Adding browser certificate trust - 403 error

I’m having trouble adding a new browser cert to incus.

The target host has these packages:

root@nuc3:~# dpkg-query -l | grep incus
ii  incus                                1:6.0.4-ubuntu22.04-202504072335        amd64        Incus - Container and virtualization daemon
ii  incus-base                           1:6.0.4-ubuntu22.04-202504072335        amd64        Incus - Container and virtualization daemon (container-only)
ii  incus-client                         1:6.0.4-ubuntu22.04-202504072335        amd64        Incus - Command line client
ii  incus-extra                          1:6.0.4-ubuntu22.04-202504072335        amd64        Incus - Extra tools
ii  incus-ui-canonical                   1:6.0.4-ubuntu22.04-202504072335        amd64        Incus - Web interface (canonical)

If I use my browser to connect directly to the incus host, nuc3.example.com:8443, the browser prompts me to choose between two certificates:

That in itself is OK - I’ve migrated from lxd to incus in the past. And if I choose the lxd one the incus UI works.

If instead I choose the incus one, then the incus UI prompts me to log in and either create a new certificate “Or use an existing certificate already added to your browser”. I select the latter, and it asks me to run incus config trust add incus-ui and paste in the token generated, which I do. But the API responds with not authorized.

Using the browser developer console, I see the request is a POST to /1.0/certificates, with no query params, and body

{"type":"client","password":"<< trust token was here >>"}

The response is status code 403 with body

{"type":"error","status":"","status_code":0,"operation":"","error_code":403,"error":"not authorized","metadata":null}

The request JSON looks odd to me, since I see no reference to “password” in cmd/incusd/certificates.go, in either stable-6.0 or main branches, nor in the REST API documentation for certificates_post.

On the target host, /var/log/incus/incusd.log is empty, and journalctl -eu incus.service shows nothing after “Started Incus - Daemon.” from 5 days ago.

I can see the token in incus config trust list-tokens. But incus config trust list doesn’t show it (it shows the older lxd-ui certificate though).

Any idea what’s going on here?

If https://github.com/osamuaoki/incus-ui-canonical is the source, then that’s where “password” is coming from, in src/api/certificates.tsx:

export const addCertificate = (token: string) => {
  return new Promise((resolve, reject) => {
    fetch(`/1.0/certificates`, {
      method: "POST",
      body: JSON.stringify({
        type: "client",
        password: token,
      }),
    })
      .then(handleResponse)
      .then(resolve)
      .catch(reject);
  });
};

Is this out of sync with the incus API?

@presztak can you look into this one? ^

Sure! I’ll take a look.