Always getting Certificate Error

openBalena
1

Hi together,
i tried to install the openbalena Server according to the manual.
After installing certificates and looging in to balena cli i always get the message:
UNABLE_TO_GET_ISSUER_CERT_LOCALLY: request to https://api.mydomain.de/user/v1/whoami failed, reason: unable to get local issuer certificate

I tried a lot of things, but i’m not very familiar with certificates.

Thanks for your help!
Henrik

4

Hi - a couple of questions - are you using this along with a domain? Also - can you confirm if you restarted the docker daemon after configuring the certificates? If yes, can you let us know what local OS are you testing this ok so that we can try and reproduce the issue

7

Hi,
im using this with a domain, with subdomains as described in the installation guide.
I restarted docker. Tested Balena Cli on Ubuntu 18.04 and 20.10.
Thanks for your support

8

Just to confirm - you are still seeing issues with the certificates right?

10

Yes same issue.

11

Hi Henrik!

You mentioned that you installed openBalena by following the manual - just to confirm, I assume that you followed all the steps here?

I assume you are using a bash shell? Can you run echo $NODE_EXTRA_CA_CERTS and confirm that the returned value points to the local path of the installed root certificate?

Also, what version of balena CLI are you using?

Thank you, and kind regards
Alida

13

Also, just to double check as well, does the curl command here (modified to contain your domain name) return OK?

15

Hi,
yes i followed all steps.

balena version
12.44.3

Curl answers “ok”

export NODE_EXTRA_CA_CERTS='/home/henrik/ca.crt'
echo $NODE_EXTRA_CA_CERTS
output: /home/henrik/ca.crt

balena login --debug
[debug] new argv=[/home/henrik/tools/balena-cli/balena,/snapshot/versioned-source/bin/balena,login] length=3
_ _
| |__ __ _ | | ____ _ __ __ _
| '_ \ / || | / __ \| '_ \ / _ |
| |) | () || || /| | | || () |
|._/ _,||| _/|| || _,_|

Logging in to mydomain.de
? How would you like to login? Authentication token
? Session token or API key from the preferences page
UNABLE_TO_GET_ISSUER_CERT_LOCALLY: request to https://api.mydomain.de/user/v1/whoami failed, reason: unable to get local issuer certificate

FetchError: request to https://api.mydomain.de/user/v1/whoami failed, reason: unable to get local issuer certificate
at ClientRequest. (/snapshot/versioned-source/node_modules/fetch-ponyfill/node_modules/node-fetch/lib/index.js:1461:11)
at ClientRequest.emit (events.js:327:22)
at ClientRequest.EventEmitter.emit (domain.js:482:12)
at TLSSocket.socketErrorListener (_http_client.js:426:9)
at TLSSocket.emit (events.js:315:20)
at TLSSocket.EventEmitter.emit (domain.js:482:12)
at emitErrorNT (internal/streams/destroy.js:92:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
at processTicksAndRejections (internal/process/task_queues.js:84:21)

For further help or support, visit:

17

Hey, this seems like a general networking issue that we can confirm by removing the CLI. For example try:

openssl s_client -servername api.mydomain.de  -connect api.mydomain.de:443

I would expect this to fail, share the output please (remember to change api.mydomain.de to your domain). My suspicion is that while looking up the error “UNABLE_TO_GET_ISSUER_CERT_LOCALLY” which is not from our source code, others have mentioned their network has some deep packet inspection (firewall) which may be breaking things. If we can confirm that this is just an TLS issue then we can move on from troubleshooting the CLI and just focus on the TLS.

18

Hey

Output:

CONNECTED(00000003)
depth=2 C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = (STAGING) Let’s Encrypt, CN = (STAGING) Artificial Apricot R3
verify return:1
depth=0 CN = api.mydomain.de
verify return:1

Certificate chain
0 s:CN = api.mydomain.de
i:C = US, O = (STAGING) Let’s Encrypt, CN = (STAGING) Artificial Apricot R3
1 s:C = US, O = (STAGING) Let’s Encrypt, CN = (STAGING) Artificial Apricot R3
i:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
2 s:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
i:C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3

