On 2016-06-02 22:40, Andrey Repin wrote:

So... what is the correct procedure to update the certificate on LXD
server and make sure it's still accepted by LXD clients?

I would go a long route and set up my own CA.
Though, I actually did that already...

Alternative is to make yourself a certificate though third-party CA, like
Let's Encrypt.

Well, it seems that LXD is fine with self-signed certificates as well. Which is OK with me.

However, changing a cert with LXD is painful:

- needs new server.crt/server.key in /var/lib/lxd, and lxd restart? force-reload?

- if any client connected to IP address (and not to domain name), certificate needs to have them as SAN (subject alternative names)

- there is no "lxd remote" command to accept a new certificate from the server - so LXD clients have to go through the painful "set up a different default remote (or, set it to local), remove the remote with expired certificate, add the remote with the new certificate, set it as a new default etc.

- LXD / lxc command does not alert that the cert is about to expire, so the user finds out when it's too late and the system stops working correctly (think automated starting / removal of containers etc.)

- could not find anything about changing the cert in LXD docs, so it was a bit of a problem working out why it doesn't work anymore and how to fix it


The whole process could be designed a bit better :)


Tomasz Chmielewski
http://wpkg.org
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Reply via email to