LXD Auth issue about lxd-webgui HOT 16 CLOSED

I don't know lxd-webgui but for that option you need a recent self compiled version of LXD:

canonical/lxd#2245

from lxd-webgui.

OK, thanks. I'm gonna try it ASAP.

from lxd-webgui.

I think the patch will be included in the next version of LXD.

from lxd-webgui.

Thanks Dobin for your reply.
I just tried the new version of LXD (2.1) and, indeed, i can now set the core.https_allowed_credentials parameter.
That said, i still obtain "Auth Fail" when I try "Test LXD Auth" while i followed step-by-step the mentioned install procedure... (on a fresh OS install)
Do you have an idea of what happens?

from lxd-webgui.

Ohhh OK... It was due to the default hostname registered in my certfile.
Sorry to bother you.

from lxd-webgui.

On my local desktop, my tests are OK except when I try to "add remote image" I get the following error message:
Loading... please wait, this can take some time
Connection error. Could not retrieve data.

I'm obliged to import images manually..

However, if I try to connect remotely (from my laptop into lxd-webgui located on my desktop) I get the same problem at the begining : LXD Auth Fail.

Maybe this is coming from my way to create my certificates. If it is, can you help to create these? because i'm clearly not an expert :)

Thanks in advance.

from lxd-webgui.

Concerning the "add remote image": It will need to download stuff from the internet. Do you have Internet connection your desktop browser? Using the correct proxy?

For your laptop: Did you import the cert.p12 into the browser you are using? Can you connect to the port :9000 (the LXD api) on your desktop (manually with a browser, e.g. hostname:9000/1.0/containers?

from lxd-webgui.

Concerning my desktop internet connection: of course. That said, is it using a special output port (other than 80, 443)? If it is, i'll need to ask our network admin to open it.

Concerning my laptop, i added my cert.p12 (the same as the server) into.
Below the output of hostname:9000/1.0/containers :
{"error":"not authorized","error_code":403,"type":"error"}

I just tried it remotely (from home through VPN) with another laptop and the result seems to be the same...

Thereafter what I can find in the lxd log file:
lvl=warn msg="rejecting request from untrusted client" ip=172.27.0.156:63675
lvl=warn msg="rejecting request from untrusted client" ip=10.242.2.6:49823
(my 2 laptop IP)

from lxd-webgui.

Hmm strange. "Add remote image" just uses standard HTTP/HTTPS ports (basically just a GET to https://images.linuxcontainers.org/1.0/images and all these path's). You can press F12 in the browser and follow the network traffic. Is there a reason mentioned in the logs, why the GET request fails?

According to the LXD source, the log message "rejecting request from untrusted client" only appears if the server could not verify the client certificate. Please double check that you imported the correct cert, and also select the correct one when prompted by the browser.
Or: Are you using your company proxy on your notebook, and does this proxy perform SSL/TLS Man-in-the-middle? Try putting your desktop (LXD server) IP in the exception list in the proxy configuration in the browser.

from lxd-webgui.

Indeed, really really strange!
OK, i forgot to specify my laptops are under OSX. I just tried it on another Linux machine (a desktop PC) and I'm successfully authenticated by LXD but... I still can not list available remote images in "Add remote images" part. However, with my 2 laptops, I cannot be authenticated by LXD (untrusted clients in log file) but I can list available remote images... ;-p

On my laptops, I'm using Firefox 48.0.1
On my desktop, Firefox 48.0
I follow the same procedure to import my p12 certificate.

I dont have any proxy configuration set in my system preferences but, regardless, I add your asked exception without any effet.

from lxd-webgui.

For the notebooks:
Hmm, Firefox has its own certificate store, and will not use the certificate store from OSX. So if you imported the cert as described, there should be no problem. When you browse to https://host:9000/1.0/containers , does the browser show a dialogbox where you can select a cert? Did you enable "Send XHRs with credentials" in the settings page?

For the remote image:
I can reproduce this issue with Firefox.

from lxd-webgui.

Nonfunctional remote images when using a remote lxd server should be fixed with ac1d062

from lxd-webgui.

Thanks for your reply. Now, remote images are available!!!!
Concerning the remote LXD auth, it was due -apparently- exclusively to the way to import and manage cert files in the Apple Keychain (not in Firefox). Now, at least from one of my laptop, all seems to be OK for me. Thanks again!

That said, only for information if needed, Safari browser does not seem to be supported.

from lxd-webgui.

In addition, I note a lot of "Failed to load resource: net::ERR_INSECURE_RESPONSE https://hostname:9000/1.0/containers/..." in the javascript console, from Firefox, Chrome and Safari.

from lxd-webgui.

Quite honestly, I dont understand what was happened. After having reset Firefox (and deleted the cert entry in the OSX keychain), i redo the same procedure to add my cert file into Firefox cert store and now all seems to be OK... Maybe a bug or strange behavior with the last version of Firefox.

Thanks again for your help and your webapp.

from lxd-webgui.

Thanks for the feedback. You're welcome, and have fun using LXD :-) Keep the bug reports coming!

I read something like this (with reset firefox profile), but cannot reproduce as i dont have an OSX machine atm. I'm glad it's working now :-) Certificates seem to ALWAYS generate some kind of problems, everywhere...

I think the "failed to load resource" OK and from normal operation.

from lxd-webgui.