On 2016-06-02 22:40, Andrey Repin wrote:
>> So... what is the correct procedure to update the certificate on LXD
>> server and make sure it's still accepted by LXD clients?
> I would go a long route and set up my own CA.
> Though, I actually did that already...
> Alternative is to make yourself a certificate through third-party CA,
> like Let's Encrypt.
Well, it seems that LXD is fine with self-signed certificates as well.
Which is OK with me.
However, changing a cert with LXD is painful:
- needs new server.crt/server.key in /var/lib/lxd, and lxd restart?
force-reload?
- if any client connected to IP address (and not to domain name),
certificate needs to have them as SAN (subject alternative names)
- there is no "lxd remote" command to accept a new certificate from the
server - so LXD clients have to go through the painful "set up a
different default remote (or, set it to local), remove the remote with
expired certificate, add the remote with the new certificate, set it as
a new default etc."
- LXD / lxc command does not alert that the cert is about to expire, so
the user finds out when it's too late and the system stops working
correctly (think automated starting / removal of containers etc.)
- could not find anything about changing the cert in LXD docs, so it was
a bit of a problem working out why it doesn't work anymore and how to
fix it
The whole process could be designed a bit better :)
Tomasz Chmielewski
http://wpkg.org
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
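The rotation procedure Tomasz lists above (new server.crt/server.key with IP SANs, daemon restart, remove-and-re-add of the remote on every client, plus the expiry check LXD itself does not do), as an added shell script. It is example code written for this page, not from the thread participants or from the LXD project. Assumptions: the server cert lives in /var/lib/lxd/server.crt and server.key as the message says; the host runs systemd, so a restart is `systemctl restart lxd`; the client's copy of a trusted server cert is assumed to sit in ~/.config/lxc/servercerts/<remote>.crt; the hostnames, IPs and remote names used in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example for the lxc-users thread above; not LXD's own tooling.
# Subcommands:
#   san-config CN NAME...      print an openssl config whose SAN list covers NAME...
#   check CERT [DAYS]          exit 0 if CERT is still valid for DAYS more days (default 30)
#   rotate DIR CN NAME...      generate a new self-signed cert+key in DIR and restart lxd
#   readd REMOTE ADDR          drop and re-add a client remote so it trusts the new cert
set -eu

# Build an openssl config whose subjectAltName covers every name a client
# might dial: anything with a colon or made only of digits and dots is an IP:
# entry, everything else a DNS: entry. Clients that were added by IP address
# (lxc remote add foo 192.0.2.10) will otherwise fail verification.
san_config() {
    cn=$1; shift
    sans=""
    for name in "$@"; do
        case "$name" in
            *:*)        entry="IP:$name"  ;;   # IPv6 literal
            *[!0-9.]*)  entry="DNS:$name" ;;   # contains a letter or dash: hostname
            *)          entry="IP:$name"  ;;   # dotted quad
        esac
        sans="${sans:+$sans,}$entry"
    done
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
    printf '[dn]\nCN=%s\n[ext]\nsubjectAltName=%s\n' "$cn" "$sans"
}

# The "about to expire" warning the message asks for: openssl -checkend takes
# seconds, so convert days. Run this from cron against /var/lib/lxd/server.crt
# and against ~/.config/lxc/servercerts/*.crt on each client (assumed path).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 ))
}

# Server side: write a fresh self-signed cert and key next to the old pair,
# keep the old pair as .bak, then restart the daemon (assumed systemd unit).
rotate_server_cert() {
    dir=$1; cn=$2; shift 2
    san_config "$cn" "$@" > "$dir/san.cnf"
    openssl req -x509 -newkey rsa:4096 -nodes -days 3650 \
        -keyout "$dir/server.key.new" -out "$dir/server.crt.new" \
        -config "$dir/san.cnf"
    chmod 600 "$dir/server.key.new"
    cp -p "$dir/server.crt" "$dir/server.crt.bak"
    cp -p "$dir/server.key" "$dir/server.key.bak"
    mv "$dir/server.crt.new" "$dir/server.crt"
    mv "$dir/server.key.new" "$dir/server.key"
    systemctl restart lxd
    openssl x509 -in "$dir/server.crt" -noout -subject -ext subjectAltName -enddate
}

# Client side: the dance from the message, since there is no command to
# accept a replacement cert for an existing remote. --accept-certificate
# trusts whatever the server presents, so verify the fingerprint out of band.
readd_remote() {
    name=$1; addr=$2
    lxc remote set-default local
    lxc remote remove "$name"
    lxc remote add "$name" "$addr" --accept-certificate
    lxc remote set-default "$name"
}

case "${1:-}" in
    san-config) shift; san_config "$@" ;;
    check)      cert_valid_for_days "$2" "${3:-30}" ;;
    rotate)     shift; rotate_server_cert "$@" ;;
    readd)      readd_remote "$2" "$3" ;;
    *)          : ;;    # no subcommand: just define the functions
esac
# e.g. sh lxd-cert-rotate.sh rotate /var/lib/lxd lxd1.example.com lxd1.example.com 192.0.2.10
#      sh lxd-cert-rotate.sh readd lxd1 192.0.2.10
```

`check` returns non-zero once the cert is inside the warning window, so a cron line such as `sh lxd-cert-rotate.sh check /var/lib/lxd/server.crt 30 || mail -s "LXD cert expiring" root` gives the alert the client and daemon do not.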