LXD remote certificate expired. Add back linuxcontainers.org

LXC / LXD version 0.15

Hi, I built a small LXD/LXC server a few years ago with Ubuntu 15.04 and all was great. Alas, I awoke one morning to launch a new container and it said the certificate was different… maybe it said expired. I was trying to launch an image from the public repo.

I thought this would be easy: go delete the existing remote cert sitting in the config folder, remove the remote and re-add it. Note the remote I am trying to add is the public linuxcontainers.org.

Whenever I try to add the remote it asks me for a password. From reading the documentation, should this not just ask me to approve a fingerprint, and the cert will be installed for the trust?

What is the true syntax and prereq to get this to work? (I did set a core trust password on my local LXD server via the lxc config command.)

Here is the command I am running and a snapshot of the output.

lxc remote add ubuntu https://images.linuxcontainers.org

Note I did cat the cert and it is a cert. When I try to launch I get unknown remote. So even with a cert present maybe the failed op with the password is causing this?

If I use a slightly different URL I get “error not found” from this command:
lxc remote add images us.images.linuxcontainers.org


lxc remote add images https://images.linuxcontainers.org

As we normally use the images: prefix for the images from linuxcontainers.org.

Thanks Thomas, I had tried that one, here was the response:

root@galileo:~# lxc remote add images https://images.linuxcontainers.org
Admin password for images:
error invalid character  < looking for beginning of value

The password they ask for should be my local core trust password, correct? Set by:

lxc config set core.trust_password SECRET

I don’t think that your LXD server’s password should affect adding external remotes.

@brauner @freeekanayaka @monstermunchkin any ideas?

LXC / LXD version 0.15

I just had a look at the code for v0.15, and it will always ask you for a password (see https://github.com/lxc/lxd/blob/lxd-0.15/lxc/remote.go#L130-L143). However, it’s not asking for the core.trust_password password.

Have you tried using an empty password?

@monstermunchkin same thing with empty password.

Do we know the context of what password it is asking for, and if that one can be set somewhere?

It looks to me that the issue is not the password, but the next step in parsing information from the remote.

As if the old client is using some old URL and gets back an HTML file (error invalid character < looking for beginning of value).

@simos that makes sense

root@galileo:~# curl https://images.linuxcontainers.org
<title>301 Moved Permanently</title>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://us.images.linuxcontainers.org/">here</a>.</p>
<address>Apache/2.4.7 (Ubuntu) Server at images.linuxcontainers.org Port 443</address>

Note that the response is different if I use the redirect of us.images.linuxcontainers.org, in my original post.
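
The parse failure discussed above can be reproduced offline. This is an added example, not part of the thread and not LXD's own code: it feeds a raw HTTP response to Go's `encoding/json` the way a client expecting a JSON API reply would. The sample responses are constructed (the redirect's headers are assumed), and `inspect` and `Report` are hypothetical names.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Constructed samples: the first is modelled on the curl output in the thread
// (its headers are assumed); the second is a hypothetical JSON API reply.
const (
	htmlRedirect = "HTTP/1.1 301 Moved Permanently\r\n" +
		"Location: https://us.images.linuxcontainers.org/\r\n" +
		"Content-Type: text/html\r\n\r\n" +
		"<title>301 Moved Permanently</title>\n<h1>Moved Permanently</h1>\n"
	jsonReply = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n" +
		`{"type":"sync","status":"Success"}`
)

// Report records what a client that JSON-decodes every reply would see.
type Report struct {
	Status    int    // HTTP status code
	Location  string // redirect target, empty if none
	DecodeErr string // encoding/json error text, empty if the body was JSON
}

// inspect parses one raw HTTP response and tries to decode its body as JSON.
func inspect(raw string) (Report, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return Report{}, err
	}
	defer resp.Body.Close()
	r := Report{Status: resp.StatusCode, Location: resp.Header.Get("Location")}
	var v map[string]interface{}
	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
		r.DecodeErr = err.Error()
	}
	return r, nil
}

func main() {
	for _, raw := range []string{htmlRedirect, jsonReply} {
		fmt.Println(inspect(raw))
	}
}
```

An error of this form when adding a remote points at the endpoint returning a web page rather than at the certificate or the password, so the status code and `Location` header are the first things to check.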

Does that mean it works now for you?

@monstermunchkin no 🙂

root@galileo:~# lxc remote add images https://us.images.linuxcontainers.org
Admin password for images:
error not found

If I’m reading the code correctly, it’s trying to do a POST to https://us.images.linuxcontainers.org/certificates which doesn’t exist (and doesn’t need to exist either).

Just out of curiosity: Is there a specific reason as to why you’re still using LXD 0.15?

None in particular, just that LXD has been solid on this machine for all that time.

Am I safe to upgrade it or will it have issues with the underlying LXC of Ubuntu 15.04?

I did try to download an image directly and import it, which is a possible workaround; however, it stated unknown arch… I then modified the metadata of that import (focal 20.04) and the image import worked and had an ARCH.

However, on launch it stated “unknown compression”. This is why I came back to this thread, thinking that the next problem was for sure version related and supported compression.

Ubuntu 15.04 is not supported anymore, and you cannot apt update unless you change the repositories to old-releases and upgrade to 16.04. By doing so, you can switch to LXD 2.0.11, which is better supported.

Alright, thank you everyone, looks like I will rebuild that box and get to test the import export 🙂