LXD UI Not Recognizing Certificates over NGINX Proxy Manager

I am hosting an LXD instance with the UI enabled. I have passed through the UI via NGINX proxy manager and Cloudflare is proxying the connection with DNS from a subdomain.

On my local network, I can successfully generate a client authentication certificate, store it and gain access to my server.

On my NGINX proxy (domain), my browser has the certificate selected; however, LXD UI does not seem to notice it and I get the error below of “no matching certificate add operation found”.


I have generated new certificates, replaced them, executed the command on the LXD host to no avail.

Notably, when I access the UI from the local network I am prompted to select my certificate. On the NGINX domain side, this is not true - I am never asked to present the certificate however my browser reports that I have selected to use the certificate on this domain in the privacy menu.

I have attempted this from two machines on my network, both Edge and Firefox – same results.

I have set the hostname using hostnamectl set-hostname to the appropriate domain name on the host in case this was the issue.

Below is my NGINX proxy manager configuration file.

server {
    listen 443 ssl;
    server_name redacted;

    # SSL configuration
    ssl_certificate /opt/certs/cloudflare/readacted;
    ssl_certificate_key /opt/certs/cloudflare/redacted;

    # Security enhancements for SSL/TLS
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # Proxy settings
        proxy_pass https://redacted:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # SSL proxy settings
        proxy_ssl_certificate /opt/certs/cloudflare/redacted.pem;
        proxy_ssl_certificate_key /opt/certs/cloudflare/redacted.key;
        proxy_ssl_verify off;
    }
}

Additionally, here is the output of the command lxc config show:

root@lxd:/home/user# lxc config show
config:
  core.https_address: '[::]:8443'
  core.trust_password: true
  user.ui_title: redacted.com
root@edith:/home/user# 

Is it possible that NGINX is not allowing the client certificates?
Is there some other configuration that I need to accomplish?

Wrong place for LXD support, but HTTP reverse proxies will not let TLS certificates pass through them, so it’s normal that this wouldn’t work.

Can you make a new client cert for a domain and install it in a browser? I want to learn how to make a new client cert for a domain with lxc.

I might be wrong, but I think the last release of Incus allows you to do what you want. Not sure LXD has this.
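
An added example, not written by any poster in this thread: the configuration in the question terminates the browser's TLS session at NGINX (`listen 443 ssl`) and opens a second TLS session to LXD, so the browser's client certificate never reaches port 8443. Relaying raw TCP with the nginx stream module keeps the handshake end to end. The hostnames, upstream names and the 8444 loopback port are placeholders, and the example assumes the stream and ssl_preread modules are available and that the Cloudflare record is DNS-only, since Cloudflare's proxy also terminates TLS.

```nginx
# Top level of nginx.conf, beside the http {} block (not inside it).
# Requires the stream module and ngx_stream_ssl_preread_module.
stream {
    # Pick a backend from the SNI name in the ClientHello, without decrypting.
    map $ssl_preread_server_name $tls_target {
        lxd.example.com   lxd_backend;      # placeholder public name for the LXD UI
        default           local_https;      # every other site stays on the HTTP proxy
    }

    upstream lxd_backend {
        server lxd.internal.example:8443;   # placeholder for the LXD host (core.https_address)
    }

    upstream local_https {
        # Placeholder: the existing "listen ... ssl" server blocks must be moved
        # to this loopback port, because the stream server now owns port 443.
        server 127.0.0.1:8444;
    }

    server {
        listen 443;                 # no "ssl" keyword: nginx must not terminate TLS here
        ssl_preread on;             # read SNI only; the handshake is forwarded untouched
        proxy_pass $tls_target;     # raw TCP relay; LXD itself requests the client certificate
        proxy_connect_timeout 5s;
    }
}
```

With passthrough the browser is shown LXD's own server certificate rather than the one configured on the proxy, and NGINX can no longer add headers such as X-Forwarded-For because it never sees the HTTP request.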