mTLS: Fails to authorize client automatically with Error "Unknown url.Error type: Host validation error"

Hi Everyone,

I am testing the mTLS feature with hosted mender. According to the section “Mutual TLS authentication” I did the following configurations:

  1. Generating ca-private.key, ca-cert.pem, server-private.key, server-cert.pem, device-private.key, device-cert.pem, where server-cert.pem and device-cert.pem are signed by the generated CA certificate. The commonName of server-cert.conf is set as my-tls.com, which is used as the domain name of local hosted mTLS ambassador.
  2. Starting the mTLS ambassador in a virtual machine. The ambassador connects to the hosted mender server successfully. Setting a bridge network adapter of the virtual machine, so that the mTLS ambassador can be accessed by an ip address. For example, now the device in the same network can access mTLS ambassador by the ip address 192.168.3.30.
  3. Copying device-private.key and device-cert.pem to the device which runs mender-client.
  4. Configuring ServerURL, TenantToken and HttpsClient of /etc/mender/mender.conf in the device as:
    {
      "ServerURL": "https://my-tls.com",
      "TenantToken": "TENANT_TOKEN_FROM_HOSTED_MENDER",
      "HttpsClient": {
        "Certificate": "/home/pi/device-cert.pem",
        "Key": "/home/pi/device-private.pem"
      }
    }
    
    Since the device needs to connect to mTLS ambassador, I added following line to /etc/hosts in the device:
    192.168.3.30    my-tls.com
    
  5. Now run ping my-tls.com on the device → No packet loss. So the device can now access my-tls.com
  6. Run sudo systemctl restart mender-client.service on the device. And checking the log by journalctl -u mender-client -f I got the following error:
    raspberrypi mender[5425]: time="2022-11-16T20:01:31+01:00" level=error msg="Failure occurred while executing authorization request: Method: Post, URL: https://my-tls.com/api/devices/v1/authentication/auth_requests"
    raspberrypi mender[5425]: time="2022-11-16T20:01:31+01:00" level=error msg="Failed to authorize with \"https://my-tls.com\": Unknown url.Error type: Host validation error"
    

It seems that the mender-client cannot access my-tls.com. Then I did the following checks:

  1. Checking the log of ambassador in the virtual machine → no request info of the device. So the ambassador does not get the request from device.
  2. Changing the ServerURL in mender.conf to https://hosted.mender.io → The device is shown as pending device in hosted mender server.

My question is:
Which step is wrong?

Thanks a lot for reading the problem and answering my question!
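The two errors quoted in this thread correspond to the two checks a Go TLS client (the mender-client is written in Go) applies to the server certificate before it will send the authorization request: the certificate must chain to a trusted CA, and it must carry the host name taken from ServerURL. The program below is an added example, not code from the original post or from the Mender project. It builds a throwaway CA and two server certificates in memory (one with the "my-mtls.com" typo from the thread, one for "my-tls.com"), then classifies what Go's verifier returns for the host name "my-tls.com". The host names are taken from the post; the CA, keys and certificates are constructed here and exist only in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key; all key material here is constructed for the example.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// makeCA builds a self-signed CA, standing in for ca-cert.pem from the post.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example mTLS test CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// makeServerCert issues a leaf for the ambassador, signed by ca, with the given DNS SANs.
// The first name is also placed in the CommonName, as openssl-generated certs usually have;
// Go (1.15 and later) matches the host name against the SANs only, never the CommonName alone.
func makeServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string) (*x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classifyServerCert runs the same two checks a Go TLS client applies to a server certificate:
// does it chain to a trusted root, and does it carry the host name the client dialled.
func classifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname-mismatch" // the check behind "Host validation error"
	case errors.As(err, &authErr):
		return "unknown-authority" // "certificate signed by unknown authority"
	default:
		return "other: " + err.Error()
	}
}

// RunScenarios reproduces the three situations from the thread with constructed certificates.
func RunScenarios() (map[string]string, error) {
	ca, caKey, err := makeCA()
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)

	typo, err := makeServerCert(ca, caKey, []string{"my-mtls.com"}) // the typo from the post
	if err != nil {
		return nil, err
	}
	good, err := makeServerCert(ca, caKey, []string{"my-tls.com"})
	if err != nil {
		return nil, err
	}

	const serverURLHost = "my-tls.com" // host part of ServerURL in mender.conf
	return map[string]string{
		"typo-cn":      classifyServerCert(typo, trusted, serverURLHost),
		"untrusted-ca": classifyServerCert(good, x509.NewCertPool(), serverURLHost),
		"fixed":        classifyServerCert(good, trusted, serverURLHost),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"typo-cn", "untrusted-ca", "fixed"} {
		fmt.Printf("%-13s %s\n", name, results[name])
	}
}
```

Verification order matters when reading client logs: Go builds the chain first and only then compares the host name, so a certificate that neither chains nor matches reports "unknown authority", not a host mismatch. The reverse is what happened here: the chain was fine and the name was wrong, which is why the host validation error appeared first and the CA error only after the name was corrected.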

After regenerating the certificate configuration, I found a typo in server.conf: the commonName is my-mtls.com. That’s the reason for the error “Unknown url.Error type: Host validation error”.

Although there is the following error:

Unknown url.Error type: certificate signed by unknown authority, openssl verify rc: 20 server cert file:

I would close this topic and start a new one regarding the configuration of the locally hosted mTLS ambassador and hosted.mender.io


Thanks for reporting back @shaomai, then I’ll close the topic as noted.

Greetz,
Josef