Is it safe to use curl -k to send requests through the REST API to LXD?

After setting up certificates to access LXD via the REST API, I was able to send requests to the LXD daemon via curl. The command looks like this:

curl -k https://<ip>:<port>/1.0/instances --cert <path>\client.crt --key <path>\client.key

If this command is executed without the -k parameter, an error will be received:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the credibility of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

As far as I know, using -k makes the connection unsecured and leads to vulnerabilities, although both the official website and third-party sources provide an example of using curl with the -k parameter.

Does this really lead to a vulnerability or is this a feature of working with the LXD REST API, and if this is a feature of LXD, where can I read about it?

Thank you in advance.

Instead of -k, use --cacert <cacert.pem> where this is the server certificate of your lxd or incus server.

With incus, you can find the server certificate at /var/lib/incus/server.crt. With lxd, I don’t know - it’ll be buried somewhere in snapd directories I guess.

Or you can capture it using openssl s_client -connect x.x.x.x:8443
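
The pinning approach from the answer above, as an added shell example that is not part of the original thread: it captures the server's self-signed certificate, prints its fingerprint, and repeats the question's request with --cacert instead of -k. Function names, file arguments and the sample s_client output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify the LXD/Incus server against a
# pinned copy of its certificate instead of disabling verification with -k.

# Keep only the first PEM certificate found in `openssl s_client` output (stdin).
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1 }
         inside { print }
         /-----END CERTIFICATE-----/ { if (inside) exit }'
}

# usage: capture_server_cert host:port out.pem
# Saves the certificate the server presents; fails if nothing was captured.
capture_server_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | extract_first_cert >"$2"
    [ -s "$2" ]
}

# usage: cert_fingerprint cert.pem
# Prints the SHA-256 fingerprint so two copies of a certificate can be compared.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# usage: lxd_get https://host:port/1.0/instances server.crt client.crt client.key
# The request from the question, with the server checked against the pinned file.
lxd_get() {
    curl --cacert "$2" --cert "$3" --key "$4" "$1"
}

# Constructed sample of s_client output (the base64 body is not a real certificate).
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:O = Example, CN = constructed-sample
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVA==
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVA==
-----END CERTIFICATE-----
subject=O = Example, CN = constructed-sample
---
EOF
}
```

A certificate captured over the network is only as trustworthy as that first connection, so compare the cert_fingerprint output with the same command run against the file on the server (for Incus, /var/lib/incus/server.crt) before relying on it. curl still checks the host name or IP in the URL against the names in the pinned certificate.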
