Mender client rejects the server certificate of mTLS ambassador with Error: "certificate signed by unknown authority, openssl verify rc: 20"

Hello everyone,

I am testing the mTLS feature with following use case:

  1. using https://hosted.mender.io as mender server
  2. hosting the mTLS ambassador locally in a virtual machine with IP address 192.168.3.30 and domain name my-server.com
  3. mender-client running on a Raspberry Pi 4, which can reach my-server.com (ping my-server.com succeeds) and has internet access.

The mTLS ambassador connects with https://hosted.mender.io successfully with the credentials of the hosted mender.

I followed the section mutual-tls-authentication and created a CA certificate, a server certificate with commonName my-server.com, and a device certificate. The server certificate and the device certificate are signed by the CA certificate.

After starting the mender client, I got the following error:

raspberrypi mender[23544]: time="2022-11-17T23:25:25+01:00" level=error msg="Failure occurred while executing authorization request: Method: Post, URL: https://my-server.com/api/devices/v1/authentication/auth_requests"
raspberrypi mender[23544]: time="2022-11-17T23:25:25+01:00" level=error msg="Failed to authorize with \"https://my-server.com\": Unknown url.Error type: certificate signed by unknown authority, openssl verify rc: 20 server cert file:"

It seems that the client device rejects the server certificate. I checked the Troubleshooting section of the mender client and did the following things:

  1. added the server certificate of the mTLS ambassador to the client by specifying "ServerCertificate" in mender.conf → still the same error, but now with the server cert file path:

    raspberrypi mender[23544]: time="2022-11-17T23:25:25+01:00" level=error msg="Failed to authorize with \"https://my-server.com\": Unknown url.Error type: certificate signed by unknown authority, openssl verify rc: 20 server cert file: /home/pi/server-cert.crt"
    
  2. checked the public certificate of my-server.com and compared it with `/home/pi/server-cert.crt` using the following commands:

    cat /home/pi/server-cert.crt
    # fetch the leaf certificate the ambassador presents on port 443 and print it as PEM
    openssl s_client -showcerts -connect my-server.com:443 < /dev/null 2>/dev/null | openssl x509
    

    Results: The certificate on the client and the certificate from my-server.com are the same.

  3. added the CA certificate, which is used to sign the server and device certificates, to the client path /usr/share/ca-certificates/ → still the same error.

Here is my understanding of mender mTLS ambassador:

The client device should connect to the mTLS ambassador and they verify each other's certificates. When the verification is successful, the mTLS ambassador will preauthorize the device in https://hosted.mender.io.

My question is:

  1. Is my understanding of mender mTLS wrong?
  2. Which steps should I follow to debug this error?

Thanks a lot for reading and answering my question!

Best regards.

Facing the same issue, what is the solution?

Hi,

I am currently experiencing the same issue.
I specified the server certificate in mender.conf and confirmed that the cert on the server and the one on the device are the same, based on the instructions from the Troubleshooting section.

Is there a resolution to this?

Cheers!

I was able to make this work.
It seems that the mender-client in the device also verifies the integrity of the server certificate.
In the ServerCertificate parameter in mender.conf, I placed the location of the ca.crt instead and it worked. Even though that’s the case, I emailed Mender support to verify this workflow.


I have confirmed with Mender support that this approach is valid.
It is either:

  1. Specify the self-signed certificate of the CA in mender.conf in the device to verify the server/mTLS proxy or,
  2. Add the server certificate to the list of trusted certificates on the system:

    # -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no skip SSH host-key verification;
    # acceptable for a throwaway local container, not for a production device
    scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -P 8822 ca.crt root@$CONTAINER_IP:/usr/local/share/ca-certificates/mender/ca.crt
    ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 8822 root@$CONTAINER_IP update-ca-certificates
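The troubleshooting steps in the first post and the resolution above, reproduced as an added example (this is not code from the thread or from the Mender project): a throwaway PKI with the same shape (CA, CA-signed server certificate for my-server.com, CA-signed device certificate), followed by `openssl verify` runs that show why pointing "ServerCertificate" at the leaf certificate fails with X.509 error 20 while pointing it at ca.crt succeeds. The names my-server.com, raspberrypi4 and "My Mender CA", and the work directory, are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Mender project. Rebuilds the PKI
# described in the thread and shows that a CA-signed leaf certificate cannot
# serve as its own trust anchor ("openssl verify rc: 20"), while the CA can.
# Host names and the work directory are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  # Minimal openssl config so the run does not depend on the system openssl.cnf.
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Self-signed CA: the trust anchor the device must be given.
  openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=My Mender CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. Ambassador (server) certificate, CA-signed. Its SAN must match the host
  #    name the device uses in its server URL.
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=my-server.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:my-server.com\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
  # 3. Device certificate, signed by the same CA (the ambassador verifies this one).
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=raspberrypi4" -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/device.ext"
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/device.ext" -out "$WORK/device.crt" 2>/dev/null
}

# Print 0 if certificate $2 chains to trust anchor $1, otherwise the X.509
# verify error number openssl reports (20 = unable to get local issuer
# certificate), i.e. the number the client log shows as "openssl verify rc: N".
x509_verify_rc() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return 0; }
  rc=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
  echo "${rc:-unknown}"
}

# Print yes/no: does certificate $3 chain to $1 AND carry host name $2
# (the host-name check a TLS client performs against the URL it connects to)?
hostname_ok() {
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_pki
echo "server.crt vs ca.crt:      rc=$(x509_verify_rc "$WORK/ca.crt" "$WORK/server.crt")"      # 0
echo "device.crt vs ca.crt:      rc=$(x509_verify_rc "$WORK/ca.crt" "$WORK/device.crt")"      # 0
echo "server.crt vs server.crt:  rc=$(x509_verify_rc "$WORK/server.crt" "$WORK/server.crt")"  # 20
echo "host my-server.com:        $(hostname_ok "$WORK/ca.crt" my-server.com "$WORK/server.crt")"  # yes
echo "host wrong.example:        $(hostname_ok "$WORK/ca.crt" wrong.example "$WORK/server.crt")"  # no
# With this PKI the device's mender.conf needs "ServerCertificate" to name
# ca.crt (the CA), not server.crt, as the thread's resolution states.
```

The third line of output is the error from the first post: the leaf certificate is in the trust file, but OpenSSL only trusts a certificate it can chain to an anchor, and a CA-signed leaf never chains to itself. The last two lines show the other check that must pass once the chain is fixed: the SAN must match the host name in the URL the client uses (the thread mentions a commonName typo, which would fail this check even with the right CA).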