Unhelpful message: "A client certificate must be present and selected in your browser" #542

Open
rptb1 opened this issue Nov 17, 2023 · 3 comments

rptb1 commented Nov 17, 2023

On making a connection to the LXD UI today (to an LXD instance I have previously used), the UI refuses to authenticate, saying "A client certificate must be present and selected in your browser".

What does it mean to "select" the certificate? Neither the LXD UI nor Firefox presents any UI that would allow me to select a certificate. Nor does Firefox have any obvious interface for "selecting" a certificate. Even if it does, this message is not helpful because it does not give any guidance on how to do it, or link to any documentation.

In this case, a previously-used certificate is present in the browser. That certificate is registered with the LXD. I checked this by comparing the certificate fingerprint in the browser and as shown by lxc config trust list. Just to make sure, I followed the steps to generate a new certificate and also installed that in the LXD instance with lxc config trust add but this did not help -- I get the same message. Obviously I'd appreciate any insight into what is going wrong, but mainly I'd like a message that leads me to the right steps.

When I connect to another LXD server (same LXD version on same version OS) I get a dialog in Firefox that says "... has requested that you identify yourself with a certificate" and asks me which one to send. Is this the "selection"? Why might one LXD ask for this and the other not?

Thanks!

Configuration details:

  • Firefox 119.0.1 (tried with empty profile, no addons)
  • Ubuntu 22.04 (client and both servers)
  • LXD snap 5.19-31ff7b6 (both servers)
Collaborator

edlerd commented Nov 17, 2023

Hello, thanks for your report,

Firefox remembers a decision to not use a certificate on a domain or IP/port. I suspect this might be the case for you. Can you validate in "settings > privacy > view certificates > authentication decisions" if your instance is listed as "send no cert"? If so, remove that entry. You might have to restart the browser, and then when browsing to that LXD server the browser should ask which cert to use.
Edit: Another problem might be a proxy in front of the LXD server. Do you have that in your setup?

Regarding the problem with the warning message - we will look into that. Please let us know if you have suggestions on how to improve it.

Author

rptb1 commented Nov 17, 2023

Thanks for the very rapid response.

Yes, I can confirm that the Authentication Decisions list did have an entry for the site. It did not say "send no cert" but instead "(unavailable)". (This might indicate a bug in Firefox.) I deleted all the entries relevant to the server. That didn't help immediately. But then restarting the browser (as you suggested) did seem to force Firefox to pay attention to its own settings and ask me to select a certificate. I can now connect. Excellent.

It would be great if you could improve the message for future users. A simple fix would be to link the message to your reply above! But not very neat. I would suggest a broader improvement.

Since you're a web UI, it should be easy to link all messages to articles about those messages. ZFS does this even for command line output. For example, I recently ran into a problem with a ZFS pool and zpool status helpfully printed the URL https://zfsonlinux.org/msg/ZFS-8000-8A/ .

Perhaps all your messages could link to a wiki (or similar) where people could contribute solutions to the problems they indicate. You have one over here -> https://github.com/canonical/lxd-ui/wiki

Thanks again.

Author

rptb1 commented Nov 17, 2023

I note that you already link some UI elements with ⓘ, e.g.
image
