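Damn capitalism, what a piece of junk. A colleague generated the key last year, and now it has expired. I asked him whether he had set an expiry on it and he said no; it turns out the default validity is one year.
This afternoon I had just finished installing 10 virtual machines, bingo, but when I went to install 10 more it was over. It said:

    error: server verification (of your certificate or IP address) failed

I was puzzled: why could nothing connect all of a sudden?!
After trying again and again, I uninstalled libvirt: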

    [root@kvm134002.sqa.cm4 ~]# sudo yum remove libvirt-0.8.7-23tb.el6.x86_64 \
        libvirt-client-0.8.7-23tb.el6.x86_64 libvirt-debuginfo-0.8.7-23tb.el6.x86_64 \
        libvirt-python-0.8.7-23tb.el6.x86_64 libvirt-devel-0.8.7-23tb.el6.x86_64
    Loaded plugins: branch, product-id, refresh-packagekit, subscription-manager
    Updating Red Hat repositories.
    Setting up Remove Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package libvirt.x86_64 0:0.8.7-23tb.el6 will be erased
    ---> Package libvirt-client.x86_64 0:0.8.7-23tb.el6 will be erased
    ---> Package libvirt-debuginfo.x86_64 0:0.8.7-23tb.el6 will be erased
    ---> Package libvirt-devel.x86_64 0:0.8.7-23tb.el6 will be erased
    ---> Package libvirt-python.x86_64 0:0.8.7-23tb.el6 will be erased
    --> Finished Dependency Resolution
    Removed:
      libvirt.x86_64 0:0.8.7-23tb.el6 libvirt-client.x86_64 0:0.8.7-23tb.el6 libvirt-debuginfo.x86_64 0:0.8.7-23tb.el6
      libvirt-devel.x86_64 0:0.8.7-23tb.el6 libvirt-python.x86_64 0:0.8.7-23tb.el6

Then I reinstalled it:

    [root@kvm134002.sqa.cm4 x86_64]# rpm -ivh *
    Preparing...                ########################################### [100%]
       1:libvirt-client         ########################################### [ 20%]
       2:libvirt                ########################################### [ 40%]
       3:libvirt-devel          ########################################### [ 60%]
       4:libvirt-python         ########################################### [ 80%]
       5:libvirt-debuginfo      ########################################### [100%]

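I even redid my changes to the conf file, but the same problem remained. Ugh. With no other option, I decided that if I was redoing things I might as well be thorough, so I regenerated the certificate files too,
and suddenly it worked. Thinking back, my colleague was doing this vmms development at about this time last year, so it really does look like the certificates had expired: a one-year validity.
So evil. Why does it have to expire, and why does it need a TLS connection on top of that, sigh. The vmms that is under development now is more dependable, haha.
While I'm at it, here are the commands for generating the ca_file: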

    lingjiao.lc@opstest097104 ~/ca_file $ cat server.info
    organization = www.taobao.com
    cn = opstest097104.sqa.cm4
    tls_www_server
    encryption_key
    signing_key

    lingjiao.lc@opstest097104 ~/ca_file $ cat client.info
    country = China
    state = Hangzhou
    locality = Hangzhou
    organization = www.taobao.com
    cn = opstest097104.sqa.cm4
    tls_www_client
    encryption_key
    signing_key

    lingjiao.lc@opstest097104 ~/ca_file $ cat ca.info
    cn = www.taobao.com
    ca
    cert_signing_key

Generate cacert.pem. Once it is generated, store it at the ca_file path given in the libvirt configuration file; both the server and the client need this file.

    certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem

Generate the private key files:

    certtool --generate-privkey > cakey.pem
    certtool --generate-privkey > serverkey.pem
    certtool --generate-privkey > clientkey.pem

Then use the public and private keys from above to generate the certificates:

    certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem \
        --load-ca-privkey cakey.pem --template server.info --outfile servercert.pem

    certtool --generate-certificate --load-privkey clientkey.pem --load-ca-certificate cacert.pem \
        --load-ca-privkey cakey.pem --template client.info --outfile clientcert.pem

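Put servercert.pem in the /etc/pki/libvirt/ directory on the server, and serverkey.pem in the /etc/pki/libvirt/private directory on the server.
Put clientcert.pem in the /etc/pki/libvirt/ directory on the client, and clientkey.pem in the /etc/pki/libvirt/private directory on the client.
OK, restart libvirt at this point and connections work normally again.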
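
The outage above came from certificates quietly reaching the end of their validity, so here is an added example (not part of the original post) that checks certificate files and flags any that expire within a given number of days. It assumes the openssl command is installed; the function names and the script name check_certs.sh are hypothetical.

```shell
#!/bin/sh
# Added example: report libvirt TLS certificates that are close to expiry.
# Note: a certtool template may also set "expiration_days = N" to choose the
# validity period explicitly instead of relying on the default.

# cert_status FILE DAYS
#   returns 0 if FILE is still valid DAYS days from now,
#           1 if it expires within DAYS days (or already has),
#           2 if FILE cannot be read or parsed as a certificate.
cert_status() {
    cs_file=$1
    cs_days=$2
    openssl x509 -in "$cs_file" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$cs_file" -noout \
            -checkend "$((cs_days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# check_libvirt_certs DAYS FILE...
#   prints one line per file and returns the worst status seen.
check_libvirt_certs() {
    cl_days=$1
    shift
    cl_worst=0
    for cl_file in "$@"; do
        cl_rc=0
        cert_status "$cl_file" "$cl_days" || cl_rc=$?
        case $cl_rc in
            0) echo "OK         $cl_file" ;;
            1) echo "EXPIRING   $cl_file $(openssl x509 -in "$cl_file" -noout -enddate)" ;;
            *) echo "UNREADABLE $cl_file" ;;
        esac
        if [ "$cl_rc" -gt "$cl_worst" ]; then cl_worst=$cl_rc; fi
    done
    return "$cl_worst"
}

# Run only when arguments are given, e.g. from cron on the server:
#   sh check_certs.sh 30 /etc/pki/libvirt/servercert.pem <ca_file path>
if [ "$#" -ge 2 ]; then
    check_libvirt_certs "$@"
fi
```

The exit status is non-zero when any file is expiring or unreadable, so a cron job or monitoring check can alert on it before connections start failing.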