[lxc-users] lxc exec / list: x509: certificate has expired or is not yet valid
Tomasz Chmielewski
mangoo at wpkg.org
Thu Jun 2 14:03:15 UTC 2016
On 2016-06-02 22:40, Andrey Repin wrote:
>> So... what is the correct procedure to update the certificate on LXD
>> server and make sure it's still accepted by LXD clients?
>
> I would go a long route and set up my own CA.
> Though, I actually did that already...
>
> Alternative is to make yourself a certificate through a third-party CA,
> like Let's Encrypt.
Well, it seems that LXD is fine with self-signed certificates as well.
Which is OK with me.
However, changing a cert with LXD is painful:
- needs new server.crt/server.key in /var/lib/lxd, and lxd restart? force-reload?
- if any client connected to IP address (and not to domain name),
certificate needs to have them as SAN (subject alternative names)
- there is no "lxd remote" command to accept a new certificate from the
server - so LXD clients have to go through the painful "set up a
different default remote (or, set it to local), remove the remote with
expired certificate, add the remote with the new certificate, set it as
a new default etc."
- LXD / lxc command does not alert that the cert is about to expire, so
the user finds out when it's too late and the system stops working
correctly (think automated starting / removal of containers etc.)
- could not find anything about changing the cert in LXD docs, so it was
a bit of a problem working out why it doesn't work anymore and how to
fix it
The whole process could be designed a bit better :)
Tomasz Chmielewski
http://wpkg.org
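The rotation procedure sketched in the post above, written out as an added shell example; this is not code from the original message or from the LXD project. It assumes what the post states (server.crt/server.key under /var/lib/lxd, a client default remote that can be parked on "local"), plus a systemd host so that "systemctl restart lxd" works and an lxc client whose "lxc remote add" accepts --accept-certificate. The hostname lxd.example.org and the addresses 203.0.113.10 and 2001:db8::10 are placeholders. The SAN config covers the "clients connected by IP" point, and cert_expires_within is the expiry warning the post says lxc never gives, so it can be run from cron.

```shell
#!/bin/sh
# Added example, not from the original post or the LXD project.
# Assumptions: cert/key live in $LXD_DIR (post says /var/lib/lxd), the host
# uses systemd, and `lxc remote add` accepts --accept-certificate.
# lxd.example.org / 203.0.113.10 / 2001:db8::10 are placeholder values.
set -u

LXD_DIR=${LXD_DIR:-/var/lib/lxd}

# Emit an openssl config whose subjectAltName lists the hostname plus every
# address clients use to reach the server (IPv4 and IPv6 both use IP:).
mk_san_cfg() {
  host=$1; shift
  san="DNS:$host"
  for ip in "$@"; do san="$san,IP:$ip"; done
  cat <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $host
[v3_req]
subjectAltName = $san
EOF
}

# Write a self-signed server.crt/server.key into dir $1 from config $2, valid
# for $3 days. The key is unencrypted (-nodes): lxd reads it unattended.
gen_server_cert() {
  dir=$1; cfg=$2; days=$3
  openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
    -config "$cfg" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/server.key"
}

# Print the SAN line of a certificate so the IPs can be checked before install.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# True (exit 0) when cert $1 expires within $2 days. `openssl -checkend` exits 0
# only when the cert will STILL be valid then, so the result is inverted.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Server side: build a new pair with SANs, install it, restart lxd (systemd assumed).
rotate_server_cert() {
  host=$1; shift
  tmp=$(mktemp -d)
  mk_san_cfg "$host" "$@" > "$tmp/san.cnf"
  gen_server_cert "$tmp" "$tmp/san.cnf" 365
  cp "$tmp/server.crt" "$tmp/server.key" "$LXD_DIR/"
  chmod 600 "$LXD_DIR/server.key"
  rm -rf "$tmp"
  systemctl restart lxd
}

# Client side: the remove-and-re-add sequence from the post. The default remote
# has to point elsewhere before the stale one can be removed.
readd_remote() {
  name=$1; addr=$2
  lxc remote set-default local
  lxc remote remove "$name"
  lxc remote add "$name" "$addr" --accept-certificate
  lxc remote set-default "$name"
}

# Usage: rotate HOST IP...   |   check [DAYS]   |   readd NAME ADDR:8443
case "${1:-}" in
  rotate) shift; rotate_server_cert "$@" ;;
  check)  cert_expires_within "$LXD_DIR/server.crt" "${2:-30}" \
            && echo "WARNING: $LXD_DIR/server.crt expires within ${2:-30} days" ;;
  readd)  readd_remote "$2" "$3" ;;
esac
```

Run "check" from a daily cron job on both server and client hosts; on the client, the same check can be pointed at the copy of the server cert that lxc stores for the remote, which is where the expiry actually bites.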