Authorization fails

I get the following error when trying to authorize a device:

Jul 29 01:09:42 jetson-tx2 mender[37345]: time="2020-07-29T01:09:42Z" level=debug msg="making an authorization request () to server "<my-server>" module=client_auth
Jul 29 01:09:42 jetson-tx2 mender[37345]: time="2020-07-29T01:09:42Z" level=debug msg="got response: &{401 Unauthorized 401 HTTP/2.0 2 0 map[Access-Control-Allow-Origin:[*] Content-Type:[application/json; charset=utf-8] Date:[Wed, 29 Jul 2020 01:09:42 GMT] Server:[openresty/] Vary:[Accept-Encoding] X-Authentication-Version:[unknown] X-Men-Requestid:[5bfd577a-9ccb-4f3a-9975-b8b468579ed8]] 0x400000e0e0 -1 [] false true map[] 0x40002ce100 0x40005de160}" module=client_auth
Jul 29 01:09:42 jetson-tx2 mender[37345]: time="2020-07-29T01:09:42Z" level=error msg="authorize failed: transient error: authorization request failed: (request_id: ): authentication request rejected server error message: dev auth: unauthorized" module=state
Jul 29 01:09:42 jetson-tx2 mender[37345]: time="2020-07-29T01:09:42Z" level=info msg="State transition: authorize [Sync] -> authorize-wait [Idle]" module=mender

Looking at other posts on this site, I was wondering if this might be a device identity issue. I’m using the MAC address for the device id, so maybe if this device had been used previously, that would cause some issues. But I looked through all of the devices that are pending authorization or were already accepted, and I do not see the device anywhere.

After getting these errors, I tried to preauthorize the device, but when I try to preauthorize it using its MAC address, I get an error message that says “A preauthorization with a matching identity data set already exists”, even though it says there are no preauthorized devices (and again, I do not see this device in the list of devices pending authorization or devices accepted).

Any thoughts on what might cause these issues?
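An added example, not part of the original thread: a small Python parser for the client log lines quoted above that pairs each "authorize failed" error with the preceding HTTP response and pulls out the status code and the X-Men-Requestid value, which the client's own error line leaves empty. The sample input is the post's log with the response dump shortened; the function names are hypothetical.

```python
import re

# Constructed sample: the journal lines from the post, response dump shortened.
SAMPLE = '''\
Jul 29 01:09:42 jetson-tx2 mender[37345]: time="2020-07-29T01:09:42Z" level=debug msg="got response: &{401 Unauthorized 401 HTTP/2.0 2 0 map[Content-Type:[application/json; charset=utf-8] X-Men-Requestid:[5bfd577a-9ccb-4f3a-9975-b8b468579ed8]] 0x400000e0e0 -1 [] false true map[]}" module=client_auth
Jul 29 01:09:42 jetson-tx2 mender[37345]: time="2020-07-29T01:09:42Z" level=error msg="authorize failed: transient error: authorization request failed: (request_id: ): authentication request rejected server error message: dev auth: unauthorized" module=state
Jul 29 01:09:42 jetson-tx2 mender[37345]: time="2020-07-29T01:09:42Z" level=info msg="State transition: authorize [Sync] -> authorize-wait [Idle]" module=mender
'''

# The msg field can contain unescaped quotes (see the first line of the post's
# log), so match it greedily up to the trailing module= field.
LINE = re.compile(
    r'time="(?P<time>[^"]+)" level=(?P<level>\w+) msg="(?P<msg>.*)" module=(?P<module>\w+)\s*$'
)
RESPONSE = re.compile(r'got response: &\{(?P<status>\d{3}) ')
REQ_ID = re.compile(r'X-Men-Requestid:\[(?P<id>[0-9a-fA-F-]+)\]')

def parse(text):
    """Yield one dict (time, level, msg, module) per recognised log line."""
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m:
            yield m.groupdict()

def rejected_auth_requests(text):
    """Pair each 'authorize failed' error with the preceding 4xx/5xx response."""
    last, findings = None, []
    for rec in parse(text):
        resp = RESPONSE.search(rec["msg"])
        if resp and rec["module"] == "client_auth":
            rid = REQ_ID.search(rec["msg"])
            last = {"time": rec["time"], "status": int(resp["status"]),
                    "request_id": rid["id"] if rid else None}
        elif (rec["level"] == "error" and "authorize failed" in rec["msg"]
              and last and last["status"] >= 400):
            # Keep only the server's reason when the client included one.
            reason = rec["msg"].partition("server error message: ")[2] or rec["msg"]
            findings.append(dict(last, reason=reason))
            last = None
    return findings

if __name__ == "__main__":
    for finding in rejected_auth_requests(SAMPLE):
        print(finding)
```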


Have you checked if the device was previously rejected?

Can you try the following request and see what you get?
GET<insert mac here>

I don’t see the device in the list of rejected devices, and when I run that request I just get an empty response: []

I realized that I’m using version 2.2 on the client device, and an older version (less than 2, I’m not sure what it is) on the server, so I think that might be the issue. Is it a fair assumption that a newer client version will not work with an older server?

Yes. In general, the server puts an upper limit for the compatible client versions. However, the authorization API should still be compatible so I don’t think that’s the issue here.

We quite recently updated our versioning scheme for the backend services to follow the client versioning scheme, so the docker tags look like mender-X.X (e.g. mendersoftware/api-gateway:mender-2.4). If your server version is older than 2.4, that might explain why the above query doesn’t return any devices as this information was not previously propagated to the inventory service.

If the former device was decommissioned you could try running:

docker exec $(docker ps -q -n 1 -f 'name=device-auth') /usr/bin/deviceauth maintenance --decommissioning-cleanup

We are not testing it explicitly, but it should work, because we have never made any breaking change to the client API. It is still “v1” and has been since the beginning.

Just a slight correction: The new versioning scheme for the backend does not follow the client, it follows integration. This is worth noting since the latest client is 2.3.0, while the latest integration is 2.4.0.

I do not think that this is related to the problem though, since any backend should work with any client.