balena preload failed with x509: certificate signed by unknown authority

Hello

I’ve got an error making a preload image with the balena preload command.

Please refer to the output below

This command ended with error - x509: certificate signed by unknown authority

Of course, I registered the ca.pem in my system (Mac).

Version (open balena)

3.8.0

Console outputs

$ balena preload ~/Downloads/raspberrypi4-64-2.107.10+rev3-v14.4.4.img --fleet admin/zigbangApp --commit  59655624a0df5e043d7661eb35269298
Building Docker preloader image. [========================] 100%
| Checking that the image is a writable file
| Finding a free tcp port
| Checking if the image is an edison zip archive
| Creating preloader container
\ Starting preloader container
- Fetching application admin/zigbangapp
- Reading image information
/ Fetching application 1
?
This fleet is set to track the latest release, and non-pinned devices
are automatically updated when a new release is available. This may lead to
unexpected behavior: The preloaded device will download and install the latest
release once it is online.

This prompt gives you the opportunity to disable automatic updates for
this fleet now. Note that this would result in the fleet being pinned to
the current latest release, rather than some other release that may have
been selected for preloading. The pinned released may be further managed
through the web dashboard or programatically through the balena API / SDK.
Documentation about release policies and pinning can be found at:
https://www.balena.io/docs/learn/deploy/release-strategy/release-policy/

Alternatively, the --pin-device-to-release flag may be used to pin only the
preloaded device to the selected release.

Would you like to disable automatic updates for this fleet now? Yes
- Estimating required additional space
| Resizing partitions and waiting for dockerd to start
- Cleaning up temporary files
(HTTP code 500) server error - Get https://registry.MYDOMAIN.net/v2/: x509: certificate signed by unknown authority

Additional information may be available with the `--debug` flag.

For further help or support, visit:
https://www.balena.io/docs/reference/balena-cli/#support-faq-and-troubleshooting

With --debug option

And when I tried that command with the '--debug' option, I read an additional error message at the end of the procedure.

(HTTP code 500) server error - Get https://registry.MYDOMAIN.net/v2/: x509: certificate signed by unknown authority

Error: (HTTP code 500) server error - Get https://registry.MYDOMAIN.net/v2/: x509: certificate signed by unknown authority
    at /usr/local/lib/balena-cli/node_modules/docker-modem/lib/modem.js:315:17
    at IncomingMessage.<anonymous> (/usr/local/lib/balena-cli/node_modules/docker-modem/lib/modem.js:342:9)
    at IncomingMessage.emit (events.js:326:22)
    at IncomingMessage.EventEmitter.emit (domain.js:483:12)
    at endReadableNT (_stream_readable.js:1241:12)
    at processTicksAndRejections (internal/process/task_queues.js:84:21)
From previous event:
    at processImmediate (internal/timers.js:461:21)
From previous event:
    at /usr/local/lib/balena-cli/node_modules/balena-preload/build/preload.js:791:28

For further help or support, visit:
https://www.balena.io/docs/reference/balena-cli/#support-faq-and-troubleshooting

Thank you
Chester

Hello @chester,

Before trying to run balena preload, can you please check whether balena login and balena whoami work properly?
Please make sure that you have this certificate chain set for the node environment:

Please check whether
curl -vI https://api.MYDOMAIN.net/ping returns a valid certificate.

You may also check your openBalena installation if it sends a valid certificate with this command:
openssl s_client -showcerts -connect api.mydomain.com:443

Please share what responses you get.

Best Regards
Harald

Hello @fisehara,

Thank you for your answer.

I ran all the commands you asked me to check. Please refer to the output. I think all the commands gave their answers without any error.

 cronglee@crongui-iMac  ~  balena login
 _            _
| |__   __ _ | |  ____  _ __    __ _
| '_ \ / _` || | / __ \| '_ \  / _` |
| |_) | (_) || ||  ___/| | | || (_) |
|_.__/ \__,_||_| \____/|_| |_| \__,_|


Logging in to openbalena-dev.MYDOMAIN.net
? How would you like to login? Credentials
? Email: chester@MYDOMAIN.net
? Password: [hidden]
Successfully logged in as: admin

Find out about the available commands by running:

