As the title states, is there any way to provide a ‘valid’ server certificate for the LXD HTTPS API, without resorting to SSL termination via a reverse proxy? Note that I’m not referring to client certificates used for authentication, but the actual server certificate used to encrypt the HTTPS tunnel for the LXD API.
For standalone deployments, you can just replace the server.crt and server.key files and restart LXD.
For cluster deployments, you can use lxc cluster update-certificate to replace the cluster certificate on the entire cluster (you should never directly touch server.crt and server.key in a clustered deployment).
2 Likes
Thank you, that’s exactly what I was after!
On my Debian box with LXD installed via snap, this is /var/snap/lxd/common/lxd/server.crt and /var/snap/lxd/common/lxd/server.key.
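A pre-flight check for the standalone replacement described in this thread, as an added example that is not part of the original posts or of LXD's own tooling. The function names `check_pair` and `install_pair`, the 7-day minimum validity, the file modes and the `.bak` backups are assumptions made here; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: validate a certificate/key pair before it replaces
# server.crt and server.key on a standalone (non-clustered) LXD host.

# SHA-256 of the public key (DER SubjectPublicKeyInfo) inside a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair CERT KEY [MIN_DAYS]
# Returns 0 if usable, 2 if a file is unreadable, 3 if the key does not
# belong to the certificate, 4 if the certificate expires within MIN_DAYS.
check_pair() {
    cert=$1; key=$2; min_days=${3:-7}
    # Parse both files first, so a failed parse cannot look like a match.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "unreadable certificate: $cert" >&2; return 2; }
    openssl pkey -in "$key" -noout 2>/dev/null ||
        { echo "unreadable private key: $key" >&2; return 2; }
    [ "$(cert_pubkey_hash "$cert")" = "$(key_pubkey_hash "$key")" ] ||
        { echo "private key does not match certificate" >&2; return 3; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 4; }
    return 0
}

# install_pair CERT KEY LXD_DIR
# LXD_DIR is e.g. /var/snap/lxd/common/lxd for the snap install mentioned above.
# Keeps the previous files as *.bak so a bad swap can be rolled back.
install_pair() {
    check_pair "$1" "$2" || return $?
    dir=$3
    for f in server.crt server.key; do
        if [ -f "$dir/$f" ]; then cp -p "$dir/$f" "$dir/$f.bak"; fi
    done
    install -m 0644 "$1" "$dir/server.crt" &&
        install -m 0600 "$2" "$dir/server.key"
    # Restart LXD afterwards so it loads the new pair.
}
```

A mismatched key or an unreadable file stops the swap before anything in the LXD directory is touched. On a cluster, use lxc cluster update-certificate instead, as the answer says.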