Pre-authorized clients do not get accepted automatically

I’m using only the ‘single-file’ module with the mender-client on my target at the moment. This works fine; the client connects to hosted.mender.io and manual accept makes client show up under “Devices” in Mender-UI. I can then deploy SW-update to given devices.

However, I want to use pre-authorization so that clients automatically get accepted (i.e. ‘authorized’).

I have so far been unsuccessful in my attempts; the errors in the logfile give me not much of a clue about what is wrong (except that it says that authorization is unsuccessful, of course …), and the documentation for the client is not very helpful I’m afraid. I’m not sure if my PEM-file(s) are OK, or if my “mender.conf” file is correct or not - or an erratic combination thereof.

A common denominator in the logs is the line:

Failed to load the client TLS certificate settings: SSL errors: PEM routines:get_name:no start line

My “/etc/mender/mender.conf” file:

{
    "DeviceTypeFile": "/var/lib/mender/device_type",
    "SkipVerify": false,
    "ServerCertificate": "/etc/mender/mender_rsa_public.pem",
    "Security": {
        "AuthPrivateKey": "/etc/mender/mender_rsa_private.pem"
    },
    "InventoryPollIntervalSeconds": 28800,
    "RetryPollIntervalSeconds": 300,
    "ServerURL": "https://hosted.mender.io",
    "TenantToken": "<organization token read from Mender-UI>",
    "UpdatePollIntervalSeconds": 60
}

I have tried to exchange the “Security”-entry with “HttpsClient” ditto - to no avail:

    "HttpsClient": {
        "Certificate": "/etc/mender/mender_rsa_public.pem",
        "Key": "/etc/mender/mender_rsa_private.pem"
    },

Any ideas, anyone??

A complete ‘mender-client’ log from start up to initial request:

Feb 01 13:02:44 dev_sys systemd[1]: Started Mender OTA update service.
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=info msg="Loaded configuration file: /etc/mender/mender.conf"
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=info msg="No dual rootfs configuration present"
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=error msg="Failed to Load the Server certificate. Err SSL errors: "
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=warning msg="Failed to load the server TLS certificate settings: SSL errors: "
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=warning msg="Failed to load the client TLS certificate settings: SSL errors: PEM routines:get_name:no start line"
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=info msg="State transition: init [none] → init [none]"
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=info msg="State transition: init [none] → idle [Idle]"
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=info msg="State transition: idle [Idle] → authorize-wait [Idle]"
Feb 01 13:02:44 dev_sys mender[1622]: time="2021-02-01T13:02:44Z" level=info msg="State transition: authorize-wait [Idle] → authorize [Sync]"

@drewmoseley - edited formatting.
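
The warning in the log above, `PEM routines:get_name:no start line`, is what OpenSSL reports when a file contains no PEM block of the type it was asked to load. The following is an added example (not part of the original posts and not Mender's own code) that takes the paths from a `mender.conf` and reports every field whose file holds a different PEM type. Which PEM type each field needs is an assumption inferred from the field names, and the sample file contents are constructed.

```python
import json
import re
from pathlib import Path

# PEM block types each mender.conf field is assumed to need (inferred from field names).
CERT = {"CERTIFICATE"}
KEY = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
EXPECTED = {
    ("ServerCertificate",): CERT,
    ("HttpsClient", "Certificate"): CERT,
    ("HttpsClient", "Key"): KEY,
    ("Security", "AuthPrivateKey"): KEY,
}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

# Constructed sample: the paths from the post, with made-up (empty) PEM bodies.
SAMPLE_CONF = {
    "ServerCertificate": "/etc/mender/mender_rsa_public.pem",
    "HttpsClient": {"Certificate": "/etc/mender/mender_rsa_public.pem",
                    "Key": "/etc/mender/mender_rsa_private.pem"},
}
SAMPLE_FILES = {
    "/etc/mender/mender_rsa_public.pem": "-----BEGIN PUBLIC KEY-----\n-----END PUBLIC KEY-----\n",
    "/etc/mender/mender_rsa_private.pem": "-----BEGIN RSA PRIVATE KEY-----\n-----END RSA PRIVATE KEY-----\n",
}


def check_config(conf, read_text=lambda p: Path(p).read_text(errors="replace")):
    """Return {field: problem} for each configured path holding the wrong PEM type."""
    problems = {}
    for keys, wanted in EXPECTED.items():
        node = conf
        for k in keys:  # walk nested keys such as HttpsClient -> Certificate
            node = node.get(k) if isinstance(node, dict) else None
        if not node:
            continue  # field not set in this config
        try:
            labels = PEM_BEGIN.findall(read_text(node))
        except (OSError, KeyError):
            labels = ["<unreadable>"]
        if not wanted.intersection(labels):
            found = ", ".join(labels) or "no PEM block"
            problems[".".join(keys)] = f"{node}: found {found}, needs {sorted(wanted)}"
    return problems


if __name__ == "__main__":  # demo on the constructed sample
    print(json.dumps(check_config(SAMPLE_CONF, SAMPLE_FILES.__getitem__), indent=2))
```

On a device, call `check_config(json.loads(Path("/etc/mender/mender.conf").read_text()))` so the default reader opens the real files.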

Hi @mortela4, welcome to Mender Hub.

The “Security” settings you are modifying have to do with hardware-based security keys and not necessarily preauthorization. Are you using a hardware security key?

The preauthorization APIs need to be called with the appropriate identity and public key information of the devices in question. Normally that is not run from the device itself but rather from a CI system or other piece of infrastructure or your build system. The full details on the API calls are here. Are you calling those APIs?

Drew
