X509 certificate is missing basic constraints for a CA when starting libvirtd
This document (000019820) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Starting libvirtd with TLS enabled, as outlined here:
https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-libvirt-connect.html#sec-libvirt-connect-remote-tls-server
after using the gensslcert command as shown here:
https://www.suse.com/c/generating-self-signed-ssl-certificates/
produces an error message in "journalctl -xe -u libvirtd":
libvirtd[30638]: The certificate /etc/pki/CA/cacert.pem is missing basic constraints for a CA
Resolution
If it is not possible to update the server, please contact Support for assistance applying a temporary fix.
Cause
The script /usr/bin/gensslcert does not add the extensions that set the basic constraint to CA:true:
x509_extensions = v3_ca
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
basicConstraints = critical,CA:true
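To check a CA certificate for the condition libvirtd reports, the following added example (not part of the SUSE article and not the gensslcert script) builds two throwaway self-signed certificates, one without extensions and one with the v3_ca section quoted above, and tests each for CA:TRUE. The subject name, file names and the helper functions are assumptions made for the demonstration; it needs the openssl command line tool.

```shell
#!/bin/sh
# Added example: CN, file names and temp paths are constructed for this demo.

# Return 0 when the PEM certificate carries basicConstraints with CA:TRUE.
has_ca_basic_constraints() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Create a throwaway self-signed certificate: $1 = openssl config, $2 = output.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Build both certificates in a temp dir and print the directory name.
build_demo_certs() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/plain.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constructed Test CA
EOF
    # Same request plus the extension section shown in the Cause section.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Constructed Test CA
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
    make_selfsigned "$dir/plain.cnf" "$dir/plain.pem" &&
    make_selfsigned "$dir/ca.cnf" "$dir/ca.pem" &&
    echo "$dir"
}

demo_dir=$(build_demo_certs) || exit 1
for cert in plain.pem ca.pem; do
    if has_ca_basic_constraints "$demo_dir/$cert"; then
        echo "$cert: CA:TRUE present"
    else
        echo "$cert: missing basic constraints for a CA"
    fi
done
```

The same has_ca_basic_constraints check can be pointed at /etc/pki/CA/cacert.pem before restarting libvirtd.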
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000019820
- Creation Date: 04-Jan-2021
- Modified Date: 02-Apr-2024
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com