[lxc-users] lxc exec / list: x509: certificate has expired or is not yet valid

Stéphane Graber stgraber at ubuntu.com
Thu Jun 2 14:15:38 UTC 2016


On Thu, Jun 02, 2016 at 11:03:15PM +0900, Tomasz Chmielewski wrote:
> On 2016-06-02 22:40, Andrey Repin wrote:
> 
> > > So... what is the correct procedure to update the certificate on LXD
> > > server and make sure it's still accepted by LXD clients?
> > 
> > I would go a long route and set up my own CA.
> > Though, I actually did that already...
> > 
> > > Alternative is to make yourself a certificate through a third-party CA,
> > > like Let's Encrypt.
> 
> Well, it seems that LXD is fine with self-signed certificates as well. Which
> is OK with me.
> 
> However, changing a cert with LXD is painful:
> 
> - needs new server.crt/server.key in /var/lib/lxd, and lxd restart?
> force-reload?

Removing them and restarting LXD will generate new ones.

> - if any client connected to IP address (and not to domain name),
> certificate needs to have them as SAN (subject alternative names)

Letting LXD re-generate the certificate will make sure all IPs are included.

> - there is no "lxd remote" command to accept a new certificate from the
> server - so LXD clients have to go through the painful "set up a different
> default remote (or, set it to local), remove the remote with expired
> certificate, add the remote with the new certificate, set it as a new
> default etc.

Yeah. We didn't want to make it too easy to do that (too easy to shoot
yourself in the foot), but a "lxc remote" command to re-do the initial
handshake would be fine with me.

> - LXD / lxc command does not alert that the cert is about to expire, so the
> user finds out when it's too late and the system stops working correctly
> (think automated starting / removal of containers etc.)

Yeah, we didn't expect anyone to run into such issues just yet as our
certificates have a 10-year expiry.

We did have old versions of LXD issue 1-year certificates very much at
the beginning of the project but this was fixed over a year ago, so most
installations will have a 10-year certificate.

> - could not find anything about changing the cert in LXD docs, so it was a
> bit of a problem working out why it doesn't work anymore and how to fix it
> 
> 
> The whole process could be designed a bit better :)

Yeah, I guess we didn't expect anyone would have upgraded systems
from a pre-0.10 version of LXD all the way to current :)

We figured we had 10 years to take care of the certificate rotation logic.



Anyway, for anyone affected by this, remove any affected .crt and its
matching .key (~/.config/lxc/client.crt and ~/.config/lxc/client.key for
a client certificate or /var/lib/lxd/server.crt and
/var/lib/lxd/server.key for a server certificate). Then if re-generating
a server certificate, restart the daemon. If re-generating a client
certificate, just do any lxc command.

You'll then have to remove and re-add any affected remote.

And you'll be good for another decade.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
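The two checks the thread says are missing (a warning before the certificate expires, and confirmation that the IP addresses clients connect to are actually in the SANs) as an added example; this is not code from the original post or from LXD itself. It also regenerates a self-signed certificate the way the reply describes LXD doing it after server.crt/server.key are removed (IPs as SANs, validity as a parameter so the old 1-year and current 10-year cases can both be built), but the key type, subject name, 30-day warning threshold and the `certcheck` name are my assumptions, not LXD's behaviour. Rotation itself remains the manual procedure above (remove the .crt/.key pair, restart the daemon or rerun lxc, then remove and re-add the remote); this only tells you that you need to do it before automated lxc calls start failing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// WarnDays is an assumed threshold: warn once fewer days than this remain.
const WarnDays = 30

// CertStatus is what a pre-expiry check needs to know about one certificate.
type CertStatus struct {
	NotBefore, NotAfter time.Time
	DaysLeft            int      // whole days until NotAfter; negative once expired
	Expired, NotYetValid bool
	MissingSANs         []string // requested IPs/names the certificate does not cover
}

// CheckCert parses a PEM certificate and reports its validity relative to now,
// plus which of the given IPs or DNS names are absent from its SANs.
func CheckCert(pemBytes []byte, now time.Time, addrs []string) (CertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, errors.New("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	st := CertStatus{NotBefore: cert.NotBefore, NotAfter: cert.NotAfter}
	st.DaysLeft = int(cert.NotAfter.Sub(now).Hours() / 24)
	st.Expired = now.After(cert.NotAfter)
	st.NotYetValid = now.Before(cert.NotBefore)
	for _, a := range addrs {
		// VerifyHostname matches IP literals only against IP SANs and DNS
		// names only against DNS SANs, exactly as a TLS client would.
		if cert.VerifyHostname(a) != nil {
			st.MissingSANs = append(st.MissingSANs, a)
		}
	}
	return st, nil
}

// GenerateSelfSigned mimics what the reply says LXD does when server.crt/.key
// are removed: a fresh self-signed certificate listing the given IPs as SANs.
func GenerateSelfSigned(ips []net.IP, dnsNames []string, notBefore time.Time, validity time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // assumed key type
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "lxd-example"}, // assumed name
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IPAddresses:           ips,
		DNSNames:              dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// go run certcheck.go /var/lib/lxd/server.crt [ip-or-name ...]
// Exit 1 means: rotate now (expired, not yet valid, inside WarnDays, or a SAN is missing).
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: certcheck <cert.pem> [ip-or-name ...]")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	st, err := CheckCert(data, time.Now(), os.Args[2:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("valid %s to %s, %d days left, not covered by SANs: %v\n",
		st.NotBefore.Format(time.RFC3339), st.NotAfter.Format(time.RFC3339), st.DaysLeft, st.MissingSANs)
	if st.Expired || st.NotYetValid || st.DaysLeft < WarnDays || len(st.MissingSANs) > 0 {
		fmt.Println("ACTION NEEDED: remove the .crt/.key pair, regenerate, then remove and re-add the remote")
		os.Exit(1)
	}
}
```

Run it from cron against ~/.config/lxc/client.crt and /var/lib/lxd/server.crt (passing the addresses your remotes actually use) and the non-zero exit gives you the early warning the thread asks for; an expired cert still parses, so the check keeps working after the point where lxc itself no longer does.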