Error: Server doesn't trust us after authentication or Error: Failed to find project: not authorized when adding remote via token

[aivanise]

Required information

• Distribution: RHEL
• Distribution version: 8.5
• The output of "lxc info" or if that fails:

config: cluster.https_address: eul6800573:8443 core.https_address: eul6800573:8443 api_extensions:

• storage_zfs_remove_snapshots
• container_host_shutdown_timeout
• container_stop_priority
• container_syscall_filtering
• auth_pki
• container_last_used_at
• etag
• patch
• usb_devices
• https_allowed_credentials
• image_compression_algorithm
• directory_manipulation
• container_cpu_time
• storage_zfs_use_refquota
• storage_lvm_mount_options
• network
• profile_usedby
• container_push
• container_exec_recording
• certificate_update
• container_exec_signal_handling
• gpu_devices
• container_image_properties
• migration_progress
• id_map
• network_firewall_filtering
• network_routes
• storage
• file_delete
• file_append
• network_dhcp_expiry
• storage_lvm_vg_rename
• storage_lvm_thinpool_rename
• network_vlan
• image_create_aliases
• container_stateless_copy
• container_only_migration
• storage_zfs_clone_copy
• unix_device_rename
• storage_lvm_use_thinpool
• storage_rsync_bwlimit
• network_vxlan_interface
• storage_btrfs_mount_options
• entity_description
• image_force_refresh
• storage_lvm_lv_resizing
• id_map_base
• file_symlinks
• container_push_target
• network_vlan_physical
• storage_images_delete
• container_edit_metadata
• container_snapshot_stateful_migration [268/330]
• storage_driver_ceph
• storage_ceph_user_name
• resource_limits
• storage_volatile_initial_source
• storage_ceph_force_osd_reuse
• storage_block_filesystem_btrfs
• resources
• kernel_limits
• storage_api_volume_rename
• macaroon_authentication
• network_sriov
• console
• restrict_devlxd
• migration_pre_copy
• infiniband
• maas_network
• devlxd_events
• proxy
• network_dhcp_gateway
• file_get_symlink
• network_leases
• unix_device_hotplug
• storage_api_local_volume_handling
• operation_description
• clustering
• event_lifecycle
• storage_api_remote_volume_handling
• nvidia_runtime
• container_mount_propagation
• container_backup
• devlxd_images
• container_local_cross_pool_handling
• proxy_unix
• proxy_udp
• clustering_join
• proxy_tcp_udp_multi_port_handling
• network_state
• proxy_unix_dac_properties
• container_protection_delete
• unix_priv_drop
• pprof_http
• proxy_haproxy_protocol
• network_hwaddr
• proxy_nat
• network_nat_order
• container_full
• candid_authentication
• backup_compression
• candid_config
• nvidia_runtime_config
• storage_api_volume_snapshots
• storage_unmapped
• projects
• candid_config_key
• network_vxlan_ttl
• container_incremental_copy
• usb_optional_vendorid
• snapshot_scheduling
• snapshot_schedule_aliases
• container_copy_project
• clustering_server_address
• clustering_image_replication [206/330]
• container_protection_shift
• snapshot_expiry
• container_backup_override_pool
• snapshot_expiry_creation
• network_leases_location
• resources_cpu_socket
• resources_gpu
• resources_numa
• kernel_features
• id_map_current
• event_location
• storage_api_remote_volume_snapshots
• network_nat_address
• container_nic_routes
• rbac
• cluster_internal_copy
• seccomp_notify
• lxc_features
• container_nic_ipvlan
• network_vlan_sriov
• storage_cephfs
• container_nic_ipfilter
• resources_v2
• container_exec_user_group_cwd
• container_syscall_intercept
• container_disk_shift
• storage_shifted
• resources_infiniband
• daemon_storage
• instances
• image_types
• resources_disk_sata
• clustering_roles
• images_expiry
• resources_network_firmware
• backup_compression_algorithm
• ceph_data_pool_name
• container_syscall_intercept_mount
• compression_squashfs
• container_raw_mount
• container_nic_routed
• container_syscall_intercept_mount_fuse
• container_disk_ceph
• virtual-machines
• image_profiles
• clustering_architecture
• resources_disk_id
• storage_lvm_stripes
• vm_boot_priority
• unix_hotplug_devices
• api_filtering
• instance_nic_network
• clustering_sizing
• firewall_driver
• projects_limits
• container_syscall_intercept_hugetlbfs
• limits_hugepages
• container_nic_routed_gateway
• projects_restrictions
• custom_volume_snapshot_expiry
• volume_snapshot_scheduling
• trust_ca_certificates [144/330]
• snapshot_disk_usage
• clustering_edit_roles
• container_nic_routed_host_address
• container_nic_ipvlan_gateway
• resources_usb_pci
• resources_cpu_threads_numa
• resources_cpu_core_die
• api_os
• container_nic_routed_host_table
• container_nic_ipvlan_host_table
• container_nic_ipvlan_mode
• resources_system
• images_push_relay
• network_dns_search
• container_nic_routed_limits
• instance_nic_bridged_vlan
• network_state_bond_bridge
