Tls: failed to verify certificate on remote add

I try to add a remote lxd but get a tls error:

root@lxd01:/var/snap/lxd/common/lxd$ lxc remote add test https://test.mycompany.com:8443 --debug
DEBUG  [2023-07-06T12:12:55Z] Connecting to a remote LXD over HTTPS         url="https://test.mycompany.com:8443"
DEBUG  [2023-07-06T12:12:55Z] Sending request to LXD                        etag= method=GET url="https://test.mycompany.com:8443/1.0"
Certificate fingerprint: d58cb2b8b2bfe84824bc9092e80413300ec26437718703e6da6dffe9478af996
ok (y/n/[fingerprint])? yes
DEBUG  [2023-07-06T12:13:07Z] Connecting to a remote LXD over HTTPS         url="https://test.mycompany.com:8443"
DEBUG  [2023-07-06T12:13:07Z] Sending request to LXD                        etag= method=GET url="https://test.mycompany.com:8443/1.0"
Error: Get "https://test.mycompany.com:8443/1.0": tls: failed to verify certificate: x509: certificate is valid for lxd07, not test.mycompany.com

Both sides run LXD 5.15.

From another system also running lxd 5.15 I can add the same remote url without any problems.

Does anyone have an idea how to work around the problem?

See also https://discuss.linuxcontainers.org/t/additional-host-names-for-lxd-server-certificate/

Please can you check the system times on both hosts, as I’ve seen that sort of error in the past and it can be caused by out of sync clocks.

Please note that this Discourse forum is explicitly not for community support questions (a bot message when you joined here should have been delivered to you stating the policies for this Discourse page); you can find support via the facilities linked from:


Hi @tomp,
thanks for your prompt reaction! Unfortunately both system’s times are in sync.

@ogra: I didn’t realize this. This means there is no longer an active community forum which could be researched by search engines? Strange decision. Then the damage of this move is greater than expected. Sorry for my question here, and I will leave this forum … :thinking::worried:

OK thanks for confirming.

How did you configure the remote server, is it using an automatic LXD generated certificate?

Yes, it’s a new vanilla LXD instance based on Ubuntu 22 and initiated by lxd init.
I just forwarded port 8443 to the outer world. Should I replace the server cert in /var/snap/lxd/common/lxd?

Is that a straight TCP forward?

Yes, but on the client side there is a Sophos in between and I’m not sure if this could be an issue.

Can you use lxc remote add when talking to the LXD server directly?

Could well be if its messing about with the TLS layer.

I can do an add from another network using the exact same URL but not from one specific system, and I don’t understand how this error is related, since the cert content is always the same.
Is there a way to disable the cert validation?

For testing I have now replaced the server.crt with a Let's Encrypt one, so the new one contains the external DNS name. Now it’s possible to add the remote. I don’t understand why this is a problem for one system but not for the other. I will now check again using a self-signed cert having alternative names.

@tomp it was somehow solved for me by replacing the generated LXD cert /var/snap/lxd/common/lxd/server.crt with one having the external name as an alternative DNS name. What is still a mystery to me is why the problem occurs on one system but not on another. So there must be a configuration somewhere that enables/disables name validation.
Thanks for your help & input!

P.S.: I’m still wondering where and how to discuss this kind of question in future so as not to get lost between tons of generic Ubuntu questions.


We have added a Support section for these types of questions, see Supporting the LXD Community

Thanks
