Hi All,
I have mender integrated board i.MX8QM. I would like to test Mutual TLS for Device authentication.
Can you please tell me what are the steps to be followed?
Mender version - 2.4.1
yocto - zeus
Thanks & Regards,
Chaithanya
Mutual TLS is available in 2.6 and our hosted platform, so you will need to upgrade to one of those versions first and then follow the instructions here.
Drew
Hi drewmoseley,
Thank you for your response.
Can you please tell me how keys and certificates are managed in mutual TLS?
Regards,
Chaithanya
What is missing in the documentation that I linked to? Do you have specific questions?
Hi,
When I run docker run to start the edge proxy, I get the error below:
Unable to find image 'registry.mender.io/mendersoftware/mtls-ambassador:mender-2.6.0' locally
docker: Error response from daemon: Head https://registry.mender.io/v2/mendersoftware/mtls-ambassador/manifests/mender-2.6.0: no basic auth credentials.
See 'docker run --help'.
To use Docker Enterprise,
I don't have a Docker EE repository URL associated with my trial account.
How can I get access to Docker Enterprise Edition for Ubuntu?
Looking forward to your response.
Thanks & Regards,
Chaithanya
Hi @chaithanya ,
This is not because of Docker licensing, but because you're trying to use Mender Enterprise and don't have credentials to download it, it seems.
I think you've already figured it out now, but for future reference, simply fill out the Contact form to request credentials: Contact us | Mender
Hi eystein,
Thank you for your response.
To access Mender Enterprise, do I need to get access to Docker Enterprise?
I have received credentials for Mender Enterprise, but when I try to run the docker run command I get the same issue as I mentioned above.
Can you please tell me about the requirements and what steps should be followed?
Thanks & Regards,
Chaithanya
Hello @chaithanya ,
Have you followed the Production installation documentation? Production installation | Mender documentation
In particular you'll need to follow the Enterprise specific steps (Production installation | Mender documentation), and use "docker login registry.mender.io" with your credentials.
If this is what you did, perhaps you could share the exact steps you carried out, what you expected to happen and what actually happened?
Hi eystein,
I am following the link below to test mutual TLS:
https://docs.mender.io/server-integration/mutual-tls-authentication
I have generated certificates on my host PC as described in the link above. I got stuck in the "Set up the mTLS edge proxy to authenticate devices using mTLS" section. I am facing an issue while starting the edge proxy on my host PC where I have generated the certificates.
I am new to Mender. Could you please guide me with the exact procedure?
Thanks & Regards,
Chaithanya
Hi @chaithanya the docs link should be the correct procedure here. Perhaps it is missing something and needs an update though. Can you provide details of the issue you are having starting the proxy?
Drew
Hi drewmoseley,
What value should be given to the field commonName while generating server-cert.conf? It is said that it should match the edge proxy's domain name; where can we find this domain name?
After creating the certificates, can we start the edge proxy on the same PC where Docker is running?
Thanks & Regards,
Chaithanya
Issue faced while starting the edge proxy:
$ sudo docker run -p 8080:80 -e MTLS_MENDER_USER=************* -e MTLS_MENDER_PASS=" **************** " -e MTLS_MENDER_BACKEND=https://hosted.mender.io -e MTLS_DEBUG_LOG=true -v $(pwd)/server-cert.pem:/etc/mtls/certs/server/server.crt -v $(pwd)/server-private.key:/etc/mtls/certs/server/server.key -v $(pwd)/ca-cert.pem:/etc/mtls/certs/tenant-ca/tenant.ca.pem registry.mender.io/mendersoftware/mtls-ambassador:mender-2.6.0
-----------------------------------------------------------------------------------------------------------------------------------------
time="2021-03-19T10:21:42Z" level=info msg="starting mtls-ambassador" file=main.go func=main.doMain line=36
time="2021-03-19T10:21:42Z" level=info msg="loading config /etc/mtls/config.yaml" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg="loading config: ok" file=main.go func=main.doMain.func1 line=64
time="2021-03-19T10:21:42Z" level=info msg="config values:" file=main.go func=main.dumpConfig line=194
time="2021-03-19T10:21:42Z" level=info msg=" mender_backend: https://hosted.mender.io" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" mender_user: chaithanya.padmashali@iwavesystems.com" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" mender_pass: not empty" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" server_cert: /etc/mtls/certs/server/server.crt" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" server_key: /etc/mtls/certs/server/server.key" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" server_key: /etc/mtls/certs/tenant-ca/tenant.ca.pem" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" listen: 8080" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" debug_log: true" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" insecure_skip_verify: false" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg=" blacklist_path: " file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg="validating config" file=main.go func=main.validateConfig line=176
time="2021-03-19T10:21:42Z" level=info msg="validating config: ok" file=main.go func=main.validateConfig line=189
time="2021-03-19T10:21:42Z" level=info msg="creating proxy with url https://hosted.mender.io, insecure skip verify: false" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg="proxy scheme: https, host: hosted.mender.io" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg="creating proxy: ok" file=proxy.go func=http.NewProxy line=77
time="2021-03-19T10:21:42Z" level=info msg="created client with base url https://hosted.mender.io, insecure skip verify: false" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=info msg="logging in with user chaithanya.padmashali@iwavesystems.com" file=entry.go func="logrus.(*Entry).Infof" line=346
time="2021-03-19T10:21:42Z" level=error msg="failed to get request id from context: context request id is not a string, proceeding" file=entry.go func="logrus.(*Entry).Errorf" line=362
time="2021-03-19T10:21:43Z" level=fatal msg=unauthorized file=main.go func=main.cmdServer line=107
I used the Mender-provided enterprise credentials for MTLS_MENDER_USER and MTLS_MENDER_PASS.
edit: @drewmoseley added formatting
@tranchitella can you help further here?
As for the question about the CN, that is the Common Name used in the certificates. More detail can be found here.
Drew
The CN for the service certificate must match the DNS name you are using to connect to the mTLS ambassador from your devices. Regarding the error, it seems the user/password you provided in the MTLS_MENDER_USER and MTLS_MENDER_PASSWORD env variables are not correct. The mTLS ambassador needs to log in to the Hosted Mender backend in order to perform authorization of devices, thus you have to provide a valid set of credentials.
You can create a new user in Hosted Mender dedicated to the mTLS ambassador and use those credentials.
Thank you for your response.
I created a new user in Hosted Mender and used those credentials, and I was able to start the proxy server.
But now I am facing an issue while copying the key and certificate to the disk image using the mender-artifact tool.
I have attached a snapshot of the issue for your reference.
Looking forward to your response.
Regards,
Chaithanya
@kacf @oleorhagen @lluiscampos any idea?
@chaithanya which version of mender-artifact are you using?
And is this all the text returned? What is the error code you're getting?
The mender-artifact version is 3.5.0.
I didn't get any error code.
Thanks & Regards,
Chaithanya
@chaithanya can you run:
fdisk -l <image>
and paste the output here please?