Download Enter script is not working

Also, what happens if you manually run the script from a shell prompt?
Drew

I am not sure what kind of packages you are addressing. Can you be more specific or send some references?

Thanks.

Saman

The script runs flawlessly when I run manually. The interpreter and code should be fine.

Thanks.

Saman

Can you share the script?
Drew

If you running a Debian based linux distribution it should be the “ca-certificates” package:

sudo apt install ca-certificates

If you managing a yocto linux project then the recipe to add to your local.conf or image conf file should be ‘ca-certificates’ which should be in:

poky/meta/recipes-support/ca-certificates

either way you should have a load of certificate authority certificates in /usr/share/ca-certificates/mozilla/ and /etc/ssl/certs

If you are self-hosting then you may need to add any missing certificate-authority certificates yourself

If you can give us more details about your build process and mender server your using it could help to narrow down the problem

It is just a test script right now. I made sure the interpreter is available in the bin folder.

#!/usr/bin/python3.7

import tkinter
import os, pwd

os.environ[“DISPLAY”] = “:0”
pwstruct = pwd.getpwnam(“pi”)
os.setgid(pwstruct.pw_uid)
os.setuid(pwstruct.pw_gid)

print(“This is a test”)

tkinter.sys.exit(0)

The ca-certificates are already in the newest version.

sudo apt install ca-certificates
Reading package lists… Done
Building dependency tree
Reading state information… Done
ca-certificates is already the newest version (20200601~deb10u2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

are you self-hosting or using the mender hosted option?

It does look like the error is coming from the underlying openssl library as that error message is coming from the mender openssl C binding

I assume openssl is installed, helpfully there doesn’t seem to be any underlying error from the lib propagating back up the stack.

What linux distro and version of the distro are you running?
What version of openssl are you running?
What version of Mender Client are you running?

Hosted.mender.io
Using mender hosted server

Saman

At this point it would be helpful to know more about your system.

What hardware?
What distro and version?
Mender client version?
Openssl version?

I have the following configuration:

Raspberry pi 4
Raspberry pi Lite OS, Raspbian GNU/Linux 10 (buster), Kernel version 5.10.11-v7l+ #1399
Mender client version 2.5.0
openssl version 1.1.1d

Has there been any changes in the platform? I was able to successfully run the Download_Enter script few months back by same method. I was using Raspberry Pi OS instead of Raspberry Pi Lite. I think that is the only difference between now and then.

How did you install Mender? I see in your log that you do not have the dual-rootfs setup so I assume you used the setup from our docs using “mender setup” right?

Do you have all the latest package updates installed? Can you run the following?

$ sudo apt update
$ sudo apt dist-upgrade

Can you share your /etc/mender/mender.conf and /data/mender/mender.conf files? Note that your tenant token should be in one of them and you’ll want to blank that out before posting

Drew

Content from /etc/mender/mender.conf

{
“ClientProtocol”: “https”,
“ArtifactVerifyKey”: “”,
“HttpsClient”: {
“Certificate”: “”,
“Key”: “”,
“SSLEngine”: “”
},
“Security”: {
“AuthPrivateKey”: “”,
“SSLEngine”: “”
},
“RootfsPartA”: “”,
“RootfsPartB”: “”,
“DeviceTypeFile”: “/var/lib/mender/device_type”,
“DBus”: {
“Enabled”: true
},
“UpdatePollIntervalSeconds”: 5,
“InventoryPollIntervalSeconds”: 5,
“SkipVerify”: false,
“RetryPollIntervalSeconds”: 30,
“StateScriptTimeoutSeconds”: 0,
“StateScriptRetryTimeoutSeconds”: 0,
“StateScriptRetryIntervalSeconds”: 0,
“ModuleTimeoutSeconds”: 0,
“ServerCertificate”: “”,
“ServerURL”: “”,
“UpdateLogPath”: “”,
“TenantToken”: <MY_TOKEN_HERE>
“Servers”: [
{
“ServerURL”: “https://hosted.mender.io
}
]
}

I don’t have the /data/mender/mender.conf in my system. I don’t even have the /data directory.

The results from the apt update and apt dist-upgrade are all up-to-date.

I used the ‘CONNECT A DEVICE’ option from the hosted mender dashboard to install mender client on my raspberry pi.

Saman

OK so you’re not setup for system updates given that you don’t have a /data. partition. I just setup a system from scratch and do get occasional SSL errors so I think that may be OK in your case. (although @kacf we may want to investigate this since it’s explicitly listed as an error in the logs:

Feb 15 19:07:11 raspberrypi mender[7613]: time="2021-02-15T19:07:11Z" level=info msg="State transition: check-wait [Idle] -> inventory-update [Sync]"
Feb 15 19:07:11 raspberrypi mender[8275]: time="2021-02-15T19:07:11Z" level=error msg="Failed to Load the Server certificate. Err SSL errors: "
Feb 15 19:07:11 raspberrypi mender[8275]: time="2021-02-15T19:07:11Z" level=warning msg="Failed to load the server TLS certificate settings: SSL errors: "

As for the download enter script, the only thing I can suggest is to edit your script so that it outputs some text to a log file and see if it’s getting executed and how far. Just putting in “echo” commands redirected to /home/pi/log.txt or some such should help figure out where it is failing.
Drew

Are you able to run Download_Enter scripts in your setup? If yes, can you share a sample script that you could run successfully?

Saman

Yes, mine work. First create the script dir and version file:

sudo mkdir /etc/mender/scripts
sudo sh -c 'echo -n 3 > /etc/mender/scripts/version'

and then create the script as shown here:

pi@raspberrypi:~$ ls -l /etc/mender/scripts/Download_Enter_01_Testing 
-rwxr-xr-x 1 root root 84 Feb 15 22:32 /etc/mender/scripts/Download_Enter_01_Testing
pi@raspberrypi:~$ cat /etc/mender/scripts/Download_Enter_01_Testing 
#!/bin/sh

echo "Called into $0 at $(date)" >> /home/pi/state-script-log.txt
exit 0

Then when I start a deployment the log message appears in /home/pi/state-script-log.txt

Drew

What should be inside the version file?

It’s the version number of state scripts. You can see the Yocto setup of it here.

I would have expected other error messages in your log if that file had been missing but please let us know if manually creating it resolves the issue for you.

@alan @lluiscampos we may want to see about having the debian package automatically create this file.

Drew

@drewmoseley I think it makes sense creating the file in the deb package. I’ll follow-up on that. Thanks!