Remote error: tls: handshake failure

Hi,

I’m trying to migrate from LXD to Incus 6.0.0 bundled with Ubuntu 24.04. Accessing a remote fails:

$ incus image ls images:
Error: Failed parsing stream: Get "https://images.linuxcontainers.org/streams/v1/index.json": remote error: tls: handshake failure

$ incus launch images:ubuntu/focal
Launching the instance
Error: Failed instance creation: Failed getting remote image info: Failed getting image: Failed parsing stream: Get "https://images.linuxcontainers.org/streams/v1/index.json": remote error: tls: handshake failure

Incus monitor does not provide any additional information; the relevant entry looks like:

location: none
metadata:
  class: task
  created_at: "2024-10-11T16:05:57.068650024+03:00"
  description: Creating instance
  err: 'Failed getting remote image info: Failed getting image: Failed parsing stream:
    Get "https://images.linuxcontainers.org/streams/v1/index.json": remote error:
    tls: handshake failure'
  id: 9eb7d02a-3748-4b53-bf3a-9941c8c4dbf2
  location: none
  may_cancel: false
  metadata: null
  resources:
    containers:
    - /1.0/instances/national-gnat
    instances:
    - /1.0/instances/national-gnat
  status: Failure
  status_code: 400
  updated_at: "2024-10-11T16:05:57.068650024+03:00"
project: default
timestamp: "2024-10-11T16:05:57.700527465+03:00"
type: operation

I am behind a corporate proxy; however, LXD works here out of the box. I tried setting core.proxy_http/proxy_https with the same result.

Does curl https://images.linuxcontainers.org/streams/v1/index.json work? (With or without proxy variables set?)

Yes. Curl, wget, browser. All work.

Try setting core.http_proxy and core.https_proxy with incus config set.

Note, however, that Incus is picky about TLS: we don’t allow TLS connections with versions less than 1.3. If your corporate proxy is old and forces everything on TLS 1.1 or 1.2, then that’d be the problem.

We do have an environment variable that can be set for the client and server to bypass that requirement. Environment variables - Incus documentation

Setting INCUS_INSECURE_TLS=true for the server in /etc/default/incus and for the client in /etc/profile.d did the trick.

More suggestive diagnostics would be great, but thanks!
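The TLS 1.3 minimum described earlier in this thread can be checked for directly rather than inferred from a generic handshake error. The following Go program is an added example, not part of the thread and not Incus code: it probes an endpoint first with a TLS 1.3-only client and then with TLS 1.2 allowed, run here against a local test server capped at TLS 1.2 as a constructed stand-in for an old intercepting proxy. The function names (`startServer`, `probe`, `diagnose`) are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

var names = map[uint16]string{tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
// startServer runs a local HTTPS server capped at maxVersion (0 = no cap); constructed test peer.
func startServer(maxVersion uint16) (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MaxVersion: maxVersion}
	srv.StartTLS()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only this test server's certificate
	return srv, roots
}

// probe handshakes with addr, refusing versions below minVersion, and names the negotiated one.
func probe(addr string, minVersion uint16, roots *x509.CertPool) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: minVersion, RootCAs: roots})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return names[conn.ConnectionState().Version], nil
}

// diagnose tells a version-floor mismatch apart from other handshake failures.
func diagnose(addr string, roots *x509.CertPool) string {
	if v, err := probe(addr, tls.VersionTLS13, roots); err == nil {
		return "ok: negotiated " + v
	}
	v, err := probe(addr, tls.VersionTLS12, roots)
	if err != nil {
		return "failed even with TLS 1.2 allowed: " + err.Error()
	}
	return "peer tops out at " + v + ": a TLS 1.3-only client cannot connect"
}

func main() {
	for _, limit := range []uint16{tls.VersionTLS12, 0} {
		srv, roots := startServer(limit)
		fmt.Println(diagnose(srv.Listener.Addr().String(), roots))
		srv.Close()
	}
}
```

Against a real endpoint, `probe` would be pointed at the host and port the client actually reaches, with `roots` set to the CA pool that client trusts; a result of "peer tops out at TLS 1.2" identifies the device on the path that needs upgrading.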