Object Storage: lxd Error: Get remote error: tls: protocol version not supported on

I got the error in the title while trying to import an image from a URL. I am using Linode Object Storage, and I think it supports TLS 1.1 or so. Is there any way to make it work? Would setting some kind of insecure flag fix this?

Anyone using S3? Can you import from an S3 URL? I wouldn’t want to switch, but I can do that as a last resort.

If you set LXD_INSECURE_TLS (see https://linuxcontainers.org/lxd/docs/master/environment/#common), you should be able to go down to TLS 1.2. I did a bit of research and apparently this should be sufficient:

$ echo | openssl s_client -connect us-southeast-1.linodeobjects.com:443 2>&1 | grep -wF Protocol
    Protocol  : TLSv1.2

I found the above DNS name in https://www.linode.com/docs/products/storage/object-storage/guides/urls/#signed-urls

If you are a Linode customer, I think it’s worth asking them to enable TLS 1.3 on their side. Maybe they already have that on their roadmap.
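The mismatch discussed in this thread, reproduced offline as an added example (not code from the thread or from the LXD code base): a Go TLS client with a TLS 1.3 floor talks to a local test server capped at TLS 1.2, then retries with its floor lowered to TLS 1.2. That the TLS 1.3 floor matches LXD's default is an assumption, and `probe` is a hypothetical helper name.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe starts a throwaway HTTPS server on localhost that accepts nothing
// newer than serverMax, then issues one GET from a client that refuses
// anything older than clientMin. It returns the negotiated TLS version.
func probe(serverMax, clientMin uint16) (uint16, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") }))
	srv.TLS = &tls.Config{MaxVersion: serverMax}
	srv.StartTLS()
	defer srv.Close()

	client := srv.Client() // already trusts the test server's certificate
	client.Transport.(*http.Transport).TLSClientConfig.MinVersion = clientMin
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err // handshake failures surface here
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	cases := []struct {
		label                string
		serverMax, clientMin uint16
	}{
		// Assumption: a TLS 1.3 floor stands in for the client's default.
		{"server <=1.2, client >=1.3 (assumed default)", tls.VersionTLS12, tls.VersionTLS13},
		{"server <=1.2, client >=1.2 (lowered floor)", tls.VersionTLS12, tls.VersionTLS12},
		{"server <=1.3, client >=1.3", tls.VersionTLS13, tls.VersionTLS13},
	}
	for _, c := range cases {
		v, err := probe(c.serverMax, c.clientMin)
		if err != nil {
			fmt.Printf("%-46s -> %v\n", c.label, err)
			continue
		}
		fmt.Printf("%-46s -> negotiated 0x%04x\n", c.label, v)
	}
}
```

The first case fails with the same `remote error: tls: protocol version not supported` text as in the thread title; the other two complete the handshake at 0x0303 (TLS 1.2) and 0x0304 (TLS 1.3).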

Thanks for the reply, I have reached out to Linode on how I can upgrade the TLS version, here is the reply:

Currently, our Object Storage service is able to utilize TLS 1.0, 1.1 and 1.2 for compatibility with older applications. If you are using the default domain to access your bucket, it will not use version 1.2.

Please use the following guide to obtain a TLS/SSL cert for your Object Storage bucket. You will need a domain to perform this:

Configure a Custom Domain (with a TLS/SSL Certificate) | Linode Docs

Once this has been configured, your application should access your bucket using TLS 1.2 and resolve the issues you are facing.

So, to get upgraded to TLS 1.2, I need a custom domain and to upload the cert, just for TLS 1.2.

Just tried with Backblaze B2 and it works fine, would be migrating to that.

I am currently experimenting with AWS S3, I would put CloudFront in front, this way, it gets distributed, I am still experimenting, and would report back my findings.

Edit 2:
Testing completed, AWS S3 + CloudFront works too, and super fast, this is really fine for me, so, I rest my case on this one.

Hmm, the explanation/workaround from Linode is weird, why can’t they support TLS 1.2 across the board? Anyway, I’m glad you found a working solution with AWS S3 + CloudFront.

I never tried and have no affiliation but I’ve heard that Cloudflare R2 (S3-compatible) was much cheaper: https://www.cloudflare.com/products/r2/

I was baffled too, so weird.

Thank you, this is way cheaper, I can use this as an additional mirror and give it a higher priority, this way when R2 is down, it can use a new mirror, CloudFront in this case, and down the chain, you get. This way, it is durable.

Here is the flow (The higher up the chain, the higher the prioritizing, you get the idea)

Thanks, appreciate your suggestion.
