RHEL-112085

qemu-nbd with TLS exports image fails with Certificate $server-cert.pem usage does not permit key encipherment



      What were you trying to do that didn't work?

      qemu-nbd with TLS exports image fails with Certificate $server-cert.pem usage does not permit key encipherment

      Please provide the package NVR for which the bug is seen:

      gnutls-3.8.10-2.el10.x86_64

      crypto-policies-20250804-1.git2ca4115.el10.noarch

      kernel-6.12.0-119.el10.x86_64

      qemu-kvm-10.0.0-10.el10.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      Step 1: Set Variables and Create Directories

      First, define your variables and create the necessary directories for the certificates.

      hostname="dell-per760-14.lab.eng.pek2.redhat.com"
      host_ip="10.73.194.29"

      server_dir="/etc/pki/qemu-nbd"
      client_dir="/etc/pki/qemu-kvm"

      # Delete and recreate directories to ensure a clean environment
      sudo rm -rf "$server_dir" "$client_dir"
      sudo mkdir -p "$server_dir" "$client_dir"

      echo "Certificate directories created: $server_dir and $client_dir"

      Step 2: Generate the Certificate Authority (CA) Key and Certificate

      This step creates the root CA for your TLS environment.

      # Generate the CA private key with the ML-DSA-65 algorithm.
      # certtool's --outfile is used instead of a shell redirection so the file is written
      # by the sudo'd certtool rather than by the unprivileged shell.
      sudo certtool --generate-privkey --key-type=mldsa65 --outfile "$server_dir/ca-key.pem"

      # Create the CA certificate information file
      cat <<EOF | sudo tee "$server_dir/ca.info"
      cn = $hostname
      ca
      cert_signing_key
      EOF

      # Generate the self-signed CA certificate
      sudo certtool --generate-self-signed --load-privkey "$server_dir/ca-key.pem" \
          --template "$server_dir/ca.info" --outfile "$server_dir/ca-cert.pem"

      echo "CA key and certificate generated."

      Step 3: Generate the Server Key and Certificate

      This step generates the key and a signed certificate for your NBD server.

      # Generate the server private key with the ML-DSA-65 algorithm
      sudo certtool --generate-privkey --key-type=mldsa65 --outfile "$server_dir/server-key.pem"

      # Create the server certificate information file.
      # encryption_key requests the keyEncipherment usage, which a signature-only
      # ML-DSA key cannot provide; the issued certificate ends up without it.
      cat <<EOF | sudo tee "$server_dir/server.info"
      organization = AUTOTEST.QEMU
      cn = $hostname
      dns_name = $hostname
      ip_address = $host_ip
      tls_www_server
      encryption_key
      signing_key
      EOF

      # Generate the server certificate signed by the CA
      sudo certtool --generate-certificate --load-privkey "$server_dir/server-key.pem" \
          --load-ca-certificate "$server_dir/ca-cert.pem" \
          --load-ca-privkey "$server_dir/ca-key.pem" \
          --template "$server_dir/server.info" --outfile "$server_dir/server-cert.pem"

      echo "Server key and certificate generated."

      Step 4: Generate the Client Key and Certificate

      This step generates the key and a signed certificate for your NBD client.

      # Copy the CA certificate and key to the client directory
      sudo cp -rp "$server_dir/ca-cert.pem" "$client_dir/"
      sudo cp -rp "$server_dir/ca-key.pem" "$client_dir/"

      # Generate the client private key with the ML-DSA-65 algorithm
      sudo certtool --generate-privkey --key-type=mldsa65 --outfile "$client_dir/client-key.pem"

      # Create the client certificate information file
      cat <<EOF | sudo tee "$client_dir/client.info"
      organization = AUTOTEST.QEMU
      cn = $hostname
      tls_www_client
      encryption_key
      signing_key
      EOF

      # Generate the client certificate signed by the CA
      sudo certtool --generate-certificate --load-privkey "$client_dir/client-key.pem" \
          --load-ca-certificate "$client_dir/ca-cert.pem" \
          --load-ca-privkey "$client_dir/ca-key.pem" \
          --template "$client_dir/client.info" --outfile "$client_dir/client-cert.pem"

      echo "Client key and certificate generated."

      Step 5: Create the image and export it via NBD (run as root; "#" below is the shell prompt, not a comment)

      # qemu-img create -f raw os.img 20G
      # qemu-nbd -f raw --object tls-creds-x509,id=os_raw_server,endpoint=server,dir=/etc/pki/qemu-nbd --tls-creds os_raw_server os.img
      qemu-nbd: Certificate /etc/pki/qemu-nbd/server-cert.pem usage does not permit key encipherment
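As an added diagnostic that is not part of this report or of QEMU's code, the script below decodes the KeyUsage extension of a certificate and applies the leaf/CA acceptance rule that produces the error above: ML-DSA is a signature-only algorithm, so server-cert.pem carries a critical KeyUsage of digitalSignature alone, without the keyEncipherment bit the server-side check still demands. The mirrored rule is my reading of QEMU's crypto/tlscredsx509.c and is an assumption, and the three extension blobs at the end are constructed samples, not bytes from the ticket.

```python
import base64, re

# X.509 KeyUsage bit names in BIT STRING order (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
KEY_USAGE_OID = b"\x06\x03\x55\x1d\x0f"      # DER encoding of OID 2.5.29.15 (keyUsage)

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def key_usage(der):
    """(set of usage names, critical flag), or None if there is no KeyUsage extension."""
    i = der.find(KEY_USAGE_OID)              # locate the extension by its OID; fine for a diagnostic
    if i < 0:
        return None
    tag, val, pos = _tlv(der, i + len(KEY_USAGE_OID))
    critical = tag == 0x01 and val != b"\x00"   # optional BOOLEAN critical precedes the value
    if tag == 0x01:
        tag, val, pos = _tlv(der, pos)
    _, bits, _ = _tlv(val, 0)                # OCTET STRING wraps the BIT STRING
    unused, data = bits[0], bits[1:]
    nbits = min(len(data) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[b] for b in range(nbits) if data[b // 8] & (0x80 >> (b % 8))}, critical

def qemu_style_check(der, cert_file, is_ca=False):
    """Assumed mirror of QEMU's tlscredsx509.c rule: a critical KeyUsage lacking a required bit is fatal."""
    ku = key_usage(der)
    if ku is None:
        return None                          # no extension: usage is unrestricted
    names, critical = ku
    required = [("keyCertSign", "certificate signing")] if is_ca else \
        [("digitalSignature", "digital signature"), ("keyEncipherment", "key encipherment")]
    for bit, what in required:
        if critical and bit not in names:
            return f"Certificate {cert_file} usage does not permit {what}"
    return None

KU_SIG_ONLY_CRITICAL = bytes.fromhex("300e0603551d0f0101ff040403020780")  # constructed: digitalSignature, critical
KU_SIG_AND_ENC = bytes.fromhex("300b0603551d0f0404030205a0")              # constructed: + keyEncipherment, non-critical
KU_CA_CERT_SIGN = bytes.fromhex("300e0603551d0f0101ff040403020204")       # constructed: keyCertSign, critical
```

On a host set up as in step 3, `qemu_style_check(pem_to_der(open("/etc/pki/qemu-nbd/server-cert.pem").read()), "/etc/pki/qemu-nbd/server-cert.pem")` returns the exact message qemu-nbd printed, and `key_usage(...)` on the same bytes shows which bits certtool actually encoded.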

      Expected results

      qemu-nbd exports the image successfully.

      Actual results

      As above.

              Tingting Mao (timao@redhat.com)
              virt-maint