IncusOS cannot add remote due to trust token

I’m trying to install IncusOS bare-metal on an N100 mini PC. I’m using the flasher tool to build the installer because the mini PC doesn’t have a TPM and the web image builder won’t make an image with swtpm (even with a modified HTTP request). I have successfully installed the OS, but connecting to it via incus remote add <name> <ip> keeps asking for a trust token.

Based on other similar posts, this seems to occur when the client cert is not properly added to the image, but I can’t figure out where the problem is.

I’m using this bash script to build the image on Fedora 42, and using dd to write the img file to USB. I tried stripping out newlines from the cert with tr -d '\n' | jq <...> as well as trimming only trailing newlines with jq -Rs 'sub("\n+$"; "")' but neither fixed the trust token problem.

I’ve checked the installer USB partition 2 to make sure the seed is properly populated by my script, so if there’s an error, it should be in the JSON seed format, but what am I missing?

# buildimg.sh
CACHE_DIR='./cache'
FLASHER="${CACHE_DIR}/bin/flasher-tool"
# Get flasher tool
if [[ ! -d $CACHE_DIR || ! -x $FLASHER ]]; then
    if ! command -v go >/dev/null 2>&1; then
        >&2 echo 'go unavailable. Aborting...'
        exit 1
    fi
    export GOPATH="$(realpath ./$CACHE_DIR)"
    go install github.com/lxc/incus-os/incus-osd/cmd/flasher-tool@latest
fi

if ! command -v jq >/dev/null 2>&1; then
    >&2 echo 'jq unavailable. Aborting...'
    exit 1
fi

# Get certificate
AUTH_DIR='./auth'
mkdir -p $AUTH_DIR
CLIENT_CERT="${AUTH_DIR}/client.crt"
if [ -f $CLIENT_CERT ]; then
    CERT=$(jq -Rs . $CLIENT_CERT)
else
    if ! command -v incus >/dev/null 2>&1; then
        >&2 echo 'Incus CLI unavailable. Aborting...'
        exit 1
    fi
    CERT=$(incus remote get-client-certificate | tee $CLIENT_CERT | jq -Rs .)
fi

# Generate install seed tarball
TAR_FILE="${CACHE_DIR}/seed.tar"
jq -c ".preseed.certificates[].certificate=${CERT}" ./incus.json > ${CACHE_DIR}/incus.json
tar -cf $TAR_FILE install.json -C $CACHE_DIR incus.json

cd $CACHE_DIR
if [ -f *.img ]; then
    ${FLASHER/#$CACHE_DIR/.} -s ${TAR_FILE/#$CACHE_DIR/.} -f img -i *.img
else
    ${FLASHER/#$CACHE_DIR/.} -s ${TAR_FILE/#$CACHE_DIR/.} -f img
fi

// incus.json
{
    "apply_defaults": true,
    "preseed": {
        "certificates": [
            {
                "name": "admin",
                "type": "client",
                "description": "Initial admin client",
                "certificate": ""
            }
        ]
    }
}

// install.json
{
    "force_install": true,
    "security": {
        "missing_tpm": true
    }
}

It may be a formatting issue with the certificate field?

I’ve added the degraded boot security options to the download site now, so you could use it to get a clean image too.

Thank you. I got it working with the web image builder.

I think the JSON parser is bugged, because I tried extracting the install seed from the web builder and converted that into JSON using a converter, but that still prompted for a trust token. Once I swapped to YAML, I was able to get a working image with the flasher tool as well.
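
An added example, not code from the thread or from the IncusOS project: a pre-flash check that the certificate field of a generated incus.json seed still holds an intact PEM block whose SHA-256 fingerprint matches the client certificate. It shows that stripping newlines or leaving the template field empty is caught, while trimming only the trailing newline is not a problem for the PEM itself. The function names and the sample PEM (placeholder bytes, not a real certificate) are assumptions made for the example.

```python
import hashlib
import json
import ssl

HEADER = "-----BEGIN CERTIFICATE-----\n"

def fingerprint(pem: str) -> str:
    """Hex SHA-256 over the DER bytes carried by a PEM certificate block."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()

def check_seed(seed_text: str, client_pem: str) -> list:
    """Return the problems found in an incus.json seed; an empty list means OK."""
    want = fingerprint(client_pem)
    certs = json.loads(seed_text).get("preseed", {}).get("certificates", [])
    if not certs:
        return ["no preseed.certificates entries"]
    problems = []
    for i, entry in enumerate(certs):
        pem = entry.get("certificate", "")
        if HEADER not in pem:
            problems.append(f"entry {i}: PEM header missing or newlines stripped")
            continue
        try:
            got = fingerprint(pem)
        except ValueError as exc:  # bad framing or bad base64
            problems.append(f"entry {i}: undecodable PEM ({exc})")
            continue
        if got != want:
            problems.append(f"entry {i}: fingerprint {got[:12]} is not the client's {want[:12]}")
    return problems

# Constructed sample: placeholder bytes wrapped in PEM framing, not a real X.509 cert.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real certificate")

def seed_for(cert_field: str) -> str:
    """Build a seed shaped like the thread's incus.json with the given certificate value."""
    entry = {"name": "admin", "type": "client",
             "description": "Initial admin client", "certificate": cert_field}
    return json.dumps({"apply_defaults": True, "preseed": {"certificates": [entry]}})

if __name__ == "__main__":
    for label, field in [("intact", SAMPLE_PEM), ("empty", ""),
                         ("newlines stripped", SAMPLE_PEM.replace("\n", ""))]:
        print(label, "->", check_seed(seed_for(field), SAMPLE_PEM) or "OK")
```

Against a real build, pass the contents of the generated cache/incus.json and auth/client.crt to check_seed before running the flasher tool.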