/etc/pki/libvirt/servercert.pem has expired

Presentation

It is pretty easy to set up a KVM host on RHEL 7/CentOS 7: a few packages to install and you are ready to host VMs. Most of the setup work is done for you.

However, you need to be aware of some assumptions made by this easy installation. One of them is the validity period of the generated TLS certificates: 1 year!

Once that year has passed and you reboot the KVM host (or restart the service), the libvirt daemon no longer starts, leaving the message "journal: The server certificate /etc/pki/libvirt/servercert.pem has expired" in the /var/log/messages file. Nothing warns you beforehand: a running libvirtd keeps working with an expired certificate until it is restarted.

Fortunately, the procedure to follow is well documented on the libvirt website. However, that documentation covers the more complex case of a professional setup with several KVM hosts.

This tutorial details the case of a home setup with a single KVM host.

We will assume that your KVM host is called kvm.mydomain.com.

Main Directories Involved

In a default KVM installation on RHEL 7/CentOS 7, you get the following main directories:

  • /etc/pki/CA where the public Certificate Authority certificate is stored,
  • /etc/pki/CA/private where the private Certificate Authority key is located,
  • /etc/pki/libvirt where the public KVM host server certificate is stored,
  • /etc/pki/libvirt/private where the private KVM host server key is located.

CA Certificate Generation

To create a new KVM host server certificate valid for more than 1 year, you first need to create a new CA certificate: the generated CA has the same 1-year default, and a server certificate is only trusted while the CA that signed it is still valid.

# cd /etc/pki/CA/private

Create a file called certificate_authority_template.info and paste the following lines into it:

cn = mydomain.com
ca
cert_signing_key
expiration_days = 2000

Note: expiration_days defaults to 365 (1 year). Here we use 2000 days, i.e. more than 5 years. Give the CA at least the validity you intend to give the certificates it signs, since a certificate stops being trusted as soon as its CA expires.

Then, generate the CA private key (the umask makes the file readable by root only, mode 0400, from the moment it is created):

# (umask 277 && certtool --generate-privkey > certificate_authority_key.pem)
Generating a 2048 bit RSA private key...

Now, combine the CA template and the CA key into a self-signed CA certificate:

# certtool --generate-self-signed \
           --template certificate_authority_template.info \
           --load-privkey certificate_authority_key.pem \
           --outfile certificate_authority_certificate.pem

Next, copy the new CA certificate to the location and default name libvirt expects (cacert.pem):

# cp -p certificate_authority_certificate.pem ../cacert.pem

Finally, you have to set the correct permissions:

# chmod 444 /etc/pki/CA/cacert.pem
# restorecon /etc/pki/CA/cacert.pem

KVM Host Certificate Generation

To sign the KVM host certificate you need both the CA certificate and the CA private key. This tutorial copies them into /etc/pki/libvirt/private so that the following commands can use relative paths:

# cp -p certificate_authority_certificate.pem certificate_authority_key.pem /etc/pki/libvirt/private

Keep in mind that the CA private key does not belong in that directory: anyone who can read it can issue certificates that your host and clients will trust. Delete the copy (certificate_authority_key.pem) once the server certificate and, optionally, the client certificate below have been generated, and keep the original only under /etc/pki/CA/private. Then, go into the /etc/pki/libvirt/private directory:

# cd /etc/pki/libvirt/private

Create a file called server_template.info and paste the following lines into it. The cn must be the name clients use to reach the host (kvm.mydomain.com here, not just kvm), because a TLS client checks the server certificate against the host name it connected to; the dns_name line puts the same name into the Subject Alternative Name, which is what current TLS clients check first:

organization = mydomain.com
cn = kvm.mydomain.com
dns_name = kvm.mydomain.com
tls_www_server
encryption_key
signing_key
expiration_days = 2000

Next, generate the KVM host private key:

# (umask 277 && certtool --generate-privkey > serverkey.pem)
Generating a 2048 bit RSA private key...

Now, sign the host key with the CA to obtain the KVM host certificate:

# certtool --generate-certificate \
           --template server_template.info \
           --load-privkey serverkey.pem \
           --load-ca-certificate certificate_authority_certificate.pem \
           --load-ca-privkey certificate_authority_key.pem \
           --outfile server_certificate.pem

Next, copy the new KVM host certificate to the location and default name libvirt expects (servercert.pem):

# cp -p server_certificate.pem ../servercert.pem

Finally, you have to set the correct permissions:

# chmod 440 /etc/pki/libvirt/private/serverkey.pem
# chgrp qemu /etc/pki/libvirt/private/serverkey.pem
# restorecon /etc/pki/libvirt/private/serverkey.pem
# chmod 440 /etc/pki/libvirt/servercert.pem
# chgrp qemu /etc/pki/libvirt/servercert.pem
# restorecon /etc/pki/libvirt/servercert.pem

At this point, the libvirtd daemon should start again:

# systemctl start libvirtd
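The CA and server steps above, collected into one script as an added example (this is not the original post's code nor libvirt's own tooling). It differs from the tutorial in two ways a practitioner would want: the CA private key is read in place under the CA directory and never copied into /etc/pki/libvirt/private, and the new servercert.pem is verified against cacert.pem before libvirtd is restarted. PKI_ROOT, KVM_FQDN and DAYS are my own overridable variables so the script can be tried in a scratch directory first; the group and SELinux fix-ups only run where they make sense.

```shell
#!/bin/sh
# Added example, not part of the original post: regenerate the libvirt CA and
# KVM host certificate in one go, reading the CA private key in place under
# $PKI_ROOT/CA/private instead of copying it into the libvirt directory.
# Assumptions (mine, not the page's): PKI_ROOT, KVM_FQDN and DAYS may be
# overridden from the environment; 2000-day validity as in the post.
set -eu

PKI_ROOT="${PKI_ROOT:-/etc/pki}"
KVM_FQDN="${KVM_FQDN:-kvm.mydomain.com}"
DAYS="${DAYS:-2000}"              # validity in days, as in the post
CA_DIR="$PKI_ROOT/CA"
LIBVIRT_DIR="$PKI_ROOT/libvirt"
DOMAIN="${KVM_FQDN#*.}"           # kvm.mydomain.com -> mydomain.com

# Step 1: CA private key (mode 0400 via the umask) and self-signed CA cert.
gen_ca() {
    mkdir -p "$CA_DIR/private"
    cat > "$CA_DIR/private/ca_template.info" <<EOF
cn = $DOMAIN
ca
cert_signing_key
expiration_days = $DAYS
EOF
    (umask 277 && certtool --generate-privkey > "$CA_DIR/private/cakey.pem")
    certtool --generate-self-signed \
        --template "$CA_DIR/private/ca_template.info" \
        --load-privkey "$CA_DIR/private/cakey.pem" \
        --outfile "$CA_DIR/cacert.pem"
    chmod 444 "$CA_DIR/cacert.pem"
}

# Step 2: host key and certificate signed by the CA. CN and SAN dns_name both
# carry the name clients connect to, which is the name they verify.
gen_server() {
    mkdir -p "$LIBVIRT_DIR/private"
    cat > "$LIBVIRT_DIR/private/server_template.info" <<EOF
organization = $DOMAIN
cn = $KVM_FQDN
dns_name = $KVM_FQDN
tls_www_server
encryption_key
signing_key
expiration_days = $DAYS
EOF
    (umask 277 && certtool --generate-privkey > "$LIBVIRT_DIR/private/serverkey.pem")
    certtool --generate-certificate \
        --template "$LIBVIRT_DIR/private/server_template.info" \
        --load-privkey "$LIBVIRT_DIR/private/serverkey.pem" \
        --load-ca-certificate "$CA_DIR/cacert.pem" \
        --load-ca-privkey "$CA_DIR/private/cakey.pem" \
        --outfile "$LIBVIRT_DIR/servercert.pem"
    chmod 440 "$LIBVIRT_DIR/private/serverkey.pem" "$LIBVIRT_DIR/servercert.pem"
    # The post hands key and cert to group qemu; only root can chgrp and the
    # group only exists on a real KVM host, so skip it elsewhere.
    if [ "$(id -u)" -eq 0 ] && getent group qemu >/dev/null 2>&1; then
        chgrp qemu "$LIBVIRT_DIR/private/serverkey.pem" "$LIBVIRT_DIR/servercert.pem"
    fi
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon "$LIBVIRT_DIR/private/serverkey.pem" "$LIBVIRT_DIR/servercert.pem"
    fi
}

# Step 3: check that servercert.pem really chains to cacert.pem before
# touching libvirtd. Returns certtool's exit status (0 = verified).
verify_server() {
    certtool --verify --load-ca-certificate "$CA_DIR/cacert.pem" \
        --infile "$LIBVIRT_DIR/servercert.pem" >/dev/null 2>&1
}

main() {
    gen_ca
    gen_server
    verify_server
    echo "certificates in $LIBVIRT_DIR verified against $CA_DIR/cacert.pem"
    if [ "$PKI_ROOT" = /etc/pki ]; then
        systemctl restart libvirtd
    fi
}

# Only act when invoked as "sh regen-libvirt-certs.sh apply".
case "${1:-}" in
    apply) main ;;
esac
```

Try it first with PKI_ROOT=/tmp/pki-test sh regen-libvirt-certs.sh apply and inspect the result with certtool -i; only then run it as root against /etc/pki. The client certificate follows the same pattern with a tls_www_client template.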

KVM Client Certificate Generation

Optionally, you may also need a new KVM client certificate (used when connecting to the host remotely over qemu+tls://). Its subject fields are free-form unless you restrict accepted clients with tls_allowed_dn_list in libvirtd.conf, in which case the DN must match that list. Create a file called client_template.info in /etc/pki/libvirt/private and paste the following lines into it:

country = DE
state = Berlin
locality = Berlin
organization = mydomain.com
cn = kvm
tls_www_client
encryption_key
signing_key
expiration_days = 2000

Then, generate the KVM client private key:

# (umask 277 && certtool --generate-privkey > clientkey.pem)
Generating a 2048 bit RSA private key...

Now, sign the client key with the CA to obtain the KVM client certificate:

# certtool --generate-certificate \
           --template client_template.info \
           --load-privkey clientkey.pem \
           --load-ca-certificate certificate_authority_certificate.pem \
           --load-ca-privkey certificate_authority_key.pem \
           --outfile client_certificate.pem

Next, copy the new KVM client certificate to the location and default name libvirt expects (clientcert.pem):

# cp -p client_certificate.pem ../clientcert.pem

Finally, you have to set the correct permissions:

# chmod 400 /etc/pki/libvirt/private/clientkey.pem
# restorecon /etc/pki/libvirt/private/clientkey.pem
# chmod 400 /etc/pki/libvirt/clientcert.pem
# restorecon /etc/pki/libvirt/clientcert.pem

Source: Libvirt website.

Certificate Expiration Date

At any time you can check the expiry date of a given certificate (here servercert.pem):

# certtool -i --infile /etc/pki/libvirt/servercert.pem | grep "Not After"
        Not After: Thu Jul 01 11:11:49 UTC 2021
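Since the failure only shows up at the next restart, it is worth turning that check into a scheduled warning. The following is an added example (not from the original post) that parses the "Not After" line above into a number of days left and exits non-zero when a certificate is close to expiry; it assumes GNU date (the -d option), as shipped on RHEL/CentOS, and the paths used in this tutorial.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the "Not After" line from
# certtool -i into a number of days left, so a cron job can warn long before
# libvirtd refuses to start. Assumes GNU date (date -d), as on RHEL/CentOS.

# Convert "Not After: Thu Jul 01 11:11:49 UTC 2021" (certtool -i output) into a
# Unix timestamp. Leading whitespace and the label are stripped first.
not_after_epoch() {
    date -u -d "${1#*Not After: }" +%s
}

# Whole days between a reference instant ($2, default now) and expiry ($1).
# Negative means already expired.
days_until() {
    ref="${2:-$(date -u +%s)}"
    echo $(( ($1 - ref) / 86400 ))
}

# Print days left for a PEM certificate; return 1 if it expires within $2 days
# (default 30), 2 if certtool cannot read the file.
check_cert_expiry() {
    cert="$1"
    warn_days="${2:-30}"
    line="$(certtool -i --infile "$cert" 2>/dev/null | grep 'Not After')" || return 2
    left="$(days_until "$(not_after_epoch "$line")")"
    echo "$cert: $left day(s) left"
    [ "$left" -gt "$warn_days" ]
}

# Run daily from cron as "sh check-libvirt-certs.sh run": checks the CA and
# server certificates and exits non-zero (cron mails the output) when any of
# them is within 30 days of expiry.
case "${1:-}" in
    run)
        rc=0
        for f in /etc/pki/CA/cacert.pem /etc/pki/libvirt/servercert.pem; do
            check_cert_expiry "$f" 30 || rc=1
        done
        exit "$rc"
        ;;
esac
```

Check cacert.pem as well as servercert.pem: the server certificate becomes useless the day the CA expires, whatever its own Not After says.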

Source: https://blog.diaboliko.net/linux/rhel7-deal-kvm-certificate-expiration/