BananaPiM1Plus - Online (Heartbeat only) - Self Signed Cert Verify Failed

Hello,

I am trying to set up a brand new Banana Pi M1+ onto Balena. I have several Raspberry Pis in other fleets, on the same network, that are fully connected.

However, the Banana Pi connects but never establishes its VPN into Balena.

Using the Local Balena SSH I was able to get in and run the systemctl status for openvpn, and see this error.

This appears to be even before any code or containers that I would be deploying to it. Is there a problem with the certs? Is this something I can fix?

EDIT:
Also just to clarify, I am not using openBalena or anything, this is the normal hosted Balena.
I did try re-flashing to a new SD card, but I only have one of the physical devices. Both instances only ever get to ‘Heartbeat’ only. If I deploy code, it runs just fine and I can locally get to it, but I cannot use any of the functions that need the VPN, like the Public Device URL.

Hi, could you share the output of the commands journalctl -u openvpn -xef and openvpn --version on your bananaPi device? This is quite an old OS version and we have seen some issues with openvpn compatibility before, but having some extra logs might help determine the cause.


Thank you Pipex,

For journalctl -u openvpn -xef, it seems to be a repeating


Jun 16 13:41:04 113162b openvpn[601]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 13:41:04 113162b openvpn[601]: TCP/UDP: Preserving recently used remote address: [AF_INET]34.226.166.12:443
Jun 16 13:41:04 113162b openvpn[601]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Jun 16 13:41:04 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET]34.226.166.12:443 [nonblock]
Jun 16 13:41:05 113162b openvpn[601]: TCP connection established with [AF_INET]34.226.166.12:443
Jun 16 13:41:05 113162b openvpn[601]: TCP_CLIENT link local: (not bound)
Jun 16 13:41:05 113162b openvpn[601]: TCP_CLIENT link remote: [AF_INET]34.226.166.12:443
Jun 16 13:41:44 113162b openvpn[601]: Connection reset, restarting [0]
Jun 16 13:41:44 113162b openvpn[601]: SIGUSR1[soft,connection-reset] received, process restarting
Jun 16 13:41:44 113162b openvpn[601]: Restart pause, 300 second(s)
Jun 16 13:46:44 113162b openvpn[601]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 13:46:44 113162b openvpn[601]: TCP/UDP: Preserving recently used remote address: [AF_INET]52.7.228.224:443
Jun 16 13:46:44 113162b openvpn[601]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Jun 16 13:46:44 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET]52.7.228.224:443 [nonblock]
Jun 16 13:46:45 113162b openvpn[601]: TCP connection established with [AF_INET]52.7.228.224:443
Jun 16 13:46:45 113162b openvpn[601]: TCP_CLIENT link local: (not bound)
Jun 16 13:46:45 113162b openvpn[601]: TCP_CLIENT link remote: [AF_INET]52.7.228.224:443
Jun 16 13:46:45 113162b openvpn[601]: TLS: Initial packet from [AF_INET]52.7.228.224:443, sid=5ae137d1 5d75e0db
Jun 16 13:46:45 113162b openvpn[601]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=WA, L=Seattle, O=balena.io, OU=balenaCloud, CN=open-balena-vpn-rootCA
Jun 16 13:46:45 113162b openvpn[601]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Jun 16 13:46:45 113162b openvpn[601]: TLS_ERROR: BIO read tls_read_plaintext error
Jun 16 13:46:45 113162b openvpn[601]: TLS Error: TLS object -> incoming plaintext read error
Jun 16 13:46:45 113162b openvpn[601]: TLS Error: TLS handshake failed
Jun 16 13:46:45 113162b openvpn[601]: Fatal TLS error (check_tls_errors_co), restarting
Jun 16 13:46:45 113162b openvpn[601]: SIGUSR1[soft,tls-error] received, process restarting
Jun 16 13:46:45 113162b openvpn[601]: Restart pause, 300 second(s)
Jun 16 13:51:45 113162b openvpn[601]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 16 13:51:45 113162b openvpn[601]: TCP/UDP: Preserving recently used remote address: [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443
Jun 16 13:51:45 113162b openvpn[601]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Jun 16 13:51:45 113162b openvpn[601]: Attempting to establish TCP connection with [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443 [nonblock]
Jun 16 13:51:45 113162b openvpn[601]: TCP: connect to [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443 failed: Network is unreachable
Jun 16 13:51:45 113162b openvpn[601]: SIGUSR1[connection failed(soft),init_instance] received, process restarting
Jun 16 13:51:45 113162b openvpn[601]: Restart pause, 300 second(s)

For openvpn --version

root@113162b:~# openvpn --version
OpenVPN 2.4.3 arm-poky-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 13 2018
library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=no enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=no enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_broken_putenv=no with_crypto_library=openssl with_gnu_ld=yes with_libtool_sysroot=/yocto/resin-board/build/tmp/work/armv7vehf-neon-poky-linux-gnueabi/openvpn/2.4.3-r0/recipe-sysroot with_mem_check=no

If you guys need me to open this one up for Remote Support somehow, I am more than willing to. I understand that the nature of the problem is that it's not hitting the VPN, so I can set up another device on the same network that IS (like a Raspberry Pi) and allow you guys to get in that way if needed.

Sorry for hijacking the thread, but I’m also having issues with BananaPI. I’m trying to use the supervisor API, but since Banana’s supervisor is still in version 7, it won’t work with my script. The OS is still 2.12.

Any chance of updating the releases?

Hi @stokes776 and @brunovianna

I cannot see anything obvious that explains the problem on the logs. My first instinct is that this could be a time synchronization issue, but we would need more testing to confirm.

One thing you could both try is the following.

We publish our test images in our staging site balena-staging.com and I see there are newer OS images (2.46.1) for the bananaPI M1+. You can download one of the images from that site and then configure it to run against balena-cloud using the balena os configure command from our CLI.

If the VPN / missing supervisor endpoints persist, we can take it from there.

I also wanted to let you know that we are working on improvements to our OS deployment process so that soon device type images will be created much faster after OS changes are published. We have no hard ETA on this feature, but the improvements are being actively worked on.
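
Added example, not part of the thread or of balena's tooling: a small triage script for the OpenVPN journal lines posted above. It separates certificate-verification failures that point at the client's trusted CA set from those that point at the device clock, using OpenSSL's standard verify messages; the cause labels and function names are this example's own, and the sample is an excerpt of the log lines already on this page.

```python
import re

# Excerpt of the journal lines posted earlier in this thread.
SAMPLE = """\
Jun 16 13:41:05 113162b openvpn[601]: TCP connection established with [AF_INET]34.226.166.12:443
Jun 16 13:41:44 113162b openvpn[601]: Connection reset, restarting [0]
Jun 16 13:46:45 113162b openvpn[601]: TCP connection established with [AF_INET]52.7.228.224:443
Jun 16 13:46:45 113162b openvpn[601]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=WA, L=Seattle, O=balena.io, OU=balenaCloud, CN=open-balena-vpn-rootCA
Jun 16 13:46:45 113162b openvpn[601]: TLS Error: TLS handshake failed
Jun 16 13:51:45 113162b openvpn[601]: TCP: connect to [AF_INET6]2600:1f18:6600:7f01:dc24:54f2:d95f:abc0:443 failed: Network is unreachable
"""

VERIFY = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (.+)$")
CONNECT_FAIL = re.compile(r"TCP: connect to \[(AF_INET6?)\](\S+) failed: (.+)$")

# OpenSSL verify messages, grouped by what to check first on the device.
TRUST = ("self signed certificate in certificate chain",   # OpenSSL 1.x wording
         "self-signed certificate in certificate chain",   # OpenSSL 3.x wording
         "unable to get local issuer certificate")
CLOCK = ("certificate is not yet valid", "certificate has expired")

def classify(line):
    """Return a dict describing the failure on this line, or None."""
    msg = line.split("]: ", 1)[-1].strip()   # drop the syslog prefix
    m = VERIFY.search(msg)
    if m:
        err = m.group(2)
        if err in TRUST:
            cause = "trust-anchor"   # server's root is not in the client's CA set
        elif err in CLOCK:
            cause = "clock"          # check device time / NTP before the certs
        else:
            cause = "other-verify"
        return {"cause": cause, "depth": int(m.group(1)),
                "error": err, "subject": m.group(3)}
    m = CONNECT_FAIL.search(msg)
    if m:
        return {"cause": "network", "family": m.group(1), "error": m.group(3)}
    if msg.startswith("Connection reset"):
        return {"cause": "connection-reset"}
    return None

def triage(text):
    """Classify every line and keep only the ones that describe a failure."""
    return [c for c in map(classify, text.splitlines()) if c]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the device, the same function can be fed the output of journalctl -u openvpn instead of the embedded sample.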

Hello, I am afraid I'm not familiar with the balena-staging.com site. That site directly doesn't seem to load, but balena-staging.io does. I tried signing up at the io version, but never got the verification email.

I tried looking on the GitHub page for the balena account, but don't see anything specific to staging. Looking at other forum posts it does look like there is a staging side of Balena you are supposed to be able to sign up for?

I checked the spam filter a few times but no go, perhaps I'm just not being patient enough.

Hello @stokes776, I’m going to share your staging activation link over DM.

In the staging environment the Banana Pi M1+ connected right away, using balenaOS 2.46.1+rev2

I have not tried pushing my code to the staging, but I would expect it should work fine, this hurdle was getting over the no vpn.

Is there any other information I can provide to you guys to see about getting this OS available in Prod?


Hello @stokes776 I spoke with the balena devices team.

It looks like the OS available on staging (2.46.1+rev2) is not going to be released on production. The current draft image in production is based on 2.99.26, so it’s pretty old compared with the current one.

At balena we are trying to automatize all the new OS releases with all the device types. Sadly the bananaPi M1+ does not have automated testing. At the moment, the recommendation here is to support this device yourself until we have customers requesting for us to support it or a community member wants to support it themselves in production.

Click here to see the process Customer Board Support - Balena Documentation

Hi @mpous,
I’m also in the same situation as @stokes776.
Can you also send me the activation link over DM?
Best regards,
Fernando

Hello @fjuliofontes welcome to the balena community!

We do not recommend using the staging environment unless you have to test an OS version that will go to production. Why would you like to use the staging version?

Hello,
For the same reason as @stokes776. I’m currently testing the BananaPi-M1+ and I’m having the exact same issue. Impossible to have an ssh connection over the balena dashboard.

Best regards,

@fjuliofontes sorry for replying too late. Sadly as we said above the OS version is very old and there are some incompatibilities with the current VPN version we are running.

Currently the only possibility is that you can support your own OS following the balena instructions, as the focus of the balenaOS team is on OS automatization right now.

I know it’s not the best solution for you, but we can’t do much more here. Let us know if you need support; we will be happy to help 🙂

I just purchased 5 of the Banana PI without realising that the balena OS is outdated.

I would appreciate if you could send me a link to the staging images.
Thanks


The staging env works
Just need to register an account here.

Hope to see this device in the automated production builds at some point 🙂


Hi, we are currently deciding whether adding the bananaPi to the automated CI/CD pipeline is feasible or we will be forced to deprecate the device type support.