"Forbidden" error connecting to lxd server

Hello folks,

I have an lxd server I’ve created, and I was able to auth a client to the server and copy a couple of images there. Now, on a second client, I am trying to add the remote so I can pull down images. However, each time I try to add the remote I get
Error: Get "https://10.1.1.1": Forbidden
immediately upon executing.

The network is a flat 10.1.1.0/24, with client-1 on 10.1.1.2 and client-2 on 10.1.1.3

From client-2, nc -v 10.1.1.1 8443 succeeds, and I can see 8443 listening on the server when I run ss -plant. Neither host has the firewall running, ufw status shows Inactive (plus nc is connecting, so I’ve ruled out a network issue).

My current server config is

config:
  core.https_address: 0.0.0.0
  core.trust_password: true

However I have also tried 10.1.1.1, 8443 and :8443 for the core.https_address, making sure I run systemctl reload snap.lxd.daemon.service after each config change.

lxc config trust show shows client-1 in the list, so I know the server was (still is?) working. In fact, I’m able to list images on the remote with lxc image list server:ubuntu as well as lxc copy images across to there.

Client-2, however, gets the “Forbidden” error in each instance. I’ve tried-

  1. lxc remote add https://10.1.1.1
  2. lxc remote add https://10.1.1.1:8443
  3. lxc remote add https://10.1.1.1 --protocol=simplestreams
    (3 failed with Error: Failed parsing streams: Get "https://10.1.1.1/streams/v1/index.json": Service Unavailable)
  4. From the server side- lxc config trust add with ubuntu@client-2 for the client name. Then from the client-2 side, I ran lxc remote add server <token-from-server>, which fails with the error All server addresses are unavailable, Please provide an alternate server address (empty to abort):- I’ve tried https://10.1.1.1 and https://10.1.1.1:8443 for this but neither has worked so far.

My understanding of the core.trust_password option was that this would prompt the client for a password configured on the server, and when the password was given the client could input a password and have their client certificate added to the trust store, but at the moment none of my clients are getting even the prompt for a password. Aside from client-2, I have client-3 and client-4 that have the same “Forbidden” issue. Is there something I’ve configured incorrectly?

That said, you probably want to run with --debug to get a better idea of exactly what’s returning that error.

Thank you @stgraber , I’ll give the --debug option a try, and head over to Canonical forums to repost my query there.

Also, wow that’s a quick response time! Thank you for that