If you try to set up a remote LXD cloud with mode 'interactive' you end up getting:
$ juju add-model nuc1 lxd-nuc1
ERROR failed to open environ: Get https://192.168.86.100:8443/1.0: x509: certificate is valid for 127.0.0.1, ::1, not 192.168.86.100
According to this bug:
https://github.com/lxc/lxd/issues/6802
LXD intentionally does *not* regenerate its certificate when you add a non-local IP address (so that existing clients can trust the same certificate).
That means that when talking to LXD, we need to verify the fingerprint, rather than assuming it has a signed certificate for the IP address that we are connecting to. I would have thought that we were using the LXD library, which should already be handling this. But maybe we are doing something like a URL test using the stock HTTP library, which would complain about an invalid TLS certificate.
Note that if I set up the remote LXD using auth-type: certificate instead of 'interactive' it works just fine. It is *way* more difficult to set up, as I have to generate a certificate, trust it in the remote, etc.
I was able to get it to spawn a container after using Certificate authentication.
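
The fingerprint check described above, as an added example that is not part of the original report and is not Juju or LXD code: a Go client that skips CA and IP SAN validation and accepts only the certificate whose SHA-256 fingerprint was pinned out of band. The names Fingerprint, checkPin and pinnedTLSConfig are hypothetical, and an httptest server stands in for the remote LXD endpoint.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Fingerprint returns the hex SHA-256 digest of a DER-encoded certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// checkPin accepts the leaf certificate only if it is the exact pinned one.
func checkPin(want string, der []byte) error {
	if got := Fingerprint(der); !strings.EqualFold(got, want) {
		return fmt.Errorf("server certificate %s does not match pinned fingerprint", got)
	}
	return nil
}

// pinnedTLSConfig replaces CA and IP SAN checks with a pin; InsecureSkipVerify is safe only because VerifyConnection rejects everything else.
func pinnedTLSConfig(want string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return fmt.Errorf("server presented no certificate")
			}
			return checkPin(want, cs.PeerCertificates[0].Raw)
		},
	}
}

func main() {
	srv := httptest.NewTLSServer(http.NotFoundHandler()) // constructed stand-in for a remote LXD endpoint
	defer srv.Close()
	pin := Fingerprint(srv.Certificate().Raw)
	_, err := http.Get(srv.URL) // stock client: x509 verification fails
	fmt.Println("default verification:", err)
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: pinnedTLSConfig(pin)}}
	_, err = c.Get(srv.URL) // pinned client: handshake succeeds
	fmt.Println("pinned verification:", err)
}
```

VerifyConnection is used rather than VerifyPeerCertificate because it also runs on resumed TLS sessions, so the pin is enforced on every connection.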