`lxc remote add --accept-certificate` should accept an optional fingerprint instead of blindly accepting whatever cert presented
(I would have sent this to https://discourse.ubuntu.com/c/lxd/ , but there's simply no button to create a new topic.)
Required information
- Distribution: Ubuntu
- Distribution version: Lubuntu 23.04
- snap 5.18-da72b8b
Issue description
When adding a remote with lxc remote add ... there are two options:
- Just use the normal syntax and add a remote. lxd will prompt with the fingerprint and interactively ask to verify and accept the hash, i.e. it requires human interaction.
- Use the --accept-certificate option, which makes it run through but accepts just any certificate without verification, which is a security risk.
When installing machines (e.g. large numbers of machines, from scripts or tools like puppet) automatically without human interaction, there is no way (is there?) to securely add a remote host, because --accept-certificate does not take a fingerprint as an argument.
There should be a way to pass the fingerprint as a parameter.
While it might be convenient to have lxc remote add --accept-certificate accept a fingerprint, there are a few ways around that.
- Add the remote's cert ahead of time:
$ cat << EOF > ~/snap/lxd/common/config/servercerts/foo.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
$ lxc remote add foo https://foo.example.com
- Pipe the expected fingerprint:
$ echo "${fingerprint}" | lxc remote add foo https://foo.example.com
- Use tokens to add the remote:
# on the server:
$ lxc config trust add --name jdoe
Client jdoe certificate add token:
...long-base64-line..=
# on the client:
$ lxc remote add foo "...long-base64-line..="
- Have the remote server use a cert signed by an official CA (like Let's Encrypt), see
- Seed the server.ca on the client prior to adding the remote, see https://documentation.ubuntu.com/lxd/en/latest/authentication/#using-a-pki-system
That said, I'm not opposed to having the new argument.
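The following is an added example, not LXD project code, showing how an unattended provisioning script can get the pinned behaviour the issue asks for by combining the first workaround above (seeding servercerts/NAME.crt) with an explicit fingerprint check, so the certificate is only trusted when it matches the expected SHA-256 fingerprint. It assumes openssl and lxc are on PATH and uses the snap servercerts path from the reply (LXD_SERVERCERTS is an assumed override variable).

```shell
#!/bin/sh
# Added example (not LXD's own code): pin a remote's server certificate by
# SHA-256 fingerprint before "lxc remote add", so no interactive prompt is
# needed and --accept-certificate is never used.
# Assumes openssl and lxc on PATH. LXD_SERVERCERTS is an assumed override;
# the default is the snap path shown in the reply above.
set -u
LXD_SERVERCERTS="${LXD_SERVERCERTS:-$HOME/snap/lxd/common/config/servercerts}"

# Normalise a fingerprint to the form lxc prints: lowercase hex, no colons.
norm_fp() {
  printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a PEM certificate file, in the same normalised form.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if the certificate in $1 matches the expected fingerprint $2.
verify_fingerprint() {
  [ "$(cert_fingerprint "$1")" = "$(norm_fp "$2")" ]
}

# Fetch the leaf certificate a HOST:PORT presents (needs network access).
fetch_server_cert() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# add_pinned_remote NAME HOST:PORT EXPECTED_FP [extra "lxc remote add" args...]
# Seeds servercerts/NAME.crt and adds the remote only on a fingerprint match;
# on a mismatch nothing is written and the function fails, so a script that
# checks the exit status cannot end up trusting an unexpected certificate.
add_pinned_remote() {
  name=$1; hostport=$2; expected=$3; shift 3
  tmp=$(mktemp) || return 1
  if ! fetch_server_cert "$hostport" > "$tmp"; then
    echo "could not fetch certificate from $hostport" >&2; rm -f "$tmp"; return 1
  fi
  if ! verify_fingerprint "$tmp" "$expected"; then
    echo "fingerprint mismatch for $hostport: got $(cert_fingerprint "$tmp")" >&2
    rm -f "$tmp"; return 1
  fi
  mkdir -p "$LXD_SERVERCERTS" && mv "$tmp" "$LXD_SERVERCERTS/$name.crt" || return 1
  lxc remote add "$name" "https://$hostport" "$@"
}
```

Usage from a provisioning script: `add_pinned_remote foo foo.example.com:8443 "$expected_fp"` (any trailing arguments, such as a trust token option, are passed through to lxc remote add).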