Re: [lxc-users] lxc exec / list: x509: certificate has expired or is not yet valid
Greetings, Tomasz Chmielewski!

>>> So... what is the correct procedure to update the certificate on LXD
>>> server and make sure it's still accepted by LXD clients?
>>
>> I would go a long route and set up my own CA.
>> Though, I actually did that already...
>>
>> Alternative is to make yourself a certificate through third-party CA,
>> like Let's Encrypt.

> Well, it seems that LXD is fine with self-signed certificates as well.
> Which is OK with me.

LXD itself, maybe. But your clients?
You'd need to tell them somehow that your self-signed certificate has changed.
I've found that properly issued certificates are way easier to manage.

> The whole process could be designed a bit better :)

Well, LXD is relatively new, and your report will surely count towards its
improvement!

-- 
With best regards,
Andrey Repin
Thursday, June 2, 2016 18:26:04

Sorry for my terrible English...

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] lxc exec / list: x509: certificate has expired or is not yet valid
On Thu, Jun 02, 2016 at 11:03:15PM +0900, Tomasz Chmielewski wrote:
> On 2016-06-02 22:40, Andrey Repin wrote:
> 
> > > So... what is the correct procedure to update the certificate on LXD
> > > server and make sure it's still accepted by LXD clients?
> > 
> > I would go a long route and set up my own CA.
> > Though, I actually did that already...
> > 
> > Alternative is to make yourself a certificate through third-party CA,
> > like Let's Encrypt.
> 
> Well, it seems that LXD is fine with self-signed certificates as well. Which
> is OK with me.
> 
> However, changing a cert with LXD is painful:
> 
> - needs new server.crt/server.key in /var/lib/lxd, and lxd restart?
>   force-reload?

Removing them and restarting LXD will generate new ones.

> - if any client connected to IP address (and not to domain name),
>   certificate needs to have them as SAN (subject alternative names)

Letting LXD re-generate the certificate will make sure all IPs are included.

> - there is no "lxd remote" command to accept a new certificate from the
>   server - so LXD clients have to go through the painful "set up a different
>   default remote (or, set it to local), remove the remote with expired
>   certificate, add the remote with the new certificate, set it as a new
>   default" etc.

Yeah. We didn't want to make it too easy to do that (too easy to shoot
yourself in the foot), but a "lxc remote" command to re-do the initial
handshake would be fine with me.

> - LXD / lxc command does not alert that the cert is about to expire, so the
>   user finds out when it's too late and the system stops working correctly
>   (think automated starting / removal of containers etc.)

Yeah, we didn't expect anyone to run into such issues just yet as our
certificates have a 10-year expiry. We did have old versions of LXD issue
1-year certificates very much at the beginning of the project, but this was
fixed over a year ago, so most installations will have a 10-year certificate.

> - could not find anything about changing the cert in LXD docs, so it was a
>   bit of a problem working out why it doesn't work anymore and how to fix it
> 
> The whole process could be designed a bit better :)

Yeah, I guess we didn't expect anyone would have upgraded systems from a
pre-0.10 version of LXD all the way to current :)

We figured we had 10 years to take care of the certificate rotation logic.

Anyway, for anyone affected by this, remove any affected .crt and its matching
.key (~/.config/lxc/client.crt and ~/.config/lxc/client.key for a client
certificate, or /var/lib/lxd/server.crt and /var/lib/lxd/server.key for a
server certificate).

Then, if re-generating a server certificate, restart the daemon. If
re-generating a client certificate, just run any lxc command.

You'll then have to remove and re-add any affected remote.

And you'll be good for another decade.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-users] lxc exec / list: x509: certificate has expired or is not yet valid
On 2016-06-02 22:40, Andrey Repin wrote:

> > So... what is the correct procedure to update the certificate on LXD
> > server and make sure it's still accepted by LXD clients?
> 
> I would go a long route and set up my own CA.
> Though, I actually did that already...
> 
> Alternative is to make yourself a certificate through third-party CA,
> like Let's Encrypt.

Well, it seems that LXD is fine with self-signed certificates as well. Which
is OK with me.

However, changing a cert with LXD is painful:

- needs new server.crt/server.key in /var/lib/lxd, and lxd restart?
  force-reload?
- if any client connected to IP address (and not to domain name),
  certificate needs to have them as SAN (subject alternative names)
- there is no "lxd remote" command to accept a new certificate from the
  server - so LXD clients have to go through the painful "set up a different
  default remote (or, set it to local), remove the remote with expired
  certificate, add the remote with the new certificate, set it as a new
  default" etc.
- LXD / lxc command does not alert that the cert is about to expire, so the
  user finds out when it's too late and the system stops working correctly
  (think automated starting / removal of containers etc.)
- could not find anything about changing the cert in LXD docs, so it was a
  bit of a problem working out why it doesn't work anymore and how to fix it

The whole process could be designed a bit better :)

Tomasz Chmielewski
http://wpkg.org
Re: [lxc-users] lxc exec / list: x509: certificate has expired or is not yet valid
Greetings, Tomasz Chmielewski!

> On 2016-06-02 21:09, Tomasz Chmielewski wrote:
>> Not sure what's the procedure for this one:
>>
>> # lxc list
>> error: Get https://10.0.0.1:8443/1.0/containers?recursion=1: x509:
>> certificate has expired or is not yet valid
>
> Apparently LXD sets up a certificate with 1 year validity when
> installed, but provides no mechanism to automatically update it. And can
> be a big surprise after a year :|
>
> Also, don't see the CSR file there?
>
> So... what is the correct procedure to update the certificate on LXD
> server and make sure it's still accepted by LXD clients?

I would go a long route and set up my own CA.
Though, I actually did that already...

Alternative is to make yourself a certificate through third-party CA, like
Let's Encrypt.

-- 
With best regards,
Andrey Repin
Thursday, June 2, 2016 16:39:01

Sorry for my terrible English...
Re: [lxc-users] lxc exec / list: x509: certificate has expired or is not yet valid
On 2016-06-02 21:09, Tomasz Chmielewski wrote:

> Not sure what's the procedure for this one:
>
> # lxc list
> error: Get https://10.0.0.1:8443/1.0/containers?recursion=1: x509:
> certificate has expired or is not yet valid

Apparently LXD sets up a certificate with 1 year validity when installed, but
provides no mechanism to automatically update it. And can be a big surprise
after a year :|

Also, don't see the CSR file there?

So... what is the correct procedure to update the certificate on LXD server
and make sure it's still accepted by LXD clients?

# ls /var/lib/lxd/server.* -l
-rw-r--r-- 1 root root 1834 Jun  3  2015 /var/lib/lxd/server.crt
-rw------- 1 root root 3247 Jun  3  2015 /var/lib/lxd/server.key

# openssl x509 -text -noout -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            34:f0:eb:8c:3f:76:f0:db:21:01:5d:34:1c:cd:f0:5c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=linuxcontainer.org
        Validity
            Not Before: Jun  3 06:33:15 2015 GMT
            Not After : Jun  2 06:33:15 2016 GMT
        Subject: O=linuxcontainer.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
(...)

Tomasz Chmielewski
http://wpkg.org
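The two things this thread turns on, whether the server certificate is about to run out (the expiry warning LXD did not give) and whether it carries the address the client actually dials as a SAN, can both be read off the `openssl x509 -text -noout` output shown above. The following Python is an added example, not part of the thread and not LXD's own code: it parses that text format into a status a monitoring job could alert on. The sample certificate text is constructed for the example; its validity window is the one from the thread, while the SAN extension (hostname `lxd.example.invalid` and the two IP addresses) is invented, since the output above is cut before the extensions. Function names such as `check_certificate` are assumptions of the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `openssl x509 -text -noout` output.
# The Validity block matches the certificate from the thread; the SAN
# extension is invented for this example.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            34:f0:eb:8c:3f:76:f0:db:21:01:5d:34:1c:cd:f0:5c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=linuxcontainer.org
        Validity
            Not Before: Jun  3 06:33:15 2015 GMT
            Not After : Jun  2 06:33:15 2016 GMT
        Subject: O=linuxcontainer.org
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:lxd.example.invalid, IP Address:10.0.0.1, IP Address:192.0.2.10
"""


def _parse_openssl_date(value):
    """Turn 'Jun  2 06:33:15 2016 GMT' into an aware UTC datetime."""
    fields = value.split()  # also collapses the double space before the day
    if len(fields) != 5 or fields[4] != "GMT":
        raise ValueError("unexpected openssl date format: %r" % value)
    naive = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_validity(text):
    """Return (not_before, not_after) from the Validity block."""
    before = re.search(r"Not Before\s*:\s*(.+)", text)
    after = re.search(r"Not After\s*:\s*(.+)", text)
    if not before or not after:
        raise ValueError("no Validity block found")
    return _parse_openssl_date(before.group(1)), _parse_openssl_date(after.group(1))


def parse_sans(text):
    """Return {'dns': [...], 'ip': [...]} from the SAN extension (empty if absent)."""
    sans = {"dns": [], "ip": []}
    match = re.search(r"Subject Alternative Name:\s*(\S.*)", text)
    if not match:
        return sans
    for entry in match.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            sans["dns"].append(value)
        elif kind == "IP Address":
            sans["ip"].append(value)
    return sans


def endpoint_covered(endpoint, sans):
    """True if the host or IP a client dials is listed in the certificate's SANs."""
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        # Not an IP literal: compare as a DNS name, case-insensitively.
        return endpoint.lower() in (name.lower() for name in sans["dns"])
    return any(ipaddress.ip_address(ip) == addr for ip in sans["ip"])


def check_certificate(text, endpoint, now, warn_days=30):
    """Classify a certificate the way an expiry monitor would, at time `now`."""
    not_before, not_after = parse_validity(text)
    days_left = (not_after - now).days
    if now < not_before:
        status = "not_yet_valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {
        "status": status,
        "days_left": days_left,
        "not_after": not_after.isoformat(),
        "endpoint_covered": endpoint_covered(endpoint, parse_sans(text)),
    }


if __name__ == "__main__":
    # Time of the original report (2016-06-02 21:09 +0900), expressed in UTC.
    report_time = datetime(2016, 6, 2, 12, 9, tzinfo=timezone.utc)
    print(check_certificate(SAMPLE_CERT_TEXT, "10.0.0.1", report_time))
```

Feeding it the real file is `openssl x509 -text -noout -in /var/lib/lxd/server.crt | python3 check.py` with a small read from stdin; the point of the `warn_days` threshold is that the check fires while `lxc` still works, rather than on the morning every automated container job starts failing. A certificate without a SAN extension, as in the output above, yields `endpoint_covered: False` for any endpoint, which is the same mismatch the thread's "connected by IP, not domain name" bullet describes.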
[lxc-users] lxc exec / list: x509: certificate has expired or is not yet valid
Not sure what's the procedure for this one:

# lxc list
error: Get https://10.0.0.1:8443/1.0/containers?recursion=1: x509:
certificate has expired or is not yet valid

?

Tomasz Chmielewski
http://wpkg.org