I am a total newbie in the world of LXC/LXD and I find it so hard to understand how I can interact with lxd REST API which is installed on a remote server
From what I understood, I installed lxd on both client and remote server
I copied the client.crt file from the client and I paste it in the server
then I run a command in the server to trust that certificate I just pasted (lxd config trust add the_client_certificate.crt)
Now, in the client I added the remote server using: lxc remote add … which works fine
Hopefully I did things correctly so far, the challenging part is how to start making requests from the client to the server
I can find very few examples that shows a curl request that involve sending the client.crt and client.key within the request like this:
curl -k -s --cert ~/.config/lxc/client.crt --key ~/.config/lxc/client.key https://{SOME_REMOTE_IP}:8443
and somewhere I found this https://github.com/lxc/lxd/issues/2119#issuecomment-226321939 which tells to send only the client certificate not the key (which makes me confused), here is the quote:
You should only pass the certificate, not the private key.
Also, your private key is now on the internet so you probably should have it re-generated…
-
should I send both the client certificate + client key (of the client machine) within each request to the remote server API ? or just the client certificate ?
-
is it sufficient to rely on those certificates generated by lxd on the server and the client to make secure requests? or should I add somehow an ssl certificate to the server?
-
here is an example of what I tried to make a request with ruby
require 'rest-client'
client_key = OpenSSL::PKey.read(File.read('/root/snap/lxd/common/config/client.key'))
client_cert = OpenSSL::X509::Certificate.new(File.read('/root/snap/lxd/common/config/client.crt'))
response = RestClient::Request.execute(
method: :get,
url: "https://181.142.34.205:8443",
ssl_client_cert: client_cert,
ssl_client_key: client_key
)
which gives me an error:
/usr/lib/ruby/3.0.0/net/protocol.rb:46:in `connect_nonblock’: SSL_connect returned=1 errno=0 peeraddr=185.142.34.205:8443 state=error: certificate verify failed (self-signed certificate) (OpenSSL::SSL::SSLError)
maybe someone can see what I am doing wrong?!