Mender client rejects the server certificate of mTLS ambassador with Error: "certificate signed by unknown authority, openssl verify rc: 20"

Hello everyone,

I am testing the mTLS feature with the following use case:

  1. using https://hosted.mender.io as the Mender server
  2. hosting the mTLS ambassador locally in a virtual machine with IP address 192.168.3.30 and domain name my-server.com
  3. mender-client running on a Raspberry Pi 4; it can reach my-server.com (ping my-server.com works) and has internet access.

The mTLS ambassador connects to https://hosted.mender.io successfully with the Hosted Mender credentials.

I followed the section mutual-tls-authentication to create the CA certificate, the server certificate with commonName my-server.com, and the device certificate. The server certificate and the device certificate are signed by the CA certificate.

After starting the mender client, I got the following error:

raspberrypi mender[23544]: time="2022-11-17T23:25:25+01:00" level=error msg="Failure occurred while executing authorization request: Method: Post, URL: https://my-server.com/api/devices/v1/authentication/auth_requests"
raspberrypi mender[23544]: time="2022-11-17T23:25:25+01:00" level=error msg="Failed to authorize with \"https://my-server.com\": Unknown url.Error type: certificate signed by unknown authority, openssl verify rc: 20 server cert file:"

It seems that the client device rejects the server certificate. I checked the Troubleshooting section of the Mender client and did the following things:

  1. added the server certificate of the mTLS ambassador to the client by specifying “ServerCertificate” in mender.conf → still the same error, but now with the server cert file path:

    raspberrypi mender[23544]: time="2022-11-17T23:25:25+01:00" level=error msg="Failed to authorize with \"https://my-server.com\": Unknown url.Error type: certificate signed by unknown authority, openssl verify rc: 20 server cert file: /home/pi/server-cert.crt"

  2. checked the public certificate of my-server.com and compared it with /home/pi/server-cert.crt using the following commands:

    cat /home/pi/server-cert.crt
    openssl s_client -showcerts -connect mender.example.com:443 < /dev/null 2>/dev/null | openssl x509


    Results: The certificate on the client and the certificate from my-server.com are the same.

  3. I added the CA certificate used to sign the server and device certificates to the client's /usr/share/ca-certificates/ directory → still the same error.

Here is my understanding of the Mender mTLS ambassador:

The client device should connect to the mTLS ambassador and they verify each other’s certificates. When the verification is successful, mTLS will preauthorize the device in https://hosted.mender.io.

My question is:

  1. Is my understanding of Mender mTLS wrong?
  2. Which steps should I follow to debug this error?

Thanks a lot for reading and answering my question!

Best regards.
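As an added example (not code from the post, nor from Mender), the script below rebuilds the openssl-style chain check behind the "openssl verify rc: 20" message on a throwaway CA and a server certificate for my-server.com, first with the CA-signed leaf itself as the trust anchor (what step 1 above configures) and then with the CA that signed it. It assumes openssl 1.1 or newer is on PATH; result code 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and 62 is X509_V_ERR_HOSTNAME_MISMATCH, and everything except the host name is constructed here.

```shell
#!/bin/sh
# Added example, not code from the post or from Mender: rebuild the chain check
# behind "openssl verify rc: 20" on a throwaway CA plus a server certificate
# for my-server.com (name taken from the post; all other material constructed).
# Assumes openssl 1.1 or newer on PATH.
set -eu
WORK=$(mktemp -d)

# Constructed test PKI: a CA and a server certificate for my-server.com signed by it.
make_test_pki() {
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\n' > "$WORK/req.cnf"
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n' >> "$WORK/req.cnf"
  printf 'subjectAltName = DNS:my-server.com\n' > "$WORK/server.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' -config "$WORK/req.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=my-server.com' -config "$WORK/req.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# verify_code TRUST CERT [HOSTNAME]: validate CERT against the anchor file TRUST and
# print the X.509 verify result code: 0 = OK, 20 = unable to get local issuer
# certificate (the rc in the post), 62 = hostname mismatch.
verify_code() {
  if [ -n "${3:-}" ]; then
    set -- -CAfile "$1" -verify_hostname "$3" "$2"
  else
    set -- -CAfile "$1" "$2"
  fi
  if out=$(openssl verify "$@" 2>&1); then
    echo 0
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_test_pki
# Step 1 of the post: the ambassador's own (CA-signed) leaf as the trust anchor.
echo "leaf as anchor:     $(verify_code "$WORK/server.crt" "$WORK/server.crt")"   # 20
# The CA that signed the ambassador's certificate as the trust anchor.
echo "CA as anchor:       $(verify_code "$WORK/ca.crt" "$WORK/server.crt")"       # 0
# Chain and name are checked separately: right CA, wrong expected name.
echo "CA, wrong hostname: $(verify_code "$WORK/ca.crt" "$WORK/server.crt" other.example)"  # 62
rm -rf "$WORK"
```

The same verify_code function can be pointed at the real files (the CA file as TRUST, the certificate saved from openssl s_client as CERT, my-server.com as HOSTNAME) to see which of the three checks the client is failing.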