Using Candid with Juju results in error on the Juju dashboard

Hello all,
I set up Juju with the following command to use Candid:

juju bootstrap _______ --config identity-url=http://________:8081/ --constraints tags=juju --config identity-public-key=___________ --config allow-model-access=true --credential _________.

While I am able to login to Juju via CLI and I can execute Juju commands using the LDAP user I have linked with Candid, I cannot login to the Juju dashboard.


In the browser console, I see that the browser blocked loading mixed content since my Candid URL is set up via http. After forcing it to continue, there’s a CORS error:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://___________:8081/discharge. (Reason: CORS request did not succeed).

Is it required to set up Candid with HTTPS to use it with Juju? If so, is there a guide on how to do that, or a list of what paths need to be passed through so I can just use NGINX?

Thanks

Hi @dksingh,

I would certainly recommend running candid over https. You have a couple of options for how to do this.

You can configure candid with a certificate and a private key to use in the configuration file. The default configuration file for the snap is found at /var/snap/candid/current/config.yaml. As you have configured LDAP already, you shouldn’t have any problems finding it.

There are two options, tls-cert and tls-key. If these are configured then candid will serve its endpoints over https using the provided certificates. The tls-cert parameter is a string that holds a PEM encoded certificate that is used in the TLS handshake. The tls-key parameter is a string that holds the PEM encoded private key that goes along with the certificate. The private key should not be encrypted as there is no mechanism for candid to prompt for the password. If necessary tls-cert may hold a certificate chain so long as the first certificate is the one that matches tls-key.

When setting up certificates you will have to update the location parameter to tell candid to generate URLs using https rather than http.

Alternatively, if you wish to deploy candid behind a reverse proxy then you should either give candid its own subdomain or its own sub-tree on the server, i.e. either https://candid.example.com or https://example.com/candid. The reverse proxy can terminate the TLS connection and proxy to the candid server. In either case you will need to update the location parameter in the configuration file (see above) to tell candid where it is being served.

If you choose to use a sub-tree for candid you will also have to manipulate paths in the request and response. The request will have to be modified such that the sub-tree is removed from the request path, e.g. /candid/discharge should be mapped to /discharge before forwarding. Also, in the reverse direction, any Location headers or Set-Cookie headers need to be updated to re-add the sub-tree path, e.g. /login -> /candid/login. When using Apache these functions are provided by the ProxyPass, ProxyPassReverse & ProxyPassReverseCookiePath directives.

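An added example, not from this thread or from the Candid project, of the sub-tree reverse-proxy option written for NGINX, which the question asked about; the Apache directives named in the reply map onto proxy_pass, proxy_redirect and proxy_cookie_path. The hostname example.com, the sub-tree /candid, the backend address 127.0.0.1:8081 and the certificate paths are assumptions.

```nginx
# Added example (not Candid's own configuration): serve Candid under the
# sub-tree https://example.com/candid and proxy it to the Candid snap
# listening on plain http at 127.0.0.1:8081. All names/paths are assumed.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.crt;    # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # assumed path

    location /candid/ {
        # Trailing slash on proxy_pass strips the matched prefix, so
        # /candid/discharge is forwarded as /discharge (ProxyPass equivalent).
        proxy_pass http://127.0.0.1:8081/;

        # Re-add the sub-tree to Location headers coming back from Candid,
        # both absolute (backend URL) and relative (/login -> /candid/login).
        # Declaring proxy_redirect explicitly disables the default rule,
        # hence both lines (ProxyPassReverse equivalent).
        proxy_redirect http://127.0.0.1:8081/ /candid/;
        proxy_redirect / /candid/;

        # Re-add the sub-tree to the Path attribute of Set-Cookie headers
        # (ProxyPassReverseCookiePath equivalent).
        proxy_cookie_path / /candid/;

        # Standard forwarding headers for the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# Optional: send plain-http visitors to the https endpoint so the dashboard
# never ends up with an http Candid URL (the mixed-content block above).
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

This only works together with the change described in the reply: set `location: https://example.com/candid` in /var/snap/candid/current/config.yaml so that Candid generates https URLs under the sub-tree, and leave tls-cert and tls-key unset since NGINX terminates TLS and talks to Candid over http on the loopback address. A quick check after reloading NGINX is `curl -sI https://example.com/candid/login` and confirming that any Location and Set-Cookie headers in the response start with /candid/.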