Skip to content

Commit 78cda40

Browse files
committed
doc/tutorials: Add tutorial for manually enrolling client certificate
Signed-off-by: Mathias Gibbens <mathias.gibbens@futurfusion.io>
1 parent 1572b87 commit 78cda40

2 files changed

Lines changed: 51 additions & 0 deletions

File tree

doc/tutorials.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,4 +8,5 @@ Preparing a storage volume for Incus </tutorials/storage-preparing-volume-incus>
88
Import existing Incus instances from an unencrypted pool </tutorials/storage-import-unencrypted-incus-pool>
99
Directly attaching instances to host network </tutorials/network-direct-attach>
1010
Applying VLAN tagging to physical networks </tutorials/network-vlan-tagging>
11+
Emergency Procedure for a Lost Client Certificate </tutorials/emergency-procedure-lost-client-certificate>
1112
```
Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
# Emergency Procedure for a Lost Client Certificate
2+
3+
Losing the trusted client certificate/key pair will result in loss of access to the IncusOS API. By default, Incus stores its client certificate in `~/.config/incus/`, and the contents should be backed up appropriately.
4+
5+
It is possible to manually enroll a new trusted client certificate by hand, which will restore access to your IncusOS server.
6+
7+
## Requirements
8+
9+
* You must have an encryption recovery key for the IncusOS server, either the one automatically generated on first boot or a custom one set via the API. Without this recovery key, it will be impossible to decrypt the main IncusOS partition and you will have no choice but to reinstall IncusOS.
10+
11+
* You must have physical (console) access to the IncusOS server.
12+
13+
* The following steps assume Incus was installed on IncusOS and is the application responsible for handling client authentication. Recovery steps for Migration Manager and Operations Center will be different and are not covered in this document.
14+
15+
## Steps
16+
17+
1. Generate a new client certificate/key pair. You can do this easily via `incus remote get-client-certificate`. Make sure to backup your new client credentials. 🙂 Copy the certificate to a USB stick or other removable media for use in a later step.
18+
19+
1. Disable Secure Boot on the IncusOS server. Don't clear any certificates, just set the Secure Boot mode to disabled. The exact steps to accomplish this vary from manufacturer to manufacturer.
20+
21+
1. Boot a live Linux image of your choice on the IncusOS server. Any modern image will work, as long as the `cryptsetup` command is available.
22+
23+
1. Decrypt and mount the IncusOS root partition. We'll assume the main system drive is `/dev/sda`; adjust as appropriate for your system.
24+
25+
```
26+
cryptsetup luksOpen /dev/sda10 sda10_crypt
27+
mkdir -p /mnt/incusos/
28+
mount /dev/mapper/sda10_crypt /mnt/incusos/
29+
```
30+
31+
1. Prepare an Incus database hotfix patch to enroll the new client certificate.
32+
33+
```
34+
CERT="/path/to/new/client.crt"
35+
CERT_CONTENTS=$(cat $CERT)
36+
FINGERPRINT=$(openssl x509 -in $CERT -noout -fingerprint -sha256 | tr -d ":" | sed "s/sha256 Fingerprint=//")
37+
38+
echo "INSERT INTO certificates (fingerprint, type, name, certificate) VALUES (\"$FINGERPRINT\", 1, \"new-client-cert\", \"$CERT_CONTENTS\");" > /mnt/incusos/var/lib/incus/database/patch.global.sql
39+
```
40+
41+
1. Unmount the IncusOS root partition.
42+
43+
```
44+
umount /mnt/incusos/
45+
cryptsetup luksClose /dev/mapper/sda10_crypt
46+
```
47+
48+
1. Re-enable Secure Boot on the IncusOS server.
49+
50+
1. Upon reboot, IncusOS will boot normally and you will be able to authenticate with the new client certificate.

0 commit comments

Comments
 (0)