Skip to content

Commit 575abee

Browse files
authored
Merge pull request #706 from gibmat/add-emergency-cert-recovery
Add tutorial for manually enrolling client certificate
2 parents 1572b87 + e84881d commit 575abee

3 files changed

Lines changed: 53 additions & 0 deletions

File tree

doc/.wordlist.txt

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ FuturFusion
2525
GiB
2626
Github
2727
homelab
28+
hotfix
2829
HTTPS
2930
Incus
3031
IncusOS
@@ -92,6 +93,7 @@ Uncheck
9293
Unencrypted
9394
unencrypted
9495
unmanaged
96+
Unmount
9597
USBIP
9698
VirtIO
9799
VirtualBox

doc/tutorials.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,4 +8,5 @@ Preparing a storage volume for Incus </tutorials/storage-preparing-volume-incus>
88
Import existing Incus instances from an unencrypted pool </tutorials/storage-import-unencrypted-incus-pool>
99
Directly attaching instances to host network </tutorials/network-direct-attach>
1010
Applying VLAN tagging to physical networks </tutorials/network-vlan-tagging>
11+
Emergency Procedure for a Lost Client Certificate </tutorials/emergency-procedure-lost-client-certificate>
1112
```
Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
# Emergency Procedure for a Lost Client Certificate
2+
3+
Losing the trusted client certificate/key pair will result in loss of access to the IncusOS API. By default, Incus stores its client certificate in `~/.config/incus/`, and the contents should be backed up appropriately.
4+
5+
It is possible to manually enroll a new trusted client certificate by hand, which will restore access to your IncusOS server.
6+
7+
## Requirements
8+
9+
* You must have an encryption recovery key for the IncusOS server, either the one automatically generated on first boot or a custom one set via the API. Without this recovery key, it will be impossible to decrypt the main IncusOS partition and you will have no choice but to reinstall IncusOS.
10+
11+
* You must have physical (console) access to the IncusOS server.
12+
13+
* The following steps assume Incus was installed on IncusOS and is the application responsible for handling client authentication. Recovery steps for Migration Manager and Operations Center will be different and are not covered in this document.
14+
15+
## Steps
16+
17+
1. Generate a new client certificate/key pair. You can do this easily via `incus remote get-client-certificate`. Make sure to backup your new client credentials. 🙂 Copy the certificate to a USB stick or other removable media for use in a later step.
18+
19+
1. Disable Secure Boot on the IncusOS server. Don't clear any certificates, just set the Secure Boot mode to disabled. The exact steps to accomplish this vary from manufacturer to manufacturer.
20+
21+
1. Boot a live Linux image of your choice on the IncusOS server. Any modern image will work, as long as the `cryptsetup` command is available.
22+
23+
1. Decrypt and mount the IncusOS root partition. We'll assume the main system drive is `/dev/sda`; adjust as appropriate for your system.
24+
25+
```
26+
cryptsetup luksOpen /dev/sda10 sda10_crypt
27+
mkdir -p /mnt/incusos/
28+
mount /dev/mapper/sda10_crypt /mnt/incusos/
29+
```
30+
31+
1. Prepare an Incus database hotfix patch to enroll the new client certificate.
32+
33+
```
34+
CERT="/path/to/new/client.crt"
35+
CERT_CONTENTS=$(cat $CERT)
36+
FINGERPRINT=$(openssl x509 -in $CERT -noout -fingerprint -sha256 | tr -d ":" | sed "s/sha256 Fingerprint=//")
37+
38+
echo "INSERT INTO certificates (fingerprint, type, name, certificate) VALUES (\"$FINGERPRINT\", 1, \"new-client-cert\", \"$CERT_CONTENTS\");" > /mnt/incusos/var/lib/incus/database/patch.global.sql
39+
```
40+
41+
1. Unmount the IncusOS root partition.
42+
43+
```
44+
umount /mnt/incusos/
45+
cryptsetup luksClose /dev/mapper/sda10_crypt
46+
```
47+
48+
1. Re-enable Secure Boot on the IncusOS server.
49+
50+
1. Upon reboot, IncusOS will boot normally and you will be able to authenticate with the new client certificate.

0 commit comments

Comments
 (0)