mTLS: Fails to authorize client automatically with Error "Unknown url.Error type: Host validation error"

shaomai · November 16, 2022, 7:23pm

Hi Everyone,

I am testing the mTLS feature with hosted mender. According to the section “Mutual TLS authentication” I did the following configurations:

Generating ca-private.key, ca-cert.pem, server-private.key, server-cert.pem, device-private.key, device-cert.pem, where server-cert.pem and device-cert.pem are signed by the generated CA certificate. The commonName of server-cert.conf is set as my-tls.com, which is used as the domain name of local hosted mTLS ambassador.
Starting the mTLS ambassador in a virtual machine. The ambasaddor connects to the hosted mender server successfully. Setting a bridge network adapter of the virtual machine, so that the mTLS ambassador can be accessed by an ip address. For example, now the device in the same network can access mTLS ambassador by the ip address 192.168.3.30.
Copying device-private.key and device-cert.pem to the device which runs mender-client.

Configuring ServerURL, TenantToken and HttpsClient of /etc/mender/mender.conf in the device as:

{
  "ServerURL": "https://my-tls.com",
  "TenantToken": "TENANT_TOKEN_FROM_HOSTED_MENDER",
  "HttpsClient": {
    "Certificate": "/home/pi/device-cert.pem",
    "Key": "/home/pi/device-private.pem"
  }
}

Since the device needs to connect to mTLS ambassador, I added following line to /etc/hosts in the device:

192.168.3.30    my-tls.com

Now run ping my-tls.com on the device → No packet loss. So the device can now access my-tls.com

Run sudo systemctl restart mender-client.service on the device. And checking the log by journalctl -u mender-client -f I got the following error:

raspberrypi mender[5425]: time="2022-11-16T20:01:31+01:00" level=error msg="Failure occurred while executing authorization request: Method: Post, URL: https://my-tls.com/api/devices/v1/authentication/auth_requests"
raspberrypi mender[5425]: time="2022-11-16T20:01:31+01:00" level=error msg="Failed to authorize with \"https://my-tls.com\": Unknown url.Error type: Host validation error"

It seems that the mender-client cannot access my-tls.com. Then I did the following checks:

Checking the log of ambassador in the virtual machine → no request info of the device. So the ambassador does not get the request from device.
Changing the ServerURL in mender.cnf to https://hosted.mender.io → The device is shown as pending device in hosted mender server.

My question is:
Which step is wrong?

Thanks a lot for reading the problem and answering my question!

shaomai · November 17, 2022, 9:48pm

After regenerating the certificate configuration, I found a typo in server.conf: the commenName is my-mtls.com. That’s the reason for the Error “Unknown url.Error type: Host validation error”.

Although there is following error:

Unknown url.Error type: certificate signed by unknown authority, openssl verify rc: 20 server cert file:

I would close this topic and start a new one regarding to configuration of local hosted mTLS ambassador and hosted.mender.io

TheYoctoJester · November 21, 2022, 8:09am

Thanks for reporting back @shaomai, then I’ll close the topic as noted.

Greetz,
Josef

Topic		Replies	Views
Mender client rejects the server certificate of mTLS ambassador with Error: "certificate signed by unknown authority, openssl verify rc: 20" General Discussions mtls , ambassador	4	446	April 26, 2024
Issue with Mender Client Certificate/Mutual TLS tutorial or setup General Discussions	3	901	November 18, 2020
Setting up mTLS, running docker image errors with "no basic auth credentials" General Discussions	0	588	June 30, 2022
Understanding mutual TLS General Discussions	4	595	November 17, 2022
Does a device log failed attempts to add itself to Pending Devices? General Discussions	26	992	February 19, 2021

mTLS: Fails to authorize client automatically with Error "Unknown url.Error type: Host validation error"

Related topics