Server certificate
-----BEGIN CERTIFICATE-----
MIIGDjCCBPagAwIBAgITAPq1zopr8C6yjhXB/LLxbjOPWzANBgkqhkiG9w0BAQsF
ADBZMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXKFNUQUdJTkcpIExldCdzIEVuY3J5
cHQxKDAmBgNVBAMTHyhTVEFHSU5HKSBBcnRpZmljaWFsIEFwcmljb3QgUjMwHhcN
MjEwNDA5MTUzMTA1WhcNMjEwNzA4MTUzMTA1WjAsMSowKAYDVQQDEyFhcGkuanVs
aWF1bmRqb2hhbm5hbXVlbGxlci1nYnIuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDezeJWBEmY4VFQpJqXMRn0QxJo7TiFC5O7Eei0PiHrn4yd0k3P
5cNEtNsfZ4rR75EE+caklsq+MQ18IarWzjRPRzYzY+w5ivkhNo3FwV8vmz1sGx9d
Jr7z6CRa9UA1LpEOjOsxlIPLCe1LLpCM3t1jTg2ZRLAvOR2jGXGggn+RyH9WKiSK
rEj8s0tl9NjT/6zRtIQUl7km/jVCRz5XAV7gM2RcHs0OgIWx7kpDRr6zstuxpw7J
iHW1vjKmtM+wDy4XACIHXGM2XmcLFD2P/7rDH4W7jagdM2niHlKc3pQj6c6TmDrl
O45NdGyGJ7MxUAZ5pt7a28gvrc8ltcKdAvN/AgMBAAGjggL6MIIC9jAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFB6Pn0YjEVTXuo3b11spUoCqk+vgMB8GA1UdIwQYMBaA
FN5yekjfMcOmUN+fhSPfVzdLXS5lMF0GCCsGAQUFBwEBBFEwTzAlBggrBgEFBQcw
AYYZaHR0cDovL3N0Zy1yMy5vLmxlbmNyLm9yZzAmBggrBgEFBQcwAoYaaHR0cDov
L3N0Zy1yMy5pLmxlbmNyLm9yZy8wgcEGA1UdEQSBuTCBtoIhYXBpLmp1bGlhdW5k
am9oYW5uYW11ZWxsZXItZ2JyLmRlgiZyZWdpc3RyeS5qdWxpYXVuZGpvaGFubmFt
dWVsbGVyLWdici5kZYIgczMuanVsaWF1bmRqb2hhbm5hbXVlbGxlci1nYnIuZGWC
JHR1bm5lbC5qdWxpYXVuZGpvaGFubmFtdWVsbGVyLWdici5kZYIhdnBuLmp1bGlh
dW5kam9oYW5uYW11ZWxsZXItZ2JyLmRlMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcG
CysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5
cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAsMyD5aX5fWuvfAnMKEkE
hyrH6IsTLGNQt8b9JuFsbHcAAAF4t3kIuQAABAMARjBEAiBvKx8DZV8W4L8lSGSl
ZI3kpRo1uZkm5/bZgCMFb2CAlQIgURvWdRkjEQDIGTLQsPvK1PLZ63IYmdj3RYY/
BG13xXQAdwDdmTT8peckgMlWaH2BNJkISbJJ97Vp2Me8qz9cwfNuZAAAAXi3eRB9
AAAEAwBIMEYCIQDSFkLpnQLLmVLI4HhzQIqAFLkNVWeKixx/lBn0T82qsQIhAJdj
DDJSQ0SHuexg8XyGyOGtXb1bFYTRPI011DgayEU6MA0GCSqGSIb3DQEBCwUAA4IB
AQCc3QRF0YS3jS6iN0TDu+cfBX/h4HwKojG7TjJOkl29edEFJXUuJ+Ji2Ker5eMg
NGtmY9R4IATnEyTDLKJJavlG6V3dmrQwWtgWCI1w6HBx8Q0yfAZZlL+Ht0rol7xg
JnwxQGmlE/qdbcif/buMjZ6ZOLGBKOeYBo4VFLat3DBDeAK9JJeTu2a/PxFDblj1
mQiaUrn4QYaQtcwt4QioCNfVUSrWQ5G2DpOC/VUnMDss6L5Ef4sA7wl3nuUMtCBC
au9QiJCtv5PZVtp7k/7GGfjObq5eUzAVAyYysEdTGUQb5Buf5A+yBf/EB0jv5/o8
9LXZhmdUwhb4S9hxBCcpXpcZ
-----END CERTIFICATE-----
subject=CN = api.mydomain.de

issuer=C = US, O = (STAGING) Let’s Encrypt, CN = (STAGING) Artificial Apricot R3

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 4867 bytes and written 405 bytes
Verification error: unable to get local issuer certificate

