I’m having trouble adding a new browser cert to incus.
The target host has these packages:
root@nuc3:~# dpkg-query -l | grep incus
ii incus 1:6.0.4-ubuntu22.04-202504072335 amd64 Incus - Container and virtualization daemon
ii incus-base 1:6.0.4-ubuntu22.04-202504072335 amd64 Incus - Container and virtualization daemon (container-only)
ii incus-client 1:6.0.4-ubuntu22.04-202504072335 amd64 Incus - Command line client
ii incus-extra 1:6.0.4-ubuntu22.04-202504072335 amd64 Incus - Extra tools
ii incus-ui-canonical 1:6.0.4-ubuntu22.04-202504072335 amd64 Incus - Web interface (canonical)
If I use my browser to connect directly to the incus host, nuc3.example.com:8443, the browser prompts me to choose between two certificates:
That in itself is OK - I’ve migrated from lxd to incus in the past. And if I choose the lxd one the incus UI works.
If instead I choose the incus one, then the incus UI prompts me to login and either create a new certificate “Or use an existing certificate already added to your browser”. I select the latter, and it asks me to run incus config trust add incus-ui and paste in the token generated, which I do. But the API responds with not authorized.
Using the browser developer console, I see the request is a POST to /1.0/certificates, with no query params, and body
{"type":"client","password":"<< trust token was here >>"}
The response is status code 403 with body
{"type":"error","status":"","status_code":0,"operation":"","error_code":403,"error":"not authorized","metadata":null}
The request JSON looks odd to me, since I see no reference to “password” in cmd/incusd/certificates.go, in either stable-6.0 or main branches, nor in the REST API documentation for certificates_post.
On the target host, /var/log/incus/incusd.log is empty, and journalctl -eu incus.service shows nothing after “Started Incus - Daemon.” from 5 days ago.
I can see the token in incus config trust list-tokens. But incus config trust list doesn’t show it (it shows the older lxd-ui certificate though)
Any idea what’s going on here?