"ServerCertificate" key not set by mender-convert --server-cert

Hi,

I have been following this guide to set up the (production equivalent of the) mender server.

All went well and I had used freshly prepared self-signed certificates for the server (as mentioned in the docs) and also prepared a RPi 3B device by converting 2019-04-08-raspbian-stretch-lite.img via mender-convert 1.1.1 branch.

Command used -

    ./docker-mender-convert from-raw-disk-image \
        --raw-disk-image $RAW_DISK_IMAGE \
        --mender-disk-image $MENDER_DISK_IMAGE \
        --device-type $DEVICE_TYPE \
        --artifact-name $ARTIFACT_NAME \
        --bootloader-toolchain arm-buildroot-linux-gnueabihf \
        --server-url $SERVER_URL \
        --server-cert $SERVER_CERT

Although the option --server-cert successfully copied the generated server.crt file to the final sdimg, the “/etc/mender/mender.conf” did not contain the “ServerCertificate” key, and thus the copied certificate was not being used while the client tried to communicate with the server.

Of course, I had no idea why I was still getting SSL errors (via journalctl -u mender) as the following documentation did not provide any hint that the mender.conf had to be updated with the “ServerCertificate” key -
https://docs.mender.io/2.1/administration/production-installation

Only when I found the Installation note here did the client finally work.

Note: A lot of time was wasted, even after following the guide.

So here are my two humble requests -

A) Can the mender-convert utility also add the “ServerCertificate” key to “/etc/mender/mender.conf” when “--server-cert” is specified as a command line option?

B) Can the documentation be updated to point out that “ServerCertificate” needs to be set in the client in case of self-signed certificates.

This will help people who are new to mender to easily try out mender. Thanks!

Thank you for your feedback @gswebspace.

> A) Can the mender-convert utility also add the “ServerCertificate” key to “/etc/mender/mender.conf” when “--server-cert” is specified as a command line option?

This was actually a bug. The --server-cert should add the file and add the entry to `/etc/mender/mender.conf`. But this should have been resolved already. I will investigate why you came across this using the linked tutorial.

> B) Can the documentation be updated to point out that “ServerCertificate” needs to be set in the client in case of self-signed certificates.

So in the mender-convert case, this should have been handled already by the tool. But I will look into this.

Looking at the 1.1.1 code for mender-convert, it seems jq_inplace was never called here.

Hope this helps! Thanks for your quick reply!

But the linked tutorial is using the 1.2.x branch. So that explains the problems you were having if you are using 1.1.1, where this bug was present.

I would recommend you to update to 1.2.x

Edit: 1.1.x should also work as it contains the fix

I had to switch to 1.1.1 because I was facing (the known) HDMI yellow overlay issue while using the buster-lite image and then stretch-lite image with probably unsupported changes to the Rpi system.

I’ll try again with stretch-lite and 1.2.x. Will update this thread if I get stuck.

Thanks!

mender-convert branch 1.2.x worked with raspbian stretch lite :+1:
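
The failure described in this thread (certificate copied into the image, but no “ServerCertificate” key in mender.conf) can be checked on a converted image before flashing. The following is an added example, not part of any post above and not mender-convert code; it assumes the image's root filesystem is mounted at a directory and that the certificate sits at /etc/mender/server.crt, and the function names are hypothetical.

```python
import json
import tempfile
from pathlib import Path

CONF_REL = "etc/mender/mender.conf"  # config path named in the thread


def check_server_cert(rootfs):
    """Return a list of problems with the ServerCertificate setting (empty = OK)."""
    conf_path = Path(rootfs) / CONF_REL
    try:
        conf = json.loads(conf_path.read_text())
    except (FileNotFoundError, json.JSONDecodeError) as exc:
        return [f"cannot read {CONF_REL}: {exc}"]
    cert = conf.get("ServerCertificate")
    if not cert:
        return ['"ServerCertificate" key missing; copied certificate is not used']
    # The value is an absolute path on the device; resolve it inside the rootfs.
    cert_file = Path(rootfs) / cert.lstrip("/")
    if not cert_file.is_file():
        return [f"ServerCertificate points to {cert}, which is not in the image"]
    if "-----BEGIN CERTIFICATE-----" not in cert_file.read_text(errors="replace"):
        return [f"{cert} is not a PEM certificate"]
    return []


def set_server_cert(rootfs, cert_on_device):
    """Add or update the key, keeping every other setting in mender.conf."""
    conf_path = Path(rootfs) / CONF_REL
    conf = json.loads(conf_path.read_text())
    conf["ServerCertificate"] = cert_on_device
    conf_path.write_text(json.dumps(conf, indent=2) + "\n")


def build_sample_rootfs(root):
    """Constructed sample: certificate copied, key absent (the reported state)."""
    etc = Path(root) / "etc/mender"
    etc.mkdir(parents=True)
    (etc / "server.crt").write_text(
        "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
    (etc / "mender.conf").write_text('{"ServerURL": "https://mender.example.com"}')


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        print("before:", check_server_cert(root))
        set_server_cert(root, "/etc/mender/server.crt")
        print("after: ", check_server_cert(root))
```

Run against a mounted rootfs, an empty result means the client config references a certificate that is actually present in the image.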