summary
I have several Incus servers and want to create containers from one central place (i.e. my laptop). Therefore it needs to work via HTTPS and the Incus API. I also need to use my PKI so that I can issue certificates to other users.
On the Incus server, I placed the CA cert in /var/lib/incus/server.ca and used the incus config trust add-certificate command. See relevant links below.
I stored the client cert/key and CA (client.crt, client.key, client.ca) on my laptop in ~/.config/incus/.
curl tests pass, see below.
issue
I think the certificates and PKI are set up correctly and deployed to the Incus server correctly. The curl test works with these certs; however, it does not work when I use Terraform.
I tried concatenating (cat) client.ca into client.crt; it still works for curl but still does not work for Terraform.
incus_instance.instance: Creating...
╷
│ Error: Failed to retrieve Incus InstanceServer
│
│ with incus_instance.instance,
│ on main.tf line 1, in resource "incus_instance" "instance":
│ 1: resource "incus_instance" "instance" {
│
│ Unable to create server client for remote "test-11": Unable to authenticate with remote server: not authorized
$ inotifywait -m -e open ~/.config/incus/*
Setting up watches.
Watches established.
/home/invizus/.config/incus/servercerts/ OPEN test-11.crt
/home/invizus/.config/incus/client.crt OPEN
/home/invizus/.config/incus/client.ca OPEN
/home/invizus/.config/incus/client.key OPEN
terraform code:
other relevant logs
terraform can access certs
curl works:
Update: Just FYI curl works only when concatenating CA into client cert.
relevant links
https://discuss.linuxcontainers.org/t/how-to-add-a-certificate-to-incus-remotely/19549
https://linuxcontainers.org/incus/docs/main/authentication/#using-a-pki-system
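
A local check of the three files the post keeps in ~/.config/incus, added here as an example (not from the original post or from the Incus or Terraform projects): it counts the certificates in client.crt, verifies the leaf against client.ca, and confirms that client.key belongs to that leaf. The function names and the throwaway CA are constructed for the demo, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: local sanity check of the client PKI files named in the post.
# check_client_pki and make_sample_pki are hypothetical helper names.

# Print a one-line report for DIR/{client.crt,client.key,client.ca};
# return 0 only if the leaf chains to the CA and the key matches the leaf.
check_client_pki() {
    dir=$1
    # Number of PEM certificates in client.crt (2 after "cat client.ca >> client.crt").
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$dir/client.crt")
    # openssl verify treats only the first certificate in client.crt as the leaf.
    if openssl verify -CAfile "$dir/client.ca" "$dir/client.crt" >/dev/null 2>&1
    then chain=ok; else chain=FAIL; fi
    # Compare the public key in the leaf with the one derived from client.key.
    cert_pub=$(openssl x509 -in "$dir/client.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/client.key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
    then key=ok; else key=FAIL; fi
    echo "certs=$certs chain=$chain key=$key"
    [ "$chain" = ok ] && [ "$key" = ok ]
}

# Build a constructed throwaway CA and client certificate in DIR (sample data only).
make_sample_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/client.ca" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/client.ca" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

# Demo on constructed files; point check_client_pki at ~/.config/incus for real ones.
demo=$(mktemp -d)
make_sample_pki "$demo" && check_client_pki "$demo"
rm -rf "$demo"
```

A `chain=FAIL` result means the first certificate in client.crt was not issued by the CA in client.ca; `key=FAIL` means client.key does not belong to that certificate.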