How To Add a Certificate To Incus Remotely

I recently discovered the lxd license issue a few weeks ago and I have been trying to migrate to incus. Unfortunately, some of what works in lxd doesn’t work in incus; for example, adding a certificate by using the trust password doesn’t work anymore.

I use that functionality to add a certificate remotely from my app, as everything has to be done that way. Here is the previous way I was doing it, and I even had a topic about it:

For example, here is how I was doing it with lxd:

{
  "certificate": "X509 PEM certificate",
  "name": "castiana",
  "password": "blah",
  "type": "client"
}

Replacing it with the following so it adheres to incus is not working:

{
  "certificate": "X509 PEM certificate",
  "name": "castiana",
  "trust_token": "blah",
  "type": "client"
}

What is a sensible alternative to get this working for me remotely with incus? Help please?

Incus doesn’t have persistent trust passwords (core.trust_password) as that was quite an unsafe mechanism, the password often being unchanged for long periods of time and susceptible to brute force attacks.

Instead you can generate one-time trust tokens through incus config trust add.

The other option is to directly have the client’s certificate be added to the server either locally through incus config trust add-certificate or by an existing trusted client.


Ouch, that is bad :frowning: as there is a very good use case for it.

The idea here is that once the server is deployed, I can’t access it anymore, so the only way to communicate with it would be through incus remotely. Currently investigating incus config trust add-certificate to see how I can adjust it to support that.

I will update if it works as expected, thank you :wink:

Went with the incus config trust add-certificate option. I added the certificate immediately after the instance is deployed and that seems to work fine, thanks once again.

For future readers and future self:

The reason I asked this question was because I wanted to do everything remotely. My VPS provider has a way I can run a script on server deployment, so I was able to use input variables to pass the client cert with the API of my VPS provider. In Linode it is called StackScript, and in AWS it is called user data I think. Good luck!

Yeah, for a VPS with something like cloud-init, you can easily enough embed the public part of the keypair (.crt) and then have that be added through incus config trust add-certificate during deployment.

This is better from a security standpoint: if your cloud config data gets leaked somehow, nobody can really do anything with it. All they see is that your certificate is trusted, but without the private key they can’t do anything about it.

With your previous approach, the trust password being potentially leaked would have allowed anyone seeing it to get full admin access on the server.
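One way to wire this into a first-boot script, as an added example that is not from the thread or from the Incus project. It assumes the deployment platform (cloud-init user data, a Linode StackScript, etc.) exposes the PEM text of the client's .crt in an environment variable named CLIENT_CERT, and that incus is already installed and initialised on the host:

```shell
#!/bin/sh
# First-boot script: trust a pre-generated client certificate on a fresh Incus host.
# Assumptions (not from the thread): the deployment platform exposes the PEM text of
# the client's .crt as CLIENT_CERT, and incus is already installed and initialised.
# Only the public certificate is embedded; the private key never leaves the client.
set -eu

CERT_PATH="${CERT_PATH:-/root/client.crt}"   # where the .crt is written on the host

# Return 0 if the input looks like a PEM certificate and contains no private key.
# A leaked user-data blob should only ever reveal the public half of the keypair.
check_pem_cert() {
  pem="$1"
  case "$pem" in
    *"PRIVATE KEY"*) return 1 ;;
  esac
  case "$pem" in
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) return 0 ;;
  esac
  return 1
}

# Write the certificate to disk with permissions suitable for a public cert.
write_cert() {
  umask 022
  printf '%s\n' "$1" > "$2"
}

# Add the certificate to the server's trust store (the option the thread settled on)
# and list the trust store so the new fingerprint shows up in the deployment log.
trust_cert() {
  incus config trust add-certificate "$1"
  incus config trust list
}

deploy() {
  if ! check_pem_cert "$CLIENT_CERT"; then
    echo "CLIENT_CERT is not a bare PEM certificate; refusing to continue" >&2
    return 1
  fi
  write_cert "$CLIENT_CERT" "$CERT_PATH"
  trust_cert "$CERT_PATH"
}

# Only act when the platform actually supplied a certificate.
if [ -n "${CLIENT_CERT:-}" ]; then
  deploy
fi
```

The private-key check is there so a copy-paste mistake (embedding the .pem that holds both halves of the keypair) fails loudly instead of leaving the key in the provider's user data.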


I agree 100%. Thinking about it now, the trust password is a disaster waiting to happen, to be honest. Sometimes you never know until you try. Thanks for your hard work and for answering the community questions, you are goated!