Hi, OK, I'm not really understanding why this fails (since I give the CA-cert as well as the certificate to verify in both cases), but either way it doesn't matter. My point: all certificates based on a self-signed CA-certificate cease working with libvirt with the testing package while still being valid, and I'd consider it a bug, whether I used the wrong command to try to give you guys clues or not.
BR Jo

On Sunday, 22.06.2014, 19:54 +0200, Andreas Metzler wrote:
> On 2014-06-22 Jo Drexl <jo.dr...@poly-tick.de> wrote:
> > On Sunday, 22.06.2014, 08:22 +0200, Andreas Metzler wrote:
> >> On 2014-06-22 Jo Drexl <jo.dr...@poly-tick.de> wrote:
> >>> After installing the stable package and rerunning 'certtool -e
> >>> --load-ca-certificate cacert.pem --infile servercert.pem', the outcome
> >>> was:
> >> [...]
> >>> It seems the self-sign for snakeoil CAs is broken.
> >>> Good luck, I don't think I'm of much use here, still playing around and
> >>> trying to find out what I'm doing here ;)
>
> >> You are trying to use -e but you are passing a single certificate
> >> instead of a certificate chain.
>
> >> | -e, --verify-chain
> >> | Verify a PEM encoded certificate chain.
> >> |
> >> | The last certificate in the chain must be a self signed one.
>
> >> If you used --verify instead the command would succeed.
>
> > Sure I do only give him one ca-certificate - because it's the next and
> > last one in the chain and is self-signed (certtool
> > --generate-self-signed --load-privkey cakey.pem --template ca.info
> > --outfile cacert.pem). I did follow the howto step by step.
>
> Hello,
>
> I am not sure you are understanding me correctly. -e needs a chain as
> infile. You are passing a single non-self-signed certificate.
>
> i.e. while either of these succeed
>
> * certtool --verify --load-ca-certificate cacert.pem --infile \
>   servercert.pem
> * cat servercert.pem cacert.pem > chain.pem && \
>   certtool --verify-chain --infile chain.pem
>
> this one always fails:
>
> * certtool --verify-chain file-containing-only-a-single-non-self-signed-cert
>
> cu Andreas
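The distinction Andreas draws between `--verify` (one certificate checked against a trusted CA you load separately) and `--verify-chain` (a PEM file that must end in a self-signed certificate, each certificate signed by the one after it) can be made concrete in code. The following is an added example, not code from the thread, GnuTLS or libvirt: it builds a throwaway self-signed CA and a server certificate in memory with the `cryptography` package (assumed installed) and re-implements both checks, so the three invocations from the reply can be tried without any files. The function names (`verify_chain`, `verify_against_ca`, `build_test_pki`) and the certificate names are made up for the illustration.

```python
"""Re-implement the two certtool verification modes from the thread.

`verify_against_ca`  ~ certtool --verify --load-ca-certificate cacert.pem --infile servercert.pem
`verify_chain`       ~ certtool --verify-chain --infile chain.pem
The CA and server certificate are constructed here with `cryptography`
(assumed installed); they are not the poster's snakeoil files.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def _make_cert(subject_cn, issuer_cn, pubkey, signing_key, is_ca):
    """Build a minimal X.509 certificate (constructed test data, one-year validity)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def build_test_pki():
    """Return (cacert_pem, servercert_pem): a self-signed CA and a server cert it issued."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cn = "Example Snakeoil CA"  # constructed name
    cacert = _make_cert(ca_cn, ca_cn, ca_key.public_key(), ca_key, True)
    servercert = _make_cert("libvirt.example.test", ca_cn, srv_key.public_key(), ca_key, False)
    enc = serialization.Encoding.PEM
    return cacert.public_bytes(enc), servercert.public_bytes(enc)


def load_pem_chain(chain_pem):
    """Split a PEM file into certificates, in file order (leaf first, as certtool expects)."""
    certs = []
    for block in chain_pem.split(PEM_END):
        start = block.find(PEM_BEGIN)
        if start != -1:
            certs.append(x509.load_pem_x509_certificate(block[start:] + PEM_END + b"\n"))
    return certs


def is_signed_by(cert, issuer_cert):
    """True if `cert` names `issuer_cert` as issuer and the signature checks under its key."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def is_self_signed(cert):
    return is_signed_by(cert, cert)


def verify_chain(chain_pem):
    """The -e/--verify-chain contract: last cert self-signed, each cert signed by the next."""
    certs = load_pem_chain(chain_pem)
    if not certs:
        return False, "no certificates in input"
    if not is_self_signed(certs[-1]):
        return False, "last certificate in the chain is not self-signed"
    for child, parent in zip(certs, certs[1:]):
        if not is_signed_by(child, parent):
            return False, f"'{child.subject.rfc4514_string()}' is not signed by the next certificate"
    return True, "chain verified"


def verify_against_ca(cert_pem, cacert_pem):
    """The --verify contract: one certificate checked against a separately loaded CA."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca = x509.load_pem_x509_certificate(cacert_pem)
    return is_signed_by(cert, ca)


if __name__ == "__main__":
    ca_pem, srv_pem = build_test_pki()
    print("--verify servercert against cacert:", verify_against_ca(srv_pem, ca_pem))
    print("--verify-chain servercert only    :", verify_chain(srv_pem))
    print("--verify-chain servercert+cacert  :", verify_chain(srv_pem + ca_pem))
```

Feeding only `servercert.pem` to `verify_chain` fails with exactly the condition the man page excerpt names (the last certificate is not self-signed), while the same certificate passes `verify_against_ca`, and the concatenated `servercert.pem cacert.pem` order passes the chain check. Reversing the concatenation order fails too, which is why the leaf has to come first in `chain.pem`.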