mTLS: Fails to authorize client automatically with Error "Unknown url.Error type: Host validation error"

shaomai · November 16, 2022, 7:23pm

Hi Everyone,

I am testing the mTLS feature with hosted mender. According to the section “Mutual TLS authentication” I did the following configurations:

Generating ca-private.key, ca-cert.pem, server-private.key, server-cert.pem, device-private.key, device-cert.pem, where server-cert.pem and device-cert.pem are signed by the generated CA certificate. The commonName of server-cert.conf is set as my-tls.com, which is used as the domain name of local hosted mTLS ambassador.
Starting the mTLS ambassador in a virtual machine. The ambasaddor connects to the hosted mender server successfully. Setting a bridge network adapter of the virtual machine, so that the mTLS ambassador can be accessed by an ip address. For example, now the device in the same network can access mTLS ambassador by the ip address 192.168.3.30.
Copying device-private.key and device-cert.pem to the device which runs mender-client.

Configuring ServerURL, TenantToken and HttpsClient of /etc/mender/mender.conf in the device as:

{
  "ServerURL": "https://my-tls.com",
  "TenantToken": "TENANT_TOKEN_FROM_HOSTED_MENDER",
  "HttpsClient": {
    "Certificate": "/home/pi/device-cert.pem",
    "Key": "/home/pi/device-private.pem"
  }
}

Since the device needs to connect to mTLS ambassador, I added following line to /etc/hosts in the device:

192.168.3.30    my-tls.com

Now run ping my-tls.com on the device → No packet loss. So the device can now access my-tls.com

Run sudo systemctl restart mender-client.service on the device. And checking the log by journalctl -u mender-client -f I got the following error:

raspberrypi mender[5425]: time="2022-11-16T20:01:31+01:00" level=error msg="Failure occurred while executing authorization request: Method: Post, URL: https://my-tls.com/api/devices/v1/authentication/auth_requests"
raspberrypi mender[5425]: time="2022-11-16T20:01:31+01:00" level=error msg="Failed to authorize with \"https://my-tls.com\": Unknown url.Error type: Host validation error"

It seems that the mender-client cannot access my-tls.com. Then I did the following checks:

Checking the log of ambassador in the virtual machine → no request info of the device. So the ambassador does not get the request from device.
Changing the ServerURL in mender.cnf to https://hosted.mender.io → The device is shown as pending device in hosted mender server.

My question is:
Which step is wrong?

Thanks a lot for reading the problem and answering my question!

shaomai · November 17, 2022, 9:48pm

After regenerating the certificate configuration, I found a typo in server.conf: the commenName is my-mtls.com. That’s the reason for the Error “Unknown url.Error type: Host validation error”.

Although there is following error:

Unknown url.Error type: certificate signed by unknown authority, openssl verify rc: 20 server cert file:

I would close this topic and start a new one regarding to configuration of local hosted mTLS ambassador and hosted.mender.io

TheYoctoJester · November 21, 2022, 8:09am

Thanks for reporting back @shaomai, then I’ll close the topic as noted.

Greetz,
Josef

Topic		Replies	Views
Authorization request error: Host validation error General Discussions	3	1599	March 9, 2021
Mender client rejects the server certificate of mTLS ambassador with Error: "certificate signed by unknown authority, openssl verify rc: 20" General Discussions mtls , ambassador	4	467	April 26, 2024
Authorization request error: x509 because it doesn't contain any IP SANs General Discussions yocto , sumo	2	3511	December 5, 2019
Still x509 error while executing authorization request General Discussions	2	424	November 6, 2020
Issue with Mender Client Certificate/Mutual TLS tutorial or setup General Discussions	3	922	November 18, 2020

mTLS: Fails to authorize client automatically with Error "Unknown url.Error type: Host validation error"

Related topics