Issue with Mender Client Certificate/Mutual TLS tutorial or setup

Hi, I am following the steps necessary to get Mender working with client certificates and mutual TLS in this link https://docs.mender.io/server-integration/client-certificates, but I am running into issues on the step that requires you to start the edge proxy:

docker run \
  -p 443:8080 \
  -e MTLS_MENDER_USER=mtls@mender.io \
  -e MTLS_MENDER_PASS=password \
  -e MTLS_MENDER_BACKEND=https://hosted.mender.io \
  -e MTLS_DEBUG_LOG=true \
  -v $(pwd)/server-cert.pem:/etc/mtls/certs/server/server.crt \
  -v $(pwd)/server-private.key:/etc/mtls/certs/server/server.key \
  -v $(pwd)/ca-cert.pem:/etc/mtls/certs/tenant-ca/tenant.ca.pem \
  registry.mender.io/mendersoftware/mtls-ambassador:master

I replace the MTLS_MENDER_USER with my username for my free trial of Mender Enterprise, MTLS_MENDER_PASS with my password for my free trial of Mender Enterprise, and MTLS_MENDER_BACKEND with https://hosted.mender.io/ui/#/login since this is where I would log in to access my free Mender Enterprise account. The following volume tags are all left alone and point to the correct locations for the certificates on my system.

When I run the above docker command with the changed fields I get this error:

Unable to find image 'registry.mender.io/mendersoftware/mtls-ambassador:master' locally
docker: Error response from daemon: Get https://registry.mender.io/v2/mendersoftware/mtls-ambassador/manifests/master: no basic auth credentials.
See 'docker run --help'.

As far as I can tell the issue might be a couple of things:

  1. I should somehow have this docker image already on my local system.
  2. The registry that currently stores the mender mtls-ambassador/manifests:master image is currently down.
  3. My login credentials are incorrect and aren't what are necessary to access this docker image.
  4. My server "commonName" field in the server-cert.conf file is incorrect. (It's currently the default value of "server.com" that was present in the instructions. I wasn't sure if I needed to change this since the instructions weren't abundantly clear to me.)

Any help is appreciated.
Thanks

MTLS_MENDER_BACKEND with Mender

This should be the same as the instructions -e MTLS_MENDER_BACKEND=https://hosted.mender.io. The mTLS ambassador uses the server APIs and will not log in where a human would log on.

  1. My login credentials are incorrect and aren't what are necessary to access this docker image.

I think this is the one. I believe that mtls-ambassador/manifests:master resides in a private docker registry which requires separate credentials. @tranchitella can maybe shed some light on this.

I think as a follow up it would be good to send an email to support@mender.io, to start a process to get access to this component for evaluation.


@tranchitella sorry for contacting you through here but I couldn't figure out how to get in touch directly.

It turns out that there is actually a docker registry that I don't have access to in order to download the image containing the edge proxy. Do you have any experience in accessing this registry or could you point me in the right direction?

I'm currently waiting to hear back from support for this issue but my company is still very interested in testing out this feature so if you have any more information that might help me out it would be much appreciated.

Hello @mender_tester, I confirm you need access to our enterprise Docker repository to test the mTLS edge proxy. Let me ping the support team to provide you an answer.
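
Docker returns "no basic auth credentials" when the pull reaches a protected registry without a stored login for it. As an added example (not part of the original thread and not Mender's code), the Python below checks a Docker client config for a login matching the registry of the image in the `docker run` command; `SAMPLE_CONFIG`, `registry.example.com` and the function names are constructed for illustration.

```python
import json
from pathlib import Path
from typing import Optional

DOCKER_HUB = "index.docker.io"  # registry used when the image name has none

def registry_of(image_ref: str) -> str:
    """Return the registry host an image reference is pulled from."""
    first, sep, _ = image_ref.partition("/")
    # The first path component is a registry only if it looks like a host:
    # it contains "." or ":" or is exactly "localhost".
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB

def _host(key: str) -> str:
    """Normalise an "auths" key, which may be a bare host or a full URL."""
    return key.split("://", 1)[-1].split("/", 1)[0]

def credential_source(config: dict, image_ref: str) -> Optional[str]:
    """Report where the config records a login for image_ref's registry.

    Returns "credHelper:<name>", "auths", "credsStore:<name>", or None when
    the file records no login for that registry.
    """
    registry = registry_of(image_ref)
    helper = config.get("credHelpers", {}).get(registry)
    if helper:
        return f"credHelper:{helper}"
    for key, entry in config.get("auths", {}).items():
        if _host(key) != registry:
            continue
        if entry.get("auth") or entry.get("identitytoken"):
            return "auths"
        # With a credentials store, `docker login` leaves an empty entry here.
        if config.get("credsStore"):
            return f"credsStore:{config['credsStore']}"
    return None

# Constructed sample config: logins for Docker Hub and a made-up registry only.
SAMPLE_CONFIG = json.loads("""{
  "auths": {"https://index.docker.io/v1/": {"auth": "constructed-value"},
            "registry.example.com": {}},
  "credsStore": "desktop"
}""")

if __name__ == "__main__":
    image = "registry.mender.io/mendersoftware/mtls-ambassador:master"
    path = Path.home() / ".docker" / "config.json"
    config = json.loads(path.read_text()) if path.exists() else {}
    print(registry_of(image), "->", credential_source(config, image))
```

A `None` result for `registry.mender.io` matches the error in the first post: the client has never logged in to that registry, independent of the `MTLS_MENDER_USER` and `MTLS_MENDER_PASS` values passed to the container.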