X509 certificate is missing basic constraints for a CA when starting libvirtd
This document (000019820) is provided subject to the disclaimer at the end of this document.
When trying to start libvirtd with TLS enabled as outlined here:
Using command gensslcert as shown here:
Produces an error message in "journalctl -xe -u libvirtd":
libvirtd: The certificate /etc/pki/CA/cacert.pem is missing basic constraints for a CA
If it is not possible to update the server, please contact Support for assistance applying a temporary fix.
The script /usr/bin/gensslcert does not add the extensions that set the basic constraint CA:true:
    x509_extensions = v3_ca

    [ v3_ca ]
    # Extensions for a typical CA
    # PKIX recommendation.
    basicConstraints = critical,CA:true
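A way to check whether a CA certificate carries the basic constraints the error message refers to, as an added example that is not part of the original SUSE document. It calls openssl directly rather than gensslcert; the helper names is_ca_cert and make_cert, the subject name and the file names are made up for the demonstration.

```sh
#!/bin/sh
# Added example: uses openssl directly, not gensslcert. Subject name and
# file names are constructed for the demonstration.

# is_ca_cert FILE: succeed only if FILE carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# make_cert OUT [EXT_SECTION]: write a self-signed certificate to OUT.
# Without EXT_SECTION no x509_extensions line is emitted, so the
# certificate has no basicConstraints (the failing case).
make_cert() {
    out=$1
    ext=${2:-}
    cnf=$(mktemp)
    {
        printf '[ req ]\ndistinguished_name = dn\n'
        printf 'prompt = no\nencrypt_key = no\n'
        if [ -n "$ext" ]; then
            printf 'x509_extensions = %s\n' "$ext"
        fi
        printf '[ dn ]\nCN = Constructed Test CA\n'
        printf '[ v3_ca ]\nbasicConstraints = critical,CA:true\n'
    } > "$cnf"
    openssl req -x509 -newkey rsa:2048 -days 1 -config "$cnf" \
        -keyout "$out.key" -out "$out" 2>/dev/null
    rc=$?
    rm -f "$cnf"
    return "$rc"
}

tmp=$(mktemp -d)
make_cert "$tmp/noext.pem"        # no extensions section
make_cert "$tmp/ca.pem" v3_ca     # with the v3_ca section
for cert in "$tmp/noext.pem" "$tmp/ca.pem"; do
    if is_ca_cert "$cert"; then
        echo "$cert: basicConstraints CA:TRUE present"
    else
        echo "$cert: missing basic constraints for a CA"
    fi
done
rm -rf "$tmp"
```

Running is_ca_cert against /etc/pki/CA/cacert.pem shows whether the CA certificate named in the error message carries CA:TRUE.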
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000019820
- Creation Date: 28-Jan-2021
- Modified Date: 28-Jan-2021
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications