On Thu, Jun 02, 2016 at 11:03:15PM +0900, Tomasz Chmielewski wrote:
> On 2016-06-02 22:40, Andrey Repin wrote:
>
> > > So... what is the correct procedure to update the certificate on LXD
> > > server and make sure it's still accepted by LXD clients?
> >
> > I would go a long route and set up my own CA.
>
> Though, I actually did that already...
>
> > Alternative is to make yourself a certificate through a third-party CA,
> > like Let's Encrypt.
>
> Well, it seems that LXD is fine with self-signed certificates as well. Which
> is OK with me.
>
> However, changing a cert with LXD is painful:
>
> - needs new server.crt/server.key in /var/lib/lxd, and lxd restart?
> force-reload?

Removing them and restarting LXD will generate new ones.

> - if any client connected to IP address (and not to domain name),
> certificate needs to have them as SAN (subject alternative names)

Letting LXD re-generate the certificate will make sure all IPs are included.

> - there is no "lxd remote" command to accept a new certificate from the
> server - so LXD clients have to go through the painful "set up a different
> default remote (or, set it to local), remove the remote with expired
> certificate, add the remote with the new certificate, set it as a new
> default etc.

Yeah. We didn't want to make it too easy to do that (too easy to shoot
yourself in the foot), but a "lxc remote" command to re-do the initial
handshake would be fine with me.

> - LXD / lxc command does not alert that the cert is about to expire, so the
> user finds out when it's too late and the system stops working correctly
> (think automated starting / removal of containers etc.)

Yeah, we didn't expect anyone to run into such issues just yet as our
certificates have a 10-year expiry.

We did have old versions of LXD issue 1-year certificates very much at the
beginning of the project, but this was fixed over a year ago, so most
installations will have a 10-year certificate.

> - could not find anything about changing the cert in LXD docs, so it was a
> bit of a problem working out why it doesn't work anymore and how to fix it
>
>
> The whole process could be designed a bit better :)

Yeah, I guess we didn't expect anyone would have upgraded systems from a
pre-0.10 version of LXD all the way to current :)

We figured we had 10 years to take care of the certificate rotation logic.

Anyway, for anyone affected by this, remove any affected .crt and its
matching .key (~/.config/lxc/client.crt and ~/.config/lxc/client.key for a
client certificate or /var/lib/lxd/server.crt and /var/lib/lxd/server.key
for a server certificate).

Then if re-generating a server certificate, restart the daemon.
If re-generating a client certificate, just do any lxc command.

You'll then have to remove and re-add any affected remote.

And you'll be good for another decade.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
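An added example, not part of this thread or of LXD itself: a POSIX shell check that covers the gap Tomasz describes (no warning before a certificate expires) by running `openssl x509 -checkend` against the default LXD client and server certificate paths named in the message. The 30-day threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or from LXD): warn before an LXD certificate expires.
# Paths are the LXD defaults named in the thread; the 30-day threshold is an assumption.

# check_cert_expiry FILE [DAYS]
#   returns 0: certificate is still valid DAYS days from now
#   returns 1: certificate expires within DAYS days (or has already expired)
#   returns 2: file missing or unreadable
check_cert_expiry() {
    cert="$1"
    days="${2:-30}"
    [ -r "$cert" ] || return 2
    # openssl exits 0 when the certificate will NOT expire within the given number of seconds
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1 && return 0
    return 1
}

# cert_not_after FILE: print the notAfter date of a PEM certificate
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# report_lxd_certs [DAYS]: check the default client and server certificate locations,
# print one status line per file, and return 1 if any certificate is near expiry.
report_lxd_certs() {
    days="${1:-30}"
    status=0
    for cert in "${HOME:-/root}/.config/lxc/client.crt" /var/lib/lxd/server.crt; do
        rc=0
        check_cert_expiry "$cert" "$days" || rc=$?
        case $rc in
            0) echo "OK       $cert (notAfter $(cert_not_after "$cert"))" ;;
            1) echo "WARNING  $cert expires within $days days (notAfter $(cert_not_after "$cert")); regenerate it and re-add the remote"
               status=1 ;;
            *) echo "SKIP     $cert not found or unreadable" ;;
        esac
    done
    return $status
}

report_lxd_certs "${1:-30}"
```

Run it from cron or a monitoring agent so the WARNING line arrives before automated container start/stop jobs begin failing.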
_______________________________________________ lxc-users mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-users
