Artifact update fail

Hi

I have hosted an on-prem secure server with a proper domain and made it production ready as per the document.
But when I try to update, I get an error. I have also attached the logs below.

2020-08-04 13:15:49 +0000 UTC info: Running Mender version 2.2.0
2020-08-04 13:15:50 +0000 UTC debug: handle update fetch state
2020-08-04 13:15:50 +0000 UTC debug: status reported, response 204 No Content
2020-08-04 13:18:02 +0000 UTC error: Can not fetch update image: Get https://serverdemo.westus2.cloudapp.azure.com:9000/mender-artifact-storage/1bf928b8-1128-48d2-9f4e-d6d27755b1cf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=mender-deployments%2F20200804%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200804T131548Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&response-content-type=application%2Fvnd.mender-artifact&X-Amz-Signature=f4a2cd57557130c340165c8b01331a08961023a198a8d3111be7172c4fadd4c9: dial tcp 51.143.22.248:9000: connect: connection timed out
2020-08-04 13:18:02 +0000 UTC error: update fetch failed: update fetch request failed: Get https://serverdemo.westus2.cloudapp.azure.com:9000/mender-artifact-storage/1bf928b8-1128-48d2-9f4e-d6d27755b1cf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=mender-deployments%2F20200804%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200804T131548Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&response-content-type=application%2Fvnd.mender-artifact&X-Amz-Signature=f4a2cd57557130c340165c8b01331a08961023a198a8d3111be7172c4fadd4c9: dial tcp 51.143.22.248:9000: connect: connection timed out
2020-08-04 13:18:02 +0000 UTC info: State transition: update-fetch [Download_Enter] -> fetch-install-retry-wait [Download_Enter]
2020-08-04 13:18:02 +0000 UTC debug: handle fetch install retry state
2020-08-04 13:18:02 +0000 UTC info: State transition: fetch-install-retry-wait [Download_Enter] -> update-error [ArtifactFailure]
2020-08-04 13:18:02 +0000 UTC debug: transitioning to error state
2020-08-04 13:18:02 +0000 UTC debug: statescript: timeout for executing scripts is not defined; using default of 1h0m0s seconds
2020-08-04 13:18:02 +0000 UTC debug: statescript: timeout for executing scripts is not defined; using default of 1h0m0s seconds
2020-08-04 13:18:02 +0000 UTC debug: handle update error state
2020-08-04 13:18:02 +0000 UTC info: State transition: update-error [ArtifactFailure] -> cleanup [Error]
2020-08-04 13:18:02 +0000 UTC debug: statescript: timeout for executing scripts is not defined; using default of 1h0m0s seconds
2020-08-04 13:18:02 +0000 UTC debug: statescript: timeout for executing scripts is not defined; using default of 1h0m0s seconds
2020-08-04 13:18:02 +0000 UTC debug: Handling Cleanup state
2020-08-04 13:18:02 +0000 UTC info: State transition: cleanup [Error] -> update-status-report [none]
2020-08-04 13:18:02 +0000 UTC debug: statescript: timeout for executing scripts is not defined; using default of 1h0m0s seconds
2020-08-04 13:18:02 +0000 UTC debug: handle update status report state
2020-08-04 13:18:03 +0000 UTC debug: status reported, response 204 No Content
2020-08-04 13:18:03 +0000 UTC debug: attempting to upload deployment logs for failed update

Thanks
Arun

It appears something is wrong with your storage proxy settings. When a client downloads an artifact, a temporary URL is generated against an S3-compatible service. In the default config that is minio running on the same docker host as the rest of the server services.

Is serverdemo.westus2.cloudapp.azure.com the proper domain name for your server? Do you have some kind of firewall that may be blocking port 9000?

Drew

Hi @drewmoseley,

Thanks for your quick response.
I rechecked: port 9000 was blocked. I unblocked it and was able to update successfully.
Although my server is secured, when I try to get the Artifacts by using the Management API,
I get the error “code”:“UNABLE_TO_VERIFY_LEAF_SIGNATURE”.
But it works fine for hosted Mender. Is there any additional parameter that needs to be passed?

Thanks
Arun

Hi @arun,

I have no idea what that error means. @merlin do you know?

Drew

Hello Arun!

Thanks for using Mender.
Could you try to run the following command:

echo  | openssl s_client -verify 4 -connect serverdemo.westus2.cloudapp.azure.com:9000

and send the result?
I think, if you want to have the certificate verified, and you do not want to turn off the verification in the client, you have to add the certificate to your trusted store. First, get the certificate:

# echo | openssl s_client -showcerts -servername serverdemo.westus2.cloudapp.azure.com -connect serverdemo.westus2.cloudapp.azure.com:9000 2> /dev/null | sed -n -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/ p' > serverdemo.crt

and then add serverdemo.crt to the trusted store by copying it to the ‘certs’ directory of the default one for your system. To find out where it is, run openssl version -d, for example:

# openssl version -d
OPENSSLDIR: "/opt/local/etc/openssl"

means that when I want to add a certificate to the default trust store, I have to put the PEM file in the /opt/local/etc/openssl/certs directory, or append it to the /opt/local/etc/openssl/cert.pem file.
Do not forget to run the c_rehash command.
Then you can run verify again:

echo  | openssl s_client -verify 4 -connect serverdemo.westus2.cloudapp.azure.com:9000

Let me know how it goes.

peter
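
The trust-store step described in the reply above, as an added offline example that is not part of the original thread: it builds a throwaway CA and server certificate, then shows that verification fails until the issuer sits in the certs directory under the hashed name that c_rehash would create. The directory layout, file names and the host name mender.example.internal are assumptions, and the example installs the issuing CA certificate as the trust anchor.

```shell
#!/bin/sh
# Added example: every key, certificate and name below is constructed for the demo.

make_demo_pki() {            # $1 = work directory
    mkdir -p "$1/certs"
    # Throwaway private CA, standing in for whoever issued the server certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # Server key and signing request (hypothetical host name).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mender.example.internal" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    # Leaf certificate signed by the demo CA.
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

install_ca() {               # $1 = CA certificate (PEM), $2 = certs directory
    cp "$1" "$2/demo-ca.pem"
    # c_rehash creates exactly this kind of <subject-hash>.0 link; OpenSSL looks
    # issuers up by that name, so a PEM file without the link is never found.
    hash=$(openssl x509 -noout -subject_hash -in "$1")
    ln -sf demo-ca.pem "$2/$hash.0"
}

verify_with_dir() {          # $1 = certs directory, $2 = certificate to check
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    echo "before install: $(verify_with_dir "$work/certs" "$work/server.crt")"
    install_ca "$work/ca.crt" "$work/certs"
    echo "after install:  $(verify_with_dir "$work/certs" "$work/server.crt")"
    rm -rf "$work"
}

demo
```

Dropping a PEM file into the certs directory without the hash link leaves the result at "untrusted", which is why the rehash step matters.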