Tls remote connection problem

jph · April 4, 2022, 3:12pm

I have lxd systems running on ubuntu 18.04 and 22.04. So far these two systems could interact with each other. Now however I get the following error:

lxc list astroglia2:
Error: Get https://10.76.25.11:8443/1.0: remote error: tls: protocol version not supported

Or from the other side:

lxc remote add astrocyte2
Error: Get “https://astrocyte2:8443”: tls: server selected unsupported protocol version 303

How can I relax/adjust the lxd tls requirements?

stgraber · April 4, 2022, 3:38pm

You can set LXD_INSECURE_TLS=true in the environment of the LXD 5.0 system.

Easiest way to do this would be systemctl edit snap.lxd.daemon and then add a section like:

[Service]
Environment=LXD_INSECURE_TLS=true

To get it applied, you could try systemctl reload snap.lxd.daemon which may do the trick. If it doesn’t, a full system reboot is likely the easiest alternative.

Michael_Zanetti · April 5, 2022, 9:16pm

Also exporting LXD_INSECURE_TLS=true doesn’t seem to be working for me with 5.0.0 when connecting to an image server running 2.21. Still getting the same error.

stgraber · April 5, 2022, 9:22pm

You’d need to make sure that both your LXD server and your LXD client have it set as copies between images servers involves the client tool itself connecting to the source server.

amartin33 · April 6, 2022, 12:42pm

Can you elaborate on what exactly is required so that LXD_INSECURE_TLS=true is not needed? For example, I have openssl 1.1.1+ on both client and server (and see TLSv1.3 in the output of openssl ciphers -v), yet it still can’t communicate.

tomp · April 6, 2022, 12:43pm

Can you give an example of the command you’re running that’s failing?

CC @sdeziel

amartin33 · April 6, 2022, 12:58pm

With LXD 5.0.0 on both client and server, I run this on the client and cannot get access to the remote:

 $ lxc list example1:
Error: Get https://example1:8443/1.0: remote error: tls: protocol version not supported

The remote is as follows:

+-----------------+------------------------------------------+---------------+-----------+--------+--------+
|      NAME       |                   URL                    |   PROTOCOL    | AUTH TYPE | PUBLIC | STATIC |
+-----------------+------------------------------------------+---------------+-----------+--------+--------+
| example1        | https://example1:8443                    | lxd           | tls       | NO     | NO     |
+-----------------+------------------------------------------+---------------+-----------+--------+--------+

sdeziel · April 6, 2022, 1:25pm

With LXD 5.0 on both sides, I cannot reproduce your issue.

$ snap list lxd
Name  Version        Rev    Tracking       Publisher   Notes
lxd   5.0.0-c5bcb80  22826  latest/stable  canonical✓  -

Could you provide the output of those commands please:

command -v lxc
lxc version
snap list lxd

Thanks!

amartin33 · April 6, 2022, 7:04pm

Thank you, when running command -v lxc I was able to see that the apt package version of LXD was still installed on the client along with the snap; the apt package binary was first on the $PATH, so it was getting called on the client instead of the newer LXD 5.0.0 snap version. After removing the apt package version so only the snap package version is present on the $PATH, it is now working.

sdeziel · April 6, 2022, 7:05pm

Great, thanks for reporting back!