• usedby_consistency
• custom_block_volumes
• clustering_failure_domains
• resources_gpu_mdev
• console_vga_type
• projects_limits_disk
• network_type_macvlan
• network_type_sriov
• container_syscall_intercept_bpf_devices
• network_type_ovn
• projects_networks
• projects_networks_restricted_uplinks
• custom_volume_backup
• backup_override_name
• storage_rsync_compression
• network_type_physical
• network_ovn_external_subnets
• network_ovn_nat
• network_ovn_external_routes_remove
• tpm_device_type
• storage_zfs_clone_copy_rebase
• gpu_mdev
• resources_pci_iommu
• resources_network_usb
• resources_disk_address
• network_physical_ovn_ingress_mode
• network_ovn_dhcp
• network_physical_routes_anycast
• projects_limits_instances
• network_state_vlan
• instance_nic_bridged_port_isolation
• instance_bulk_state_change
• network_gvrp
• instance_pool_move
• gpu_sriov
• pci_device_type
• storage_volume_state
• network_acl
• migration_stateful
• disk_state_quota
• storage_ceph_features
• projects_compression
• projects_images_remote_cache_expiry
• certificate_project
• network_ovn_acl [82/330]
• projects_images_auto_update
• projects_restricted_cluster_target
• images_default_architecture
• network_ovn_acl_defaults
• gpu_mig
• project_usage
• network_bridge_acl
• warnings
• projects_restricted_backups_and_snapshots
• clustering_join_token
• clustering_description
• server_trusted_proxy
• clustering_update_cert
• storage_api_project
• server_instance_driver_operational
• server_supported_storage_drivers
• event_lifecycle_requestor_address
• resources_gpu_usb
• clustering_evacuation
• network_ovn_nat_address
• network_bgp
• network_forward
• custom_volume_refresh
• network_counters_errors_dropped
• metrics
• image_source_project
• clustering_config
• network_peer
• linux_sysctl
• network_dns
• ovn_nic_acceleration
• certificate_self_renewal
• instance_project_move
• storage_volume_project_move
• cloud_init
• network_dns_nat
• database_leader
• instance_all_projects
• clustering_groups
• ceph_rbd_du
• instance_get_full
• qemu_metrics
• gpu_mig_uuid
• event_project
• clustering_evacuation_live
• instance_allow_inconsistent_copy
• network_state_ovn
• storage_volume_api_filtering
• image_restrictions
• storage_zfs_export
• network_dns_records
• storage_zfs_reserve_space
• network_acl_log
• storage_zfs_blocksize
• metrics_cpu_seconds
• instance_snapshot_never
• certificate_token api_status: stable api_version: "1.0" auth: trusted public: false auth_methods: [20/330]
• tls environment: addresses:
  • eul6800573:8443 architectures:
  • x86_64
  • i686 certificate: | -----BEGIN CERTIFICATE----- MIICDzCCAZagAwIBAgIRAIIMm6j1OVJGJzTC3p8sF3swCgYIKoZIzj0EAwMwODEc MBoGA1UEChMTbGludXhjb250YWluZXJzLm9yZzEYMBYGA1UEAwwPcm9vdEBldWw2 ODAwNTczMB4XDTIyMDIwODEzNTgzNVoXDTMyMDIwNjEzNTgzNVowODEcMBoGA1UE ChMTbGludXhjb250YWluZXJzLm9yZzEYMBYGA1UEAwwPcm9vdEBldWw2ODAwNTcz MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEyPHVgRB1xO/+bBgUQ0htA5Ocz4UJ26IL cGPPubN4JjdbVhkq/lwL73Plq6K/TU58K886DSfgaItfnhgittV4s7y41tmtCixH R0pIhWNdeajNxBgSNA8LzPMDpQSXpnwZo2QwYjAOBgNVHQ8BAf8EBAMCBaAwEwYD VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAtBgNVHREEJjAkggpldWw2 ODAwNTczhwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMDA2cAMGQC MGv7uxOxZR2qQ3/61rB43dEyUhEGSaez5PNYZcfST/5tGAzTqAe0M2+BchEdTvhT 9AIwW7BYNo0a/CW8ZjC9wTCPaDH9UjfctwviyZVH1dKzi7UH826E9/iMdStCJkRH kmdu -----END CERTIFICATE----- certificate_fingerprint: dae4633c3efc079e2004a719b6781c648807c1f7eb71e4648d8eac2c0ab0bd6e driver: qemu | lxc driver_version: 6.1.1 | 4.0.12 firewall: xtables kernel: Linux kernel_architecture: x86_64 kernel_features: netnsid_getifaddrs: "true" seccomp_listener: "false" seccomp_listener_continue: "false" shiftfs: "false" uevent_injection: "true" unpriv_fscaps: "true" kernel_version: 4.18.0-348.12.2.el8_5.x86_64 lxc_features: cgroup2: "true" core_scheduling: "true" devpts_fd: "true" idmapped_mounts_v2: "true" mount_injection_file: "true" network_gateway_device_route: "true" network_ipvlan: "true" network_l2proxy: "true" network_phys_macvlan_mtu: "true" network_veth_router: "true" pidfd: "true" seccomp_allow_deny_syntax: "true" seccomp_notify: "true" seccomp_proxy_send_notify_fd: "true" os_name: Red Hat Enterprise Linux os_version: "8.5" project: default server: lxd server_clustered: false server_name: eul6800573 server_pid: 3614699 server_version: "4.23" storage: zfs storage_version: 2.0.7-1 storage_supported_drivers:
  • name: cephfs version: 15.2.14 remote: true
  • name: dir version: "1" remote: false
  • name: lvm version: 2.03.07(2) (2019-11-30) / 1.02.167 (2019-11-30) / 4.43.0 remote: false
  • name: zfs version: 2.0.7-1 remote: false
  • name: ceph version: 15.2.14 remote: true
  • name: btrfs version: 5.4.1 remote: false

