TLS server certificate not working

I followed this guide: Remote API authentication - Incus documentation

But my domain hasn’t been issued a Let’s Encrypt certificate. The service is accessible over HTTP and HTTPS, but without a valid certificate.

Do I have to restart a daemon or reload the configs?

This is my config:

config:
  acme.agree_tos: "true"
  acme.domain: sub.domain.tld
  acme.email: email@gmail.com
  core.https_address: '[::]:8443'

Incus
Client version: 6.7
Server version: 6.7

Nope, it would normally issue it immediately, no need for restart.

Maybe try clearing the config, then run incus monitor --pretty in a terminal while putting the config back in place from another. That may show you some useful error messages.


@stgraber you are right, I’m getting the errors:

INFO   [2024-12-09T18:47:12Z] Issuing certificate                           caURL= domain=sub.domain.tld
INFO   [2024-12-09T18:47:13Z] http: TLS handshake error from 127.0.0.1:52208: client sent an HTTP request to an HTTPS server 
WARNING[2024-12-09T18:47:16Z] Failed to obtain certificate, retrying in 10 seconds  caURL= domain=sub.domain.tld err="error: one or more domains had a problem:\n[sub.domain.tld] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 188.188.188.188: Invalid response from http://sub.domain.tld/.well-known/acme-challenge/JuXEKjOwraE01Cr2wON6EmmeP74xZg2F74chGQdwLjw: 400\n"

When I open the “.well-known/acme-challenge” URL in the browser I get
“Client sent an HTTP request to an HTTPS server.” but it should accept HTTP connection, right?

Incus only does HTTPS. To have ACME domain validation work properly, you need to have a reverse proxy of some kind handle HTTP traffic and, at minimum, send a 302-type redirect to the HTTPS address.

Remote API authentication - Incus documentation has an example of how to do this with haproxy.
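The failure in the log above is the classic HTTP-01 shape: the CA fetches `http://<domain>/.well-known/acme-challenge/<token>` on port 80, and an HTTPS-only daemon answering that socket returns 400 instead of the token or a redirect. The script below is an added example, not part of this thread or of Incus or frp; it is a pre-flight check an operator can run before setting `acme.domain`. It fetches the challenge path over plain HTTP without following redirects, then classifies the answer the way a validator would experience it. To stay runnable offline it also spins up two throwaway loopback servers that emulate a correct redirecting reverse proxy and an HTTPS-only backend; the hostnames, token and messages in it are constructed.

```python
"""Pre-flight check for ACME HTTP-01 in front of an HTTPS-only backend.

Added example (not Incus/frp code). Assumes only the Python standard library.
"""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

CHALLENGE_PATH = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, token="probe-token"):
    """Fetch the challenge URL over plain HTTP; return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    url = base_url.rstrip("/") + CHALLENGE_PATH + token
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # raised for every non-2xx, incl. 3xx
        return err.code, err.headers.get("Location")


def classify(status, location):
    """Say whether an HTTP-01 validator could proceed from this port-80 answer."""
    if status == 200:
        return "ok: challenge served directly over HTTP"
    if status in REDIRECT_CODES and location:
        target = urlparse(location)
        # The redirect must keep the challenge path or the token is lost.
        if target.scheme == "https" and target.path.startswith(CHALLENGE_PATH):
            return "ok: redirected to HTTPS, validator will follow"
        return f"bad: redirect to {location} does not preserve the challenge path"
    if status == 400:
        return "bad: 400 on port 80, an HTTPS-only backend is answering plain HTTP"
    return f"bad: unexpected status {status}"


class _Redirector(http.server.BaseHTTPRequestHandler):
    """Emulates a correctly configured reverse proxy on the HTTP port (constructed)."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "https://sub.domain.tld" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


class _HttpsOnly(http.server.BaseHTTPRequestHandler):
    """Emulates an HTTPS-only daemon receiving plain HTTP (constructed)."""

    def do_GET(self):
        body = b"Client sent an HTTP request to an HTTPS server.\n"
        self.send_response(400)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def _serve(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Probe both emulated setups; returns {name: verdict}."""
    verdicts = {}
    for name, handler in (("redirector", _Redirector), ("https_only", _HttpsOnly)):
        srv = _serve(handler)
        try:
            status, location = probe(f"http://127.0.0.1:{srv.server_port}")
            verdicts[name] = classify(status, location)
        finally:
            srv.shutdown()
            srv.server_close()
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Against a real deployment, call `probe("http://sub.domain.tld")` from a host outside your network and feed the result to `classify`; a 400 verdict is exactly what the monitor output in this thread shows, and a redirect verdict that drops the path means the proxy rewrites the URL and the CA will never see the token.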

Yes, I had to change my reverse proxy config a bit. Thanks for the pointers.

I use frp (GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet) and this is what works:

serverAddr = "xxx.xxx.xxx.xxx"
serverPort = 7000

[[proxies]]
name = "plugin_http2https"
type = "http"
customDomains = ["incus.domain.tld"]
[proxies.plugin]
type = "http2https"
localAddr = "127.0.0.1:8443"

[[proxies]]
name = "incus_https"
type = "https"
localPort = 8443
customDomains = ["incus.domain.tld"]

Interesting. I have not heard of frp before. I usually use caddy. Do you recommend it?

Yes, I use it for our internal tooling and for my homelab setup.