Secure Mender - open source or on-prem server

Hi
I am using the Mender on-prem server for testing. Because it's using a self-signed certificate it's not secured, and I want to test the preauthorization flow. Is there any way I can secure the server only by replacing the certificate file?

Thanks
Arun

I'm not aware of how to do it by changing only the certificate on the server. In the past, for testing a local server with the real certificates, I have added the real certificates to the Mender server, then added the domain registered in the certificate to the device's hosts file with its IP address, and also made sure the device's mender.conf server URL is using the domain in the certificate.

Hi @dellgreen

As you suggested I created one certificate and added it to make my production environment ready, but I am still getting an invalid certificate.
I have a proper domain and certificate. Can you please suggest how to check the server certificate?

Thanks
Arun

On the device that's connecting to the server, have you added an entry to the /etc/hosts file temporarily?

I am referring to the below link to make it production ready :slight_smile:
https://docs.mender.io/2.3/administration/production-installation#verification

I am replacing the server.crt file with my CA certificate.

But still, when I run the server, the certificate displayed does not match (it shows the default certificate), hence I am getting "certificate invalid" and "not secured".

So I want to update the CA certificate, and also, if possible, can you share the recommended SSL certificate?

Thanks
Arun

Oh I see. So you are saying that the certificate shown in your web browser is not the correct one when you verify it?

Yes. Can you please suggest how I can troubleshoot, or is there any further modification required to make it secure and production ready?

Thanks
Arun

OK, so if you have a proper (non self-signed) certificate installed, click the padlock in your web browser and drill down into that certificate to double-check that the information/domain/date in that certificate is correct and as expected, irrespective of whether the browser flags it as invalid.

If that's all correct, then are you using the domain name in your web browser, or are you using the IP address in the URL?

You need to be using the domain in the URL in your web browser so that the SSL certificate's domain check matches, else it'll be flagged as invalid. To do this on your local network, you will need to have a DNS resolver somewhere that resolves the domain to your local server IP address. On your client PC, if on Linux, you need to add an entry to your /etc/hosts file, or add an entry to your DNS server whilst testing.

Hi @dellgreen

I have the proper certificate, but the Mender server is still using the certificate generated by the keygen script provided by Mender.
I have a proper URL; my server is running on the same URL (and I also have the proper certificate for the URL on which Mender is hosted).
So can you please tell me the path of the Mender server certificate, so I can make the changes and put my certificate in the proper place?

Thanks
Arun

My server was set up using the certificates and keys section in: https://docs.mender.io/2.4/administration/production-installation

├── keys-generated
│   ├── certs
│   │   ├── api-gateway
│   │   │   ├── cert.crt
│   │   │   └── private.key
│   │   ├── server.crt
│   │   └── storage-proxy
│   │       ├── cert.crt
│   │       └── private.key
│   └── keys
│       ├── deviceauth
│       │   └── private.key
│       └── useradm
│           └── private.key
├── config/enterprise.yml.template
├── config/prod.yml
├── config/prod.yml.template
└── run

Have you replaced the necessary files above with your newly created files, which include your new certificate?

Yes, I replaced the server.crt file, but still no change.

I would also double-check your paths in production/config/prod.yml, and check that the docker-compose section in the production/run executable script is passing prod.yml as an argument. This is what mine looks like:

exec docker-compose \
     -p menderproduction \
     -f ../docker-compose.yml \
     -f ../docker-compose.storage.minio.yml \
     $ENTERPRISE_DOCKER_COMPOSE \
     -f ./config/prod.yml \
     $ENTERPRISE_PROD \
     "$@"

This may not apply to you, but as I'm using relative paths in the run script, make sure that however you are starting the run executable, the working directory is the production directory.
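One way to turn the "double-check your paths" advice into a repeatable pre-flight step, as an added example that is not from the thread or from Mender: extract every relative host path mounted in config/prod.yml and confirm it exists under the production directory before docker-compose is started. The prod.yml fragment and the directory tree below are constructed for the demo, modelled on the layout shown earlier in the thread; the container-side mount points are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Mender): verify that every
# "- ./host:/container" volume in a compose file resolves to a real file
# under the production directory. A missing file or a wrong working
# directory makes docker-compose mount an empty directory instead of the
# certificate, which is one way a freshly replaced cert "does not take".

# Print the host-side path of every relative volume mapping in $1.
compose_host_paths() {   # $1 = compose file
    sed -n 's#^[[:space:]]*-[[:space:]]*\(\./[^:]*\):.*#\1#p' "$1"
}

# Return non-zero if any mounted host path is missing relative to $2.
check_compose_volumes() {   # $1 = compose file, $2 = production dir
    status=0
    for p in $(compose_host_paths "$1"); do
        if [ ! -e "$2/$p" ]; then
            echo "missing host path for volume: $2/$p" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed production tree; the storage-proxy certificate is deliberately
# left out so the check has something to report.
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/config" "$root/keys-generated/certs/api-gateway" \
             "$root/keys-generated/certs/storage-proxy"
    : > "$root/keys-generated/certs/api-gateway/cert.crt"
    : > "$root/keys-generated/certs/api-gateway/private.key"
    # Constructed prod.yml fragment; container paths are assumed.
    cat > "$root/config/prod.yml" <<'EOF'
version: '2.1'
services:
    mender-api-gateway:
        volumes:
            - ./keys-generated/certs/api-gateway/cert.crt:/var/www/mendersoftware/cert/cert.crt
            - ./keys-generated/certs/api-gateway/private.key:/var/www/mendersoftware/cert/private.key
    storage-proxy:
        volumes:
            - ./keys-generated/certs/storage-proxy/cert.crt:/var/www/storage-proxy/cert/cert.crt
EOF
    echo "$root"
}

DEMO="$(make_demo_tree)"
if check_compose_volumes "$DEMO/config/prod.yml" "$DEMO"; then
    echo "all mounted host paths present"
else
    echo "fix the missing files (or cd into the production directory) before ./run"
fi
```

In the real run script the same check would sit before the exec line, after a `cd "$(dirname "$0")"`, so the relative paths are always resolved against the production directory no matter where run is invoked from.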

Hi @dellgreen

I replaced the certificate in keys-generated and also checked the prod.yml script.
Now my mender-api-gateway_1 is restarting.
I am also attaching the logs and a snapshot after running the server.

Thanks, Arun

I will have to defer this to the Mender team as I have little Docker experience. @mirzak

useradm is also restarting, and probably the log from this service is more interesting, since api-gateway seems to restart only because useradm is restarting.

Check your certificate format; there seem to be errors saying your certificate is in an invalid format.

Thanks @dellgreen, my server is working. There was actually no problem with the certificate; my private key was encrypted, so I removed the encryption and now the server is working.

But what changes are required on the client side?
I have made the required changes in hosts and changed the server URL to my hosted URL, but I am still getting issues.
Below I am attaching the logs for mender-client:

mender-client.service - Mender OTA update service
Loaded: loaded (/lib/systemd/system/mender-client.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-07-31 12:41:50 UTC; 12min ago
Main PID: 13241 (mender)
Tasks: 8 (limit: 2232)
CGroup: /system.slice/mender-client.service
└─13241 /usr/bin/mender -daemon

Jul 31 12:53:50 Thing2 mender[13241]: time="2020-07-31T12:53:50Z" level=error msg="See https://docs.mender.io/troubleshooting/mender-client#certificate-signed-by-unknow
Jul 31 12:53:50 Thing2 mender[13241]: time="2020-07-31T12:53:50Z" level=error msg="authorize failed: transient error: authorization request failed: certificate signed b
Jul 31 12:53:50 Thing2 mender[13241]: time="2020-07-31T12:53:50Z" level=info msg="State transition: authorize [Sync] -> authorize-wait [Idle]" module=mender
Jul 31 12:54:20 Thing2 mender[13241]: time="2020-07-31T12:54:20Z" level=info msg="State transition: authorize-wait [Idle] -> authorize [Sync]" module=mender
Jul 31 12:54:20 Thing2 mender[13241]: time="2020-07-31T12:54:20Z" level=error msg="Failure occurred while executing authorization request: &url.Error{Op:"Post", URL:
Jul 31 12:54:20 Thing2 mender[13241]: time="2020-07-31T12:54:20Z" level=error msg="Certificate is signed by unknown authority." module=client_auth
Jul 31 12:54:20 Thing2 mender[13241]: time="2020-07-31T12:54:20Z" level=error msg="If you are using a self-signed certificate, make sure it is available locally to the
Jul 31 12:54:20 Thing2 mender[13241]: time="2020-07-31T12:54:20Z" level=error msg="See https://docs.mender.io/troubleshooting/mender-client#certificate-signed-by-unknow
Jul 31 12:54:20 Thing2 mender[13241]: time="2020-07-31T12:54:20Z" level=error msg="authorize failed: transient error: authorization request failed: certificate signed b
Jul 31 12:54:20 Thing2 mender[13241]: time="2020-07-31T12:54:20Z" level=info msg="State transition: authorize [Sync] -> authorize-wait [Idle]" module=mender

Assuming you have updated the server certificate crt file on your client device, it's very likely that you don't have the full chain of trust certificates in that file on the client device.
My IT department creates and supplies me the certificates, so I normally just ask them to send me the certificate authority certificates they used and then concatenate them together into a single file.
I have 3 certificate entries in my crt file to make it work, for example.

Or you can try adding the ca-certificates package/recipe to your image, which may contain what you need.
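The client-side diagnosis described in the replies above (the full chain of trust in the device's server certificate file, and the domain rather than the IP address in the server URL) can be reproduced with openssl before touching a device. The script below is an added example, not code from the thread or from Mender: it builds a constructed three-level PKI (root, intermediate, server leaf) in a temporary directory, then compares a leaf-only server.crt against the concatenated chain, checks host name matching, and checks whether a private key is passphrase-protected (the encrypted key that kept api-gateway restarting earlier in the thread). The domain mender.example.test and the 192.0.2.10 address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Mender). Everything below is
# generated on the fly from a constructed PKI; nothing is read from a real
# Mender installation.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DOMAIN="mender.example.test"   # assumed server name, not from the thread

# Constructed chain: self-signed root -> intermediate CA -> server leaf.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/int.ext" \
    -out "$WORK/int.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$DOMAIN" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null

# Two candidate server.crt files for the device: the leaf alone, and the leaf
# with the CA certificates concatenated after it, as the reply above does.
cp "$WORK/leaf.crt" "$WORK/server-leaf-only.crt"
cat "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/server-full-chain.crt"
# A passphrase-protected copy of the server key (constructed passphrase).
openssl pkey -in "$WORK/leaf.key" -aes256 -passout pass:constructed \
    -out "$WORK/leaf-enc.key" 2>/dev/null

# Number of PEM certificate blocks in a file (three in the reply above).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Validate the server's leaf using only the given file as the trust store,
# which is how a device that trusts nothing but its server.crt sees it.
verify_with_trust_file() {   # $1 = leaf cert, $2 = trust file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the certificate match the host name the client is configured with?
# An IP address in the server URL fails this just as it does in a browser.
matches_hostname() {   # $1 = cert, $2 = host name
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Is the private key passphrase-protected (PKCS#8 or legacy PEM header)?
# A service that starts unattended cannot supply the passphrase.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

for f in server-leaf-only.crt server-full-chain.crt; do
    if verify_with_trust_file "$WORK/leaf.crt" "$WORK/$f"; then
        echo "$f ($(count_certs "$WORK/$f") certs): chain verifies"
    else
        echo "$f ($(count_certs "$WORK/$f") certs): cannot build chain, the device's symptom"
    fi
done
for name in "$DOMAIN" 192.0.2.10; do
    if matches_hostname "$WORK/leaf.crt" "$name"; then
        echo "$name: matches certificate"
    else
        echo "$name: does not match certificate"
    fi
done
for k in leaf.key leaf-enc.key; do
    if key_is_encrypted "$WORK/$k"; then echo "$k: encrypted, unusable for an unattended start"
    else echo "$k: unencrypted"; fi
done
```

The leaf-only file fails with openssl because the file is the only trust anchor and contains no self-signed root; the concatenated file succeeds for the same reason the three-entry crt file above works. Replacing the constructed chain with the real server.crt from the device and the real leaf from the api-gateway gives the same checks against a live deployment.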

@dellgreen can you please give a clearer idea? I am not getting the point and do not have a clear understanding of how to make the client work with my setup.

@drewmoseley Can you please help.

Thanks
Arun

@arun I’m not completely clear on what your issue is. Can you summarize?