LXD certificate trust issues on preseed

Hi
I am having issues initialising an lxd 5.21 cluster with the preseed. The certificate that is generated on the server sets the SAN to the host name and 127.0.0.1. When I set the cluster_address to the hostname I get the following error.

Error: Failed to join cluster: Failed to setup cluster trust: Failed to connect to target cluster node "containers-network-live-is-1:8443": Get "https://containers-network-live-is-1:8443/1.0": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "root@containers-network-live-is-1"

If I change that to the IP address then I get the following output

Error: Failed to join cluster: Failed to setup cluster trust: Failed to connect to target cluster node "10.3.0.42:8443": Get "https://10.3.0.42:8443/1.0": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, ::1, not 10.3.0.42

I really can’t win with this. How am I supposed to set up this cluster with an automated tool? If I do it manually with the wizard it works fine, but this is the issue with preseed.

Any ideas how to work around this?

I’m going to see if I can get it to trust the certificate in advance of joining. Maybe that will fix things.

Please can you provide reproducer steps and the contents of the preseed file for our consideration.

Thanks

Hi Tomp

I’ve managed to integrate the cluster join workflow into my process so I’m sorted for now. The preseed I was working with looked something like this

---
cluster:
  server_name: containers-network-live-is-2
  enabled: true
  cluster_address: containers-network-live-is-1:8443
  server_address: 10.3.0.111:8443
  cluster_password: fie8biz5noogho3jie2Ohcah0ooth5iep6aiY7Ca
  cluster_certificate: |
    -----BEGIN CERTIFICATE-----
    MIICJjCCAaygAwIBAgIRAIiHY6Xxt2HGtEvMED8kQ98wCgYIKoZIzj0EAwMwOjEM
    MAoGA1UEChMDTFhEMSowKAYDVQQDDCFyb290QGNvbnRhaW5lcnMtbmV0d29yay1s
    aXZlLWlzLTEwHhcNMjUwNjIwMTM1NjU3WhcNMzUwNjE4MTM1NjU3WjA6MQwwCgYD
    VQQKEwNMWEQxKjAoBgNVBAMMIXJvb3RAY29udGFpbmVycy1uZXR3b3JrLWxpdmUt
    aXMtMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABGgvt0MN3agXs7rpEI5vyklT3W+0
    nJQxUwMMtRFhxz03PuLZ1y3moqtODW/+vey2Xc6eOptzSAgEI4qRgLHyJQka/3bk
    QddA42sX9Thy8t8eSb4Z5+4Qid38vVWDRqJ2I6N2MHQwDgYDVR0PAQH/BAQDAgWg
    MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwPwYDVR0RBDgwNoIc
    Y29udGFpbmVycy1uZXR3b3JrLWxpdmUtaXMtMYcEfwAAAYcQAAAAAAAAAAAAAAAA
    AAAAATAKBggqhkjOPQQDAwNoADBlAjEAlp9sWYwdTcM61nVRcgmRMa7m7pEElRh1
    7i9k7fozx8vvMGwbNuSnbAi9GozSEO5jAjBTsQnsdCj19NpgGolL1YqgrtAsU3qX
    6+WytxxMMSbzs/VyBUtcZbGu/3k3xucubQ0=
    -----END CERTIFICATE-----

That failed with the certificate not trusted error and swapping it out with the IP address gave the error that the IP address wasn’t in the name list.
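The two errors in this thread are different checks failing. The second one (`certificate is valid for 127.0.0.1, ::1, not 10.3.0.42`) is a plain SAN mismatch that can be reproduced offline from the certificate alone, which makes it easy to validate a preseed before running it. The script below is an added example written for this thread, not LXD code: it decodes the certificate pasted above with only the Python standard library, lists its Subject Alternative Names, and checks a candidate `cluster_address` the same way Go's `crypto/x509` does (an IP host is matched only against `iPAddress` entries, a name only against `dNSName` entries), producing the same message shape LXD prints. The function names `subject_alt_names` and `check_cluster_address` are mine.

```python
"""Check whether an X.509 certificate's Subject Alternative Names cover an LXD
cluster_address host. Added example for this thread; standard library only.
The embedded certificate is the one pasted in the thread (SAN: the hostname,
127.0.0.1 and ::1); everything else here is constructed for illustration."""
import base64
import ipaddress
import re

CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICJjCCAaygAwIBAgIRAIiHY6Xxt2HGtEvMED8kQ98wCgYIKoZIzj0EAwMwOjEM
MAoGA1UEChMDTFhEMSowKAYDVQQDDCFyb290QGNvbnRhaW5lcnMtbmV0d29yay1s
aXZlLWlzLTEwHhcNMjUwNjIwMTM1NjU3WhcNMzUwNjE4MTM1NjU3WjA6MQwwCgYD
VQQKEwNMWEQxKjAoBgNVBAMMIXJvb3RAY29udGFpbmVycy1uZXR3b3JrLWxpdmUt
aXMtMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABGgvt0MN3agXs7rpEI5vyklT3W+0
nJQxUwMMtRFhxz03PuLZ1y3moqtODW/+vey2Xc6eOptzSAgEI4qRgLHyJQka/3bk
QddA42sX9Thy8t8eSb4Z5+4Qid38vVWDRqJ2I6N2MHQwDgYDVR0PAQH/BAQDAgWg
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwPwYDVR0RBDgwNoIc
Y29udGFpbmVycy1uZXR3b3JrLWxpdmUtaXMtMYcEfwAAAYcQAAAAAAAAAAAAAAAA
AAAAATAKBggqhkjOPQQDAwNoADBlAjEAlp9sWYwdTcM61nVRcgmRMa7m7pEElRh1
7i9k7fozx8vvMGwbNuSnbAi9GozSEO5jAjBTsQnsdCj19NpgGolL1YqgrtAsU3qX
6+WytxxMMSbzs/VyBUtcZbGu/3k3xucubQ0=
-----END CERTIFICATE-----"""

SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 id-ce-subjectAltName


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def subject_alt_names(der):
    """Return SAN entries as [(kind, value)] with kind 'dns' or 'ip'."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    names = []
    for tag, value in _children(tbs):
        if tag != 0xA3:                     # [3] EXPLICIT Extensions
            continue
        _, extensions, _ = _read_tlv(value, 0)
        for _, ext in _children(extensions):
            fields = list(_children(ext))   # OID, optional critical BOOLEAN, OCTET STRING
            if fields[0][1] != SAN_OID:
                continue
            _, general_names, _ = _read_tlv(fields[-1][1], 0)
            for gtag, gval in _children(general_names):
                if gtag == 0x82:            # dNSName [2] IA5String
                    names.append(("dns", gval.decode("ascii")))
                elif gtag == 0x87:          # iPAddress [7] 4 or 16 raw bytes
                    names.append(("ip", str(ipaddress.ip_address(gval))))
    return names


def _host_of(address):
    """Strip an optional :port, handling [v6]:port and bare IPv6 literals."""
    if address.startswith("["):
        return address[1:address.index("]")]
    try:
        ipaddress.ip_address(address)
        return address                      # bare IPv6 literal such as ::1, no port
    except ValueError:
        pass
    host, sep, port = address.rpartition(":")
    return host if sep and port.isdigit() else address


def check_cluster_address(pem, cluster_address):
    """Mirror Go's x509 hostname verification: IPs match iPAddress SANs only,
    names match dNSName SANs only. Returns (ok, message)."""
    host = _host_of(cluster_address)
    sans = subject_alt_names(pem_to_der(pem))
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        target = None
    kind = "ip" if target is not None else "dns"
    candidates = [v for k, v in sans if k == kind]
    if kind == "ip":
        matched = any(ipaddress.ip_address(v) == target for v in candidates)
    else:
        matched = any(v.lower() == host.lower() for v in candidates)
    if matched:
        return True, f"certificate covers {host}"
    return False, f"x509: certificate is valid for {', '.join(candidates)}, not {host}"


if __name__ == "__main__":
    for addr in ("containers-network-live-is-1:8443", "10.3.0.42:8443", "[::1]:8443"):
        print(addr, "->", check_cluster_address(CERT_PEM, addr)[1])
```

Run against the certificate from the preseed, the IP form of `cluster_address` reproduces the second error verbatim, while the hostname form passes the SAN check. That confirms the first error (`certificate signed by unknown authority`) is not a naming problem but a trust-chain one, which is the question Tomp asks below about where the `cluster_certificate` comes from.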

What version of LXD is this, as cluster_password is removed in the 6.x series.

What is the cluster certificate you’re providing there, is that from an existing cluster?