BananaPiM1Plus - Online (Heartbeat only) - Self Signed Cert Verify Failed

Hello,

I am trying to set up a brand new Banana Pi M1+ onto Balena. I have several Raspberry Pis in other fleets, on the same network, that are fully connected.

However, the Banana Pi connects but never establishes its VPN into Balena.

Using the Local Balena SSH I was able to get in and run the systemctl status for openvpn, and see this error.

This appears to be even before any code or containers that I would be deploying to it, is there a problem with the certs? Is this something I can fix?

EDIT:
Also just to clarify, I am not using openBalena or anything, this is the normal hosted Balena.
I did try re-flashing to a new SD card, but I only have one of the physical devices. Both instances only ever get to ‘Heartbeat’ only. If I deploy code, it runs just fine and I can locally get to it, but I cannot use any of the functions that need the VPN, like the Public Device URL.

Hi, could you share the output of the commands journalctl -u openvpn -xef and openvpn --version on your bananaPi device? This is quite an old OS version and we have seen some issues with openvpn compatibility before, but having some extra logs might help determine the cause.


Thank you Pipex,

for journalctl -u openvpn -xef , it seems to be a repeating


Jun 16 13:41:04 113162b openvpn[601]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 13:41:04 113162b openvpn[601]: TCP/UDP: Preserving recently used remote address: [AF_INET]34.226.166.12:443
Jun 16 13:41:04 113162b openvpn[601]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Jun 16 13:41:04 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET]34.226.166.12:443 [nonblock]
Jun 16 13:41:05 113162b openvpn[601]: TCP connection established with [AF_INET]34.226.166.12:443
Jun 16 13:41:05 113162b openvpn[601]: TCP_CLIENT link local: (not bound)
Jun 16 13:41:05 113162b openvpn[601]: TCP_CLIENT link remote: [AF_INET]34.226.166.12:443
Jun 16 13:41:44 113162b openvpn[601]: Connection reset, restarting [0]
Jun 16 13:41:44 113162b openvpn[601]: SIGUSR1[soft,connection-reset] received, process restarting
Jun 16 13:41:44 113162b openvpn[601]: Restart pause, 300 second(s)
Jun 16 13:46:44 113162b openvpn[601]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 13:46:44 113162b openvpn[601]: TCP/UDP: Preserving recently used remote address: [AF_INET]52.7.228.224:443
Jun 16 13:46:44 113162b openvpn[601]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Jun 16 13:46:44 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET]52.7.228.224:443 [nonblock]
Jun 16 13:46:45 113162b openvpn[601]: TCP connection established with [AF_INET]52.7.228.224:443
Jun 16 13:46:45 113162b openvpn[601]: TCP_CLIENT link local: (not bound)
Jun 16 13:46:45 113162b openvpn[601]: TCP_CLIENT link remote: [AF_INET]52.7.228.224:443
Jun 16 13:46:45 113162b openvpn[601]: TLS: Initial packet from [AF_INET]52.7.228.224:443, sid=5ae137d1 5d75e0db
Jun 16 13:46:45 113162b openvpn[601]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=WA, L=Seattle, O=balena.io, OU=balenaCloud, CN=open-balena-vpn-rootCA
Jun 16 13:46:45 113162b openvpn[601]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jun 16 13:46:45 113162b openvpn[601]: TLS_ERROR: BIO read tls_read_plaintext error
Jun 16 13:46:45 113162b openvpn[601]: TLS Error: TLS object -> incoming plaintext read error
Jun 16 13:46:45 113162b openvpn[601]: TLS Error: TLS handshake failed
Jun 16 13:46:45 113162b openvpn[601]: Fatal TLS error (check_tls_errors_co), restarting
Jun 16 13:46:45 113162b openvpn[601]: SIGUSR1[soft,tls-error] received, process restarting
Jun 16 13:46:45 113162b openvpn[601]: Restart pause, 300 second(s)
Jun 16 13:51:45 113162b openvpn[601]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 13:51:45 113162b openvpn[601]: TCP/UDP: Preserving recently used remote address: [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443
Jun 16 13:51:45 113162b openvpn[601]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Jun 16 13:51:45 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443 [nonblock]
Jun 16 13:51:45 113162b openvpn[601]: TCP: connect to [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443 failed: Network is unreachable
Jun 16 13:51:45 113162b openvpn[601]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Jun 16 13:51:45 113162b openvpn[601]: Restart pause, 300 second(s)

For openvpn --version

root@113162b:~# openvpn --version
OpenVPN 2.4.3 arm-poky-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 13 2018
library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_broken_putenv=no with_crypto_library=openssl with_gnu_ld=yes with_libtool_sysroot=/yocto/resin-board/build/tmp/work/armv7vehf-neon-poky-linux-gnueabi/openvpn/2.4.3-r0/recipe-sysroot with_mem_check=no

If you guys need me to open this one up for Remote Support somehow, I am more than willing to. I understand that the nature of the problem is that it's not hitting the VPN, so I can set up another device on the same network that IS (like a Raspberry Pi) and allow you guys to get in that way if needed.
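Added example, not part of any post in this thread: a small Python triage script that groups `journalctl -u openvpn` lines like the ones posted above by connection attempt and reports the stage at which each attempt failed. The sample is an excerpt of the posted log; the outcome labels and hint texts are this example's own wording, with the hints keyed on OpenSSL's standard verify-error strings.

```python
import re

# Excerpt of the journal lines posted above, one group per connection attempt.
SAMPLE = """\
Jun 16 13:41:04 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET]34.226.166.12:443 [nonblock]
Jun 16 13:41:44 113162b openvpn[601]: Connection reset, restarting [0]
Jun 16 13:46:44 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET]52.7.228.224:443 [nonblock]
Jun 16 13:46:45 113162b openvpn[601]: TLS: Initial packet from [AF_INET]52.7.228.224:443, sid=5ae137d1 5d75e0db
Jun 16 13:46:45 113162b openvpn[601]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=WA, L=Seattle, O=balena.io, OU=balenaCloud, CN=open-balena-vpn-rootCA
Jun 16 13:46:45 113162b openvpn[601]: TLS Error: TLS handshake failed
Jun 16 13:51:45 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443 [nonblock]
Jun 16 13:51:45 113162b openvpn[601]: TCP: connect to [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443 failed: Network is unreachable
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ openvpn\[\d+\]: (.*)$")
ATTEMPT = re.compile(r"Attempting to establish TCP connection with \[(AF_INET6?)\](\S+):(\d+)")
VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (.+)$")
CONNECT_FAIL = re.compile(r"TCP: connect to \S+ failed: (.+)$")
# OpenSSL verify-error strings and what each usually points to.
HINTS = {
    "self signed certificate in certificate chain": "chain's root CA is not in the CA set given to the client",
    "certificate is not yet valid": "device clock is probably behind",
    "certificate has expired": "certificate expired or device clock is ahead",
}

def summarize(text):
    """Return one dict per connection attempt with its remote and failure stage."""
    attempts = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        a = ATTEMPT.search(msg)
        if a:  # a new attempt starts here; later lines belong to it
            attempts.append({"time": ts, "family": a.group(1), "remote": a.group(2),
                             "tls_started": False, "outcome": "unknown"})
        elif attempts:
            cur = attempts[-1]
            v, c = VERIFY.search(msg), CONNECT_FAIL.search(msg)
            if msg.startswith("TLS: Initial packet"):
                cur["tls_started"] = True
            elif v:  # depth 0 is the server certificate, depth 1 its issuer
                cur.update(outcome="tls-verify", depth=int(v.group(1)), error=v.group(2),
                           subject=v.group(3), hint=HINTS.get(v.group(2), "unmapped verify error"))
            elif c:
                cur.update(outcome="tcp-connect", error=c.group(1))
            elif msg.startswith("Connection reset") and cur["outcome"] == "unknown":
                cur["outcome"] = "reset-after-tls-start" if cur["tls_started"] else "reset-before-tls"
    return attempts
```

On the device, the same function can be fed the saved output of `journalctl -u openvpn` instead of `SAMPLE`.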

Sorry for hijacking the thread, but I’m also having issues with BananaPI. I’m trying to use the supervisor API, but since Banana’s supervisor is still in version 7, it won’t work with my script. The OS is still 2.12.

Any chance of updating the releases?

Hi @stokes776 and @brunovianna

I cannot see anything obvious that explains the problem in the logs. My first instinct is that this could be a time synchronization issue, but we would need more testing to confirm.

One thing you could both try is the following.

We publish our test images in our staging site balena-staging.com and I see there are newer OS images (2.46.1) for the bananaPI M1+. You can download one of the images from that site and then configure it to run against balena-cloud using the balena os configure command from our CLI.

If the VPN / missing supervisor endpoints persist, we can take it from there.

I also wanted to let you know that we are working on improvements to our OS deployment process so soon device type images will be created much faster after OS changes are published. We have no hard ETA on this feature, but the improvements are being actively worked on.