RHEL-58933

Libvirt reports unclear error if TLS Certificate does not match the hostname

    • Yes
    • Low
    • rhel-sst-virtualization
    • ssg_virtualization
    • x86_64

      What were you trying to do that didn't work?

      Libvirt reports an unclear error if the TLS certificate does not match the hostname

      What is the impact of this issue to you?

      Error message is not clear and this error message used to be "Certificate does not match the hostname xxx.com"

      Please provide the package NVR for which the bug is seen:

      libvirt-10.5.0-5.el10.x86_64
      libvirt-10.5.0-7.el9_5.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. prepare qemu tls file on source and target for migration
      # ls /etc/pki/qemu/* 
      /etc/pki/qemu/ca-cert.pem /etc/pki/qemu/ca-key.pem /etc/pki/qemu/server-cert.pem /etc/pki/qemu/server-key.pem 
       
      2. set default_tls_x509_verify and migrate_tls_x509_verify in qemu.conf 
      # cat /etc/libvirt/qemu.conf
      default_tls_x509_verify = 0
      migrate_tls_x509_verify = 0
      
      3. start a vm and migrate it to a target host using a wrong tls destination
      # virsh migrate vm2 qemu+ssh://target_host/system --live --tls --tls-destination xxx.com --p2p
      error: internal error: QEMU unexpectedly closed the monitor (vm='vm2'): 2024-09-14T08:18:16.597435Z qemu-kvm: Not a migration stream 2024-09-14T08:18:16.597495Z qemu-kvm: load of migration failed: Invalid argument
      

      Expected results error:

      operation failed: job 'migration out' failed: Certificate does not match the hostname xxx.com

      Actual results error:

      internal error: QEMU unexpectedly closed the monitor (vm='vm2'): 2024-09-14T08:18:16.597435Z qemu-kvm: Not a migration stream 2024-09-14T08:18:16.597495Z qemu-kvm: load of migration failed: Invalid argument

      Additional Info

      From the virtqemud debug log, you can see that qemu reports a clear error "Certificate does not match the hostname xxx.com", but libvirt reports an unclear error to the user: "Not a migration stream"

       2024-09-14 08:18:16.596+0000: 460013: debug : qemuProcessHandleMigrationStatus:1456 : Migration of domain 0x7f37cc08a220 vm2 changed state to failed
      2024-09-14 08:18:16.596+0000: 460013: debug : qemuMonitorJSONIOProcessLine:191 : Line [{"return": {}, "id": "libvirt-22"}] 
      2024-09-14 08:18:16.596+0000: 460013: info : qemuMonitorJSONIOProcessLine:210 : QEMU_MONITOR_RECV_REPLY: mon=0x7f37b4001b30 reply={"return": {}, "id": "libvirt-22"}
      2024-09-14 08:18:16.596+0000: 459989: debug : qemuDomainObjExitMonitor:6585 : Exited monitor (mon=0x7f37b4001b30 vm=0x7f37cc08a220 name=vm2)
      2024-09-14 08:18:16.597+0000: 459989: debug : qemuDomainObjEnterMonitorInternal:6556 : Entering monitor (mon=0x7f37b4001b30 vm=0x7f37cc08a220 name=vm2)
      2024-09-14 08:18:16.597+0000: 459989: debug : qemuMonitorGetMigrationStats:2207 : mon:0x7f37b4001b30 vm:0x7f37cc08a220 fd:19
      2024-09-14 08:18:16.597+0000: 459989: info : qemuMonitorSend:838 : QEMU_MONITOR_SEND_MSG: mon=0x7f37b4001b30 msg={"execute":"query-migrate","id":"libvirt-23"}^M fd=-1
      2024-09-14 08:18:16.597+0000: 460013: info : qemuMonitorIOWrite:339 : QEMU_MONITOR_IO_WRITE: mon=0x7f37b4001b30 buf={"execute":"query-migrate","id":"libvirt-23"}^M len=47 ret=47 errno=0
      2024-09-14 08:18:16.597+0000: 460013: debug : qemuMonitorJSONIOProcessLine:191 : Line [{"return": {"status": "failed", "error-desc": "Certificate does not match the hostname xxx.com"}, "id": "libvirt-23"}]
      2024-09-14 08:18:16.597+0000: 460013: info : qemuMonitorJSONIOProcessLine:210 : QEMU_MONITOR_RECV_REPLY: mon=0x7f37b4001b30 reply={"return": {"status": "failed", "error-desc": "Certificate does not match the hostname xxx.com"}, "id": "libvirt-23"}
      2024-09-14 08:18:16.598+0000: 459989: debug : qemuDomainObjExitMonitor:6585 : Exited monitor (mon=0x7f37b4001b30 vm=0x7f37cc08a220 name=vm2)
      2024-09-14 08:18:16.598+0000: 459989: error : qemuMigrationJobCheckStatus:1919 : operation failed: job 'migration out' failed: Certificate does not match the hostname xxx.com
      2024-09-14 08:18:16.598+0000: 459989: debug : qemuMigrationSrcPerformPeer2Peer3:5749 : Finish3 0x7f38240047d0 ret=-1
      2024-09-14 08:18:16.598+0000: 459989: debug : qemuDomainObjEnterRemote:6666 : Entering remote (vm=0x7f37cc08a220 name=vm2)
      2024-09-14 08:18:16.886+0000: 459989: error : virNetClientProgramDispatchError:170 : internal error: QEMU unexpectedly closed the monitor (vm='vm2'):
      2024-09-14T08:18:16.597435Z qemu-kvm: Not a migration stream
      2024-09-14T08:18:16.597495Z qemu-kvm: load of migration failed: Invalid argument
      2024-09-14 08:18:16.886+0000: 459989: debug : qemuDomainObjExitRemote:6677 : Exited remote (vm=0x7f37cc08a220 name=vm2)
      2024-09-14 08:18:16.886+0000: 459989: debug : qemuMigrationSrcPerformPeer2Peer3:5829 : Confirm3 0x7f37fc000f70 cancelled=1 vm=0x7f37cc08a220
      

              jdenemar@redhat.com Jiri Denemark
              rhn-support-lhuang Luyao Huang
              virt-maint virt-maint
              Luyao Huang Luyao Huang
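Added example, not part of the original report or of libvirt: a small triage script that pulls QEMU's own failure reason (the "error-desc" field of a failed monitor reply) out of a virtqemud debug log and flags when the last error libvirt logged no longer contains it. The sample lines are constructed by trimming the log quoted above; the function names, and treating the last error-level line as the one shown to the user, are assumptions of this example.

```python
import json
import re

# Constructed sample: four lines trimmed from the virtqemud debug log in the report.
SAMPLE_LOG = """\
2024-09-14 08:18:16.596+0000: 460013: info : qemuMonitorJSONIOProcessLine:210 : QEMU_MONITOR_RECV_REPLY: mon=0x7f37b4001b30 reply={"return": {}, "id": "libvirt-22"}
2024-09-14 08:18:16.597+0000: 460013: info : qemuMonitorJSONIOProcessLine:210 : QEMU_MONITOR_RECV_REPLY: mon=0x7f37b4001b30 reply={"return": {"status": "failed", "error-desc": "Certificate does not match the hostname xxx.com"}, "id": "libvirt-23"}
2024-09-14 08:18:16.598+0000: 459989: error : qemuMigrationJobCheckStatus:1919 : operation failed: job 'migration out' failed: Certificate does not match the hostname xxx.com
2024-09-14 08:18:16.886+0000: 459989: error : virNetClientProgramDispatchError:170 : internal error: QEMU unexpectedly closed the monitor (vm='vm2'):
"""

REPLY_RE = re.compile(
    r"^(\S+ \S+): \d+: info : .*QEMU_MONITOR_RECV_REPLY: mon=\S+ reply=(\{.*\})\s*$")
ERROR_RE = re.compile(r"^(\S+ \S+): \d+: error : \S+ : (.*)$")


def qemu_failure_causes(log_text):
    """Return (timestamp, error-desc) for each monitor reply with status 'failed'."""
    causes = []
    for line in log_text.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            continue
        try:
            ret = json.loads(m.group(2)).get("return")
        except json.JSONDecodeError:
            continue  # truncated or wrapped log line
        if isinstance(ret, dict) and ret.get("status") == "failed":
            causes.append((m.group(1), ret.get("error-desc", "<no error-desc>")))
    return causes


def triage(log_text):
    """Compare QEMU's own failure reason with the last error libvirt logged."""
    causes = qemu_failure_causes(log_text)
    lines = (line.strip() for line in log_text.splitlines())
    errors = [m.group(2) for m in map(ERROR_RE.match, lines) if m]
    last_error = errors[-1] if errors else None
    # Masked: QEMU gave a reason, but the final error (assumed user-visible) omits it.
    masked = bool(causes) and (last_error is None or causes[-1][1] not in last_error)
    return {"causes": causes, "last_error": last_error, "masked": masked}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```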