root@lxd01:/var/snap/lxd/common/lxd$ lxc remote add test https://test.mycompany.com:8443 --debug
DEBUG [2023-07-06T12:12:55Z] Connecting to a remote LXD over HTTPS url="https://test.mycompany.com:8443"
DEBUG [2023-07-06T12:12:55Z] Sending request to LXD etag= method=GET url="https://test.mycompany.com:8443/1.0"
Certificate fingerprint: d58cb2b8b2bfe84824bc9092e80413300ec26437718703e6da6dffe9478af996
ok (y/n/[fingerprint])? yes
DEBUG [2023-07-06T12:13:07Z] Connecting to a remote LXD over HTTPS url="https://test.mycompany.com:8443"
DEBUG [2023-07-06T12:13:07Z] Sending request to LXD etag= method=GET url="https://test.mycompany.com:8443/1.0"
Error: Get "https://test.mycompany.com:8443/1.0": tls: failed to verify certificate: x509: certificate is valid for lxd07, not test.mycompany.com
On both sides lxd 5.15.
From another system also running lxd 5.15 I can add the same remote url without any problems.
Does anyone have an idea how to work around the problem?
Please note that this discourse forum is explicitly not for community support questions (a bot message when you joined here should have been delivered to you stating the policies for this discourse page), you can find support via the facilities linked from:
Hi @tomp,
thanks for your prompt reaction! Unfortunately both system’s times are in sync.
@ogra: I didn’t realize this. This means there is no longer an active community forum which could be researched by search engines? Strange decision. Then the damage of this move is greater than expected. Sorry for my question here and I will leave this forum …
Yes, it’s a new vanilla lxd instance based on ubuntu 22 and initiated by lxd init.
I just forwarded port 8443 to the outer world. Should I replace the server cert in /var/snap/lxd/common/lxd?
I can do an add from another network using the exact same url but not from one specific system, and I don’t understand how this error is related since the cert content is always the same.
Is there a way to disable the cert validation?
For testing I now replaced the server.crt by a letsencrypt one so the new one contains the external dns name. Now it’s possible to add the remote. I don’t understand why this is a problem for one system but not for the other. I will now check again using a self signed cert having alternative names.
@tomp somehow solved for me by replacing the generated lxd cert /var/snap/lxd/common/lxd/server.crt by one having the external name as alternative dns name. What is still a mystery to me is why the problem occurs on one system but not on another. So there must be a configuration somewhere that enables/disables name validation.
Thanks for your help & input!
P.S.: I’m still wondering where and how to discuss these kinds of questions in future so as not to get lost between tons of generic ubuntu questions.