU7vGmvm33HnUCGjXFAnjmfOZNPaLn0ZsSKHjcYsTd9k0/5lGOxFtipo09fjKJqVwIHoMovg3RIlNGuOao9d689nNnAavQYmvkR4k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1754325116; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:Subject:Subject:To:To:Message-Id; bh=RHld+zizmm2G2ARf/3OK4ajgBEmkglA3hfE9XJVE7fE=; b=K2yGRBi754ZJC4X4WMFzV8mcnOEV8UPxRsOrxojQQd9LP+QotQTgUIrgHEkHroYmTvVspa1EdBtTDYZPoAfHk6EdqMqRY8glaGq9EVTHy4pty9t/gX2KHdTq0CSjA4Eae7IewBOnj6LX9vUS3aK6cj47QFrjGDJF06hcQqwSpFc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1754325116518480.89945958850024; Mon, 4 Aug 2025 09:31:56 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 4F3D8BAB; Mon, 4 Aug 2025 12:31:55 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id B7C0FB48; Mon, 4 Aug 2025 12:31:30 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 8788CB39; Mon, 4 Aug 2025 12:31:27 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 58A60B38 for ; Mon, 4 Aug 2025 12:31:26 -0400 (EDT) Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-414-t_ZCm3VUOK-zwPxMnrnUVw-1; Mon, 04 Aug 2025 12:31:23 -0400 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 8E95B19373E5 for ; Mon, 4 Aug 2025 16:31:22 +0000 (UTC) Received: from smitterl-thinkpadp1gen4i.remote.csb (unknown [10.45.224.251]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 46E341800B4F; Mon, 4 Aug 2025 16:31:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: ** X-Spam-Status: No, score=2.8 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H5, RCVD_IN_MSPIKE_WL,RCVD_IN_SBL_CSS,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_PASS autolearn=no autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1754325086; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=IloU7aL6e7pTmJI5rKLzreqS7N2+lqAD2/ZuGo0F0nc=; b=RNCG7BTwyhhL54EExTuVrerSth0MPPvFPLXMfVNLzWr+54tD031Z+fp1nbRKmhj6AABGVO tIWkr641pjxNjmB1tl1s6NQktBhmKDj2nVc4IvG+/illnHcjs7kQ9w7m4+D/zVk03OINS0 krIzf4y017jty9Vl9yQaqPcus2hfrE0= X-MC-Unique: t_ZCm3VUOK-zwPxMnrnUVw-1 X-Mimecast-MFC-AGG-ID: t_ZCm3VUOK-zwPxMnrnUVw_1754325082 To: devel@lists.libvirt.org Subject: [PATCH] docs: kbase/tlscerts: mention dropped 'encryption_key' Date: Mon, 4 Aug 2025 18:31:14 +0200 Message-ID: <20250804163116.36030-1-smitterl@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: V1PX7dLB8l8Y_6OEacIpS8_w0D3hEUuiUsyx5lWbLJw_1754325082 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: 5PR5RSDEVNLYIOGXZTOQRXD44H66E32D X-Message-ID-Hash: 5PR5RSDEVNLYIOGXZTOQRXD44H66E32D X-MailFrom: smitterl@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header CC: Sebastian Mitterle X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: From: Sebastian Mitterle via Devel Reply-To: Sebastian Mitterle X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1754325119017116600 Content-Type: text/plain; charset="utf-8"; x-default="true" Older libvirt versions still only work if 'encryption_key' is enabled in the server and client certificates. Add a note. While at it, also add a note that after setting the certificates up, the TLS ports need to be restarted because I haven't found a mention of it elsewhere. Signed-off-by: Sebastian Mitterle --- docs/kbase/tlscerts.rst | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index 215d454998..a1ea4d5f21 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -213,6 +213,10 @@ clients to reach the server, both with and without dom= ain name qualifiers. If clients are likely to connect to the server by IP address, then one or more 'ip_address' fields should also be added. =20 +Important: If you're running a libvirt version before 11.6.0 you need to a= lso add +``encryption_key`` to the template. Previous versions required this. + + Use the template file as input to a ``certtool`` command to sign the server certificate: =20 @@ -299,7 +303,11 @@ briefly cover the steps. tls_www_client signing_key =20 - and sign by doing: + + Important: If you're running a libvirt version before 11.6.0 you need t= o also add + ``encryption_key`` to the template. Previous versions required this. + + Create the certificate by running: =20 :: =20 @@ -317,10 +325,17 @@ briefly cover the steps. Troubleshooting TLS certificate problems ---------------------------------------- =20 -failed to verify client's certificate - On the server side, run the libvirtd server with the '--listen' and - '--verbose' options while the client is connecting. The verbose log mes= sages - should tell you enough to diagnose the problem. +* TLS socket + + After setting up your server certificates you'll have to restart the TLS= socket + ``systemctl restart virtproxyd-tls.socket`` for modular daemon setup, or + ``systemctl restart libvirtd-tls.socket`` for the monolithic daemon setu= p. + +* failed to verify client's certificate + + On the server side, run the libvirtd server with the '--listen' and + '--verbose' options while the client is connecting. The verbose log mess= ages + should tell you enough to diagnose the problem. =20 You can use the virt-pki-validate shell script to analyze the setup on the client or server machines, preferably as root. It will try to point out the --=20 2.50.1