Unable to authorize the client and cannot set a passphrase workaround

Hey All,

We recently updated Multipass to version 1.9 and with it, there is now a way to authorize clients to connect to the Multipass service for better security and allow users not part of an admin group to use the multipass client.

We tried to put in logic to make it seamless for previous installs that upgrade to 1.9 without needing any intervention, but this seems to not be the case as evidence by this, this, and this.

If you stumble here trying to find a solution, first, apologies for your troubles, and second, this post should hopefully help you fix the issue and be able to continue to use Multipass. I’ve been looking at the code over and over and have yet to figure out what is triggering this issue…

How to recover on Linux

$ sudo snap stop multipass
$ sudo killall multipass.gui
$ sudo rm /var/snap/multipass/common/data/multipassd/authenticated-certs/multipass_client_certs.pem
$ sudo cp ~/snap/multipass/current/data/multipass-client-certificate/multipass_cert.pem /var/snap/multipass/common/data/multipassd/authenticated-certs/multipass_client_certs.pem
$ sudo snap start multipass

How to recover on macOS

$ sudo launchctl unload /Library/LaunchDaemons/com.canonical.multipassd.plist
$ sudo killall Multipass
$ sudo rm /var/root/Library/Application\ Support/multipassd/authenticated-certs/multipass_client_certs.pem
$ sudo cp ~/Library/Application\ Support/multipass-client-certificate/multipass_cert.pem /var/root/Library/Application\ Support/multipassd/authenticated-certs/multipass_client_certs.pem
$ sudo launchctl load /Library/LaunchDaemons/com.canonical.multipassd.plist

After the above steps for either platform, the multipass client running under your current user should connect without and authorization errors.

Again, apologies for the troubles and hopefully Multipass is working for you again! Thanks for using Multipass!

3 Likes

I have implemented the recommendation on my Mac but I the solution doesn’t work for me:

user@iMac ~ % multipass list
list failed: The client is not authenticated with the Multipass service.
Please use 'multipass authenticate' before proceeding.

I attempted this on macOS Monterey a few times, and after about the 3rd try, and restarting the mac each time, it eventually worked.

There’s also an error on the second command, there is a . at the end of the pem file.

1 Like

Hey @jonathanbossenger,

Thanks for pointing out the typo. I just fixed it :slightly_smiling_face:

2 Likes

No problem @townsend, glad I could help in some small way.

Hello,

the workaround is not working for me on ubuntu 22.04. still the same error.

Best regards,
Daniel

Hello @daniellenz,

Sorry for your troubles. Is the Multipass tray icon client still running when you do the steps outlined above? If so, quit that and then do those steps and see if that helps.

Thanks!

@townsend I hope you don’t mind me asking this here.

I am on macOS, I have a shell script that I run with sudo, which provisions a local working directory, and some other OS-level things (hence requiring sudo) and then runs multipass exec to do further provisioning/setup on the multipass instance.

At the point of running multipass exec I get the “client is not authenticated with the Multipass service” error. However, I can run the command as a normal use from the macOS terminal. This seems to be related to the upgrade, as I didn’t have this problem before.

This makes me think I need to also allow the root user on the mac to also be authorized to connect to the multipass service.

Do you know if there is an additional place on a Mac that the multipass_client_certs.pem needs to be copied to, in order to fix this for the root user?

Thanks in advance.

Hi @jonathanbossenger!

What you need to do is with your normal user that is authenticated, run:
$ multipass set local.passphrase
and set the passphrase.

Then with the sudo user, run:
$ multipass authenticate
and enter the passphrase you just set.

I know, it seems counterintuitive that the sudo user needs to authenticate, but the Multipass daemon has no concept of user privileges, so it only trusts the first client that had permission to connect to the Multipass socket and after that, all other users’ clients need to authenticate regardless of privileges.

Thanks!

1 Like