Cluster configuration issues

I myself removed all the certificates from the trust store because back then I did not know about them. But I want to know how to put them back so TLS should work again. In production we do not want to make any mistakes; that's why we are testing everything we can fix immediately.

This ui-cert.crt is different; the trust store does not have the other server certificates which are in the cluster, and I am manually changing the certs in /var/snap/lxd/common/lxd/. Can you please guide me on how to add the server certificates to the store again?

root@lx-stg1:/var/snap/lxd/common/lxd# lxc config trust ls
+--------+-------------+-------------+--------------+------------------------------+------------------------------+
|  TYPE  |    NAME     | COMMON NAME | FINGERPRINT  |          ISSUE DATE          |         EXPIRY DATE          |
+--------+-------------+-------------+--------------+------------------------------+------------------------------+
| client | ui-cert.crt |             | 0754cb5e33b4 | Mar 17, 2025 at 5:57am (UTC) | Dec 12, 2027 at 5:57am (UTC) |
+--------+-------------+-------------+--------------+------------------------------+------------------------------+

Like this; this is my other LXC cluster, just for reference.

root@lxc-test-1:~# lxc config trust ls
+--------+------------+-----------------+--------------+------------------------------+-----------------------------+
|  TYPE  |    NAME    |   COMMON NAME   | FINGERPRINT  |          ISSUE DATE          |         EXPIRY DATE         |
+--------+------------+-----------------+--------------+------------------------------+-----------------------------+
| server | lxc-test-1 | root@lxc-test-1 | bb11e7e11157 | May 11, 2025 at 1:37pm (UTC) | May 9, 2035 at 1:37pm (UTC) |
+--------+------------+-----------------+--------------+------------------------------+-----------------------------+
| server | lxc-test-2 | root@lxc-test-2 | 890b4da409a1 | May 11, 2025 at 1:41pm (UTC) | May 9, 2035 at 1:41pm (UTC) |
+--------+------------+-----------------+--------------+------------------------------+-----------------------------+

I'm facing this on both Incus and LXD; I just shared the LXD data.

Server certs are only relevant to clusters; if the first system is a standalone system, then the output here is perfectly fine.

When dealing with a cluster, you should NEVER mess with server.crt and server.key as this will prevent internal cluster communication.


No, the first one is a cluster of 3 and I deleted all 3 server-type certificates from the trust store, and after that my cluster was never accessible again. Now I want to add all the members back to normal but don't know how to do this.

I manually changed the files in /var/snap/lxd/common/lxd (server.{crt,key}, cluster.{crt,key}) but it is still not working.

When we add a new member, this function handles the certs. As per my debugging, LXD-generated certs are valid for 10 years; what happens afterwards? How can one update the certs?

import (
	"crypto/x509"
	"errors"
	"net/http"
	"time"
)

// GetRemoteCertificate returns the unverified peer certificate found at a remote address.
// GetTLSConfig, RFC3493Dialer and ProxyFromEnvironment are helpers from the same package.
func GetRemoteCertificate(address string, useragent string) (*x509.Certificate, error) {
	// Setup a permissive TLS config: verification is skipped on purpose so that
	// the caller can fingerprint whatever certificate the peer presents.
	tlsConfig, err := GetTLSConfig(nil)
	if err != nil {
		return nil, err
	}

	tlsConfig.InsecureSkipVerify = true

	tr := &http.Transport{
		TLSClientConfig:       tlsConfig,
		DialContext:           RFC3493Dialer,
		Proxy:                 ProxyFromEnvironment,
		ExpectContinueTimeout: time.Second * 30,
		ResponseHeaderTimeout: time.Second * 3600,
		TLSHandshakeTimeout:   time.Second * 5,
	}

	// Connect
	req, err := http.NewRequest(http.MethodGet, address, nil)
	if err != nil {
		return nil, err
	}

	if useragent != "" {
		req.Header.Set("User-Agent", useragent)
	}

	client := &http.Client{Transport: tr}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	// Retrieve the certificate: the leaf (index 0) is the server's own certificate.
	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
		return nil, errors.New("Unable to read remote TLS certificate")
	}

	return resp.TLS.PeerCertificates[0], nil
}

This function returns the server cert; then which function is called to store the returned cert in the LXD trust store?

Any input will help us solve this and save time.
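The post above fetches a peer certificate with verification disabled and asks what happens to it next. The piece a practitioner needs between "fetch" and "store" is the fingerprint check: the FINGERPRINT column in the trust list is a prefix of the SHA-256 over the DER-encoded certificate, and a certificate obtained with InsecureSkipVerify should only go into a trust store after that value has been compared against one obtained out of band (for example from the existing member's own trust list). The following is an added example, not code from the LXD or Incus projects: CertFingerprint, FetchRemoteCertificate, VerifyRemoteFingerprint and NewDemoServer are names chosen here, and the HTTPS server is a constructed local fixture with a self-signed certificate so the example runs offline.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// CertFingerprint returns the hex-encoded SHA-256 of the DER-encoded certificate.
// The FINGERPRINT column in `lxc config trust ls` shows the first 12 characters of this value.
func CertFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// FetchRemoteCertificate connects with verification disabled and returns the leaf
// certificate the peer presented. This mirrors the idea of GetRemoteCertificate above:
// the result is untrusted until its fingerprint has been checked.
func FetchRemoteCertificate(address string) (*x509.Certificate, error) {
	tr := &http.Transport{
		// Intentional: we want the raw certificate so we can fingerprint it.
		TLSClientConfig:     &tls.Config{InsecureSkipVerify: true},
		TLSHandshakeTimeout: 5 * time.Second,
	}
	client := &http.Client{Transport: tr, Timeout: 10 * time.Second}
	resp, err := client.Get(address)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
		return nil, errors.New("no peer certificate presented")
	}
	return resp.TLS.PeerCertificates[0], nil
}

// VerifyRemoteFingerprint fetches the remote certificate and accepts it only if its
// full SHA-256 fingerprint equals the one the operator obtained out of band. A 12-character
// prefix from the trust list is too short to rely on here; use the full value.
func VerifyRemoteFingerprint(address, expected string) (*x509.Certificate, error) {
	cert, err := FetchRemoteCertificate(address)
	if err != nil {
		return nil, err
	}
	got := CertFingerprint(cert)
	if got != expected {
		return nil, fmt.Errorf("fingerprint mismatch: got %s, expected %s", got, expected)
	}
	return cert, nil
}

// NewDemoServer starts a local HTTPS server with a self-signed certificate.
// Constructed fixture standing in for a cluster member; not a real LXD/Incus endpoint.
func NewDemoServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("ok"))
	}))
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()

	// In a real cluster "expected" comes from the member you already trust,
	// not from the connection you are about to trust.
	expected := CertFingerprint(srv.Certificate())
	cert, err := VerifyRemoteFingerprint(srv.URL, expected)
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted %s with fingerprint %s\n", cert.Subject, CertFingerprint(cert))
}
```

Only after VerifyRemoteFingerprint returns a certificate should it be added to a trust store; a certificate that fails the comparison is discarded, which is what keeps an unverified fetch from becoming a silent trust-on-first-use.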

I am sorry. We don’t provide support for LXD in this forum.

As stated above, I'm facing this in Incus too.
