In production, I have a setup that I think is incorrect/sub-optimal, but actually works.
Here’s how I got there:
At the time I first set up my server and client, I didn’t have access to our organization’s CA-signed SSL cert. So, I created a self-signed cert, and in order to get the client to talk to the server I had to put that self-signed cert on the client.
I put the self-signed cert into /etc/mender/server.crt.
Also, the mender.conf contained the line:
This worked just fine.
I finally obtained a copy of the organization’s CA-signed SSL cert. I installed the CA-signed cert onto the Mender server.
Based on my experience on what I had to do to get the self-signed cert to work, I concatenated the CA-signed cert to the /etc/mender/server.crt file (it now had both certs in the file).
At this point I didn’t have devices deployed in the field. I was still working with client devices in a lab. After flashing a new SSD with this new config, the client device successfully connected to the server.
Now, here’s the challenge:
I recently learned that our CA-signed cert will expire in late October. At first, I thought my course of action would be that I need to deploy an update with the new CA-signed cert, also concatenated to the server.crt file. However, after doing some research, I came away with the impression that IF the server’s cert is CA-signed, then there’s no need to have any cert on the client at all, which I really welcomed because it made me think that we can simply install the new CA-signed cert on the server when we receive it from the certificate authority, and the devices will just be fine. (Note: by this time there are devices in the field.)
Of course, I needed to test this proof-of-concept.
Surprisingly, everything I’ve tried has not worked.
- If I remove the reference to the server.crt from the mender.conf file, even though the device is trying to connect to a server with a CA-signed cert, it complains “certificate signed by an unknown authority”.
- If I leave the reference to server.crt inside of mender.conf, but delete the organization’s CA-signed cert from it, it also fails with the same message.
Sorry for being so verbose, but I couldn’t explain it any more succinctly than this.
So, thoughts? Is there a way to configure this that doesn’t require us to keep deploying the organization’s CA-signed certs to the clients?
FWIW, the CA is GoDaddy and the root & class 2 certs are in the client’s /etc/ssl/certs directory.
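An added diagnostic helper for this kind of setup (my own example, not Mender code and not from this thread): it splits a concatenated PEM file such as /etc/mender/server.crt into its individual certificates, reports each one's subject, issuer, expiry and whether it is self-signed, and counts the entries that expire within N days. It assumes the openssl CLI is installed; the function names and the subject==issuer heuristic are my own choices.

```shell
#!/bin/sh
# Hypothetical helper: inspect a PEM bundle like /etc/mender/server.crt.
# Assumes the openssl command-line tool is available.

# Split a concatenated PEM file into one certificate per file under $2
# and print the resulting paths, one per line.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null
}

# Print one line per certificate: subject|issuer|notAfter|kind.
# kind is "self-signed" when subject equals issuer (a heuristic, not a
# signature check). A self-signed entry pins that exact server cert; a
# CA-issued leaf in the bundle adds nothing the system trust store lacks,
# while a CA root/intermediate is what actually lets verification succeed.
describe_bundle() {
    bundle="$1"
    tmp=$(mktemp -d)
    for f in $(split_pem_bundle "$bundle" "$tmp"); do
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        exp=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        if [ "$subj" = "$iss" ]; then kind=self-signed; else kind=ca-issued; fi
        printf '%s|%s|%s|%s\n' "$subj" "$iss" "$exp" "$kind"
    done
    rm -rf "$tmp"
}

# Print how many certificates in the bundle expire within N days (default 30).
# openssl -checkend exits non-zero when the cert expires inside the window.
expiring_count() {
    bundle="$1"; days="${2:-30}"
    tmp=$(mktemp -d); n=0
    for f in $(split_pem_bundle "$bundle" "$tmp"); do
        openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null || n=$((n + 1))
    done
    rm -rf "$tmp"
    echo "$n"
}
```

Running `describe_bundle /etc/mender/server.crt` on a device shows at a glance whether the file still holds only a leaf (self-signed or CA-issued) or an actual CA certificate, and `expiring_count` flags entries that will stop working before the October expiry.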