3.4.0 mender-server set up failed

ak8893893 · October 26, 2022, 9:24am

I followed the 3.4.0 document to set up the mender-server.
https://docs.mender.io/3.4/server-installation/installation-with-docker-compose#close

But there are two container can’t be create, I can’t create the first user.

menderproduction_mender-device-auth_1
menderproduction_mender-useradm_1

I tried to use docker logs to check the error.
It showed:

failed to read rsa private key: failed to read server private key file: open /etc/deviceauth/rsa/private.pem: permission denied

failed to read rsa private key: failed to read server private key file: open /etc/useradm/rsa/private.pem: permission denied

But I didn’t find the private.pem file in that place, I don’t know how to fix the problem.

By the way, the same the same process I create 3.3.0 mender-server demo and enterprise is OK.
Is there any new step I need to do in 3.4.0 version?

ak8893893 · October 27, 2022, 10:11am

2022/10/27 Update

I solved the issue.

See that his data volume is bound /production/keys-generated/keys/deviceauth/private.key
Check whether this private.key has permission

found no permission

$ chmod +777 ~/mender-server/production/keys-generated/keys/useradm/private.key
$ chmod +777 ~/mender-server/production/keys-generated/keys/deviceauth/private.key

$ sudo ~/mender-server/production/run up -d

Change the permissions to full and start again, and you will see the useradm and deviceauth can be activated!

You also can check the 3.3.0’s private.key permission and change the 3.4.0’s to the same permission.

joelguittet · November 13, 2022, 8:47pm

Hello,

I have the same problem but clearly this is not the right solution. It works, yes obviously, but private key should not be accessible to world.
On my v3.3 private key was permissions 600 and I guess you have the same on v3.4 (I have this.).

Anybody having the same issue with a more convenient solution for that ?

Joel

TheYoctoJester · November 15, 2022, 11:00am

Hi @joelguittet,

one way should be to adjust the prod.yml to use the actual UID/GID like this:

 mender-useradm:
     command: server --automigrate
     user: "${UID}:${GID}"

Having said that, we strongly recommend. using the k8s version of the server setup.

Greetz,
Josef

ak8893893 · November 15, 2022, 12:51pm

ak8893893:

$ chmod 004 ~/mender-server/production/keys-generated/keys/useradm/private.key
$ chmod 004 ~/mender-server/production/keys-generated/keys/deviceauth/private.key

$ sudo ~/mender-server/production/run up -d

I tried to let the permission to the less. And it can works when I use 004 permission.

Craig-Anderson-Ins · February 23, 2024, 10:34pm

I needed to add your ‘user: …’ line to mender-device-auth as well.

After those two changes, all containers were fine.

Topic		Replies	Views
Mender Docker Install V3.4 General Discussions	15	770	August 30, 2023
Certificates and Keys Question while Installing General Discussions	3	468	June 18, 2019
Mender server 3.2: container deviceauth and useradm continuously restarting General Discussions mender-server	5	1055	March 30, 2023
TLS Handshake Verification Failure in Mender 3.4 Production Installation General Discussions	3	23	September 11, 2024
Authorization Failed while connecting mender-client to the self signed mender server General Discussions ubuntu , mender-client , selfsigned	0	865	August 1, 2022

3.4.0 mender-server set up failed

Related topics