I have installed the Mender server using Docker Compose with a self-signed certificate. I also got a temporary public domain from https://ipq.co/
I have generated the keys and certificates and then copied the certificate to the mender-client machine at /etc/mender/server.crt. My mender.conf is as below:
```json
{
  "DeviceTypeFile": "/var/lib/mender/device_type",
  "UpdateControlMapExpirationTimeSeconds": 90,
  "UpdateControlMapBootExpirationTimeSeconds": 45,
  "UpdatePollIntervalSeconds": 5,
  "InventoryPollIntervalSeconds": 5,
  "RetryPollIntervalSeconds": 30,
  "ServerURL": "https://e3c0j.ipq.co",
  "ServerCertificate": "/etc/mender/server.crt"
}
```
When I start mender-client, it is not able to connect to the server and gives the error below:
```
3:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=error msg="Failed to authorize with \"https://e3c0j.ipq.co\": Unknown url.Error type: depth zero self-signed certificate, openssl verify rc: 18 server cert file: /etc/mender/cert.crt"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=warning msg="Reauthorization failed with error: transient error: authorization request failed"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=error msg="Failed to submit inventory data: transient error: authorization request failed"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=error msg="inventory submit failed: transient error: authorization request failed"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=warning msg="Reauthorization failed with error: transient error: authorization request failed"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=warning msg="Failed to refresh inventory: failed to submit inventory data: inventory submit failed: transient error: authorization request failed"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=info msg="Wait 30s before next inventory update attempt in 59.999998963s"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=error msg="Failed to submit inventory data: transient error: authorization request failed"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=error msg="inventory submit failed: transient error: authorization request failed"
أغس 01 23:38:29 amerlin mender[2197193]: time="2022-08-01T23:38:29+04:00" level=warning msg="Failed to refresh inventory: failed to submit inventory data: inventory submit failed: transient error: authorization request failed"
```
When I read the documentation, this error is mentioned for self-signed certificates, and it says to put the certificate in the local truststore of the mender-client machine. I did the same using the commands below:
```shell
sudo cp server.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```
It shows that 1 server is added, but I am still getting the error.
When I try to ping the server using curl, it succeeds, as below:
```
amer@amerlin:/etc/mender$ sudo curl --verbose https://e3c0j.ipq.co
* Trying 192.168.0.108:443...
* Connected to e3c0j.ipq.co (192.168.0.108) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=e3c0j.ipq.co
*  start date: Jul 31 15:49:38 2022 GMT
*  expire date: Jul 28 15:49:38 2032 GMT
*  subjectAltName: host "e3c0j.ipq.co" matched cert's "e3c0j.ipq.co"
*  issuer: CN=e3c0j.ipq.co
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55d33ed2ae80)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: e3c0j.ipq.co
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 301
< location: https://e3c0j.ipq.co/ui/
< content-type: text/plain; charset=utf-8
< content-length: 17
< date: Mon, 01 Aug 2022 19:49:26 GMT
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection #0 to host e3c0j.ipq.co left intact
Moved Permanently
```
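As an added diagnostic (not from the post above or from the Mender project), the script below reproduces offline what the mender-client log line reports: a constructed throwaway self-signed certificate verified with no trust anchor yields openssl verify error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), while the same file verified against itself as the CA passes. It also extracts the ServerCertificate path from a mender.conf and checks that the file exists, which is worth doing here because the log names /etc/mender/cert.crt while the posted config names /etc/mender/server.crt. The host name example.invalid and the temp directory layout are assumptions of the example.

```shell
#!/usr/bin/env bash
# Offline reproduction of "depth zero self-signed certificate, openssl verify rc: 18"
# plus a sanity check of the ServerCertificate path in a mender.conf.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway self-signed cert for a hypothetical host (not a real server).
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/server.crt" \
    -subj "/CN=example.invalid" >/dev/null 2>&1
}

# Prints the numeric X509 verify error (0 on success), i.e. the same number
# mender-client shows after "openssl verify rc:".
# $1 = certificate to verify, $2 = CA file to trust, or "" for no trust anchor
verify_rc() {
  if [ -n "$2" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1)
  else
    out=$(openssl verify -no-CAfile -no-CApath "$1" 2>&1)
  fi
  case "$out" in
    *": OK"*)  echo 0 ;;
    *"error "*) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n1 ;;
    *)         echo 255 ;;
  esac
}

# Reads "ServerCertificate" from a mender.conf and prints ok / missing / unset
# depending on whether the referenced file is actually present on disk.
check_server_cert_path() {  # $1 = path to mender.conf
  p=$(sed -n 's/.*"ServerCertificate"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
  [ -z "$p" ] && { echo unset; return; }
  [ -f "$p" ] && echo ok || echo missing
}

# Demo run: self-signed cert without a trust anchor -> 18; pinned as its own CA -> 0.
make_selfsigned
echo "no trust anchor:   rc=$(verify_rc "$WORK/server.crt" "")"
echo "pinned as own CA:  rc=$(verify_rc "$WORK/server.crt" "$WORK/server.crt")"
printf '{ "ServerCertificate": "%s" }\n' "$WORK/server.crt" > "$WORK/mender.conf"
echo "ServerCertificate path: $(check_server_cert_path "$WORK/mender.conf")"
```

Run it against the real /etc/mender/mender.conf with `check_server_cert_path /etc/mender/mender.conf` to confirm the client is reading the certificate file you copied and not a stale path.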