Add support for LXD to automatically issue/renew its certificate through Let’s Encrypt or similar services (ACME).
LXD doesn’t currently support ACME. If users wish to use certificates from Let’s Encrypt or other ACME services, they have to obtain or renew the certificate themselves and then manually replace the LXD server’s
Adding ACME support to LXD makes this easier: the user only needs to set a few config options, and LXD takes care of issuing and renewing the certificate.
ACME support can be enabled by providing
If acme.ca_url is unset, it defaults to the URL used by Let’s Encrypt. While setting this up, it is worth pointing acme.ca_url at the CA’s staging environment first (Let’s Encrypt provides one), since failed attempts against the production service count against its rate limits.
LXD will issue a new certificate when one is needed. It checks the certificate’s expiration date on startup and once a day; if the certificate is valid for less than 30 days, it is renewed. If acme.domain changes, LXD issues a new certificate immediately, regardless of the remaining lifetime of the current one.
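The renewal decision described above, written out as an added example (this is not LXD’s code): a single function that is called both at startup and from the daily check, so both paths share the same rule. The 30-day threshold and the “reissue on acme.domain change” rule are taken from the spec; the self-signed certificate helper, the domain names and the function names are assumptions made for the example so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// renewBefore is the threshold from the spec: renew once the certificate is
// valid for less than 30 days.
const renewBefore = 30 * 24 * time.Hour

// needsRenewal decides whether a new certificate must be requested and why.
// domain is the configured acme.domain; now is passed in so the startup check
// and the daily check share one deterministic, testable function.
func needsRenewal(cert *x509.Certificate, domain string, now time.Time) (bool, string) {
	if cert == nil {
		return true, "no ACME certificate present"
	}
	// acme.domain changed (or the certificate was never issued for it):
	// reissue immediately, whatever the remaining lifetime.
	if err := cert.VerifyHostname(domain); err != nil {
		return true, fmt.Sprintf("certificate is not valid for %q", domain)
	}
	remaining := cert.NotAfter.Sub(now)
	if remaining <= 0 {
		return true, "certificate has expired"
	}
	if remaining < renewBefore {
		return true, fmt.Sprintf("certificate expires in %s", remaining.Round(time.Hour))
	}
	return false, ""
}

// selfSignedCert builds a throwaway certificate so the example runs offline;
// in LXD the certificate would come from the ACME CA (hypothetical helper).
func selfSignedCert(domain string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	cases := []struct {
		name   string
		domain string // value of acme.domain at check time
		expiry time.Duration
	}{
		{"fresh", "lxd.example.com", 90 * 24 * time.Hour},
		{"expiring", "lxd.example.com", 10 * 24 * time.Hour},
		{"domain changed", "new.example.com", 90 * 24 * time.Hour},
	}
	for _, c := range cases {
		cert, err := selfSignedCert("lxd.example.com", now.Add(-time.Hour), now.Add(c.expiry))
		if err != nil {
			panic(err)
		}
		renew, why := needsRenewal(cert, c.domain, now)
		fmt.Printf("%-15s renew=%v %s\n", c.name, renew, why)
	}
}
```

The domain check uses the certificate’s SANs rather than comparing the stored config value, so a certificate that was issued for a different name is caught even if the config key itself was edited by hand.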
For clusters, only the leader creates or renews certificates; the new certificate is then distributed to the other members using the existing cluster certificate update API. Since the CA fetches the challenge response from whatever address acme.domain resolves to, the admin’s port 80 proxy must route challenge requests to the member that is handling the order.
For the validation process, LXD will use the HTTP-01 challenge. This challenge requires the
/.well-known/acme-challenge/<TOKEN> endpoint, which will be provided by LXD. ACME also requires this endpoint to be reachable on port 80. LXD will not listen on this port itself; instead, the admin is responsible for setting up a reverse proxy that listens on port 80 and passes the request on to LXD. The proxy should forward only the /.well-known/acme-challenge/ path, so that the rest of the LXD API is not exposed over plaintext HTTP. A plain redirect to LXD’s HTTPS port is not a substitute for the proxy: Let’s Encrypt follows HTTP-01 redirects only to ports 80 and 443.
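The port 80 proxy the spec leaves to the admin, as an added example (not LXD’s code, and not a recommended production proxy, just a minimal one that shows the security-relevant checks): it forwards only well-formed HTTP-01 challenge requests to LXD and answers 404 to everything else, and it pins LXD’s server certificate instead of disabling TLS verification. The LXD address, the server.crt path and the function names are assumptions for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"regexp"
	"strings"
)

const challengePrefix = "/.well-known/acme-challenge/"

// ACME challenge tokens are base64url without padding (RFC 8555 section 8.3),
// so anything outside that alphabet is rejected before it reaches LXD.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// newChallengeProxy returns a handler that forwards only HTTP-01 challenge
// requests to LXD. Every other path gets a 404, so the plaintext port 80
// listener never exposes the rest of the LXD API.
func newChallengeProxy(lxd *url.URL, transport http.RoundTripper) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(lxd)
	rp.Transport = transport
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !strings.HasPrefix(r.URL.Path, challengePrefix) {
			http.NotFound(w, r)
			return
		}
		// r.URL.Path is already percent-decoded, so "%2F" and "../" both
		// show up as a "/" in the token and fail the alphabet check.
		token := strings.TrimPrefix(r.URL.Path, challengePrefix)
		if !tokenRe.MatchString(token) {
			http.NotFound(w, r)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed deployment values (not from the spec): LXD's HTTPS API on
	// loopback, and its self-signed server certificate in server.crt so the
	// proxy can pin it rather than skip verification.
	lxd, err := url.Parse("https://127.0.0.1:8443")
	if err != nil {
		log.Fatal(err)
	}
	pemData, err := os.ReadFile("server.crt")
	if err != nil {
		log.Fatal(err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemData) {
		log.Fatal("server.crt contains no certificates")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	log.Fatal(http.ListenAndServe(":80", newChallengeProxy(lxd, tr)))
}
```

The same allow-list logic applies if the proxy is nginx or HAProxy instead: a single location block for /.well-known/acme-challenge/ that proxies to LXD, and nothing else on port 80.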
The following new endpoint will be added:
No CLI changes.
No database changes.
No upgrade handling.
- Initially, only a single domain will be supported.
- The existing server certificate is replaced by the ACME-issued one; old certificates are not kept.
- LXD will not store ACME account information, so it registers a new account each time a certificate is issued or renewed. Note that CAs rate-limit account registration (Let’s Encrypt limits new accounts per IP address), which matters if certificates are issued frequently.