
Image Library Service Certificate Configuration

Overview

The Image Library Service uses a TLS certificate to secure image upload and retrieval traffic. If your browser or CLI client does not trust that certificate, image uploads from the UI will be blocked, and CLI uploads without the --insecure flag will fail.

Private Cloud Director supports two deployment models with different certificate management paths:

  • SaaS — Platform9 operates the management plane. The Image Library Service endpoint certificate is managed by Platform9. You accept the certificate in your browser; you do not modify management-plane certificates directly.

  • Self-Hosted — You operate the management plane on-premise. You can supply your own custom certificate and apply it using airctl.

In this guide, you will trust or configure the Image Library Service certificate for your deployment model so that image uploads and VM provisioning succeed.

SaaS Deployments

In SaaS deployments, the Image Library Service host uses a self-signed certificate for the image upload endpoint. You must accept this certificate in your browser before you can upload images through the UI.

Accept the Certificate in Your Browser

  1. Sign in to the Private Cloud Director UI.

  2. Navigate to Images. If the certificate has not been trusted, a banner or notification appears that reads Action Required: Trust Certificate.

  3. Click the link in the notification. A new browser tab opens to the Image Library Service endpoint.

  4. In the browser's security warning page, expand Advanced (or Details, depending on your browser) and click the link to proceed to the site.

  5. After accepting the certificate, close the tab and return to the Images page. The upload controls should now be active.

For detailed steps for each browser, see Accept Certificate Authority.

Certificate acceptance is per browser and per machine

Each browser on each machine must accept the certificate separately. If a team member on a different workstation reports upload issues after you have already accepted the certificate, they must repeat these steps in their own browser.

CLI Uploads (SaaS)

When using the pcdctl CLI to upload images in a SaaS deployment, include the --insecure flag to bypass certificate verification for the Image Library endpoint:

This flag applies to the image endpoint only. It does not affect Identity Service authentication.

Management-Plane Certificate Changes (SaaS)

Self-Hosted Deployments

In Self-Hosted deployments, you have full control over management-plane certificates and can supply a custom certificate.

Accept the Default Self-Signed Certificate

If you are using the default self-signed certificate generated during installation, follow the same browser-acceptance steps as for SaaS deployments (see above). This is the quickest path for small or evaluation deployments.

For CLI uploads, use the --insecure flag with pcdctl image create as shown in the SaaS section above.

Configure a Custom Certificate

Self-Hosted deployments only

The steps in this section apply only to Self-Hosted Private Cloud Director. In SaaS deployments, contact Platform9 Support for certificate changes.

To replace the default self-signed certificate with a CA-signed or custom certificate, use the airctl renew-certs command. This updates the management-plane certificate, which is then used by the Image Library Service and other services.

For full instructions, see Using Custom Certificates.

After applying a new certificate, verify that the Image Library Service endpoint is reachable:

If you configured a CA-signed certificate, this request should succeed without the -k flag. If it returns a certificate error, confirm that the certificate's Subject Alternative Names (SANs) include the Image Library host's FQDN or IP address.
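One way to run the SAN check offline with openssl before or after applying a certificate. This is an added example, not part of the Platform9 documentation; the helper names, the throwaway certificate and the names images.example.test and 192.0.2.10 are constructed for illustration, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the product documentation). Helper names are hypothetical.

# san_covers CERT_PEM TARGET
# Exit 0 if TARGET (an FQDN or an IP literal) is covered by the certificate.
# An IP address must appear as an "IP Address" SAN entry; a DNS entry that
# merely looks like an IP does not satisfy clients, so pick the check by type.
san_covers() {
    cert=$1
    target=$2
    case $target in
        *:*)        flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*)  flag=-checkhost ;;  # contains a non-digit: treat as FQDN
        *)          flag=-checkip ;;    # digits and dots only: IPv4 literal
    esac
    # openssl prints "... does match certificate" or "... does NOT match certificate".
    # Note: -checkhost falls back to the subject CN only when the certificate
    # has no DNS SAN entries at all; many clients do not, so list the SANs too.
    openssl x509 -in "$cert" -noout "$flag" "$target" 2>/dev/null |
        grep -q 'does match certificate'
}

# san_list CERT_PEM: print the SAN extension for a manual look.
san_list() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# make_sample_cert DIR: constructed, throwaway self-signed certificate used
# only so this example runs without a real endpoint.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=constructed-sample" \
        -addext "subjectAltName=DNS:images.example.test,IP:192.0.2.10" 2>/dev/null
}

# Demo: two names the certificate covers and one it does not.
tmp=$(mktemp -d)
make_sample_cert "$tmp"
san_list "$tmp/cert.pem"
for t in images.example.test 192.0.2.10 glance.example.test; do
    if san_covers "$tmp/cert.pem" "$t"; then
        echo "$t: covered"
    else
        echo "$t: NOT covered (clients will report a certificate error)"
    fi
done
rm -rf "$tmp"
```

Run `san_covers` against the certificate file you intend to apply, using the exact FQDN or IP that browsers and the CLI use to reach the Image Library host.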

Verify Certificate Trust After Changes

After updating certificates in a Self-Hosted deployment, restart the Image Library Service on the affected host:

Then re-check the endpoint health and attempt a test upload to confirm the change took effect.

Troubleshooting Certificate Issues

| Symptom | Likely Cause | Resolution |
| --- | --- | --- |
| UI upload button is not active; certificate warning shown | Certificate not accepted in this browser | Follow the browser-acceptance steps above. |
| SSL: CERTIFICATE_VERIFY_FAILED in CLI output | --insecure flag omitted, or a CA-signed cert whose CA is not trusted | Add --insecure, or add the CA certificate to the system trust store. |
| Certificate accepted, but upload still blocked | Browser cached an older, untrusted state | Clear the browser cache or retry in a private window. |
| Custom certificate applied but endpoint still shows old cert | Service not restarted after cert change | Run sudo systemctl restart pf9-glance-api on the Image Library host. |

For general Image Library Service health checks, see Image Library Service Endpoint Health.
