Build on Internet-Connected Machine and Deploying to Internet-Isolated Environment

Hi all,

The core issue was likely that I hadn’t added the self-signed certificate to the trusted certificate store. I don’t recall doing this initially, which probably led me to skip it.

Here are the commands for adding it:

sudo mkdir -p /etc/docker/certs.d/registry2.other-domain.local/
sudo cp /path/to/your/certificate.crt /etc/docker/certs.d/registry2.other-domain.local/ca.crt
sudo systemctl restart docker

Initially, I suspected the problem stemmed from how I’d generated the self-signed certificate (thinking it didn’t support multiple domains). So, I regenerated the certificate for the first server and then moved it to the second. It was at that point I realized the issue persisted, and ultimately, I resolved it as described above.

Since I’m still not entirely sure if the root cause was solely the missing certificate in Docker’s trust store or if it also related to the certificate generation process, I’ll document how I created the multi-domain certificate. I had a tough time finding clear information online and only succeeded after multiple attempts.

Creating a Multi-Domain Self-Signed Certificate

First, create a SAN (Subject Alternative Name) file as follows:

# openssl-domain-san.cnf (the file passed to -config in the command below)
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
default_md = sha256

[req_distinguished_name]
countryName = IT
stateOrProvinceName = Parma
localityName = Parma
organizationName = MyCompany
commonName = mydomain.local

[req_ext]
subjectAltName = @alt_names

[alt_names]
#---- Wildcard covers only one level
DNS.1 = *.one.mydomain.local
DNS.2 = *.two.mydomain.local
DNS.3 = *.other-domain.local

Next, generate the certificate pair using this command:

openssl req -x509 -newkey rsa:2048 -keyout multiple-domain-wildcard_private_key.pem -out multiple-domain-wildcard_certificate.crt -days 10000 -config openssl-domain-san.cnf -extensions req_ext -nodes

Then, proceed with the standard installation procedure on both servers. They will now share the same certificate despite using different domains. In my specific case, these were subdomains, but the process works identically for completely unrelated domains.

Anyway, I haven’t been able to fully resolve the problem, as I wrote in this other thread:

which is:

Jun 10 10:44:23 89a1389 balena-supervisor[3973]: [event] Event: Image downloaded {"image":{"name":"registry2.new-domain.local/v2/5cd9eb7b19e96f6658726f26fe30f14c@sha256:6878587e36cfd28bc337c2fe9a19eff1ef9d9ee823cf81d351910a8b70695738","appId":1,"appUuid":"1f5dce674dbb47f49f987a60365a885e","serviceId":1,"serviceName":"main","imageId":11,"releaseId":11,"commit":"c09a84612c324396c2cb981f7beaf57d"}}
Jun 10 10:44:23 89a1389 balena-supervisor[3973]: [event] Event: Take update locks {"appId":"1","force":false,"services":["main"]}
Jun 10 10:44:24 89a1389 balena-supervisor[3973]: [event] Event: Service install {"service":{"appId":1,"serviceId":1,"serviceName":"main","commit":"c09a84612c324396c2cb981f7beaf57d","releaseId":11}}
Jun 10 10:44:24 89a1389 balena-supervisor[3973]: [error] Scheduling another update attempt in 600000ms due to failure: Error: Failed to apply state transition steps. (HTTP code 400) bad parameter - No command specified Steps:["start"]

Thank you in advance
Andrea
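Added example, not part of Andrea's post or of any balena/Docker tooling: a small Python checker that parses the [alt_names] section of the openssl config shown above and applies the one-label wildcard rule (RFC 6125), so you can confirm before restarting Docker that the registry hostname used in the pull (and in the /etc/docker/certs.d/<host>/ directory name) is actually covered by the certificate's SAN list. The config text is a constructed copy of the post's file; the function names are this example's own.

```python
"""Check which hostnames an openssl SAN config actually covers.

Parses [alt_names] from an openssl req config and applies the RFC 6125
wildcard rule: '*' may replace exactly one leftmost DNS label, nothing more.
This is what the "Wildcard covers only one level" comment in the post means.
"""
import configparser

# Constructed copy of the openssl-domain-san.cnf from the post.
SAN_CONFIG = """
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
default_md = sha256

[req_distinguished_name]
countryName = IT
stateOrProvinceName = Parma
localityName = Parma
organizationName = MyCompany
commonName = mydomain.local

[req_ext]
subjectAltName = @alt_names

[alt_names]
#---- Wildcard covers only one level
DNS.1 = *.one.mydomain.local
DNS.2 = *.two.mydomain.local
DNS.3 = *.other-domain.local
"""


def parse_san_dns(config_text):
    """Return the DNS.* values of [alt_names], ordered by their index."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "DNS.1" exactly as written (no lowercasing)
    cp.read_string(config_text)
    entries = [(k, v) for k, v in cp.items("alt_names") if k.startswith("DNS.")]
    entries.sort(key=lambda kv: int(kv[0].split(".", 1)[1]))
    return [v.strip() for _, v in entries]


def hostname_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard covers one non-empty label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.one.mydomain.local" -> ".one.mydomain.local"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # "registry" matches; "" (bare domain) and "a.b" (two labels) do not
    return leftmost != "" and "." not in leftmost


def covered_by(san_names, hostname):
    """Return the SAN entry that covers hostname, or None if nothing does."""
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


def check_registry_hosts(config_text, hosts):
    """Map each registry host to the SAN entry covering it (None = not covered).

    A host that maps to None will fail TLS verification even after its CA is
    placed under /etc/docker/certs.d/<host>/ca.crt, because the certificate
    itself does not name it.
    """
    names = parse_san_dns(config_text)
    return {h: covered_by(names, h) for h in hosts}


if __name__ == "__main__":
    # Constructed hostnames: the post's registry plus edge cases of the rule.
    for host, match in check_registry_hosts(
        SAN_CONFIG,
        ["registry2.other-domain.local", "other-domain.local",
         "a.b.one.mydomain.local", "mydomain.local"],
    ).items():
        print(f"{host:32} -> {match or 'NOT COVERED'}")
```

Note that `mydomain.local` appears only as commonName, not as a DNS entry, so it is reported as not covered: Go's crypto/x509, which Docker's registry client uses, verifies against SAN entries only and ignores commonName. If a registry is reached as `host:port`, the certs.d directory name must include the port as well, while the SAN check is done on the hostname part.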