Authentication Setup FAQ
You can use the same client certificate for multiple LXD sites. If you have previously created and imported a client certificate into your browser and selected it for the current LXD site, generate a token using the LXD command line and paste it into LXD-UI to gain access.
This is described in LXD-UI by the "A client certificate must be present and selected in your browser" notification.
An HTTP proxy in front of LXD-UI will not forward the client certificate. You need to either use a TCP-based proxy or rely on OIDC as the authentication method.
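The difference between the two proxy types, as an added nginx example that is not part of the LXD-UI documentation. The address 192.0.2.10:8443, the host name lxd.example.com and the certificate paths are assumed placeholders, and the two blocks are alternatives, so only one of them would be active on port 443.

```nginx
# Constructed example. 192.0.2.10:8443 stands in for the LXD API address;
# lxd.example.com and the certificate paths are placeholders.

# Alternative 1 (client-certificate login fails): the http{} proxy terminates
# the browser's TLS session here and opens a separate TLS session to LXD.
# The browser's client certificate is only ever presented to nginx, so LXD
# never sees it.
http {
    server {
        listen 443 ssl;
        server_name lxd.example.com;
        ssl_certificate     /etc/nginx/tls/lxd.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/lxd.example.com.key;

        location / {
            proxy_pass https://192.0.2.10:8443;
        }
    }
}

# Alternative 2 (client-certificate login works): the stream{} proxy relays
# raw TCP bytes, so the TLS handshake, including the client certificate,
# runs end to end between the browser and LXD.
# Requires nginx built with the stream module.
stream {
    upstream lxd_api {
        server 192.0.2.10:8443;
    }

    server {
        listen 443;          # no "ssl" parameter: TLS is not terminated here
        proxy_pass lxd_api;
    }
}
```

With the TCP passthrough, the browser sees LXD's own server certificate rather than one configured on the proxy.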
Firefox remembers a decision not to use a certificate for a domain or IP/port. Check under "settings > privacy > view certificates > authentication decisions" whether your host is listed as "send no cert". If so, delete that entry. You might have to restart the browser afterwards for the change to take effect. The next time you open LXD-UI, the browser should ask which certificate to use, but only if a certificate was previously imported into Firefox.
If macOS shows a popup asking for the keychain password on every request, this might be due to settings on the client certificate. To fix the settings, follow the steps below:
- Open the Keychain app
- Search for your cert (likely lxd-ui)
- Double-click the private key for your cert
- Click "Access Control"
  - a. On macOS prior to 12.5.2, hit the "+" in "Always allow access by these applications" and select Safari
  - b. On newer macOS, select "allow access from all apps"
- Close the dialogue
- Close the Keychain app
- Restart Safari