Ports and certificates for Hosted Mender


I reviewed the documentation and read that I need both ports 443 and 9000 opened for Mender. Looks like port 9000 is used for the proxy storage element, which I be used for a Mender server deployment. If I am using Hosted Mender, do I need to have port 9000 opened? If not, the would the only port that needs to be open be 443?

For Hosted Mender, is there a process to cover certificate rotation? If so, is there a frequency?

Finally, just wanted to confirm the process for revoking a certificate on hosted Mender is as simple as rejecting the key for the device in the Hosted Mender portal.

Thanks much

For your clients there are no open ports. It’s only on the server side. As long as your client devices can make an outbound connection to ports 443 and 9000 you are in good shape.

There is nothing specific built into the Mender client integration to rotate certificates although it has been discussed. Device rejection is based on the inventory so if a specific device attempts to connect again, even if the certificate has changed it will be denied access. The mender client will automatically regenerate the certificate if it is removed or corrupted. In this case you will see additional auth-sets against the same device.

Thanks @drewmoseley ! I hope I’m not asking a redundant question, but I just need to verify port 9000 needs to be opened when using the Hosted Mender option. I have not seen it get used in my testing (perhaps I missed it). If port 9000 is needed when using the Hosted Mender option, is there anything documented about its use? I’m wrapping a requirements document that that would be helpful to know. From my research it looks like it for a “minio server” service, which may apply to self-built Mender servers. Thanks much and apologies if this is a repeat.

Hi @tmrskos, actually for hosted mender the artifacts are stored directly in Amazon S3 and not minio so there is no need for port 9000. The URLs provided to the clients point directly at Amazon servers.

Great, thanks for the info, much appreciated. :+1: