I am hosting an LXD instance with the UI enabled. I have passed through the UI via NGINX proxy manager and Cloudflare is proxying the connection with DNS from a subdomain.
On my local network, I can successfully generate a client authentication certificate, store it and gain access to my server.
On my NGINX proxy (domain), my browser has the certificate selected; however, the LXD UI does not seem to notice it and I get the error below of “no matching certificate add operation found”.
I have generated new certificates, replaced them, and executed the command on the LXD host, to no avail.
Notably, when I access the UI from the local network I am prompted to select my certificate. On the NGINX domain side, this is not true - I am never asked to present the certificate; however, my browser reports that I have selected to use the certificate on this domain in the privacy menu.
I have attempted this from two machines on my network, both Edge and Firefox – same results.
I have set the hostname using hostnamectl set-hostname to the appropriate domain name on the host in case this was the issue.
Below is my NGINX proxy manager configuration file.
server {
    listen 443 ssl;
    server_name redacted;

    # SSL configuration
    ssl_certificate /opt/certs/cloudflare/readacted;
    ssl_certificate_key /opt/certs/cloudflare/redacted;

    # Security enhancements for SSL/TLS
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # Proxy settings
        proxy_pass https://redacted:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # SSL proxy settings
        proxy_ssl_certificate /opt/certs/cloudflare/redacted.pem;
        proxy_ssl_certificate_key /opt/certs/cloudflare/redacted.key;
        proxy_ssl_verify off;
    }
}
Additionally, here is the output of the command lxc config show:
root@lxd:/home/user# lxc config show
config:
  core.https_address: '[::]:8443'
  core.trust_password: true
  user.ui_title: redacted.com
root@edith:/home/user#
Is it possible that NGINX is not allowing the client certificates?
Is there some other configuration that I need to accomplish?