Import image from url using self-signed certificate

So I want to import an image like this:
lxc image import https://lxd-images.local:8080/ --alias some-name

I copied the server's self-signed certificate to /etc/ca-certificates/trust-source/anchors/lxdocker.crt, ran update-ca-trust, and curl is happy.

But lxc still doesn’t like it:

Error: Head "https://lxd-images.local:8080/": x509: certificate signed by unknown authority

The same happens if I add a simplestreams remote like this:
lxc remote add my-remote https://lxd-images.local:8080 --protocol=simplestreams
The command succeeds but lxc launch doesn’t like the certificate.

What DOES work is copying the cert to /root/.config/lxc/servercerts/lxdocker.crt
Unfortunately that doesn’t work when using URLs with lxc import though.

So how can I find out why Go's HTTP client doesn't trust my certificate when relying on the system certificate store?

Any ideas @stgraber ?

So looks like this isn’t a snap environment?

If it was the snap, I’d have said to do a systemctl reload so that Go has a chance to reload the trust store. Did you try to restart LXD in your case?

2 Likes

No, I tried this natively on Arch. I just tried it and a restart of LXD actually worked :astonished:
While this solves the issue for me, is it supposed to be cached like that? Do Go's standard libraries do that, or LXD?

1 Like

That’s most likely go-tls loading up the massive certificates.crt as internal structs rather than reading it back on every connection.

It makes sense and is an approach seen in a bunch of other languages.
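To see what Go's verifier does with a root pool that was parsed before the new certificate was installed versus one parsed afterwards, here is an added example (not code from this thread or from LXD). The certificate is generated in memory as a stand-in; only the host name comes from the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// newSelfSignedCert builds a constructed stand-in for the image server's
// self-signed certificate; only the host name is taken from the question.
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demo runs the check Go's HTTP client performs on each handshake (chain the
// server cert to a root for the host name) against a pool parsed before the
// cert was installed (what a long-running daemon still holds) and one after.
func demo() (stale, fresh error) {
	const host = "lxd-images.local"
	cert, err := newSelfSignedCert(host)
	if err != nil {
		return err, err
	}
	stalePool := x509.NewCertPool() // trust store as loaded at daemon start
	freshPool := x509.NewCertPool() // trust store as reloaded after restart
	freshPool.AddCert(cert)
	_, stale = cert.Verify(x509.VerifyOptions{Roots: stalePool, DNSName: host})
	_, fresh = cert.Verify(x509.VerifyOptions{Roots: freshPool, DNSName: host})
	return stale, fresh
}
```

The stale pool yields the same "x509: certificate signed by unknown authority" error quoted above; the fresh pool verifies, which is exactly the difference a daemon restart makes.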

Would it make sense to add a note about that to the documentation? I can make a pull request if you agree.

Hmm, I don’t think it’d make sense on that page, maybe it would make sense on Image handling - LXD documentation

The other catch is that this is OS dependent; the way the system trust store works on different distributions and OSes varies quite a bit. Some use an X509 PEM aggregate like your system, some use a DER-based system trust store (which could be accessed live), so what's needed may vary between users.