Client complains server's cert signed by unknown authority

Hello all :slight_smile:

In production, I have a setup that I think is incorrect/sub-optimal, but actually works.

Here’s how I got there:

At the time I first set up my server and client, I didn’t have access to our organization’s CA-signed SSL cert. So, I created a self-signed cert, and in order to get the client to talk to the server, I had to put that self-signed cert on the client.

I put the self-signed cert into /etc/mender/server.crt.

Also, the mender.conf contained the line:

    "ServerCertificate": "/etc/mender/server.crt"

This worked just fine.

I finally obtained a copy of the organization’s CA-signed SSL cert. I installed the CA-signed cert onto the Mender server.

Based on my experience on what I had to do to get the self-signed cert to work, I concatenated the CA-signed cert to the /etc/mender/server.crt file (it now had both certs in the file).

At this point I didn’t have devices deployed in the field. I was still working with client devices in a lab. After flashing a new SSD with this new config, the client device successfully connected to the server.

Now, here’s the challenge:

I recently learned that our CA-signed cert will expire in late October. At first, I thought my course of action would be that I need to deploy an update with the new CA-signed cert, also concatenated to the server.crt file. However, after doing some research, I came away with the impression that IF the server’s cert is CA-signed, then there’s no need to have any cert on the client at all, which I really welcomed because it made me think that we can simply install the new CA-signed cert on the server when we receive it from the certificate authority, and the devices will just be fine. (Note: by this time there are devices in the field.)

Of course, I needed to test this proof-of-concept.

Surprisingly, everything I’ve tried has not worked.

  1. If I remove the reference to the server.crt from the mender.conf file, even though the device is trying to connect to a server with a CA-signed cert, it complains “certificate signed by an unknown authority”.
  2. If I leave the reference to server.crt inside of mender.conf, but delete the organization’s CA-signed cert from it, it also fails with the same message.

Sorry for being so verbose, but I couldn’t explain it any more succinctly than this.

So, thoughts? Is there a way to configure this that doesn’t require us to keep deploying the organization’s CA-signed certs to the clients?

FWIW, the CA is GoDaddy and the root & class 2 certs are in the client’s /etc/ssl/certs directory.

Did you install the GoDaddy public CA cert in /etc/ssl/certs yourself, or did it come bundled with the ca-certificates package that you installed on the client OS?

Also compare the GoDaddy public CA cert fingerprint of the one installed on the server to the one installed on your client to ensure they are definitely the same.

Also, on the server, have you configured it to send both the CA cert and any intermediates to the clients, i.e. the full chain?

Hi @dellgreen

I will have to research the answers to your first reply. Regarding your second reply, I’m not sure.

Could I kindly ask you to post a link to the Mender doc where this is described? That will help me look into how my server is configured.

I set this up and haven’t touched anything for about a year and a half so I’m learning everything all over again to work on this.

BTW, I’m running version 2.6.0.

Thanks!

Here you go:

For server-side config, all you should need to do is concatenate your public cert, intermediate public certs and public CA cert.

UPDATE: order matters

Thanks @dellgreen.

I think the very best place to begin is the beginning. Forgetting the clients for a minute, when I am given my new signed CA-cert, where on a Mender production server should that cert file go?

Is it in /etc/ssl (.crt and .key)?

…or…

does it go in $HOME/mender-server/production/keys-generated/certs/server.crt?

It occurred to me that I need to update the server no matter what, but I’m not sure which cert file I’ll eventually need to overwrite with the new cert.

Regards,

Joe

The location of your cert file and private key is defined in your Mender server prod.yml config file, as per the Mender production documentation, for a couple of the services. So technically it can be anywhere, as they get mapped into the Docker service environment at fixed paths.

@dellgreen - Solved. Thanks.

“For server side config all you should need to do is concatenate your public cert, intermediate public certs and public CA-cert”

I found out that the order matters. I didn’t read what you wrote closely enough to understand that order matters, but it does. I originally concatenated the root cert, intermediate cert and the domain-name public cert, in that order, and it didn’t work.

I then concatenated them in essentially the reverse of that (matching what you wrote), and that does indeed work.

Thanks so much, @dellgreen :slight_smile:
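The two things this thread turns on, as a worked example added here rather than code from the thread or from the Mender project: why the client reports “certificate signed by unknown authority” both when the device has no trust anchor for the chain and when the server does not send its intermediate, and why the concatenation order of the server’s cert file matters. The Mender client is written in Go, so that error string is Go’s crypto/x509 wording; Go’s tls.X509KeyPair stands in here for the server’s certificate loader (nginx and Traefik apply the same leaf-first rule). Everything is constructed in memory with a throwaway root CA, intermediate and server leaf; the host name mender.example.com and the CA names are assumptions, no GoDaddy or Mender material is involved, and a pinned self-signed server cert is just the trusted-root case with the leaf as its own anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const serverName = "mender.example.com" // hypothetical host name; the real one is not on the page
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// check panics on error: everything here is built in memory, so an error is a bug in the demo.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *certPair) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &certPair{cert: cert, key: key}
}

type pki struct{ root, inter, leaf *certPair } // constructed: root CA -> intermediate CA -> server leaf

func newPKI() *pki {
	root := mkCert("root-ca.example.com", true, nil)
	inter := mkCert("intermediate-ca.example.com", true, root)
	return &pki{root: root, inter: inter, leaf: mkCert(serverName, false, inter)}
}

// verifyAsClient does what the client does in the handshake: trust only `trusted` (the device's
// CA bundle, or the pinned ServerCertificate file) and use `sent` as the server's extra chain certs.
func verifyAsClient(leaf *certPair, trusted, sent []*certPair) error {
	opts := x509.VerifyOptions{DNSName: serverName, Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	for _, c := range trusted {
		opts.Roots.AddCert(c.cert)
	}
	for _, c := range sent {
		opts.Intermediates.AddCert(c.cert)
	}
	_, err := leaf.cert.Verify(opts)
	return err
}

// isUnknownAuthority reports whether err is the "certificate signed by unknown authority" failure.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// loadServerChain concatenates certs in the given order, like the cert file handed to the server,
// and loads it the way the server does: the first certificate must match the private key.
func loadServerChain(key *certPair, certs ...*certPair) error {
	var chain []byte
	for _, c := range certs {
		chain = append(chain, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.cert.Raw})...)
	}
	keyDER, err := x509.MarshalECPrivateKey(key.key)
	check(err)
	_, err = tls.X509KeyPair(chain, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return err
}

func main() {
	p := newPKI()
	fmt.Println("full chain sent, root trusted:   ", verifyAsClient(p.leaf, []*certPair{p.root}, []*certPair{p.inter}))
	fmt.Println("leaf only sent, root trusted:    ", verifyAsClient(p.leaf, []*certPair{p.root}, nil))
	fmt.Println("full chain sent, nothing trusted:", verifyAsClient(p.leaf, nil, []*certPair{p.inter}))
	fmt.Println("server file leaf,inter,root:     ", loadServerChain(p.leaf, p.leaf, p.inter, p.root))
	fmt.Println("server file root,inter,leaf:     ", loadServerChain(p.leaf, p.root, p.inter, p.leaf))
}
```

The two failing client cases print the same "unknown authority" message, which is why the question of whether the root is really in the device bundle and whether the server sends its intermediates had to be settled separately. The root-first server file fails at load time with a key mismatch because the loader treats the first certificate in the file as the server's own; that is the ordering the thread ended on.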
