How to Preauthorize the device

The parameters to mender setup have little to do with this issue; as long as it connects to the server you're fine.
The log message shows that the device is not authorized (hence the pending device you observe). This can only mean one thing: the parameters passed to the pre-authorization request (either the pubkey or identity_data) do not match those of the device.
The device you see in the Preauthorized tab is only a provisional device; as long as no device connects with the given public key / identity data, the authentication set will remain in this state.
You need to make sure you have the correct identity data and public key in the preauth request. If you get an error from the server saying the device already exists (even if its status is pending), then you need to decommission the device before you issue another preauth request.

Right now I have decommissioned the device.

  1. I re-ran the entire POST Preauth request. The public key is the same, and the identity data is just this
     (just like the doc mentioned, there was no output):

     import json

     preauth_dev = json.dumps({
         "identity_data": {
             "mac": "b8:27:eb:b4:b5:d2",
         },
     })

     How do I make sure this is the only parameter needed for identity_data?

  2. Then I ran sudo systemctl start mender-client.service, but in the logs it's:

msg="Authorize failed: transient error: authorization request failed: (request_id: ): authentication request rejected server error message: dev auth: unauthorized"

This is how I have given it:

And this is what's happening: in the Preauthorized tab it shows pending, and then in the status log there is the above error:

So, I ran the Pre-Auth request and the device is connecting to the server I guess; it shows up in the "preauthorized" tab, under inactive authentication sets I can see the new request, and when I click accept, the device goes to the device group.

But again, the whole idea of Preauth is to avoid clicking "accept" on the device, right? What's wrong now @alfrunes? Is this how the PreAuth feature is, or am I missing something? Because again it requires human intervention.

Correct me if I'm wrong, but from what I can see, neither the public key nor the mac address matches between the preauth request and the actual (pending) device. From the above image and the comment before that, I can see you used two different mac addresses, is that so? You need to set this value to the mac address of the device; the same goes for the public key - you need to use the public key that the device is using (i.e. the public half of the key pair whose private key is located at /data/mender/mender-agent.pem on the device).
The “device” shown in the Preauthorized tab is not an actual device until a device is connected with a matching key pair and identity data - think of it as a “device reservation” created from the preauth request.

Hi @alfrunes,

I'm using the same mac address; it's b8:27:eb:b4:b5:d2 for my RPi, and I have generated the public key using the section "Generate a client keypair" from https://docs.mender.io/hosted/server-integration/preauthorizing-devices, and then I have uploaded the public key to the Pre-authorized tab in the server GUI.

But I have not done anything with the private.key which is generated from this https://docs.mender.io/hosted/server-integration/preauthorizing-devices. Where should I keep this private.key on the device?

  1. Tell me what you meant by "you need to use the public key that the device is using (i.e. the public key-pair of the private key located at /data/mender/mender-agent.pem on the device)". According to that link, pub.key is generated using that keygen-client, you know?

If you’re still having a hard time, you can fetch these parameters using ssh:

# ${DEVICE_IP} is the address of the device; both commands run over ssh as root
echo "Mac address:"
ssh root@${DEVICE_IP} -- /bin/sh /usr/share/mender/mender-identity-data
echo "Public key:"
# derive the public key from the client's private key and escape newlines for pasting into JSON
ssh root@${DEVICE_IP} -- /bin/cat /var/lib/mender/mender-agent.pem | openssl rsa -pubout | awk '{printf "%s\\n", $0}'
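As an added example (not alfrunes' code and not Mender's own), here is a stdlib-only Python script that turns the two values those ssh commands print into the preauthorization body, and checks whether a connecting device's own identity data and key would match it. The mac address and the PEM body are constructed placeholders.

```python
import json

# Constructed sample input: the key=value line(s) that
# /usr/share/mender/mender-identity-data prints, and a PEM public key in the
# form `openssl rsa -pubout` emits. The base64 body is a placeholder, not a key.
SAMPLE_IDENTITY_OUTPUT = "mac=b8:27:eb:b4:b5:d2\n"
SAMPLE_PUBKEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "PLACEHOLDER_BASE64_LINE_1\n"
    "PLACEHOLDER_BASE64_LINE_2\n"
    "-----END PUBLIC KEY-----\n"
)


def parse_identity_output(text):
    """Turn the identity script's key=value lines into the identity_data object."""
    identity = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, value = line.split("=", 1)
            identity[key.strip()] = value.strip()
    if not identity:
        raise ValueError("identity script produced no key=value pairs")
    return identity


def normalize_pubkey(pem):
    """Accept only a PEM public key. Uploading mender-agent.pem (the private
    key) by mistake is rejected here instead of silently never matching."""
    pem = pem.strip() + "\n"
    if "PRIVATE KEY" in pem:
        raise ValueError("private key given; derive the public key with 'openssl rsa -pubout'")
    if not pem.startswith("-----BEGIN PUBLIC KEY-----"):
        raise ValueError("expected a PEM public key")
    return pem  # json.dumps escapes the newlines, like the awk '\\n' trick above


def build_preauth_request(identity_text, pubkey_pem):
    """The JSON object for a preauthorization request: identity_data + pubkey."""
    return {"identity_data": parse_identity_output(identity_text),
            "pubkey": normalize_pubkey(pubkey_pem)}


def auth_set_matches(preauth, device_identity_text, device_pubkey_pem):
    """The reservation only becomes a real device when BOTH values match exactly."""
    return (preauth["identity_data"] == parse_identity_output(device_identity_text)
            and preauth["pubkey"] == normalize_pubkey(device_pubkey_pem))


if __name__ == "__main__":
    print(json.dumps(build_preauth_request(SAMPLE_IDENTITY_OUTPUT, SAMPLE_PUBKEY_PEM), indent=2))
```

A mismatch in either value is exactly the situation in this thread: the preauthorized entry stays provisional and the real device lands in pending.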

@alfrunes,
So far I have used Mender-Client directly by installing and configuring it through those parameters. I only have the folders /etc/mender, /usr/share/mender and /var/lib/mender-client. There is no /data/mender/mender-agent.pem.

I have the mender-agent.pem in /var/lib/mender/mender-agent.pem.
Where should I use this?

It's confirmed, I'm using the right mac address. It is from my RPi, and the public key was generated from that documentation (keygen-client) on the server.

Sorry, I was trying to recreate this on a device with a persistent data partition, but /var/lib/mender/mender-agent.pem is the right one. If you ran the keygen script, you need to replace the mender-agent.pem file with the generated private key.

So if I use this mender-agent.pem in the "Preauthorized" tab in the server and start mender-client, it gets connected. I guess it worked @alfrunes: I added this key to the server and just restarted the mender-client; I didn't even run the post-auth, and the device got preauthorized and went into running mode.

But the whole idea of PreAuth, I was thinking, is to not access the Mender-Client (here the RPi) and to reduce human intervention. Here it involves a lot of getting into the device and taking the key, etc.

Or did I miss anything again?

Usually you want to provision a new (known) private key once you install mender on the device. This way you know the public key ahead of time and will not need to reach out to the device to fetch it. As for the device identity, you can actually rewrite/modify the script located at /usr/share/mender/mender-identity-data on the device to use any kind of key/value pairs that float your boat.


How to make the Public key value the same? Thanks!

@triampmeili you need to provision your private key to the device at /data/mender/mender-agent.pem, otherwise the mender-client will generate a new key on bootstrap.

Can the preauthorizing devices be transformed into a real device and automatically accepted (via mender API or other methods)?

Thanks!

Hi @triampmeili that’s essentially what happens when the device connects for the first time. Can you elaborate on what you are trying to accomplish that is different from the default behavior?

Drew

I know, we just want to change "the device connects for the first time" into the above state (the preauthorized device being transformed into a real device and automatically accepted). Can it be done?

Assuming you don’t want to boot the device in manufacturing to do it, I guess you could call the Authorize Device API from a scripting setup. That would require that you have the ID key-value pairs and the certificate for the device but presumably you already have them to be able to issue the pre-authorize API.

Drew