  $ balena help

For further help or support, visit:
https://www.balena.io/docs/reference/balena-cli/#support-faq-and-troubleshooting

 cronglee@crongui-iMac  ~  balena whoami
== ACCOUNT INFORMATION
USERNAME: admin
EMAIL:    chester@MYDOMAIN.net
URL:      openbalena-dev.MYDOMAIN.net
 cronglee@crongui-iMac  ~  curl -vI https://api.openbalena-dev.MYDOMAIN.net/ping
*   Trying 5x.xxx.xxx.2x:443...
* Connected to api.openbalena-dev.MYDOMAIN.net (5x.18x.xxx.21x) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.openbalena-dev.MYDOMAIN.net
*  start date: Jan 10 08:44:37 2023 GMT
*  expire date: Jan  9 08:44:37 2025 GMT
*  subjectAltName: host "api.openbalena-dev.MYDOMAIN.net" matched cert's "*.openbalena-dev.MYDOMAIN.net"
*  issuer: CN=ca.openbalena-dev.MYDOMAIN.net
*  SSL certificate verify ok.
> HEAD /ping HTTP/1.1
> Host: api.openbalena-dev.MYDOMAIN.net
> User-Agent: curl/7.85.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< X-Frame-Options: DENY
X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< Content-Length: 2
Content-Length: 2
< ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
< Date: Mon, 16 Jan 2023 23:24:09 GMT
Date: Mon, 16 Jan 2023 23:24:09 GMT
< Keep-Alive: timeout=5
Keep-Alive: timeout=5

<
* Connection #0 to host api.openbalena-dev.MYDOMAIN.net left intact
 cronglee@crongui-iMac  ~  openssl s_client -showcerts -connect  api.openbalena-dev.MYDOMAIN.net:443
CONNECTED(00000005)
depth=1 CN = ca.openbalena-dev.MYDOMAIN.net
verify error:num=19:self signed certificate in certificate chain
verify return:0
write W BLOCK
---
Certificate chain
 0 s:/CN=*.openbalena-dev.MYDOMAIN.net
   i:/CN=ca.openbalena-dev.MYDOMAIN.net
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/CN=ca.openbalena-dev.MYDOMAIN.net
   i:/CN=ca.openbalena-dev.MYDOMAIN.net
-----BEGIN CERTIFICATE-----
MIIFgTCCA2mgAwIBAgIUbLk0fKZPXjGSRO8YfeXCHZr6pJowDQYJKoZIhvcNAQEL
BQAwKDEmMCQGA1UEAwwdY2Eub3BlbmJhbGVuYS1kZXYuemlnYmFuZy5uZXQwHhcN
MjMwMTEwMDg0NDM1WhcNMzMwMTA3MDg0NDM1WjAoMSYwJAYDVQQDDB1jYS5vcGVu
YmFsZW5hLWRldi56aWdiYW5nLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
AgoCggIBAM58Dvrmx10GXabIVT5MEj3F7OSa2l5VyOjZr8anSEfyOD5U8sVyLtQr
2Ut/AptSWcJ7FghNejOKEpTgjh8xbztMymafaX4obFFQbQVaXhsA6uUFgx1rjuzR
s3ba8DJgfDpxyfxBYAqDH1xeFpPOaqOMZ3lb5UR7giSGWkA2qYEkdo0SOTDYlIgA
QlhBecFNkjyvjOwYOtiNUyt6Sm6VM5pLgL1DB98BsJT8A/ROLML95gZFBiLq6xIs
kkoYM+p/LxW3fZCTFpu+0zYn7JtCRYkhfcriV9iA2tkoz+ApUZ4xuJ0O/VD1N2cU
gxadbtSZ5UsmCNkthILgvY764BdsmFTs4ZKF9lR4/ohyL02WcaP0gDSwfXaNmxHR
+36zy1L349WxsQVmG+rKa4JBBzlVQysSY/4FcBQYJ41LbowvXpcXBXnmuy2hYozV
TphxyfIiX0Ao/e71/Xvq1z02rp8mjoMNKn7OsreAb8Jukj+lTviBUqOqctMKz6yz
wnnLd1JcVuv0kBL8rUdnWzIBjHC7DE9OoKpjeAfspNmtozg4UL6jd8IR7SoR6+pb
Y7cNJk47IZHFHvNtzBWmzSB6+llsFRThM96vdu02MYdz6rGWQwNbjNkwsng/SSzK
IYXM03kyQ57Nofq+NhQTQJSMolZ8eHdjR4gf+IQoR/oJepOJP+x7AgMBAAGjgaIw
gZ8wHQYDVR0OBBYEFH1dmnbaJdVM7217Lg8w2cjosHo5MGMGA1UdIwRcMFqAFH1d
mnbaJdVM7217Lg8w2cjosHo5oSykKjAoMSYwJAYDVQQDDB1jYS5vcGVuYmFsZW5h
LWRldi56aWdiYW5nLm5ldIIUbLk0fKZPXjGSRO8YfeXCHZr6pJowDAYDVR0TBAUw
AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAKNjniz/elTGFxac
caBlw52pzKI9gYZiGJpXm4AgYIimxbK7PEDlYi9YozA3AiIFNuIRHyIlGKQTSgn5
I87Wm6lRg8/TgjS/Z8/K7IdN15VQr5PSDuDEQ+5uJB/5Rf2//wUsmEdfFvywRKEG
/7nvfiH+Ti0nPEZUf5DZYmXgGVR/ExJtLGnOv0fPU6ux8N7Z4yyDoDvrFym9poSP
kOy4mPOpOmIZpelrr0txeubnND7KIAbj5ljfrV8KjdCdLx+SyYzgzVgLNr8ufIiU
KSEUpNbk1ZwT6o6qRZtq+91dt4nRWyy71PHGBOC9OJgLsGiD/kifHvxUPsMmIC6h
iwYpG7QqdeAvq85RsrPMVtM+aYTHsiK4SVq3zLCX2wUp1NHSuerw9qa1kM7GIipd
9BTa6rwgZQh0loKXXVB9pF79y/ZanSHdSHxodGbv2T7xKiB5sD0YF4JvWkndF+wo
+zHjDPfXH8rGv5j9rrDfqfGBLocFEk9abdxaYXWQbJpeim+PiAF0Y+p+bhddMVHH
j3Hdba+vX5N7aj/PU4AaWibxEhHyRKY0DswDKAXnazs0dHA9PeUjqfvheJp5ZgVA
yjCCCfZ46Xs5ZQUC+CK3j4422jkZCgTZto6NE3OYO5ZT+t7bPJxdfW5+CQnyddtd
LWL3NeFOS52jhs4I479MVaH45ACR
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.openbalena-dev.MYDOMAIN.net
issuer=/CN=ca.openbalena-dev.MYDOMAIN.net
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 3697 bytes and written 367 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : AEAD-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1673911481
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
read R BLOCK
read R BLOCK
read:errno=0

