From 5d972ad910c1ffdf11fec7482db805329e8a01fd Mon Sep 17 00:00:00 2001
From: Martin Kletzander
Date: Thu, 11 Nov 2021 15:56:05 +0100
Subject: [PATCH] Add suggestions for virt-pki-query-dn usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

To make it easier for users to figure out how the DN should be formatted.

Signed-off-by: Martin Kletzander
Reviewed-by: Daniel P. Berrangé
---
 docs/remote.html.in | 4 ++++
 src/remote/libvirtd.conf.in | 5 +++++
 src/rpc/virnettlscontext.c | 2 +-
 tests/virconfdata/libvirtd.conf | 4 ++++
 tests/virconfdata/libvirtd.out | 4 ++++
 5 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/docs/remote.html.in b/docs/remote.html.in
index 66f56a3a64..efdb2b3253 100644
--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -259,6 +259,10 @@ Blank lines and comments beginning with # are ignored. Note also that GnuTLS returns DNs without spaces after commas between the fields (and this is what we check against), but the openssl x509 tool shows spaces. +

+ To make it easy to see the order of the fields in the DN a helper executable + virt-pki-query-dn is provided for this particular use case. +

diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
index b18c5885a1..2cd20aaa7f 100644
--- a/src/remote/libvirtd.conf.in
+++ b/src/remote/libvirtd.conf.in
@@ -292,6 +292,11 @@
 #
 # Any * matches any number of consecutive spaces, like a simplified glob(7).
 #
+# The format of the DN for a particular certificate can be queried
+# using:
+#
+# virt-pki-query-dn clientcert.pem
+#
 # NB If this is an empty list, no client can connect, so comment out
 # entirely rather than using empty list to disable these checks
 #
diff --git a/src/rpc/virnettlscontext.c b/src/rpc/virnettlscontext.c
index 3babf3ee4d..1a3dd92676 100644
--- a/src/rpc/virnettlscontext.c
+++ b/src/rpc/virnettlscontext.c
@@ -371,7 +371,7 @@ virNetTLSContextCheckCertDNACL(const char *dname,
 virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
 _("Client's Distinguished Name is not on the list "
 "of allowed clients (tls_allowed_dn_list). Use "
-"'certtool -i --infile clientcert.pem' to view the "
+"'virt-pki-query-dn clientcert.pem' to view the "
 "Distinguished Name field in the client certificate, "
 "or run this daemon with --verbose option."));
 return 0;
diff --git a/tests/virconfdata/libvirtd.conf b/tests/virconfdata/libvirtd.conf
index f4c35e9e43..c5a225e42f 100644
--- a/tests/virconfdata/libvirtd.conf
+++ b/tests/virconfdata/libvirtd.conf
@@ -185,6 +185,10 @@ tls_no_verify_certificate = 1
 #
 # Any * matches any number of consecutive spaces, like a simplified glob(7).
 #
+# The format of the DN for a particular certificate can be queried
+# using:
+#
+# virt-pki-query-dn clientcert.pem
 #
 # NB If this is an empty list, no client can connect, so comment out
 # entirely rather than using empty list to disable these checks
diff --git a/tests/virconfdata/libvirtd.out b/tests/virconfdata/libvirtd.out
index a407c5f189..754bf56ee4 100644
--- a/tests/virconfdata/libvirtd.out
+++ b/tests/virconfdata/libvirtd.out
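Review bot: The rewritten message on the `+` line in virnettlscontext.c tells the operator how to inspect the client certificate but still omits the DN string the server actually compared, even though it is available in this function as the `dname` parameter named in the hunk header; unless it is already logged by code outside the hunk, reporting it here, e.g. `virReportError(VIR_ERR_SYSTEM_ERROR, _("Client's Distinguished Name '%s' is not on the list ..."), dname)` in place of the fixed `"%s"` wrapper, would let an admin correct tls_allowed_dn_list without restarting the daemon with --verbose. Since that DN originates in the peer's certificate, it should be treated as untrusted text wherever it is logged. It would also help to state that the list entry must match the tool's output exactly, given that the docs hunk in this patch notes the GnuTLS-format DN (no spaces after commas) is what is checked against. virNetTLSContextCheckCertDNACL begins before and continues after this hunk.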
@@ -149,6 +149,10 @@ tls_no_verify_certificate = 1
 #
 # Any * matches any number of consecutive spaces, like a simplified glob(7).
 #
+# The format of the DN for a particular certificate can be queried
+# using:
+#
+# virt-pki-query-dn clientcert.pem
 #
 # NB If this is an empty list, no client can connect, so comment out
 # entirely rather than using empty list to disable these checks