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 78568B384A1D228F6EF3609402760E9940178D18DAC755A8C2E328AD13D0FE95
Session-ID-ctx:
Resumption PSK: 8E0DD9D29AF60C0FC547572F53E64E15611FDBF770159BCD9A103A3B8C28338CCE76718C71F3D7618B0856BC0A802E1D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 44 5b ce 2c 42 39 22 94-2e 56 6d 41 d2 e9 6e d7 D[.,B9"…VmA…n.
0010 - 38 ee c9 d3 90 22 f9 24-63 fb 08 18 cc 7d b5 a9 8…“.$c…}…
0020 - 45 61 c8 5e ea 6a 34 f3-45 73 cf 90 89 30 e5 7f Ea.^.j4.Es…0…
0030 - 2d 29 fd 1d 84 22 7d 04-0a c6 66 7b 7f 9d 7a ac -)…”}…f{…z.
0040 - cf 81 b1 ee e8 ce 4f 01-4a 7c 5e 1a 2a de 66 5e …O.J|^..f^
0050 - e9 97 e1 34 41 a6 3d ed-b6 15 a8 a5 4e 7d 61 f1 …4A.=…N}a.
0060 - 91 1e 1e 23 e8 53 8d 31-6a 38 b4 56 60 e9 05 49 …#.S.1j8.V`…I
0070 - d9 b1 06 0e 72 65 d4 5e-c0 6c 62 f5 53 fd e7 b1 …re.^.lb.S…
0080 - 0d ae f5 ba ee 61 0c 2a-d1 54 da 76 21 89 e5 c5 …a..T.v!..
0090 - cd d6 40 c0 76 54 96 bc-ba ac 77 b2 ff fd 42 00 …@.vT…w…B.
00a0 - 47 be 89 c3 28 60 73 4b-3c d3 ef d6 db 03 d7 01 G…(`sK<…
00b0 - 18 00 84 64 df 73 78 2b-25 9b 2e cf ca 7e 4b 60 …d.sx+%…~K`
00c0 - d9 df b7 5c 3a e6 90 0a-31 e4 57 09 25 ac 48 97 …:…1.W.%.H.
00d0 - 84 d3 41 c5 a5 9c 37 d1-cb cd 0b 4d d8 21 7c f2 …A…7…M.!|.
00e0 - 73 58 8e 3d c2 14 66 2a-ee c1 df 59 c7 44 e3 a9 sX.=…f*…Y.D…

Start Time: 1617987174
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0

read R BLOCK

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: CE117FE4E179B8C4CF7FE65BE7720BE1E25633E4A443558498B8E20F4F248CCF
Session-ID-ctx:
Resumption PSK: A19DF9649D396137BEB20F95C3D363CD58D585C60B9F87EC7B69DC9C12C1F359258A0799CC029FCE2D423BF01DEEC112
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 44 5b ce 2c 42 39 22 94-2e 56 6d 41 d2 e9 6e d7 D[.,B9"…VmA…n.
0010 - ca 9a 60 57 b6 0c 36 ce-13 96 8d 4d c5 7b 9f 22 …W..6....M.{." 0020 - 2b d5 a3 d5 79 05 11 9f-5c 77 65 f5 49 f6 95 d5 +...y...\we.I... 0030 - a2 a8 c1 13 25 9b 4c 14-20 f3 b5 3e b0 f6 48 25 ....%.L. ..>..H% 0040 - 4d f0 4b ad 84 da 9c 07-9d 6e 7b 14 e4 6c 99 e0 M.K......n{..l.. 0050 - 8a c5 66 da 05 3c 71 ce-07 07 21 6a ea ee 76 d5 ..f..<q...!j..v. 0060 - 18 bd ba 7b 6c 4c 67 0c-e4 c4 5c 28 50 eb 4d 87 ...{lLg...\(P.M. 0070 - 52 86 86 26 61 d9 e7 dd-a9 6b 93 6a 02 5c 37 27 R..&a....k.j.\7' 0080 - b5 b6 f1 e1 b8 78 7c 53-b8 78 f4 cb a7 d8 d2 93 .....x|S.x...... 0090 - dd 62 00 89 8e ca b6 02-17 85 aa a9 a7 21 e2 7e .b...........!.~ 00a0 - 9e 2b 61 d9 11 81 02 c5-f6 44 b0 18 8d 26 d0 6a .+a......D...&.j 00b0 - 7a 5c 3e f4 4a 20 e7 a2-6e 6a c3 29 a4 46 43 57 z\>.J ..nj.).FCW 00c0 - 96 60 03 8a ac fb a3 20-0f b0 11 73 38 7c 63 16 .… …s8|c.
00d0 - c6 81 d6 f5 9d bd b0 56-33 d6 a3 03 18 ed 98 1c …V3…
00e0 - b5 a5 b9 89 de 62 cd fb-e7 47 1c 56 3d e7 4b 86 …b…G.V=.K.

Start Time: 1617987174
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0

read R BLOCK

19

Another thing i found:
./scripts/compose up

outputs

cert-provider_1 | [Error] ACTIVE variable is not enabled. Value should be “true” or “yes” to continue.
cert-provider_1 | [Error] Unable to continue due to misconfiguration. See errors above. [Stopping]

20

The output contains this message which confirms it’s not a CLI issue and just something with the TLS certs. I found this node.js - OpenSSL error - unable to get local issuer certificate - Stack Overflow which does a wicked job explaining the error but it’s still pretty in depth so hard to extract a next step for us to resolve this.

The issue you found seems to be the next thing we should focus on. I saw some other threads where people had reported that error as well Facing issue in openbalena configuration - #7 by Sharvin26. Do you want to take a look through that and see if it has any steps you can check.

21

I agree on that.
I also get the issuer warning when i open the api with firefox.

That Thread is about DNS misconfiguration. My DNS should be configured correct.
I will go through other Threads about this issue.

23

Finally got it :partying_face:
Reinstalled Twice…

24

Glad to hear it is working now Henrik, and sorry for the troubles along the way.