Issue description

When adding the remote via token it fails with Error: Failed to find project: not authorized, the certificate is added though, but not the entry in config.yaml

Steps to reproduce

$ rm -rf .config/lxc/ $ ssh yyy33 lxc config trust add Please provide client name: test Client test certificate add token: (token) $ lxc --debug remote add yyy33 (token) Generating a client certificate. This may take a minute... DBUG[02-16|21:06:27] Connecting to a remote LXD over HTTPS DBUG[02-16|21:06:27] Sending request to LXD method=GET url=https://eul6800573:8443/1.0 etag= DBUG[02-16|21:06:27] Connecting to a remote LXD over HTTPS DBUG[02-16|21:06:27] Sending request to LXD method=GET url=https://eul6800573:8443/1.0 etag= DBUG[02-16|21:06:27] Got response struct from LXD DBUG[02-16|21:06:27] { "config": null, "api_extensions": [ "storage_zfs_remove_snapshots", "container_host_shutdown_timeout", .... "instance_snapshot_never", "certificate_token" ], "api_status": "stable", "api_version": "1.0", "auth": "untrusted", "public": false, "auth_methods": [ "tls" ], "environment": { "addresses": null, "architectures": null, "certificate": "", "certificate_fingerprint": "", "driver": "", "driver_version": "", "firewall": "", "kernel": "", "kernel_architecture": "", "kernel_features": null, "kernel_version": "", "lxc_features": null, "os_name": "", "os_version": "", "project": "", "server": "", "server_clustered": false, "server_name": "", "server_pid": 0, "server_version": "", "storage": "", "storage_version": "", "storage_supported_drivers": null } } DBUG[02-16|21:06:27] Sending request to LXD method=POST url=https://eul6800573:8443/1.0/certificates etag= DBUG[02-16|21:06:27] { "name": "", "type": "", "restricted": false, "projects": null, "certificate": "", "password": "eyJjbGllbnRfbmFtZSI6InRlc3QiLCJmaW5nZXJwcmludCI6ImRhZTQ2MzNjM2VmYzA3OWUyMDA0YTcxOWI2NzgxYzY0ODgwN2MxZjdlYjcxZTQ2NDhkOGVhYzJjMGFiMGJkNmUiLCJhZGRyZXNzZXMiOlsiZXVsNjgwMDU 3Mzo4NDQzIl0sInNlY3JldCI6ImRmZjRhNGQ2NzFkZTk1NDJlZDY4NjBlZWQyYmFmM2QyN2U0NTBiZDFhZDI5ZjBhMDZlZTU1YzU5YThiMzIzN2MifQ==", "token": false } DBUG[02-16|21:06:27] Sending request to LXD method=GET url=https://eul6800573:8443/1.0/projects etag= Error: Failed to find project: not authorized

similar thing happens without specifying the token in the command but entring instead of admin passowrd, except the error message is different:

Error: Server doesn't trust us after authentication

no config.yml is generated but the trust is there:

$ ssh yyy33 lxc config trust list +--------+-------+-----------------+--------------+-------------------------------+-------------------------------+ | TYPE | NAME | COMMON NAME | FINGERPRINT | ISSUE DATE | EXPIRY DATE | +--------+-------+-----------------+--------------+-------------------------------+-------------------------------+ | client | test | root@EUL6800585 | 61e0346e05ac | Feb 16, 2022 at 7:55pm (UTC) | Feb 14, 2032 at 7:55pm (UTC) | +--------+-------+-----------------+--------------+-------------------------------+-------------------------------+

$ lxc ls yyy33: Error: The remote "yyy33" doesn't exist

but... since the trust is there, repeated add succeeeds $ lxc remote add yyy33 $ lxc info yyy33: config: cluster.https_address: eul6800573:8443 core.https_address: eul6800573:8443 ...

[stgraber]

Can you show lxc config trust show 61e0346e05ac?

[aivanise]

I've already cleaned up, but I also noticed that it works with lxc from snap so downloaded the latest build of lxc and now it works

looks like I caught a bad build yesterday, sorry for the trouble