Mender server authorization error: demo.crt is missing in iMX 6UL EVK Yocto build

General Discussions
, ,
1

I’m using mender demo server with iMX 6UL EVK (manually integrated mender). After mender setup, I cannot connect to the demo server.

When I debug the issue I found that /usr/share/doc/mender-client/examples/demo.crt is missing. And hence I opted for manual certificate generation but I could not pull it off.

The error is as follows,

root@imx6ulevk:~# systemctl stop mender; systemctl start mender
root@imx6ulevk:~# journalctl -u mender | tail
May 28 09:14:17 imx6ulevk mender[1877]: time="2020-05-28T09:14:17Z" level=info msg="State transition: authorize [Sync] -> authorize-wait [Idle]" module=mender
May 28 09:14:46 imx6ulevk mender[1877]: time="2020-05-28T09:14:46Z" level=info msg="State transition: authorize-wait [Idle] -> authorize [Sync]" module=mender
May 28 09:14:47 imx6ulevk mender[1877]: time="2020-05-28T09:14:47Z" level=error msg="Failure occurred while executing authorization request: &url.Error{Op:\"Post\", URL:\"https://docker.mender.io/api/devices/v1/authentication/auth_requests\", Err:x509.UnknownAuthorityError{Cert:(*x509.Certificate)(0x18b0000), hintErr:error(nil), hintCert:(*x509.Certificate)(nil)}}" module=client_auth
May 28 09:14:47 imx6ulevk mender[1877]: time="2020-05-28T09:14:47Z" level=error msg="Certificate is signed by unknown authority." module=client_auth
May 28 09:14:47 imx6ulevk mender[1877]: time="2020-05-28T09:14:47Z" level=error msg="If you are using a self-signed certificate, make sure it is available locally to the Mender client in /etc/mender/server.crt and is configured properly in /etc/mender/mender.conf." module=client_auth
May 28 09:14:47 imx6ulevk mender[1877]: time="2020-05-28T09:14:47Z" level=error msg="See https://docs.mender.io/troubleshooting/mender-client#certificate-signed-by-unknown-authority for more information." module=client_auth
May 28 09:14:47 imx6ulevk mender[1877]: time="2020-05-28T09:14:47Z" level=error msg="authorize failed: transient error: authorization request failed: certificate signed by unknown authority: Post https://docker.mender.io/api/devices/v1/authentication/auth_requests: x509: certificate signed by unknown authority" module=state

And my /etc/mender/mender.conf file is given below:

{
    "ClientProtocol": "https",
    "ArtifactVerifyKey": "",
    "HttpsClient": {
        "Certificate": "",
        "Key": "",
        "SkipVerify": false
    },
    "RootfsPartA": "/dev/mmcblk1p2",
    "RootfsPartB": "/dev/mmcblk1p3",
    "DeviceTypeFile": "/var/lib/mender/device_type",
    "UpdatePollIntervalSeconds": 5,
    "InventoryPollIntervalSeconds": 5,
    "RetryPollIntervalSeconds": 30,
    "StateScriptTimeoutSeconds": 0,
    "StateScriptRetryTimeoutSeconds": 0,
    "StateScriptRetryIntervalSeconds": 0,
    "ModuleTimeoutSeconds": 0,
    "ServerCertificate": "/usr/share/doc/mender-client/examples/demo.crt",
    "ServerURL": "",
    "UpdateLogPath": "",
    "TenantToken": "",
    "Servers": [
        {
            "ServerURL": "https://docker.mender.io"
        }
    ]
}

Full debug log is attached here: https://github.com/danie007/imx6/blob/master/warrior_mender_cert_error.log.txt

Any help would be very helpful. Thanks in advance.

2

You should get the demo certificate on the device if you are using, meta-mender-demo. Might depend on which Yocto version you are using, the path for the cert used to be /etc/mender/server.crt

3

Also you can find the cert here, https://github.com/mendersoftware/mender/blob/master/support/demo.crt

4

@mirzak appreciate for your swift reply!!

I got it resolved by replacing the certificates in both server & client following the documentation here: Certificates and keys | Mender documentation

By the way,

did not worked for me as I’ve used meta-mender-core in Yocto project.