So I want to import an image like this:
lxc image import https://lxd-images.local:8080/ --alias some-name
I copied the server's self-signed certificate to
curl is happy.
But lxc still doesn’t like it:
Error: Head "https://lxd-images.local:8080/": x509: certificate signed by unknown authority
The same happens if I add a simplestreams remote like this:
lxc remote add my-remote https://lxd-images.local:8080 --protocol=simplestreams
The command succeeds, but lxc launch doesn't like the certificate.
What DOES work is copying the cert to
Unfortunately that doesn't work when using URLs with lxc import though.
So how can I find out why Go's HTTP client doesn't trust my certificate when relying on the system certificate store?
So it looks like this isn't a snap environment?
If it was the snap, I’d have said to do a systemctl reload so that Go has a chance to reload the trust store. Did you try to restart LXD in your case?
No, I tried this natively on Arch. I just tried it, and a restart of LXD actually worked.
While this solves the issue for me, is it supposed to be cached like that? Do the Go standard libraries do that, or LXD?
That’s most likely go-tls loading up the massive certificates.crt as internal structs rather than reading it back on every connection.
It makes sense and is an approach seen in a bunch of other languages.
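The behaviour described above, as an added example that is not LXD's code and not part of the original thread: Go's crypto/x509 loads the system roots once per process (x509.SystemCertPool() hands out copies of that cached pool), so a certificate copied into the trust store after a daemon started is invisible to it until the process is restarted or the pool is rebuilt. The program below generates an in-memory self-signed CA and a leaf for lxd-images.local (both constructed here, standing in for the image server's certificate), verifies the leaf against an empty pool to reproduce the exact "x509: certificate signed by unknown authority" error, then rebuilds a pool from the PEM bytes, which is what a client that wants to pick up trust-store changes at run time has to do itself. All names and helpers are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSignedCA creates a throwaway key pair and self-signed CA certificate.
// It stands in for the self-signed certificate on the image server; it is
// generated in memory for this example and is not a real trust anchor.
func makeSelfSignedCA(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueServerCert signs a server (leaf) certificate for dnsName with the CA.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certToPEM encodes a certificate the way it sits in a PEM trust-store file.
func certToPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// poolFromPEM builds a fresh CertPool from PEM data read right now. This is the
// only way to see a certificate added to the trust store after the process
// started: x509.SystemCertPool() loads the system roots once per process and
// returns copies of that cached pool afterwards.
func poolFromPEM(pemData []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemData) {
		return nil, errors.New("no certificates found in PEM data")
	}
	return pool, nil
}

// verifyAgainst performs the chain and hostname check a Go TLS client applies
// to a server certificate, using the supplied roots instead of the system pool.
func verifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether err is the error type behind the
// "x509: certificate signed by unknown authority" message lxc printed.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	ca, caKey, err := makeSelfSignedCA("lxd-images.local CA")
	if err != nil {
		panic(err)
	}
	leaf, err := issueServerCert(ca, caKey, "lxd-images.local")
	if err != nil {
		panic(err)
	}
	// Stale pool: the CA is not in it, the state of a long-running daemon whose
	// cached roots predate the copy of the certificate into the trust store.
	err = verifyAgainst(leaf, x509.NewCertPool(), "lxd-images.local")
	fmt.Println("stale pool:", err, "| unknown authority:", isUnknownAuthority(err))
	// Fresh pool built from the PEM that now includes the CA, the state after
	// restarting LXD (or after a client rebuilds its pool on demand).
	pool, err := poolFromPEM(certToPEM(ca))
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh pool:", verifyAgainst(leaf, pool, "lxd-images.local"))
}
```

A client that must follow trust-store changes without a restart has to do what poolFromPEM does and set the result as RootCAs in a new tls.Config per connection; relying on the default (nil RootCAs) means the once-loaded system pool.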
Would it make sense to add a note about that to the documentation? I can make a pull request if you agree.
Hmm, I don't think it'd make sense on that page; maybe it would make sense on Image handling - LXD documentation.
The other catch is that this is OS-dependent: the way the system trust store works on different distributions and OSes varies quite a bit. Some use an X509 PEM aggregate like your system, some use a DER-based system trust store (which could be accessed live), so what's needed may vary between users.