Thank you Harald

Best Regards
Chester

Hello Chester,

can you please run the commands also for your registry domain registry.MYDOMAIN.net and share the output?

Best Regards
Harald

Hello Harald,

Find the output for registry.MYDOMAIN.net below

 cronglee@crongui-iMac  ~  curl -vI https://registry.MYDOMAIN.net/ping
*   Trying 54.180.159.214:443...
* Connected to registry.MYDOMAIN.net (5x.xxx.1xx.2xx) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.openbalena-dev.zigbang.net
*  start date: Jan 10 08:44:37 2023 GMT
*  expire date: Jan  9 08:44:37 2025 GMT
*  subjectAltName: host "registry.openbalena-dev.zigbang.net" matched cert's "*.openbalena-dev.zigbang.net"
*  issuer: CN=ca.openbalena-dev.zigbang.net
*  SSL certificate verify ok.
> HEAD /ping HTTP/1.1
> Host: registry.openbalena-dev.zigbang.net
> User-Agent: curl/7.85.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Date: Tue, 17 Jan 2023 14:08:20 GMT
Date: Tue, 17 Jan 2023 14:08:20 GMT
< Content-Length: 19
Content-Length: 19

<
* Connection #0 to host registry.MYDOMAIN.net left intact

:)
Thank you for your support

Best Regards
Chester

Hello @fisehara

Do you have any updates for this?

Best Regards
Chester

Hello Chester,

Everything looks correct. Can you please check this with the latest balena CLI release: Release v15.0.3 · balena-io/balena-cli · GitHub
In addition, can you please check the balena preload command directly after the balena login again and paste your findings?

Best Regards
Harald

Hey Harald,

I updated balena CLI to 15.0.3 and ran the commands again as you requested. The same error occurred again. Please refer to the command outputs.

$ balena login
 _            _
| |__   __ _ | |  ____  _ __    __ _
| '_ \ / _` || | / __ \| '_ \  / _` |
| |_) | (_) || ||  ___/| | | || (_) |
|_.__/ \__,_||_| \____/|_| |_| \__,_|


Logging in to MYDOMAIN.net
? How would you like to login? Credentials
? Email: chester@xxxx.com
? Password: [hidden]
Successfully logged in as: admin

Find out about the available commands by running:

  $ balena help

For further help or support, visit:
https://www.balena.io/docs/reference/balena-cli/#support-faq-and-troubleshooting

$ balena preload ~/Downloads/raspberrypi4-64-2.107.10+rev3-v14.4.4.img --fleet zigbangApp --commit 3afee65dc7641fc9c4ef4fd3f4e7ae7c
Building Docker preloader image. [========================] 100%
| Checking that the image is a writable file
| Finding a free tcp port
| Creating preloader container
\ Starting preloader container
| Fetching application admin/zigbangapp
/ Reading image information
| Fetching application 1
| Estimating required additional space
\ Resizing partitions and waiting for dockerd to start
- Cleaning up temporary files
(HTTP code 500) server error - Get https://registry.MYDOMAIN.net/v2/: x509: certificate signed by unknown authority

Additional information may be available with the `--debug` flag.

For further help or support, visit:
https://www.balena.io/docs/reference/balena-cli/#support-faq-and-troubleshooting


$ balena --version
15.0.3

Best Regards
Chester