Ignore certificate validation

Hi all,

I’ve installed the Mender demo server on my own on a host and the client (dunfell branch, based on Yocto) on a BeagleBone Black board, both connected to my local network, and want to test the device binding.
In my LAN, there’s no way to run a domain name server (I’m not the admin ^^).

I have two questions:

  1. Is there a way to configure them for use with IP addresses?
  2. And a way or any chance to ignore certificate validation for testing purposes?

One option is to temporarily add the domain and IP address to the local lookup system of the device/PC that wants to contact the server.

So on Linux that would be your /etc/hosts file.

Then you can contact the server using the domain name embedded in your certificate.

The entry in the /etc/hosts file doesn’t work. But I’ll test it again.

Client’s log:

Failure occurred while executing authorization request: &url.Error{Op:\"Post\", URL:\"https://myserver/api/devices/v1/authentication/auth_requests\", Err:(*net.OpError)(0x85a870)}

Authorization request error: dial tcp 192.168.50.32:443: connect: connection refused

Authorize failed: transient error: authorization request failed: generic error occurred while executing authorization request: Post \"https://myserver/api/device

Sorry, can’t fit all the message lines.

To my eyes it looks like it cannot open port 443 on 192.168.50.32.

Can you telnet to that address and port to confirm that you can open a socket on that port?

telnet 192.168.50.32 443

You should get the following to indicate that you have opened a socket successfully:

Trying 192.168.50.32...
Connected to 192.168.50.32.
Escape character is '^]'

Yes, it works.

Oh sorry, I forgot to run “./demo up” on the server. Now there are other logs. Just a sec…

You may be able to get more insight into the underlying issue by doing:

cat /var/log/kern.log | grep mender

See discussion here: Mender client testing on solidrun with Mender demo server

“kern.log” doesn’t exist, but “messages” does.
The logs:

Sep 14 11:31:57 beaglebone-yocto user.err mender[171]: time="2020-09-14T11:31:57+02:00" level=error msg="Failure occurred while executing authorization request: &url.Error{Op:\"Post\", URL:\"https://myserver/api/devices/v1/authentication/auth_requests\", Err:x509.HostnameError
Sep 14 11:31:57 beaglebone-yocto user.err mender[171]: time="2020-09-14T11:31:57+02:00" level=error msg="Authorization request error: x509: certificate is valid for docker.mender.io, not myserver"
Sep 14 11:31:57 beaglebone-yocto user.err mender[171]: time="2020-09-14T11:31:57+02:00" level=error msg="Authorize failed: transient error: authorization request failed: generic error occurred while executing authorization request: Post \"https://myserver/api/devices/v1/authen

The backend looks like it's not configured with your own certificate and is expecting to be contacted on the docker.mender.io domain and failing the domain name check.

Just like in the link I mentioned above. Double check the process for whether you are using demo setup or production setup.

You could just use the docker.mender.io domain instead of myserver in your hosts file and Mender config for the time being if it's just a test.
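
Added example, not part of the original thread and not Mender's own code: the hostname check behind the "x509: certificate is valid for docker.mender.io, not myserver" log line, reproduced with Go's crypto/x509 on a constructed throwaway certificate. The helper names selfSigned and check are hypothetical; the support for IP subjectAltName entries goes beyond the thread, to cover the question about contacting the server by IP address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned (hypothetical helper) returns a throwaway self-signed certificate,
// constructed sample data, whose subjectAltName holds the given names and IPs.
func selfSigned(dns []string, ips []net.IP) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// check verifies cert for host while trusting only that one certificate (pinning).
func check(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	demo, err := selfSigned([]string{"docker.mender.io"}, nil)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"docker.mender.io", "myserver", "192.168.50.32"} {
		fmt.Printf("%-16s -> %v\n", h, check(demo, h))
	}
}
```

A certificate built with selfSigned([]string{"myserver"}, []net.IP{net.ParseIP("192.168.50.32")}) passes check for both the name and the address, so verification can stay enabled once the certificate lists what the client dials.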

It is the demo mode, https://192.168.50.32/ui/#/ told me. I’ll create a new certificate for “myserver”…

I ran

CERT_API_CN=myserver CERT_STORAGE_CN=myserver ./keygen

in Mender’s root directory and restarted the server with

./demo up

The messages on the client are the same as before. How can I tell the server to use “myserver” instead of “docker.mender.io”?

By adding your own certificate I believe you are now crossing over into the production-ready configuration of the Mender server and would most likely need to follow these instructions.

If you still want to use it in demo mode, then below are instructions for that.