LXD - Configuration of location of server.crt/key

Good day all.

Does anyone know if the following file locations are configurable at all?

/var/lib/lxd/server.crt
/var/lib/lxd/server.key
/var/lib/lxd/server.ca

If I can avoid using symlinks that would be great.

FYI, I’ve gone over the settings here Server configuration - LXD documentation and can’t seem to see any reference that would suggest I can change the location.

No they are always stored there I’m afraid.

Thanks Tom

If I raised a feature request, any chance that would be addressed?

Any thoughts @stgraber ?

No, pretty sure we won’t want to have them anywhere else.
It’s particularly important that we are in control of them these days as we have APIs to update them both for clustering purposes and to support things like the Let’s Encrypt integration.


Morning @stgraber

I can understand wanting to keep tight control when you are managing the certificates. However this is for the condition where we are not using self-signed certs, nor are we using LXD’s framework to manage the certificates.
With the most recent versions, I thought the cluster certs are now entirely separate from server.crt/server.key/server.ca

Thank you for the consideration though.

Doug

Clusters do use cluster.crt and cluster.key for the global certificate used on the API endpoints.
However as mentioned, LXD does support self-updating its own certificate files and so expects to own the files and be able to write to them.

It’s fine for you to use your own certificates, but the expectation from LXD is that the files are still in the same spot and are real files (not symlinks). Most LXD installs use the snap package which comes with strong separation between the snap’s filesystem and the host system, so LXD in general isn’t supposed to access data outside of its data directory and cannot follow symlinks outside of it.

For those cases where I want server.crt/server.key managed externally, I’ve just had my deployment tool (Ansible book usually) directly update server.crt and server.key in place with a trigger of systemctl reload snap.lxd.daemon when either file gets updated.
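The in-place update and reload described in the last post, written out as a small POSIX shell script. This is an added example, not the poster's Ansible playbook or any LXD project code. It assumes the non-snap data directory /var/lib/lxd named earlier in the thread (overridable through the LXD_DIR environment variable), assumes the certificate and key come from some external issuer such as an ACME client, and uses `systemctl reload snap.lxd.daemon` exactly as the post does. The point it makes concrete is the constraint from the thread: LXD must keep owning real files at the fixed paths, so the script rewrites the existing files' contents rather than swapping in a symlink or a renamed file.

```shell
#!/bin/sh
# Added example: rotate LXD's server.crt/server.key in place and reload the daemon.
# Assumption: LXD_DIR defaults to /var/lib/lxd, the path given in the thread.
set -eu

LXD_DIR="${LXD_DIR:-/var/lib/lxd}"

# refuse_symlink PATH: LXD expects real files it can write to, and a snap-confined
# daemon cannot follow a symlink out of its data directory, so never write through one.
refuse_symlink() {
    if [ -L "$1" ]; then
        echo "refusing: $1 is a symlink" >&2
        return 1
    fi
    return 0
}

# install_inplace SRC DST MODE: copy SRC's bytes into DST by truncating and
# rewriting it (same inode), so ownership and any handle LXD holds stay valid;
# MODE is enforced afterwards so a key never ends up world-readable.
install_inplace() {
    src="$1"; dst="$2"; mode="$3"
    refuse_symlink "$dst" || return 1
    [ -f "$src" ] || { echo "missing source $src" >&2; return 1; }
    cat "$src" > "$dst"
    chmod "$mode" "$dst"
}

# changed NEW INSTALLED: true when the installed file differs from (or lacks) the new one.
changed() {
    ! cmp -s "$1" "$2"
}

# rotate NEW_CRT NEW_KEY: install both files only if either differs, then reload
# the daemon (reload, not restart, so running instances are untouched).
rotate() {
    new_crt="$1"; new_key="$2"
    if changed "$new_crt" "$LXD_DIR/server.crt" || changed "$new_key" "$LXD_DIR/server.key"; then
        install_inplace "$new_crt" "$LXD_DIR/server.crt" 0644
        install_inplace "$new_key" "$LXD_DIR/server.key" 0600
        systemctl reload snap.lxd.daemon
        echo "certificate rotated, daemon reloaded"
    else
        echo "no change"
    fi
}

# Usage (issuer paths are placeholders, not from the thread):
#   LXD_DIR=/var/lib/lxd ./rotate-lxd-cert.sh /path/to/fullchain.pem /path/to/privkey.pem
if [ "$#" -eq 2 ]; then
    rotate "$1" "$2"
fi
```

Running the script from a renewal hook keeps LXD's own certificate management untouched: the files stay where the daemon expects them, stay regular files, and the reload is only triggered when the bytes actually changed.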