LXC Template ubuntu-cloud does not work

Bug #1180355 reported by Andreas Wirooks
This bug affects 1 person
Affects          Status  Importance  Assigned to  Milestone
ca-certificates  New     Undecided   Unassigned
wget             New     Undecided   Unassigned

Bug Description

I tried the template with the regular precise lxc package and then with the 0.8 backport. Both resulted in the error reading:

failed to get https://cloud-images.ubuntu.com/query/precise/server/released-dl.current.txt

When I copy this URL into a browser the file is there. The problem must be in the ubuntu-cloud template. The normal ubuntu template works.

My specs: Ubuntu 12.04.2, LTS Release: 12.04, lxc 0.7.5-3ubuntu67 and 0.8.0~rc1-4ubuntu39.12.10.2~ubuntu12.04.1

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: lxc 0.8.0~rc1-4ubuntu39.12.10.2~ubuntu12.04.1
ProcVersionSignature: Ubuntu 3.8.0-20.31~precise1-generic 3.8.11
Uname: Linux 3.8.0-20-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.2
Architecture: amd64
Date: Wed May 15 10:58:20 2013
InstallationMedia: Ubuntu 12.04.2 LTS "Precise Pangolin" - Release amd64 (20130213)
MarkForUpload: True
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.lxc: [modified]
modified.conffile..etc.dnsmasq.d.available.lxc: [deleted]
mtime.conffile..etc.default.lxc: 2013-05-14T15:21:31.327779

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I failed to reproduce this bug on 12.04. Using lxc 0.7.5-3ubuntu67, I get:

$ sudo lxc-create -t ubuntu-cloud -n test

No config file specified, using the default config
ubuntu-cloudimg-query is /usr/bin/ubuntu-cloudimg-query
wget is /usr/bin/wget
--2013-05-15 15:45:34-- https://cloud-images.ubuntu.com/server/releases/precise/release-20130502/ubuntu-12.04-server-cloudimg-amd64-root.tar.gz
Resolving cloud-images.ubuntu.com (cloud-images.ubuntu.com)... 91.189.88.141
Connecting to cloud-images.ubuntu.com (cloud-images.ubuntu.com)|91.189.88.141|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cloud-images.ubuntu.com/releases/precise/release-20130502/ubuntu-12.04-server-cloudimg-amd64-root.tar.gz [following]
--2013-05-15 15:45:34-- https://cloud-images.ubuntu.com/releases/precise/release-20130502/ubuntu-12.04-server-cloudimg-amd64-root.tar.gz
Reusing existing connection to cloud-images.ubuntu.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 230466207 (220M) [application/x-gzip]
Saving to: `ubuntu-12.04-server-cloudimg-amd64-root.tar.gz'

100%[=====================================================================================================================================================================================================>] 230,466,207 37.6M/s in 6.0s

2013-05-15 15:45:40 (36.6 MB/s) - `ubuntu-12.04-server-cloudimg-amd64-root.tar.gz' saved [230466207/230466207]

Extracting container rootfs
Configuring for running outside of a cloud environment
If you want to configure for a cloud evironment, please use '-- -C' to create the container
Container test created.
'ubuntu-cloud' template installed
'test' created

You have not posted exact steps to reproduce your problem. Please do so, explain why you believe this is a bug rather than a network problem at your end, and then change the bug status back to New. On the other hand, if this turns out to be a problem at your end, please change the bug status to Invalid.

Also please try running wget against the failed URL directly, rather than pasting it into a browser on what I presume is a different machine, and post the output.

Thanks!

Changed in lxc (Ubuntu):
status: New → Incomplete
Andreas Wirooks (nudgegoonies) wrote : RE: [Bug 1180355] Re: LXC Template ubuntu-cloud does not work

Thank you very much for your answer. I tried:

>$ sudo lxc-create -t ubuntu-cloud -n test

With that I get the same error:

>$ sudo lxc-create -t ubuntu-cloud -n test
>
>No config file specified, using the default config
>ubuntu-cloudimg-query ist /usr/bin/ubuntu-cloudimg-query
>wget ist /usr/bin/wget
>failed to get https://cloud-images.ubuntu.com/query/precise/server/released-dl.current.txt
>failed to execute template 'ubuntu-cloud'
>aborted

Doing a wget on the url was the right tip. It resulted in:

>$ wget https://cloud-images.ubuntu.com/query/precise/server/released-dl.current.txt
>--2013-05-22 09:35:41-- https://cloud-images.ubuntu.com/query/precise/server/released-dl.current.txt
>Auflösen des Hostnamen »cloud-images.ubuntu.com (cloud-images.ubuntu.com)«... 91.189.88.141
>Verbindungsaufbau zu cloud-images.ubuntu.com (cloud-images.ubuntu.com)|91.189.88.141|:443... verbunden.
> FEHLER: Kann das Zertifikat von »cloud-images.ubuntu.com« nicht prüfen, ausgestellt von »»/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287««:.
> Ein selbst-signiertes Zertifikat gefunden.
>Verwenden Sie »--no-check-certificate«, um zu dem Server »cloud-images.ubuntu.com« eine nicht gesicherte Verbindung aufzubauen.

There must be a problem with the certificates, although I haven't changed or configured anything in that direction. I tried to modify the /usr/share/lxc/templates/lxc-ubuntu-cloud script with the --no-check-certificate option on both wget calls but it didn't help. I don't think this is a bug in the lxc package but a bug concerning wget or the certificates. I tried the link from the wget output and the certificate does not seem to exist. Could it be that there is a load balancer behind the url and you are getting a different mirror?

Regards,
Andreas

Serge Hallyn (serge-hallyn) wrote :

Is this still happening for you?

Are you behind a proxy that would explain this behavior?

(I wonder if this could actually be a bug/misconfiguration in your ca-certificates?)

Changed in lxc (Ubuntu):
status: Incomplete → New
status: New → Incomplete
Andreas Wirooks (nudgegoonies) wrote :

It still happens. Wouldn't it be better to move this bug report somewhere else?
Because the problem seems to exist in a different component.

I use the regular precise wget. Now I've built the 1.14 package from saucy.
But even with this version I get the same error. I also tried the link with
three different browsers (firefox, google-chrome and opera) and there
is no problem with the url.

Now I tried the link with curl and I get this:
curl https://cloud-images.ubuntu.com/query/precise/server/released-dl.current.txt
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

I don't think that both wget and curl have the same problem.
Maybe somewhere in their libs?


Serge Hallyn (serge-hallyn) wrote :

Quoting Andreas Wirooks (<email address hidden>):
> It still happens. Wouldn't it be better to move this bug report somewhere else?

Probably, but as you point out I'm not sure where. I'll mark this as
affecting wget and ca-certificates.

Could you show the result of

curl -Iv https://cloud-images.ubuntu.com/query/precise/server/released-dl.current.txt

 affects: wget
 affects: ca-certificates

Andreas Wirooks (nudgegoonies) wrote :

> Could you show the result of
>
> curl -Iv https://cloud-images.ubuntu.com/query/precise/server/released-dl.current.txt

This is the result:
curl -Iv https://cloud-images.ubuntu.com/query/precise/server/released-dl.current.txt
* About to connect() to cloud-images.ubuntu.com port 443 (#0)
* Trying 91.189.88.141... connected
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I looked into synaptic and ca-certificates and ca-certificates-java are installed.
I also verified that all the installed files are there and everything was in place.
After that I reinstalled both packages and after that it worked:

* About to connect() to cloud-images.ubuntu.com port 443 (#0)
* Trying 91.189.88.141... connected
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: O=cloud-images.ubuntu.com; OU=Domain Control Validated; CN=cloud-images.ubuntu.com
* start date: 2012-07-12 13:57:09 GMT
* expire date: 2013-07-14 07:49:21 GMT
* subjectAltName: cloud-images.ubuntu.com matched
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certificates.godaddy.com/repository; CN=Go Daddy Secure Certification Authority; serialNumber=07969287
* SSL certificate verify ok.
> HEAD /query/precise/server/released-dl.current.txt HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: cloud-images.ubuntu.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: ...


no longer affects: lxc (Ubuntu)
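
The curl output above shows the client verifying against `CApath: /etc/ssl/certs`, and the failure went away once ca-certificates was reinstalled. As an added example (not part of the original thread), this shell function audits an OpenSSL-style CApath directory for dangling or empty subject-hash links; the function name `capath_audit` and the sample directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: structural audit of an OpenSSL-style CApath directory.
# It does not validate certificates; it only finds broken lookup links.

# capath_audit DIR  (hypothetical helper name)
# Prints "hash_links=N dangling=M empty=K"; succeeds only if at least one
# usable subject-hash link exists and none are dangling or empty.
capath_audit() (
    dir=$1; hash_links=0; dangling=0; empty=0
    [ -d "$dir" ] || { echo "missing_dir=$dir"; exit 2; }
    for entry in "$dir"/*; do
        # OpenSSL finds a CA in CApath by file name: 8 hex digits, dot, index.
        case ${entry##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        if [ ! -e "$entry" ]; then        # symlink whose target is gone
            dangling=$((dangling + 1))
        elif [ ! -s "$entry" ]; then      # target exists but is zero bytes
            empty=$((empty + 1))
        else
            hash_links=$((hash_links + 1))
        fi
    done
    echo "hash_links=$hash_links dangling=$dangling empty=$empty"
    [ "$hash_links" -gt 0 ] && [ "$dangling" -eq 0 ] && [ "$empty" -eq 0 ]
)

# Demo on a constructed directory (not a real trust store).
demo=$(mktemp -d)
echo 'constructed placeholder, not a real certificate' > "$demo/Example_CA.pem"
ln -s Example_CA.pem "$demo/0a1b2c3d.0"   # healthy hash link
ln -s Removed_CA.pem "$demo/deadbeef.0"   # target missing: dangling
capath_audit "$demo" || echo "trust store is damaged: rebuild it, do not disable verification"
rm -rf "$demo"
```

On a real host the directory to pass is the one curl reports as CApath. A failing audit points at the local trust store, which is the case where reinstalling ca-certificates (the fix reported in this thread) is the right repair and `--no-check-certificate` or `-k` is not.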
Ben (benoistx31) wrote :

Proxy configuration

In most setups, you’ll want the LXD daemon to fetch images from remote servers.

If you are in an environment where you must go through a HTTP(s) proxy to reach the outside world, you’ll want to set a few configuration keys or alternatively make sure that the standard PROXY environment variables are set in the daemon’s environment.

lxc config set core.proxy_http http://squid01.internal:3128
lxc config set core.proxy_https http://squid01.internal:3128
lxc config set core.proxy_ignore_hosts image-server.local
With those, all transfers initiated by LXD will use the squid01.internal HTTP proxy, except for traffic to the server at image-server.local

Source: https://www.stgraber.org/2016/03/15/lxd-2-0-installing-and-configuring-lxd-212/

Andreas Wirooks (nudgegoonies) wrote :

Thank you for the information. It works now.
