To: devel@lists.libvirt.org
Subject: [PATCH v1 1/2] docs/tlscerts: document need for socket activation
Date: Thu, 7 Aug 2025 15:39:10 +0200
Message-ID: <20250807134243.36092-3-smitterl@redhat.com>
In-Reply-To: <20250807134243.36092-1-smitterl@redhat.com>
References: <20250807134243.36092-1-smitterl@redhat.com>
CC: Sebastian Mitterle
List-Id: Development discussions about the libvirt library & tools
From: Sebastian Mitterle via Devel
Reply-To: Sebastian Mitterle

Mention that the tls socket needs to be started and the libvirtd or virtproxyd service might have to be started. If this is not done the user might run into connection issues and it seems this is not mentioned elsewhere in the docs.

Suggested-by: Daniel P. Berrangé
Signed-off-by: Sebastian Mitterle
---
docs/kbase/tlscerts.rst | 30 ++++++++++++++++++++++++++----
1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index 215d454998..5a1cb4be0d 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -317,10 +317,32 @@ briefly cover the steps. Troubleshooting TLS certificate problems ---------------------------------------- =20 -failed to verify client's certificate - On the server side, run the libvirtd server with the '--listen' and - '--verbose' options while the client is connecting. The verbose log mes= sages - should tell you enough to diagnose the problem. +* TLS socket + + After setting up your sever certificates you'll have to start libvirt's + tls socket and restart the corresponding daemon if it was already runnin= g, + i.e. + + * for modular daemon setup run + + :: + =20 + systemctl start virtproxyd-tls.socket + systemctl try-start virtproxyd.service + + * for monolithic daemon setup run + + :: + =20 + systemctl start libvirtd-tls.socket + systemctl try-start libvirtd.service + + +* failed to verify client's certificate + + On the server side, run the libvirtd server with the '--listen' and + '--verbose' options while the client is connecting. The verbose log mess= ages + should tell you enough to diagnose the problem. =20 You can use the virt-pki-validate shell script to analyze the setup on the client or server machines, preferably as root. It will try to point out the --=20 2.50.1
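
Review bot: `systemctl try-start` in both added command blocks is not a systemctl verb, so the second command in each block fails. The sentence above the commands says to restart the daemon "if it was already running", which is what `try-restart` does, so these should read `systemctl try-restart virtproxyd.service` and `systemctl try-restart libvirtd.service`. In the same new paragraph, "sever certificates" should be "server certificates". The re-indented "failed to verify client's certificate" item still tells the reader to run libvirtd with '--listen', which does not combine with the socket activation introduced in the item above it; that item should say which setup the advice applies to. The commit message says the service "might have to be started" while the added text says "restart", so one of the two should be adjusted to match the other.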