We are hoping to get a production setup running that will allow us to ensure our raspberrypi4 devices can connect to our server and do some simple prototype testing. I was able to get the demo version working but not the production one.
We are intending to use Mender on its own (no kubernetes, no yocto) so I installed the mender server 3.7.7 on my desktop machine using the installation instructions from the v2.7 docs and was able to get it up and running at http://192.168.2.114. However, after installing the client on the raspberrypi4 from the apt repository (deb bookworm on Raspbian OS) and configuring the setup parameters, I'm unable to get the device to connect. I've also tried installing the client from source and using the express-install method as well.
Did the mender-setup as follows:
Enter a name for the device type (e.g. raspberrypi3): [raspberrypi4]
Demo server uses a self-signed certifcate for "docker.mender.io" and modifies device's /etc/hosts with the server's IP address (Required if using Mender demo server.)
Do you want to configure the client for a demo server? [Y/n] n
Set the location of the certificate of the server; leave blank if using http (not recommended) or a certificate from a known authority (filepath, for example /etc/mender/server.crt):
Demo intervals uses short poll and retry intervals (Recommended for testing.)
Do you want to run the client in demo mode? [Y/n] y
Mender setup successfully.
I attempted to look into the logs but journalctl -u mender-client returns: "-- No entries --".
I also tried to view the current status with journalctl -u mender-client -f but it just hangs and returns nothing.
systemctl status mender-client returns: "Unit mender-client.service could not be found."
How can I troubleshoot this issue?
EDIT: I was able to see the output of mender-connect service:
Oct 28 17:40:31 raspberrypi systemd[1]: Started mender-connect.service - Mender Connect service.
Oct 28 17:40:31 raspberrypi mender-connect[6944]: time="2024-10-28T17:40:31Z" level=info msg="Loaded configuration file: /etc/mender/mender-connect.conf"
Oct 28 17:40:31 raspberrypi mender-connect[6944]: time="2024-10-28T17:40:31Z" level=warning msg="ShellArguments is empty, defaulting to [--login]"
Oct 28 17:40:31 raspberrypi mender-connect[6944]: time="2024-10-28T17:40:31Z" level=warning msg="call to GetJWTToken on the Mender D-Bus API failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name io.mender.AuthenticationManager was not provided by any .service f
and here is the output of mender-updated:
Oct 28 19:35:46 raspberrypi mender-update[7785]: record_id=5 severity=error time="2024-Oct-28 19:35:46.396187" name="Global" msg="Failed to submit inventory: Unauthorized error: Cannot submit API request"
Oct 28 19:35:46 raspberrypi mender-update[7785]: record_id=6 severity=error time="2024-Oct-28 19:35:46.666987" name="Global" msg="Failed to set new authentication data on HTTP request"
Oct 28 19:35:46 raspberrypi mender-update[7785]: record_id=7 severity=error time="2024-Oct-28 19:35:46.667108" name="Global" msg="Request to check new deployments failed: Cannot submit API request"
Can you check the logs of mender-authd? That one is the service which handles authentication with the server and provides the connection to mender-updated and mender-connect.
Oct 31 20:03:54 client mender-auth[66451]: record_id=53 severity=error time="2024-Oct-31 20:03:54.550750" name="Global" msg="Failed to fetch new token: Authentication error: No more servers to try for authentication"
Oct 31 20:03:55 client mender-auth[67207]: using interface /sys/class/net/eth0
Nov 04 08:51:20 client mender-auth[2338]: record_id=1043 severity=error time="2024-Nov-04 08:51:20.505988" name="Global" msg="Failed to fetch new token: Authentication error: No more servers to try for authentication"
I tried running the curl command on the server to check API access:
The Mender Client can't check the certificate of 192.168.2.114, and hence it rejects the server. As you won't be able to get LetsEncrypt on a local IP, the correct approach is to add the certificate to the device and configure the Client accordingly, see Configuration options | Mender documentation.
For the curl check, it shows that the server is alive and responding, I think that's good enough as we already know https is the area you need to look into.
I'm about 99% sure that there is something off with your certificate setup. Things to watch out for:
device RTC time vs. certificate date and expiry
certificate file permissions
hostname matches
For a very brutal test, you can add this to /etc/mender/mender.conf, adhering to JSON syntax:
"SkipVerify": true
If the client connects successfully then, both server and client are functional, but the certificate chain is not. That this is not production ready should be very obvious.
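The three items in the list above can be checked on the device with the openssl CLI; the script below is an added example, not part of the original posts. It contrasts an IP literal stored as a DNS-type SAN entry with the same literal stored as an IP-type entry. Assumptions: the function names are hypothetical, the certificates are constructed test data, and OpenSSL 1.1.1 or later (for -addext) and GNU date are available.

```shell
#!/bin/sh
# Added example (not from the thread): the three certificate checks listed above.
# Assumes the openssl CLI (>= 1.1.1) and GNU date; all file names are constructed.

# 0 if the file is readable and parses as a PEM certificate
cert_readable() {
    [ -r "$1" ] && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# 0 if the local clock lies inside notBefore..notAfter
cert_time_ok() {
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    [ "$(date -d "$start" +%s)" -le "$(date +%s)" ] &&
        openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# 0 if the name the client connects to is covered by the certificate.
# An IP literal only matches SAN entries of type IP, never type DNS.
san_matches() {
    case $2 in
        *:*)       flag=-checkip ;;     # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;   # anything else with letters: DNS name
        *)         flag=-checkip ;;     # dotted-quad IPv4 literal
    esac
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q 'does match certificate'
}

# Constructed self-signed test certificate: make_cert CN SAN OUTFILE
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=$2" -keyout "$3.key" -out "$3" 2>/dev/null
}

# Run all three checks and report the first one that fails
check_cert() {
    cert_readable "$1"    || { echo "FAIL: cannot read or parse $1"; return 1; }
    cert_time_ok "$1"     || { echo "FAIL: clock outside validity of $1"; return 1; }
    san_matches "$1" "$2" || { echo "FAIL: $2 not covered by SAN of $1"; return 1; }
    echo "OK: $1 is usable for $2"
}

tmp=$(mktemp -d)
make_cert 192.168.2.114 "DNS:192.168.2.114,DNS:*.192.168.2.114" "$tmp/dns.crt"
make_cert 192.168.2.114 "IP:192.168.2.114" "$tmp/ip.crt"
check_cert "$tmp/dns.crt" 192.168.2.114 || true   # SAN check fails
check_cert "$tmp/ip.crt" 192.168.2.114            # all checks pass
```

On a real device, call check_cert with the certificate file configured for the client and the exact host or IP from the server URL.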
Hey @TheYoctoJester, thanks for the suggestions. This helped me pinpoint the cause of the issue.
The SAN field in my certificate was set to DNS:192.168.2.114 and DNS:*.192.168.2.114 and this was causing issues because these entries were being interpreted as DNS names rather than IP addresses. My solution was to create a configuration file (san.cnf):