Let's encrypt lxd.daemon: error: tls: private key does not match public key

with the latest stable snap version of lxd (2.21) I wanted to use a let’s encrypt generated certificates on my lxd server.

Let’s encrypt provides me with:

  • cert1.pem
  • chain1.pem
  • fullchain1.pem
  • privkey1.pem

I replaced the server.crt (chain1.pem) and the server.key (privkey1.pem) with the one I got from the let’s encrypt service certbot.

Now it seems that LXD deamon complains about this since there is a missmatch with the public key…
Where is this match occuring, where is the pubkey located?

I think I can overwrite this as well:
openssl rsa -in privkey1.pem -pubout -out pubkey.pem

I think this has to do with the certificate that it is saved on your directory which is checked against the one in the LXD server. Maybe you can cleanup the certificates at ~/.config/lxc/servercerts and try to use the lxc command again

There is no such servercerts in the snap directory.

ubuntu@ubuntu:~/snap/lxd/current/.config/lxc$ ls -la
total 16
drwxr-x--- 2 ubuntu ubuntu 4096 Mar 16 17:58 .
drwxr-x--- 3 ubuntu ubuntu 4096 Mar  9 14:56 ..
-rw-rw-r-- 1 ubuntu ubuntu  484 Mar  9 14:59 config.yml
-rw------- 1 ubuntu ubuntu    5 Mar 16 17:58 cookies

Check on the directory that I pointed, on your home directory, not on snap.

no luck either:

ubuntu@ubuntu:~$ ls -la
total 56
drwxr-xr-x 7 ubuntu ubuntu 4096 Mar 16 17:38 .
drwxr-xr-x 3 root   root   4096 Mar  9 14:53 ..
-rw------- 1 ubuntu ubuntu 5437 Mar 16 17:38 .bash_history
-rw-r--r-- 1 ubuntu ubuntu  220 Mar  9 14:53 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Mar  9 14:53 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Mar  9 14:54 .cache
-rw------- 1 ubuntu ubuntu   42 Mar 13 21:42 .lesshst
drwxrwxr-x 4 ubuntu ubuntu 4096 Mar 15 22:13 letsencrypt
-rw-r--r-- 1 ubuntu ubuntu  655 Mar  9 14:53 .profile
drwxr-xr-x 3 ubuntu ubuntu 4096 Mar  9 14:56 snap
-rw-r--r-- 1 ubuntu ubuntu    0 Mar  9 14:55 .sudo_as_admin_successful
drwxr-xr-x 2 ubuntu ubuntu 4096 Mar  9 18:28 .vim
-rw------- 1 root   root   3066 Mar 16 17:38 .viminfo

but the lxc image list command will work perfectly right when using the default generated server key and certs.

server.crt should be cert1.pem


this was the trick :slight_smile: thanks

I tried to add this newly secured server as a remote and get the following error:

lxc remote add my-img images.my.server --public --accept-certificate
x509: certificate signed by unknown authority

According to certbot / letsencrypt this is because I just use the cert1.pem instead of the fullchain1 or chain1 pem.

Try appending chain1.pem to your server.crt

using the fullchain1.pem solved this last issue.

Ah, I guess that’s exactly what fullchain1.pem is, it must be the cert + the chain in one file.

1 Like