1

I am trying to access LXD REST API over the Network.

Followed: Link to Doc.

  1. lxc config set core.https_address "[::]:8443"
  2. lxc config set core.trust_password <some random password>
  3. curl -s -k --cert ~/.config/lxc/client.crt --key ~/.config/lxc/client.key https://127.0.0.1:8443/1.0/certificates -X POST -d '{"type": "client", "password": "some-password"}' | jq

As stated here, in the official REST API doc:

GET to / is allowed for everyone (lists the API endpoints)

But on pointing the Browser (Chrome) to

  • http://<server-ip>:8443
  • https://<server-ip>:8443

Both result in ERR_INVALID_HTTP_RESPONSE.

Added the client.crt to the Windows 10 certificates, via Chrome > Settings > Manage Certificates and Import.

Tried it with POSTMAN

Still the same issue.

Works all fine when accessed from inside the server.

curl -s -k --cert ~/.config/lxc/client.crt --key ~/.config/lxc/client.key https://127.0.0.1:8443/1.0 | jq .metadata.auth

The above command works fine.

My understanding of certificate based auth is very limited. Any pointer would be very much appreciated.

1 Answer

4

After going through a lot of trial and error, I finally stumbled upon this link. Its part on the configuration of LXD works just perfectly. Below are the steps I followed.

Install ZFS and LXD, and then do sudo lxd init to get the normal configuration done.

After that,

Configuration of LXD

  1. sudo lxc config set core.https_address "[::]:8443" , it can be your port of choice.
  2. sudo lxc config set core.https_allowed_origin "*" Ideally replace the star with the domain from which the API would be accessed. * would make it accessible from everywhere.
  3. sudo lxc config set core.https_allowed_methods "GET, POST, PUT, DELETE, OPTIONS"
  4. sudo lxc config set core.https_allowed_headers "Content-Type"
  5. sudo service lxd restart # sometimes is required

Setting up of Authentication Certificate (Self Signed)

  1. mkdir lxd-api-access-cert-key-files
  2. cd lxd-api-access-cert-key-files

This is just to keep the files related to authentication in a separate directory.


  1. openssl genrsa -out lxd-webui.key 4096 , this would generate a private key for you.
  2. openssl req -new -key lxd-webui.key -out lxd-webui.csr , This would create a certificate request.
  3. openssl x509 -req -days 3650 -in lxd-webui.csr -signkey lxd-webui.key -out lxd-webui.crt , this generates a self-signed certificate.
  4. openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in lxd-webui.crt -inkey lxd-webui.key -out lxd-webui.pfx -name "LXD WebUI" , This would export the keys in .pfx format that can be used inside browser for authentication.
  5. Now download the lxd-webui.pfx file locally.
  6. Import the file to the browser.
    1. Chrome Linux
    2. Chrome Windows
    3. Firefox
  7. lxc config trust add lxd-webui.crt , this tells LXC to use this certificate for auth.

Testing

  • Now Close and Start your browser again.
  • Point your browser to https://[server-ip]:[port-defined-earlier]/1.0/networks

This should give a response similar to the one below:

{"type":"sync","status":"Success","status_code":200,"operation":"","error_code":0,"error":"","metadata":["/1.0/networks/lo","/1.0/networks/ens33","/1.0/networks/lxdbr0"]}
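The settings above open the API to the network, so it is worth checking afterwards which of them are still at their widest value. The following is an added example, not part of the original question or answer: a small POSIX shell audit of the keys used on this page. The finding labels and the sample input are constructed for illustration, and the input shape assumes the "key: value" lines that `lxc config show` prints under `config:`.

```shell
#!/bin/sh
# Added example, not from the original post. Finding labels are made up here.
# Reads "key: value" lines (the shape `lxc config show` prints under
# `config:`) on stdin and prints one finding per risky setting.
audit_lxd_config() {
    while read -r line || [ -n "$line" ]; do
        key=${line%%:*}          # text before the first colon
        val=${line#*:}           # text after it (may contain more colons)
        val=${val# }
        case $val in             # drop one pair of surrounding quotes
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        case $key in
            core.https_address)
                # Wildcard binds: the API listens on every interface.
                case $val in
                    '[::]'|'[::]:'*|0.0.0.0|0.0.0.0:*|:*)
                        printf 'ALL_INTERFACES %s\n' "$val" ;;
                esac ;;
            core.https_allowed_origin)
                # The answer itself advises replacing "*" with one domain.
                if [ "$val" = "*" ]; then
                    printf 'WILDCARD_ORIGIN %s\n' "$val"
                fi ;;
            core.trust_password)
                # Assumption: any non-empty value means a password is set;
                # whoever knows it can enrol a client certificate.
                if [ -n "$val" ]; then
                    printf 'TRUST_PASSWORD_SET\n'
                fi ;;
        esac
    done
    return 0
}

# Constructed sample mirroring the settings used on this page.
sample_config() {
    cat <<'EOF'
config:
  core.https_address: '[::]:8443'
  core.https_allowed_methods: GET, POST, PUT, DELETE, OPTIONS
  core.https_allowed_origin: '*'
  core.trust_password: true
EOF
}

sample_config | audit_lxd_config
```

On a live host, pipe `lxc config show` into `audit_lxd_config` instead of the sample. Once every client certificate has been added, `lxc config unset core.trust_password` clears the last finding.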