To: devel@lists.libvirt.org
Cc: Sebastian Mitterle
Subject: [PATCH v1 1/2] docs/tlscerts: document need for socket activation
Date: Thu, 7 Aug 2025 15:39:10 +0200
Message-ID: <20250807134243.36092-3-smitterl@redhat.com>
In-Reply-To: <20250807134243.36092-1-smitterl@redhat.com>
References: <20250807134243.36092-1-smitterl@redhat.com>
List-Id: Development discussions about the libvirt library & tools
From: Sebastian Mitterle via Devel
Reply-To: Sebastian Mitterle

Mention that the TLS socket needs to be started and the libvirtd or
virtproxyd service might have to be started. If this is not done, the
user might run into connection issues, and it seems this is not
mentioned elsewhere in the docs.

Suggested-by: Daniel P. Berrangé
Signed-off-by: Sebastian Mitterle
Reviewed-by: Daniel P. Berrangé
---
 docs/kbase/tlscerts.rst | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst
index 215d454998..5a1cb4be0d 100644
--- a/docs/kbase/tlscerts.rst
+++ b/docs/kbase/tlscerts.rst
@@ -317,10 +317,32 @@ briefly cover the steps. Troubleshooting TLS certificate problems ---------------------------------------- =20 -failed to verify client's certificate - On the server side, run the libvirtd server with the '--listen' and - '--verbose' options while the client is connecting. The verbose log mes= sages - should tell you enough to diagnose the problem. +* TLS socket + + After setting up your sever certificates you'll have to start libvirt's + tls socket and restart the corresponding daemon if it was already runnin= g, + i.e. + + * for modular daemon setup run + + :: + =20 + systemctl start virtproxyd-tls.socket + systemctl try-start virtproxyd.service + + * for monolithic daemon setup run + + :: + =20 + systemctl start libvirtd-tls.socket + systemctl try-start libvirtd.service + + +* failed to verify client's certificate + + On the server side, run the libvirtd server with the '--listen' and + '--verbose' options while the client is connecting. The verbose log mess= ages + should tell you enough to diagnose the problem. =20 You can use the virt-pki-validate shell script to analyze the setup on the client or server machines, preferably as root. 
It will try to point out the
-- 
2.50.1

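Review bot: `systemctl try-start` in both literal blocks of this hunk is not a systemctl verb, so the command fails as written; the sentence above the blocks says to "restart the corresponding daemon if it was already running", which is `systemctl try-restart virtproxyd.service` and `systemctl try-restart libvirtd.service` (a daemon that is already running does not pick up the newly started TLS socket until it is restarted, while try-restart leaves a stopped daemon alone so the socket can activate it on the first connection). Three smaller points in the same hunk: `systemctl start ...-tls.socket` only lasts until the next reboot, so the text should point at `systemctl enable --now virtproxyd-tls.socket` (respectively `libvirtd-tls.socket`) where the TLS listener is meant to be permanent; "After setting up your sever certificates you'll have to start libvirt's tls socket" should read "server" and "TLS"; and the blank line following each `::` carries trailing whitespace (it shows up as `+ =20` in the quoted-printable body), which `git am` will warn about.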
To: devel@lists.libvirt.org
Cc: Sebastian Mitterle
Subject: [PATCH v1 2/2] docs/tlscerts: mention dropped 'encryption_key'
Date: Thu, 7 Aug 2025 15:39:12 +0200
Message-ID: <20250807134243.36092-5-smitterl@redhat.com>
In-Reply-To: <20250807134243.36092-1-smitterl@redhat.com>
References: <20250807134243.36092-1-smitterl@redhat.com>
List-Id: Development discussions about the libvirt library & tools
From: Sebastian Mitterle via Devel
Reply-To: Sebastian Mitterle

Older libvirt versions still only work if 'encryption_key' is enabled in
the server and client certificates. Add a note.

Suggested-by: Daniel P. Berrangé
Signed-off-by: Sebastian Mitterle
Reviewed-by: Daniel P. Berrangé
---
 docs/kbase/tlscerts.rst | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst
index 5a1cb4be0d..2104e7a88b 100644
--- a/docs/kbase/tlscerts.rst
+++ b/docs/kbase/tlscerts.rst
@@ -104,6 +104,18 @@ connect provided they have a valid certificate issued = by the CA for their own IP address. You may want to change this to make it less (or more) permissive, depending on your needs. =20 +The following sections will describe how to created the data needed for th= e TLS +setup. They use templates to create Certificate Authority, server and clie= nt +certificates. + +Important: versions of libvirt before 11.6.0 also required the ``encryptio= n_key`` +flag in the server and client template. This is no longer mandated since i= t is +not applicable for use with many modern cryptographic algorithms, but it is +harmless if present as it will be ignored. If compatibility with both old = and +new libvirt versions is required, then this extra flag must be added when +creating the certificate. + + Setting up a Certificate Authority (CA) --------------------------------------- =20
-- 
2.50.1
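Review bot: the new "Important:" paragraph tells readers that pre-11.6.0 libvirt needs the ``encryption_key`` flag but not what to do about certificates that were already issued without it; since a key-usage extension cannot be added to an existing certificate, the paragraph should say that the server and client certificates have to be reissued from a template containing the flag when an older libvirt must be supported, and ideally how to check an existing one (`certtool -i --infile <cert>` lists "Key encipherment" under Key Usage when the flag was set). Style points in the same hunk: the file is reStructuredText, so a `.. important::` admonition would render this as a call-out instead of a plain paragraph starting with "Important:"; and "how to created the data needed for the TLS setup" should read "how to create the data".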