How to Preauthorize the device

Hi,

I’m following this doc https://docs.mender.io/hosted/server-integration/preauthorizing-devices , but then again here it uses the device ID to generate the key. In my scenario, the mender client is installed and the device isn’t accessed through the internet at all, so how do I get the devID?

Is there a way to generate the device ID also for preauth?

@kacf @drewmoseley

Hi there,
How is the device ID generated, or where is it stored in the mender client? It will be super useful to know this now.

Hi,

The device’s identity (not to be confused with the Mender generated UUID) can practically be an arbitrary serialized JSON object (with string-type key/value pairs). However, the Mender client typically uses the mac address returned by a script on the device located at /usr/share/mender/identity/mender-device-identity by default.
You can also take a look at the API docs for a more detailed description of the request parameters.

Hi @alfrunes,

Basically, I want to preauthorize the device, but according to this https://docs.mender.io/hosted/server-integration/preauthorizing-devices#the-identity-of-your-device, I’ll need the device ID, which is acquired only after the Mender client gets its first hit to the server.

But in my case, there won’t be internet access to the device until it reaches the customer’s hand. That’s why I was thinking how to get that device ID from the mender client, so that I can use it and then further carry on with https://docs.mender.io/hosted/server-integration/preauthorizing-devices#the-identity-of-your-device preauthorizing it.

I’m talking about this value:
image

Or is there any other way to Preauthorize without device id?

You do not use the “Device ID” which is shown above for pre-authorization. This is just something that is generated on the server the first time the device connects.

The “Device ID” is generated based on a unique pair of a device identity value(s) + a public key. You can read more about this here:

https://docs.mender.io/hosted/overview/identity

E.g. the default is to use the MAC address of the first network interface as a unique identifier and is what you would input in the pre-authorization fields.

I can see how this section of the docs can look confusing as it makes the assumption in the prerequisites that the device already has a network connection. For pre-authorizing a device, all you need is the device’s identity (e.g. {"mac": "00:00:00:00"}) and the public key, the device ID (UUID) will be generated once the device connects for the first time.
For example, a pre-auth curl request may look something like:
curl https://hosted.mender.io/api/management/v2/devauth/devices -H "Content-Type: application/json" -H "Authorization: Bearer **JWT token returned by /login**" -d '{"identity_data": {"mac": "00:00:00:00"}, "pubkey": "**PUBLIC PEM BYTES GOES HERE**"}'

What about the MAC address? Can I give 00:00:00:00? Will it be updated after the device is authorized and populated with other details?

Hi @alfrunes,

I tried the pre-curl request you sent here.

But it is giving this:

404 Not Found

404 Not Found


openresty/1.13.6.2
curl: (3) Port number ended with '"'
curl: (6) Could not resolve host: pubkey
curl: (3) [globbing] unmatched close brace/bracket in column 573

I’m sorry, I forgot to enclose the -d parameter to curl with single quotes. I updated the comment, could you please try again?

You need to give the mac of the device you want to pre-authorize. If Mender is installed correctly on the device you can run the script located in /usr/share/mender/identity/mender-device-identity to get the mac address for the correct network interface.

OK sure. So if the MAC isn’t the same as the device’s MAC, it won’t preauth and connect to the server?

The curl request is giving me issues, so I’m following this API instead
https://docs.mender.io/2.4/apis/open-source/management-apis/device-authentication

Correct! If the mac (or identity data) does not match, the device will get a 401 Unauthorized response from the server.

OK sure, I’ll get on with that.

But then @alfrunes, I’m using that POST method, and it is executed fine, but the device is coming in the GUI as pending request.

Do I need to add public key and key set in the Mender server “preauthorized” section too??

I corrected another error in the request body and verified that it works. Sorry - I should’ve done that to begin with.

Hi @alfrunes,

I’m still trying. The device gets status: “accepted” from that POST request for Pre-Auth, but for some reason it is getting to pending. I added the public key and key sets to the Preauthorized section too.

Sorry to hear that.
Is the device appearing as both pending and pre-authorized? If so, can you check if the Device Identity of the two devices are matching?

Both are different device ID.

FYI:
Do you think it is because of my Post Auth API to refresh the JWT token (POST, /api/management/v1/useradm/auth/login)? Do you think that’s the reason? (But I kept this because the JWT token expires in 7 days.)

I have added this in my Preauth sec too in server,

Hi @alfrunes,

I’m using this initial parameter to config to the server:

SERVER_URL="https://mender-server.com"
SERVER_CERT="/usr/share/doc/mender-client/examples/server.crt"
sudo DEBIAN_FRONTEND=noninteractive dpkg -i mender-client_2.2.0-1_arm64.deb
sudo mender setup \
  --device-type "$DEVICE_TYPE" \
  --server-url "$SERVER_URL" \
  --server-cert "$SERVER_CERT" \
  --inventory-poll 5 \
  --update-poll 5 \
  --retry-poll 30

Maybe because of this and the preauthorization, it is getting created with twice JWT token? If you think this is the issue, could you tell me how to combine these parameters with the preauth API.

I suspect that the Device Identity passed in the identity_data parameter to the preauth request does not match the id_data in the auth request made from the device.
Can you expand both devices in the UI and compare the Device Identity sections of the pending and pre-authorized devices?
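Added example, not part of the original thread and not Mender's own code: a Python helper that builds the pre-authorization request body from an identity script's output and compares the identity data of a pre-authorized entry with what a device reports, the check suggested above. It assumes the identity script prints one key=value pair per line; the function names, MAC address and key text are constructed for illustration.

```python
import json

# Constructed sample data: not a real device identity or a real key.
SAMPLE_SCRIPT_OUTPUT = "mac=02:00:00:aa:bb:cc\n"
SAMPLE_PUBKEY = ("-----BEGIN PUBLIC KEY-----\n"
                 "CONSTRUCTED-PLACEHOLDER\n"
                 "-----END PUBLIC KEY-----\n")


def parse_identity(script_output: str) -> dict:
    """Turn key=value lines (assumed identity script format) into a dict."""
    identity = {}
    for line in script_output.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value line: {line!r}")
        identity[key] = value
    if not identity:
        raise ValueError("identity script produced no attributes")
    return identity


def build_preauth_body(identity: dict, pubkey_pem: str) -> str:
    """Body for POST /api/management/v2/devauth/devices, as in the thread."""
    # Only the public half is ever sent; refuse a private key file by mistake.
    if "PRIVATE KEY" in pubkey_pem:
        raise ValueError("refusing to send a private key")
    # json.dumps escapes the PEM newlines and quotes, which hand-written
    # shell quoting of the -d argument easily gets wrong.
    return json.dumps({"identity_data": identity, "pubkey": pubkey_pem})


def identity_mismatch(preauthorized: dict, reported: dict) -> dict:
    """Return {attribute: (preauthorized, reported)} for each difference."""
    keys = sorted(set(preauthorized) | set(reported))
    return {k: (preauthorized.get(k), reported.get(k))
            for k in keys if preauthorized.get(k) != reported.get(k)}


if __name__ == "__main__":
    device_identity = parse_identity(SAMPLE_SCRIPT_OUTPUT)
    print(build_preauth_body(device_identity, SAMPLE_PUBKEY))
    # A pre-authorized entry typed by hand with different letter case
    # shows up as a difference in this exact-string comparison.
    print(identity_mismatch({"mac": "02:00:00:AA:BB:CC"}, device_identity))
```
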

Actually, now I’m not able to check because I’m having this in my mender status:
r msg=“authorize failed: transient error: authorization request failed: (request_id: ): authentication request rejected server error message: dev auth: unauthorized”

  1. I tried restarting and reinstalling Mender. Still I guess there are “Mac” id of this device existing in the server.

I always run those parameters, and it connects to the server in the “pending” state. Now, when this Pre-Auth process has also been executed, I guess two device IDs for the same MAC ID are created.

I think so. Isn’t this causing the issue? How do I combine both, because those parameters are giving me the role of adding server.crt and all.