Raspberry Pi 4 - Hosted Mender / TLS Certificate warning?

Hello,

We’re investigating Mender as a management system for Raspberry Pi 4s.

We’ve been through the documentation and set a couple up with the provided image, and all looks to be working: they come through on the hosted dashboard and we’ve been pushing updates to them successfully.

I was SSH’d into one of the units today and decided to check the system logs on a whim and noticed a bunch of errors from mender-client about TLS certificates:

Jun 09 18:16:45 gateway mender[887]: time="2021-06-09T18:16:45+01:00" level=error msg="Failed to Load the Server certificate. Err SSL errors: "
Jun 09 18:16:45 gateway mender[887]: time="2021-06-09T18:16:45+01:00" level=warning msg="Failed to load the server TLS certificate settings: SSL errors: "

Is there anything we can do to resolve these errors?

We’ve made no modifications to the base image outside of removing the pi user and adding a few of our own scripts / applications.

Our mender config is as follows, which is the default production .conf; the same messages are seen on the demo .conf too:

{
    "ClientProtocol": "https",
    "ArtifactVerifyKey": "",
    "HttpsClient": {
        "Certificate": "",
        "Key": "",
        "SSLEngine": ""
    },
    "Security": {
        "AuthPrivateKey": "",
        "SSLEngine": ""
    },
    "RootfsPartA": "/dev/mmcblk0p2",
    "RootfsPartB": "/dev/mmcblk0p3",
    "DeviceTypeFile": "/var/lib/mender/device_type",
    "DBus": {
        "Enabled": true
    },
    "UpdatePollIntervalSeconds": 1800,
    "InventoryPollIntervalSeconds": 28800,
    "SkipVerify": false,
    "RetryPollIntervalSeconds": 300,
    "StateScriptTimeoutSeconds": 0,
    "StateScriptRetryTimeoutSeconds": 0,
    "StateScriptRetryIntervalSeconds": 0,
    "ModuleTimeoutSeconds": 0,
    "ServerCertificate": "",
    "ServerURL": "",
    "UpdateLogPath": "",
    "TenantToken": "<snip>",
    "Servers": [
        {
            "ServerURL": "https://hosted.mender.io"
        }
    ]
}

Any assistance would be appreciated.
Thanks

Hi @AlexC

I’m not sure what specifically would cause those errors in the prebuilt images, but you should be aware that those images are not intended as starting points for your design but rather just a quick way to start working with Mender to understand the workflow. Once you are past that point, you should investigate using your own customized image and running it through our mender-convert tool: System updates: Debian family | Mender documentation

As for the cert errors, perhaps @oleorhagen or @lluiscampos know more.

Drew

Thanks for the reply,

I was under the impression that the provided mender image was just a stock raspi-os lite image that had been converted to mender?

Will have a read up on mender-convert, can always convert raspi-os lite myself if needed.

Hi @AlexC

The error is a little misleading. The error stems from an empty Server certificate in the config, ServerCertificate: "".

The client works, however, since it falls back to the system ca-certs, in which the server certificate is now installed.
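
A config check that separates the benign case described in the last reply from settings that would actually weaken the TLS connection, as an added example that is not part of the original thread or Mender's own code. The function name `audit_tls_settings`, the sample text and the severity labels are illustrative; that `SkipVerify` set to true disables server certificate verification is an assumption based on the key name.

```python
import json
import os

# Constructed sample: the TLS-relevant keys from the config posted above.
SAMPLE_CONF = """{
    "ClientProtocol": "https",
    "SkipVerify": false,
    "ServerCertificate": "",
    "ServerURL": "",
    "Servers": [{"ServerURL": "https://hosted.mender.io"}]
}"""


def audit_tls_settings(conf_text):
    """Return (severity, message) findings for the TLS keys in a mender.conf."""
    conf = json.loads(conf_text)
    findings = []

    cert = conf.get("ServerCertificate", "")
    if not cert:
        # Case from the thread: no certificate file is configured, the client
        # logs the load failure and falls back to the system CA store.
        findings.append(("info", "ServerCertificate empty: system CA store is used"))
    elif not os.path.isfile(cert):
        findings.append(("error", "ServerCertificate file not found: " + cert))
    else:
        with open(cert, "r", errors="replace") as fh:
            if "-----BEGIN CERTIFICATE-----" not in fh.read():
                findings.append(("error", "ServerCertificate is not PEM: " + cert))

    # Assumption: SkipVerify=true turns off server certificate verification.
    if conf.get("SkipVerify") is True:
        findings.append(("warning", "SkipVerify is true: server identity is not checked"))

    # Check the top-level ServerURL and every entry in Servers.
    urls = [conf.get("ServerURL", "")]
    urls += [s.get("ServerURL", "") for s in conf.get("Servers") or []]
    for url in filter(None, urls):
        if not url.lower().startswith("https://"):
            findings.append(("warning", "ServerURL is not https: " + url))
    return findings


if __name__ == "__main__":
    for severity, message in audit_tls_settings(SAMPLE_CONF):
        print(severity.upper() + ": " + message)
```

For the posted config the only finding is the informational one, which matches the explanation that the logged errors do not stop the client from verifying the server.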