Balena deploy Progress Error

rlev · January 7, 2019, 7:18pm

Executing :
balena deploy myApp --logs --source . --emulated --build

…
…
Build] main Removing intermediate container a3778f868bbf
[Build] main Successfully built fd674f7f39fe
[Build] main Successfully tagged test_app_main:latest
[Info] Creating release… |
[Info] Creating release… /
[Info] Creating release… -
[Info] Creating release…
[Info] Creating release… |
[Info] Creating release…
[Info] Pushing images to registry…
Progress error: Get https://registry.mydomain.com/v2/: x509: certificate signed by unknown authority
[Info] Saving release… /
[Info] Saving release…
[Success] Deploy succeeded!
[Success] Release: aa374c54885aac3bd8fa0ad3c379cb8b

		    \
		     \
		      \\
		       \\
		        >\/7
		    _.-(6'  \
		   (=___._/` \
		        )  \ |
		       /   / |
		      /    > /
		     j    < _\
		 _.-' :      ``.
		 \ r=._\        `.
		<`\\_  \         .`-.
		 \ r-7  `-. ._  ' .  `\
		  \`,      `-.`7  7)   )
		   \/         \|  \'  / `-._
		              ||    .'
		               \\  (
		                >\  >
		            ,.-' >.'
		           <.'_.''
		             <'

Although the command says the “Deploy succeeded” the devices connected to the openbalena backend does not get updated.

Does anyone has an idea of Progress error: Get https://registry.mydomain.com/v2/: x509: certificate signed by unknown authority ERROR message?

dash · January 7, 2019, 10:48pm

Hi @rlev

I got this one when I first started. Adding the CA cert to node trusted certs fixed for me.

See: https://www.balena.io/open/docs/getting-started/#Install-self-signed-certificates

Note you will need to add NODE_EXTRA_CA_CERTS to your shell environment permanently or it will be reset every time you logout/reboot.

Cheers
Chris

richbayliss · January 8, 2019, 8:16am

I think this is actually an issue with the self-signed certificate not being present in the trusted roots of the development machine.

I am running macOS, but the principle is the same on all systems, but you should add your /config/certs/root/ca.cert to your system trusted root certificate store and then restart the Docker service. This will allow your machine to push to the hosted registry within OpenBalena.

You should have the NODE_EXTRA_CA_CERTS set anyway for balena login to work to get this far, so I don’t think it is that, but if not then you should have it set to the cert path too.

rlev · January 8, 2019, 11:51am

Thanks @richbayliss and @dash,

I will make sure the env var NODE_EXTRA_CA_CERTS is set.

In the other hand Where can I find information about using real signed certificates instead self-signed certs with openbalena?

richbayliss · January 17, 2019, 9:51am

At the moment this is not an easy step to enable, but rest assured that we are working on it actively. In the meantime, I think the best way to use a “real”, publicly trusted certificate is as follows:

Setup openBalena in the normal way, using the domain you will have a cert for.
Once the stack is up and running, you will be given a self-signed CA and server certs, as per the guide
Edit the haproxy container source, provided in the repo:
- you will want to include your cert/ca/key in a PEM file
- you need the Dockerfile to copy it into the container image somewhere
- you will want to change the line (https://github.com/balena-io/open-balena/blob/52fb6532231a954f5d887b253c83e305f53fde39/haproxy/haproxy.cfg#L45) to point to this certificate
Rebuild the haproxy container; dc build haproxy
Restart the stack; dc down && dc up -d

This is obviously very involved and messy at this point. Myself and others are working on making this easier and more intuitive, but at this time I cannot say when it will be ready, sorry.

rlev · January 29, 2019, 1:04pm

Thank you for such detailed info @richbayliss