https issue - mender server


Naveen N
Nov 9, 2017, 12:48:02 PM
to Mender List mender.io
Hello all,


I have a problem visiting the Mender server through HTTPS.

My mender.conf:

{
  "InventoryPollIntervalSeconds": 1800,
  "RootfsPartA": "/dev/mmcblk1p2",
  "RootfsPartB": "/dev/mmcblk1p3",
  "UpdatePollIntervalSeconds": 1800,
  "TenantToken": "dummy",
  "ServerURL": "https://mender.mydomain.com",
  "ServerCertificate": "/etc/mender/server.crt"
}


Added the following in local.conf:

FILESEXTRAPATHS_prepend_pn-mender := "/var/sslcert:"
SRC_URI_append_pn-mender = " file://server.crt"

Is there anything else I have to do to make it work?

Thanks in advance,
Naveen

Kristian Amlie
Nov 10, 2017, 4:56:14 AM
to men...@lists.mender.io, Naveen N
On 09/11/17 18:48, Naveen N wrote:
> Hello all,
>
>
> I have a problem visiting the Mender server through HTTPS.

When you say problem, do you mean using the browser? Or the Mender client?

> my mender.conf
>
> {
> "InventoryPollIntervalSeconds": 1800,
>  "RootfsPartA": "/dev/mmcblk1p2",
>   "RootfsPartB": "/dev/mmcblk1p3",
>   "UpdatePollIntervalSeconds": 1800,
>   "TenantToken" : "dummy" ,
>   "ServerURL": "https://mender.mydomain.com",
>   "ServerCertificate": "/etc/mender/server.crt"
> }
>
>
> added following in local.conf
>
> FILESEXTRAPATHS_prepend_pn-mender := "/var/sslcert:"
> SRC_URI_append_pn-mender = " file://server.crt"

All this looks good to me. If it's the client you have problems with,
can you post the logs you get by running "journalctl -u mender" there?

--
Kristian

navi
Nov 13, 2017, 12:22:34 PM
to Mender List mender.io
Thanks for the response!

Attached image explains the issue.

The error message from the device logs looks like "failed to execute authorization request connection refused "

navi
Nov 13, 2017, 12:44:29 PM
to Mender List mender.io
Adding to that, while following the steps from

I get this error while running "git log --oneline 1.2.x..HEAD":

fatal: ambiguous argument '1.2.x..HEAD': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'

Naveen

Drew Moseley
Nov 13, 2017, 1:03:58 PM
to men...@lists.mender.io

Hi Naveen,

I am guessing your concern is regarding the "Not secure" designation in the browser URL bar. That's normal for systems using self-signed certificates since there is no means to verify that they are who they claim to be. That is normal for testing environments and is how our demo layer is set up by default. The transport is encrypted but the browser cannot validate your certificate with a CA. There are options such as https://letsencrypt.org/ for getting signed/authenticated certificates if you need that.

Drew

--
You received this message because you are subscribed to the Google Groups "Mender List mender.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mender+un...@lists.mender.io.
To post to this group, send email to men...@lists.mender.io.
Visit this group at https://groups.google.com/a/lists.mender.io/group/mender/.

Drew Moseley
Nov 13, 2017, 1:54:29 PM
to men...@lists.mender.io

Naveen,

Thanks for this report. The correct command on the 1.2 release is "git log --oneline 1.2.1..HEAD" and for 1.1 it is "git log --oneline 1.1.3..HEAD".

I've submitted documentation updates for these.

Drew


Rod Milton
Jul 13, 2018, 10:09:22 PM
to Mender List mender.io
Having the same problem. Went to letsencrypt, followed the instructions and (in /etc/letsencrypt) ended up with:
./csr/0000_csr-certbot.pem
./keys/0000_key-certbot.pem
./archive/MyHostName.net:
total 16
-rw-r--r-- 1 root root 2163 Jul 14 00:47 cert1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:47 chain1.pem
-rw-r--r-- 1 root root 3810 Jul 14 00:47 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:47 privkey1.pem

Having trouble trying to integrate these files with Mender (was using a self-signed cert without issues).
Where do these files go on the server? Do any files need to go on the target (i.e. replacing server.crt)?

  -rod

Kristian Amlie
Jul 16, 2018, 3:43:56 AM
to men...@lists.mender.io, Rod Milton
On 14/07/18 04:09, Rod Milton wrote:
> Having same problem. Went to letsencrypt. followed instructions and (in
> /etc/letsencrypt) ended up with:
> ./csr/0000_csr-certbot.pem
> ./keys/0000_key-certbot.pem
> ./archive/MyHostName.net:
> total 16
> -rw-r--r-- 1 root root 2163 Jul 14 00:47 cert1.pem
> -rw-r--r-- 1 root root 1647 Jul 14 00:47 chain1.pem
> -rw-r--r-- 1 root root 3810 Jul 14 00:47 fullchain1.pem
> -rw-r--r-- 1 root root 1704 Jul 14 00:47 privkey1.pem
>
> Having trouble trying to integrate these files w/ mender (was using
> self-signed cert without issues).
> Where do these files go on the server? Do any files need to go on the
> target (ie replacing server.crt)?

There is currently a known issue where LetsEncrypt certificates are not
accepted by the client out of the box. Until that's fixed however, you
can work around the issue as you describe, by replacing server.crt and
making sure it's listed in the mender.conf file.

With meta-mender, the easiest approach is simply to include the file
server.crt in SRC_URI.

--
Kristian


Matthijs ter Woord
Jul 16, 2018, 3:57:19 AM
to mender, Rod Milton
Just my 2 cents here..
I'm using LetsEncrypt certificates and it works fine...



Kristian Amlie
Jul 16, 2018, 4:04:01 AM
to men...@lists.mender.io, Matthijs ter Woord, Rod Milton
On 16/07/18 09:56, Matthijs ter Woord wrote:
> Just my 2 cents here..
> I'm using LetsEncrypt certificates and it works fine...

Interesting... We are having internal issues with LetsEncrypt as well,
so Rod is not the only one. But I guess the issue is more complex than
first assumed.

--
Kristian


Matthijs ter Woord
Jul 16, 2018, 4:05:14 AM
to Kristian Amlie, mender, Rod Milton
I had to use the same certificates on both the api gateway and the storage service. I can look tonight, if you want...


Kristian Amlie
Jul 16, 2018, 4:12:53 AM
to Matthijs ter Woord, mender, Rod Milton
On 16/07/18 10:04, Matthijs ter Woord wrote:
> I had to use the same certificates on both the api gateway and the
> storage service. I can look tonight, if you want...

Yes, if you can, find out if you have this certificate listed in
ServerCertificate in mender.conf or not. It may be that it works because
it is specified there.

--
Kristian


Will Moffat
Jul 16, 2018, 7:12:23 AM
to men...@lists.mender.io
Hi Rod,

I've been using Mender + LetsEncrypt without problems.
I use the following config:

mender-api-gateway:
volumes:
- /etc/letsencrypt/live/mender.muuselabs.com/fullchain.pem:/var/www/mendersoftware/cert/cert.crt:ro
- /etc/letsencrypt/live/mender.muuselabs.com/privkey.pem:/var/www/mendersoftware/cert/private.key:ro

storage-proxy:
volumes:
- /etc/letsencrypt/live/s3.muuselabs.com/fullchain.pem:/var/www/storage-proxy/cert/cert.crt:ro
- /etc/letsencrypt/live/s3.muuselabs.com/privkey.pem:/var/www/storage-proxy/cert/private.key:ro

mender-deployments:
volumes:
- /etc/letsencrypt/live/s3.muuselabs.com/fullchain.pem:/etc/ssl/certs/storage-proxy.crt:ro


On the device, my server.crt is just a dummy:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
I'm not sure if this is still required.

regards,
--Will

Matthijs ter Woord
Jul 16, 2018, 8:24:26 AM
to mender
If I recall correctly, I do the docker config like Will has, but have nothing on my device...

Kristian Amlie
Jul 16, 2018, 8:54:05 AM
to men...@lists.mender.io, Will Moffat
On 16/07/18 13:12, Will Moffat wrote:
> Hi Rod,
>
> I've been using Mender + LetsEncrypt without problems.
> I use the following config:
>
> mender-api-gateway:
> volumes:
> - /etc/letsencrypt/live/mender.muuselabs.com/fullchain.pem:/var/www/mendersoftware/cert/cert.crt:ro
> - /etc/letsencrypt/live/mender.muuselabs.com/privkey.pem:/var/www/mendersoftware/cert/private.key:ro
>
> storage-proxy:
> volumes:
> - /etc/letsencrypt/live/s3.muuselabs.com/fullchain.pem:/var/www/storage-proxy/cert/cert.crt:ro
> - /etc/letsencrypt/live/s3.muuselabs.com/privkey.pem:/var/www/storage-proxy/cert/private.key:ro
>
> mender-deployments:
> volumes:
> - /etc/letsencrypt/live/s3.muuselabs.com/fullchain.pem:/etc/ssl/certs/storage-proxy.crt:ro
>
>
> On the device, my server.crt is just a dummy:
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> I'm not sure if this is still required.

Is this using Yocto to build the client image?

--
Kristian


Will Moffat
Jul 16, 2018, 10:59:47 AM
to Kristian Amlie, men...@lists.mender.io
Hi Kristian,

>> On the device, my server.crt is just a dummy:
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>> I'm not sure if this is still required.
>
> Is this using Yocto to build the client image?

Yes and it ends up in /etc/mender/server.crt

regards,
--Will

Rod Milton
Jul 16, 2018, 5:08:29 PM
to Mender List mender.io, rmilt...@gmail.com
Thanks for getting back to me, sorry about being so thick, but certs are new to me, I'm a low-level kernel guy...

I currently have a self-signed cert (created on my mender server using keygen). I copied server.crt to my build system, created a mender_%.bbappend file, and the cert is created in /etc/mender/server.crt.

File server.crt is a concatenation of api-gateway/cert.crt and storage-proxy/cert.crt.
I'm assuming some (which ones?) of the files created by letsencrypt are appended to server.crt? Do I need to delete the current cert for api-gateway or storage-proxy?

You mentioned LetsEncrypt certs seem to have a problem. I'm not tied to letsencrypt, it was just the first one which showed up in a Google search; is there a better (free) alternative?

thanks
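The three client-side pieces this thread keeps coming back to (the mender.conf in the first message, Will's all-empty dummy server.crt, and the api-gateway + storage-proxy concatenation Rod describes) can be sanity-checked offline before an image is flashed. The following is an added example written for this page, not code from Mender or from anyone in the thread, and it uses only the Python standard library. The function names (inspect_bundle, build_server_crt, check_mender_conf, verify_live_server) and the status labels are this example's own convention; the sample "certificate" body is a constructed bare DER SEQUENCE standing in for a real certificate, and the mender.conf sample is a subset of the one posted above.

```python
import binascii
import json
import socket
import ssl
from typing import Dict, List

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def split_pem_bundle(bundle: str) -> List[str]:
    """Return every BEGIN..END block in the bundle, in order.
    Also copes with two files concatenated without a newline between them,
    which `cat a.crt b.crt > server.crt` yields when a.crt lacks a trailing
    newline: the footer and the next header then share one line."""
    blocks, pos = [], 0
    while True:
        start = bundle.find(PEM_HEADER, pos)
        if start < 0:
            return blocks
        end = bundle.find(PEM_FOOTER, start)
        if end < 0:
            raise ValueError("BEGIN CERTIFICATE without a matching END")
        end += len(PEM_FOOTER)
        blocks.append(bundle[start:end] + "\n")
        pos = end


def _is_der_sequence(der: bytes) -> bool:
    """True if `der` is one complete DER SEQUENCE, the outer shape of every
    X.509 certificate. Structure only; certificate contents are not checked."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def inspect_bundle(bundle: str) -> List[Dict[str, object]]:
    """Classify each block: 'empty' (armor with nothing inside, the thread's
    dummy), 'malformed' (not base64 / not a DER SEQUENCE) or 'der-ok'."""
    report = []
    for block in split_pem_bundle(bundle):
        try:
            der = ssl.PEM_cert_to_DER_cert(block)   # stdlib: strip armor, base64-decode
        except (ValueError, binascii.Error):
            der = None
        if der is None or (der != b"" and not _is_der_sequence(der)):
            status = "malformed"
        elif der == b"":
            status = "empty"
        else:
            status = "der-ok"
        report.append({"status": status, "der_bytes": len(der or b"")})
    return report


def build_server_crt(*pem_texts: str) -> str:
    """Join certificate files as Rod describes (api-gateway cert.crt followed by
    storage-proxy cert.crt), guaranteeing a newline between them."""
    return "".join(t if t.endswith("\n") else t + "\n" for t in pem_texts)


def check_mender_conf(conf_json: str, bundle: str) -> Dict[str, object]:
    """Summarise what the client is configured to trust."""
    conf = json.loads(conf_json)
    entries = inspect_bundle(bundle)
    return {
        "https": str(conf.get("ServerURL", "")).startswith("https://"),
        "cert_path": conf.get("ServerCertificate"),
        "certificates": len(entries),
        "usable": sum(1 for e in entries if e["status"] == "der-ok"),
        "dummy_only": bool(entries) and all(e["status"] == "empty" for e in entries),
    }


def verify_live_server(host: str, cafile: str, port: int = 443) -> str:
    """Handshake with `cafile` as the ONLY trust anchor (no system CAs) and return
    the peer certificate's subject; raises ssl.SSLCertVerificationError when the
    server's chain does not validate against the bundle. Needs network; not run here."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return str(tls.getpeercert()["subject"])


# Constructed sample input: a subset of the thread's mender.conf, a stand-in
# "certificate" whose body is only the bare DER SEQUENCE 30 03 02 01 01 (not a
# real X.509 certificate), and the thread's empty dummy, glued without a newline.
SAMPLE_CONF = """{
  "ServerURL": "https://mender.mydomain.com",
  "ServerCertificate": "/etc/mender/server.crt",
  "TenantToken": "dummy"
}"""
STANDIN_CERT = PEM_HEADER + "\nMAMCAQE=\n" + PEM_FOOTER   # no trailing newline
DUMMY_CERT = PEM_HEADER + "\n" + PEM_FOOTER + "\n"
GLUED_BUNDLE = STANDIN_CERT + DUMMY_CERT                   # what a bare `cat` produces

if __name__ == "__main__":
    print(inspect_bundle(GLUED_BUNDLE))
    print(check_mender_conf(SAMPLE_CONF, build_server_crt(STANDIN_CERT, DUMMY_CERT)))
```

The `dummy_only` flag reports the situation Will describes: the file on the device carries no trust anchor of its own. Whether the client then falls back to some other store is exactly what the thread leaves open, so `verify_live_server(host, cafile)` against the real server, with that file as the only anchor, is the check that settles whether a given server.crt validates a given deployment; a raised `ssl.SSLCertVerificationError` there corresponds to the client-side failure that a Let's Encrypt chain missing from the bundle would produce.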

Rod Milton
Jul 16, 2018, 5:13:40 PM
to Mender List mender.io, kristia...@northern.tech
Thanks Will, didn't see this when posting previous message, I'll try this.

Rod Milton
Jul 17, 2018, 8:29:51 PM
to Mender List mender.io, kristia...@northern.tech
Thanks Will, this did the trick.

-rod