'Loading storage pools failed' on a restricted project confined to TLS client

slt · January 15, 2026, 4:22pm

Hello,

First of all, note that I’m new to incusOS and incus in general, so I may miss something obvious.

I’ve setup incusOS and wanted to give web access to it without giving admin access. As I understand it from the documentation ( How to confine projects to specific users - Incus documentation ), the way to do that is to:

Create a restricted ‘pentest’ project with: incus project create pentest and incus project set pentest restricted=true
Create a new TLS certificate by going on https://incusos:8443
Add the TLS client to the incus daemon and restrict its use to the ‘pentest’ project with incus config trust add-certificate ~/Downloads/incus-ui-restricted.crt --projects pentest --restricted

I thought I was good, but when trying to create a new instance from the webui with the TLS certiticate, I get this error:

I tried looking at the storage documentation, but I don’t really known what I am looking for

Any pointer?

Many thanks in advance!

stgraber · January 15, 2026, 7:42pm

I think that’s just a UI bug, basically the UI trying to hit an API which is restricted in this case.

Any chance you could use the web browser’s developer mode and look at the network tab for exactly what API calls it’s making and what’s failing?

Then we can tell if it’s something we should fix in Incus itself or in the UI.

slt · January 15, 2026, 9:47pm

There are several errors when loading the page, but the following ones may be the ones we’re looking for:

HTTP 403 on /10/projects/default?
image1218×394 73.1 KB
HTTP 500 on /1.0/storage-pools?recursion=1

image1218×378 75.9 KB

Any idea?

stgraber · January 16, 2026, 12:23am

Okay, the GET /1.0/storage-pools?recursion=1 feels like a bug to me.
Normally restricted users can still list storage pools, they just can’t see stuff from other projects.

Can you file a bug at Sign in to GitHub · GitHub?

slt · January 16, 2026, 9:16am

→ bug 2824 submitted!

I read in the chat that it was possible to have several certificates for the same remote, but I cannot find how: for the time being I would like to use the restricted TLS client certiticate with incus-client (while still keeping the admin access):

Can someone point me to where this is documented/explained?
I guess I will hit the same bug though, is that correct?

stgraber · January 16, 2026, 7:31pm

It’s likely to give you the same issue, yeah.

The way you use the per-remote certificates is by creating a folder at ~/.config/incus/clientcerts/ and then write REMOTE-NAME.crt and REMOTE-NAME.key in there. That will be used over the default client.crt and client.key.

slt · January 27, 2026, 7:59pm

bug reported and fixed => closing the thread!
Thank you!