[lxc-users] What is the best way to report bug issues with LXD rest server?

Kevin LaTona lists at studiosola.com
Sat May 23 17:01:17 UTC 2015


On May 23, 2015, at 12:13 AM, Janjaap Bos <janjaapbos at gmail.com> wrote:

> Yes, you are a step further now that TLS is spoken. However, I would suggest to first get your test working locally on the lxd server, since my homebrew OSX curl has further restrictions. You can only use certificates that are in the keychain:
> * WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure Transport. The private key must be in the Keychain.
> * WARNING: SSL: Certificate type not set, assuming PKCS#12 format.


When I did all of the steps you suggested the new version of Curl sent back

curl: (58) SSL: Can't load the certificate "server.crt" and its private key: OSStatus -50


I tried to import the server.crt into keychain and it choked.

Not sure why maybe it just didn't like how I created it or ???



> 
> When trying your example on my lxd server, I do the following steps (as root user).
> 
> # cd /root/.config/lxc
> # ls
> client.crt  client.key  config.yml  servercerts


Interesting as the config.yaml and servercert were not in my folder just now.

I double checked my steps taken notes and do see I issued a call to  lxc remote add lxc-org images.linuxcontainers.org

And it did not load at the initial call set up time.




> 
> Now, if you don't have these files, you can get them by doing the following:
> # lxc remote add lxc-org images.linuxcontainers.org



I did just re call this "remote add" call 

And this time it added all the files and not only some of them.



> 
> This should also initialise the local client certificate if it does not exist.
> 
> Then:
> # lxc config trust add client.crt
> # lxc config trust list
> This should list the fingerprint.
> 
> And it should work:
> # curl --key client.key --cert client.crt -v -k https://localhost:8443/1.0/images
> 
> (do not use the -s option as it will suppress the output)



/usr/local/Cellar/curl/7.42.1/bin/curl --cert server.crt --key server.key -v -k https://192.168.0.50:8443/

*   Trying 192.168.0.50...
* Connected to 192.168.0.50 (192.168.0.50) port 8443 (#0)
* WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure Transport. The private key must be in the Keychain.
* WARNING: SSL: Certificate type not set, assuming PKCS#12 format.
* SSL: Can't load the certificate "server.crt" and its private key: OSStatus -50
* Closing connection 0
curl: (58) SSL: Can't load the certificate "server.crt" and its private key: OSStatus -50



Well it's closer to working now.

I still need to resolve how to get the private cert into OS X's keychain.


Hopefully if any other OS X users come along and find these notes it will help them get it working or closer to finding out how to get it all going on Macs connecting to Ubuntu 15.04 Vivid.



-Kevin








> 
> 
> 2015-05-23 7:53 GMT+02:00 Kevin LaTona <lists at studiosola.com>:
> 
> On May 22, 2015, at 10:33 PM, Kevin LaTona <lists at studiosola.com> wrote:
> 
>>> Ok, but you are testing with a curl that does not support TLS. That is why you cannot connect to that particular LXD instance. Depending on the OS and distribution, other LXD instances may still support SSL.
>>> 
>>> 
> 
> 
> 
> 
> I did a quick upgrade of curl to 7.42.1
> 
> Now when I try it 
> 
> /usr/local/Cellar/curl/7.42.1/bin/curl -s --cert server.crt --key server.key -k https://192.168.0.50:8443/1.0/images
> 
> I know I don't want to mess with Apple's install of Curl for now.
> 
> 
> I get ………… curl: (35) SSL peer handshake failed, the server most likely requires a client certificate to connect
> 
> So maybe I am getting closer and something is off with the cert I just made.
> 
> 
> Would be nice to know what version of LXD is running at linuxcontainers.org 
> 
> It sure might help saving lots of time chasing after another avenue that in the end may or may not solve problem.
> 
> -Kevin
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
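Added example, not part of the original thread: the Secure Transport warnings quoted above say the certificate is assumed to be PKCS#12, so this sketch bundles a PEM client certificate and key into one PKCS#12 file and prints the certificate's SHA-256 fingerprint for comparison with `lxc config trust list`. It assumes the openssl CLI is installed and that the listed fingerprint is the certificate's SHA-256 digest; the names `client.p12`, `lxd-client` and `P12_PASS` are choices made here.

```shell
#!/bin/sh
# Added example. The names client.p12, lxd-client and P12_PASS are
# assumptions made for this sketch, not taken from the thread.

# Normalise "sha256 Fingerprint=AB:CD:..." to lowercase hex without colons.
hex_fp() { sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'; }

# SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | hex_fp
}

# make_p12 CERT KEY OUT: bundle a PEM pair into PKCS#12. The password is read
# from the environment so it does not appear in the process list, and openssl
# refuses the export when the key does not belong to the certificate.
make_p12() {
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
          -name lxd-client -passout env:P12_PASS )
}

# Fingerprint of the certificate stored inside a PKCS#12 bundle.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | hex_fp
}

# Constructed self-signed pair for a dry run; not a real LXD client identity.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-client" \
        -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
}

if [ "$#" -eq 2 ]; then
    : "${P12_PASS:?export P12_PASS with the bundle password first}"
    make_p12 "$1" "$2" client.p12
    echo "fingerprint to look for in 'lxc config trust list':"
    cert_fingerprint "$1"
    # Then, with a Secure Transport build of curl:
    #   curl --cert "client.p12:$P12_PASS" -v -k https://localhost:8443/1.0/images
else
    echo "usage: P12_PASS=... $0 client.crt client.key" >&2
fi
```

If the fingerprint printed here is not in the server's trust list, the handshake will still be refused no matter which format curl loads the certificate from.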
