So I want to import an image like this: lxc image import https://lxd-images.local:8080/ --alias some-name
I copied the server's self-signed certificate to /etc/ca-certificates/trust-source/anchors/lxdocker.crt, ran update-ca-trust and curl is happy.
But lxc still doesn’t like it:
Error: Head "https://lxd-images.local:8080/": x509: certificate signed by unknown authority
The same happens if I add a simplestreams remote like this: lxc remote add my-remote https://lxd-images.local:8080 --protocol=simplestreams
The command succeeds but lxc launch doesn’t like the certificate.
What DOES work is copying the cert to /root/.config/lxc/servercerts/lxdocker.crt
Unfortunately that doesn’t work when using URLs with lxc import though.
So how can I find out why Go's http client doesn’t trust my certificate when relying on the system certificate store?
No, I tried this natively on Arch. I just tried it and a restart of LXD actually worked
While this solves the issue for me, is it supposed to be cached like that? Do Go standard libraries do that, or LXD?
The other catch is that this is OS dependent: the way the system trust store works on different distributions and OSes varies quite a bit. Some use an X509 PEM aggregate like your system, some use a DER-based system trust store (which could be accessed live), so what’s needed may vary between users.