Connecting to legacy LXD server via remote

Hello, I am using Incus 0.6 and have a legacy LXD 4.0.9 host. When I am trying to connect from Incus to the LXD server, I’m getting Error: not authorized.

I made sure that I set the token on the LXD side via lxc config set core.trust_password=XXXXXX. Both machines have port 8443 opened up in the firewall. But still incus remote add lxc lxc-host-r2 --accept-certificate -v cannot complete, and I don’t know where I could look up a log that might give me more information.

Is there a way to debug this failing connection?

Incus does not support trust passwords as they are extremely unsafe and so were removed before Incus 0.1.

To connect to LXD 4.0.x, your best bet is to transfer over your client’s client.crt (~/.config/incus/client.crt) and then trust that on the server with lxc config trust add client.crt.

At that point the incus remote add should just work.

1 Like

Thank you Stéphane, I wasn’t aware this feature was removed, but it makes sense. It is confusing though that when trying to add the remote on the incus side, it still asks to input a token.

Now I have looked in /root/.config/incus but am unable to find the client.crt. There is only an empty directory oidctokens and the file config.yml. However, when I tried to connect a remote for the first time, incus mentioned that a certificate was generated.

Am I even looking in the right place?
Edit: I found the client.crt in /home/ubuntu/.config/incus — does this mean every system user that is a member of the incus-admin group has their own certificate?

Yep, the certificate is per user, the whole concept of remotes is a CLI-specific thing and so the remote list, their certificates and your own certificate are all tracked per user.

1 Like

OK I was able to copy the incus client.crt over to the legacy LXD host and import it using lxc config trust add incus.crt.

There is now another error happening when trying to connect to the remote that leaves me puzzled:

$ incus remote add lxc lxc-host-r2 -v
Certificate fingerprint: XXXXXXXXXXXXXXXXXXX
ok (y/n/[fingerprint])? y
Error: json: cannot unmarshal bool into Go struct field Server.config of type string

Where is this error occurring?

Unset your core.trust_password on the LXD side, that’s likely what’s causing the API error.

1 Like

Thank you Stéphane, this was the final missing hint. These are all the steps I needed to do:

  1. Try to connect to the remote LXC host from the incus host one time. It will fail, but will generate a client certificate:
    incus remote add <remote_name> <remote_addr>

  2. Copy the file ~/.config/incus/client.crt to the LXC host. It is always in the home directory of the user you’re establishing the remote connection with.

  3. On the LXC host, import the client certificate:
    lxc config trust add client.crt

  4. On the LXC host, unset any token identification that might have been set up:
    lxc config unset core.trust_password

  5. Repeat the connection attempt on the incus host:
    incus remote add <remote_name> <remote_addr>

Et voilà! :wink:

2 Likes
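The steps above trust a client certificate on the LXD side and, in step 5, present the server's fingerprint at the "ok (y/n/[fingerprint])?" prompt. The safe way to answer either side of that exchange is to compare fingerprints you computed yourself (server fingerprint obtained out of band, client fingerprint as shown by the trust listing) rather than accepting blindly. The following added example, which is not from the thread or from the Incus/LXD projects, computes the SHA-256 fingerprint LXD and Incus use (hex of the DER-encoded certificate) from a PEM file such as ~/.config/incus/client.crt using only the Python standard library, and compares it with a value in any of the printed forms (upper case, colon-separated openssl style, or a truncated prefix as trust listings print; the 12-character minimum is an assumption). The embedded certificate is a constructed five-byte DER stand-in, not a real certificate.

```python
"""Compare a PEM certificate's SHA-256 fingerprint with a printed value.

Added example (stdlib only); helper names and the SAMPLE_PEM content are
constructed for illustration and are not part of Incus or LXD.
"""
import base64
import hashlib
import re

# Constructed stand-in for ~/.config/incus/client.crt: the bytes
# 30 03 02 01 01 form a minimal DER SEQUENCE, NOT a real X.509 certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text.

    client.crt carries only the public certificate; the private key lives in
    client.key next to it and is never what you copy to the server.
    """
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    # Every DER-encoded X.509 certificate starts with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def fingerprint(pem_text):
    """SHA-256 over the DER encoding, lowercase hex without separators.

    This is the fingerprint form LXD/Incus print for certificates.
    """
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()


def openssl_style(fp_hex):
    """Render a hex fingerprint as 'AB:CD:..' (the openssl x509 layout)."""
    fp_hex = fp_hex.upper()
    return ":".join(fp_hex[i:i + 2] for i in range(0, len(fp_hex), 2))


def normalize(shown):
    """Strip separators and case so any printed form compares equal."""
    return re.sub(r"[^0-9a-f]", "", shown.lower())


def matches(pem_text, shown, min_len=12):
    """True if 'shown' equals the certificate's fingerprint or is a prefix of
    at least min_len hex digits (assumed length of a truncated listing).

    Anything shorter is rejected: a very short prefix is too easy to collide.
    """
    candidate = normalize(shown)
    if len(candidate) < min_len:
        return False
    return fingerprint(pem_text).startswith(candidate)


if __name__ == "__main__":
    full = fingerprint(SAMPLE_PEM)
    print("fingerprint:", full)
    print("openssl form:", openssl_style(full))
    print("12-char prefix matches:", matches(SAMPLE_PEM, full[:12]))
```

To use it against a real file, read ~/.config/incus/client.crt into `pem_text` and compare the result with the FINGERPRINT column of `lxc config trust list` on the LXD host; for the server side, have the LXD administrator read the server fingerprint and type it at the prompt instead of `y`, or pass it through `--accept-certificate` only after this comparison succeeds.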

My final question would be: how can I generate a client certificate without initiating a connection attempt to a remote? The solution works but doesn’t seem like the clean way. I wasn’t able to find the right information in the documentation, it seems to assume that the cert already exists.

1 Like