Let's encrypt lxd.daemon: error: tls: private key does not match public key

With the latest stable snap version of lxd (2.21) I wanted to use Let's Encrypt generated certificates on my lxd server.

Let’s encrypt provides me with:

  • cert1.pem
  • chain1.pem
  • fullchain1.pem
  • privkey1.pem

I replaced the server.crt (chain1.pem) and the server.key (privkey1.pem) with the ones I got from the Let's Encrypt service certbot.

Now it seems that the LXD daemon complains about this since there is a mismatch with the public key…
Where is this match occurring, where is the pubkey located?

I think I can overwrite this as well:
openssl rsa -in privkey1.pem -pubout -out pubkey.pem

I think this has to do with the certificate that is saved in your directory, which is checked against the one in the LXD server. Maybe you can clean up the certificates at ~/.config/lxc/servercerts and try to use the lxc command again

There is no such servercerts in the snap directory.

ubuntu@ubuntu:~/snap/lxd/current/.config/lxc$ ls -la
total 16
drwxr-x--- 2 ubuntu ubuntu 4096 Mar 16 17:58 .
drwxr-x--- 3 ubuntu ubuntu 4096 Mar  9 14:56 ..
-rw-rw-r-- 1 ubuntu ubuntu  484 Mar  9 14:59 config.yml
-rw------- 1 ubuntu ubuntu    5 Mar 16 17:58 cookies

Check the directory that I pointed to, in your home directory, not in snap.

No luck either:

ubuntu@ubuntu:~$ ls -la
total 56
drwxr-xr-x 7 ubuntu ubuntu 4096 Mar 16 17:38 .
drwxr-xr-x 3 root   root   4096 Mar  9 14:53 ..
-rw------- 1 ubuntu ubuntu 5437 Mar 16 17:38 .bash_history
-rw-r--r-- 1 ubuntu ubuntu  220 Mar  9 14:53 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Mar  9 14:53 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Mar  9 14:54 .cache
-rw------- 1 ubuntu ubuntu   42 Mar 13 21:42 .lesshst
drwxrwxr-x 4 ubuntu ubuntu 4096 Mar 15 22:13 letsencrypt
-rw-r--r-- 1 ubuntu ubuntu  655 Mar  9 14:53 .profile
drwxr-xr-x 3 ubuntu ubuntu 4096 Mar  9 14:56 snap
-rw-r--r-- 1 ubuntu ubuntu    0 Mar  9 14:55 .sudo_as_admin_successful
drwxr-xr-x 2 ubuntu ubuntu 4096 Mar  9 18:28 .vim
-rw------- 1 root   root   3066 Mar 16 17:38 .viminfo

But the lxc image list command works perfectly when using the default generated server key and certs.

server.crt should be cert1.pem

2 Likes

This was the trick :) thanks

I tried to add this newly secured server as a remote and get the following error:

lxc remote add my-img images.my.server --public --accept-certificate
x509: certificate signed by unknown authority

According to certbot / letsencrypt this is because I just use cert1.pem instead of fullchain1.pem or chain1.pem.

Try appending chain1.pem to your server.crt

Using fullchain1.pem solved this last issue.

Ah, I guess that’s exactly what fullchain1.pem is, it must be the cert + the chain in one file.

1 Like
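The two errors in this thread come from two different checks: the "private key does not match public key" text is crypto/tls's, the check a Go server like LXD runs when it loads server.crt and server.key, while "certificate signed by unknown authority" is the client building a chain to a trusted root. The Go program below is an added example, not LXD's code; it builds a constructed, throwaway root, intermediate and leaf (stand-ins for the client's trust store, chain1.pem, and cert1.pem/privkey1.pem; the names root.example, intermediate.example and images.my.server are assumed) and exposes both checks as functions to call from a test or a small main of your own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// newCert issues a constructed, throwaway certificate for name, signed by parent (self-signed when parent is nil).
func newCert(name string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign is required on the issuers
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// KeyMatchesCert is the daemon-side check: crypto/tls compares the public key inside the cert with the private key's.
func KeyMatchesCert(cert *x509.Certificate, key ed25519.PrivateKey) error {
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key)
	_, err := tls.X509KeyPair( // a wrong pairing returns "tls: private key does not match public key"
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}))
	return err
}

// ChainVerifies is the client-side check (what lxc remote add does): the leaf must chain to a trusted root via the served intermediates.
func ChainVerifies(leaf, root *x509.Certificate, chain ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain { // empty chain models serving cert1.pem without chain1.pem
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: inters})
	return err
}
```

Pairing the intermediate (chain1.pem) with privkey1.pem reproduces the daemon's error, and verifying the leaf without the intermediate reproduces the client's; leaf + privkey1.pem and leaf + intermediate both pass.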