LXD json api cannot find auth

Hey,

I recently wanted to switch my stuff to LXD to make deployment easier.
But I could not find a way to auth my JSON requests.

I got to the point that I generated a cert and added that cert to the LXD node. I already sent the cert to the API, but it still does not authenticate.

Can someone explain to me how I auth on the web API?
I checked multiple documentations, but I could not figure out how.

From Proxmox I am used to sending the credentials, getting tokens and using them for further requests.
But here the API even refuses my generated cert.

Thanks.

Generating a RSA private key
................................++++
..........................................................................++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Quebec
Locality Name (eg, city) []:Montreal
Organization Name (eg, company) [Internet Widgits Pty Ltd]:stgraber.net
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:my client
Email Address []:
stgraber@castiana:~/api$ lxc config trust add client.crt 
stgraber@castiana:~/api$ lxc config trust list 
+--------------+-------------+-----------------------------+-----------------------------+
| FINGERPRINT  | COMMON NAME |         ISSUE DATE          |         EXPIRY DATE         |
+--------------+-------------+-----------------------------+-----------------------------+
| 005e0a1c713f | my client   | May 5, 2020 at 2:00pm (UTC) | May 5, 2021 at 2:00pm (UTC) |
+--------------+-------------+-----------------------------+-----------------------------+
stgraber@castiana:~/api$ curl -s -k https://localhost:8443/1.0 --cert client.crt --key client.key | jq .metadata.auth
"trusted"
stgraber@castiana:~/api$ 

That’s what I did. I send the cert + key JSON-encoded to the API and all I get is not authorized.
No error message, nothing.

{"error":"not authorized","error_code":403,"type":"error"}

My code: https://pastebin.com/RPDw6vMq
The documentation said JSON, and so I posted that.

Lemme make your life easier, here's “my” (forked and updated) Composer lib for PHP: https://github.com/turtle0x1/php-lxd

Here's how to create certs: https://github.com/turtle0x1/php-lxd/blob/master/docs/configuration.md

The docs are out of date; you should use the agnostic “instances” URL by default, for example:

// Don't do this
$containers = $client->containers->all();
// Do this
$instances = $client->instances->all();

Well, I do not want to use a 3rd party lib, that’s why I asked.
I do not want to learn your 3rd party lib, I want to understand the LXC API.

Why does my code above not work?


I implemented it the wrong way; everything works now.
Sorry @stgraber and thanks for the hint.
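
The curl call from the reply above, written in PHP (the language of the library suggested in the thread) with only the bundled curl extension; this is an added example, not code from the thread or from php-lxd. It assumes LXD listens on https://localhost:8443, that client.crt was added with lxc config trust add, and that server.crt is a copy of the LXD server certificate whose names cover the host used.

```php
<?php
declare(strict_types=1);

// Added example. The URL and file names are assumptions; server.crt is
// assumed to be a copy of the LXD server certificate.
const LXD_URL = 'https://localhost:8443';

/**
 * GET an LXD API path. The client certificate and key are handed to the TLS
 * layer, so they authenticate the connection; nothing goes into a JSON body.
 */
function lxdGet(string $path, ?string $cert, ?string $key, string $serverCert): array
{
    $ch = curl_init(LXD_URL . $path);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        // Verify the server against its own certificate instead of curl -k.
        CURLOPT_CAINFO         => $serverCert,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ];
    if ($cert !== null && $key !== null) {
        $opts[CURLOPT_SSLCERT] = $cert; // same role as curl --cert
        $opts[CURLOPT_SSLKEY]  = $key;  // same role as curl --key
    }
    curl_setopt_array($ch, $opts);

    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('TLS or transport failure: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $json   = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    return ['status' => $status, 'json' => $json];
}

// Without a client certificate the handshake still completes, but LXD treats
// the caller as untrusted; with a trusted certificate it reports "trusted".
$anon   = lxdGet('/1.0', null, null, 'server.crt');
$authed = lxdGet('/1.0', 'client.crt', 'client.key', 'server.crt');
printf("no client cert:   %s\n", $anon['json']['metadata']['auth'] ?? 'n/a');
printf("with client cert: %s\n", $authed['json']['metadata']['auth'] ?? 'n/a');

// A protected endpoint answers with the 403 "not authorized" error quoted in
// the thread unless the certificate was presented in the handshake.
$list = lxdGet('/1.0/instances', 'client.crt', 'client.key', 'server.crt');
printf("GET /1.0/instances -> HTTP %d\n", $list['status']);
```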