cert-provider error, maybe typo?

Here is a fresh docker-compose up from a fresh cloned openBalena repo.

registry_1       | Systemd init system enabled.
vpn_1            | Systemd init system enabled.
s3_1             | Systemd init system enabled.
haproxy_1        | [WARNING] 313/120720 (19) : Server vpn-tunnel/balena_vpn is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
haproxy_1        | [ALERT] 313/120720 (19) : proxy 'vpn-tunnel' has no server available!
haproxy_1        | [WARNING] 313/120720 (19) : Server vpn-tunnel-tls/balena_vpn is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
haproxy_1        | [ALERT] 313/120720 (19) : proxy 'vpn-tunnel-tls' has no server available!
cert-provider_1  | [Info] (2/3) Connecting...
cert-provider_1  | [Info] (2/3) Failed. Retrying in 5 seconds...
cert-provider_1  | [Info] (3/3) Connecting...
cert-provider_1  | [Info] (3/3) Failed!
cert-provider_1  | [Info] Unable to access api.ob-test.redacted-domain.de on port 80. This is needed for certificate validation. Retrying in 30 seconds...
haproxy_1        | [WARNING] 313/120726 (19) : Server backend_api/balena_api_1 is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
haproxy_1        | [WARNING] 313/120738 (19) : Server vpn-tunnel/balena_vpn is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
haproxy_1        | [WARNING] 313/120738 (19) : Server vpn-tunnel-tls/balena_vpn is UP, reason: Layer4 check passed, check duration: 0ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
cert-provider_1  | [Info] Waiting for api.ob-test.redacted-domain.de to be available via HTTP...
cert-provider_1  | [Info] (1/3) Connecting...
cert-provider_1  | [Info] (1/3) Success!
cert-provider_1  | cat: can't open '/usr/src/app/certs/last_run_mode': No such file or directory
cert-provider_1  | [Info] Last acquired certificate for
cert-provider_1  | [Info] Using STAGING mode
cert-provider_1  | [Info] Waiting for api.ob-test.redacted-domain.de to be available via HTTP...
cert-provider_1  | [Info] (1/3) Connecting...
cert-provider_1  | [Info] (1/3) Success!
cert-provider_1  | [Info] Issuing certificates...
cert-provider_1  | [Wed Nov 10 12:07:56 UTC 2021] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
cert-provider_1  | [Wed Nov 10 12:07:57 UTC 2021] Standalone mode.
cert-provider_1  | [Wed Nov 10 12:07:57 UTC 2021] Standalone mode.
cert-provider_1  | [Wed Nov 10 12:07:57 UTC 2021] Standalone mode.
cert-provider_1  | [Wed Nov 10 12:07:57 UTC 2021] Standalone mode.
cert-provider_1  | [Wed Nov 10 12:07:57 UTC 2021] Standalone mode.
cert-provider_1  | [Wed Nov 10 12:07:57 UTC 2021] Create account key ok.
cert-provider_1  | [Wed Nov 10 12:07:57 UTC 2021] Registering account
cert-provider_1  | [Wed Nov 10 12:07:58 UTC 2021] Register account Error: {
cert-provider_1  |   "type": "urn:ietf:params:acme:error:malformed",
cert-provider_1  |   "detail": "JWS verification error",
cert-provider_1  |   "status": 400
cert-provider_1  | }
cert-provider_1  | [Wed Nov 10 12:07:58 UTC 2021] Please add '--debug' or '--log' to check more details.
cert-provider_1  | [Wed Nov 10 12:07:58 UTC 2021] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
cert-provider_1  | [Info] Installing certificates...
cert-provider_1  | [Wed Nov 10 12:07:58 UTC 2021] Installing cert to:/tmp/cert.pem
cert-provider_1  | cat: can't open '/usr/src/app/certs/api.ob-test.redacted-domain.de/api.ob-test.redacted-domain.de.cer': No such file or directory
cert-provider_1  | [Error] Unable to acquire a staging certificate. [Stopping]

The second-to-last line is bogus; any idea what went wrong?

Hi there, :frowning_face:
So this is probably my last attempt to get help or information in the openBalena forums. :zzz:

I always get this error. The deployment is based on a KVM VM with a public IP address and DNS entries set for:

The docker-compose up runs smoothly, with no errors or warnings that aren't expected so far.

Is there a fix for this misbehavior? Because obviously that .crt file is not in place, and I would figure that it is most likely acme that is failing, if I weren't getting an "OK" on the API endpoint:

I already asked a question related to the balena CLI which ultimately leads to this error, because there is obviously a self-signed certificate installed, even though I used "-c" for acme in the installation process:

./scripts/quickstart -c -p -d ob-test.redacted-domainname.de -U ******** -P **********

Here is a link to my other thread about the CLI problem: (it is still unanswered anyway)

Please don't get me wrong or anything, I like the idea of how balena wants to solve IoT-related situations. We here at our company really would love to test compatibility and maybe even switch completely with 300+ devices to balenaCloud, but as far as I can tell, support is most likely the only way to get help from balena. This is not what I was expecting, especially because other threads, sometimes with really easy beginner issues, get an answer and help, whereas I myself have been largely ignored on my issues so far.

Have a good one, I would love to hear at least a "hi" or "we don't have a clue either" or "please give more information"
:grinning_face_with_smiling_eyes:

Even with 'domain…' in the quickstart command it is not working

Even with a fresh deploy after a docker system prune there is no change in progress. I'm now looking into the repo another time.

Hello,

My colleague has responded in your original thread, so we can continue our support there.


@Mawiguk0 The version of the acme.sh pulled by the current open-balena is still the original version added by @richbayliss in 2019. Since letsencrypt.org stopped supporting ACMEv1, it cannot work anymore and open-balena needs an update. See Cert Provider - Cannot issue a production certificate · Issue #108 · balena-io/open-balena · GitHub for reference.

@richbayliss @builder555 This PR should fix it: Get cert-provider working again by danzel · Pull Request #131 · balena-io/open-balena · GitHub

But in my case, this is not enough, below are my results with the fix of PR131:

It seems my VPS is rather slow and it needs a restart, these are the logs from "scripts/compose up -d"
Creating openbalena_db_1 … done
Creating openbalena_redis_1 … done
Creating openbalena_s3_1 … done
Creating openbalena_cert-provider_1 … done
Creating openbalena_api_1 … done
Creating openbalena_registry_1 … done
Creating openbalena_vpn_1 … done
Creating openbalena_haproxy_1 … done
…
./scripts/compose logs
cert-provider_1 | [Info] VALIDATION not set. Using default: http-01
cert-provider_1 | [Info] Waiting for api.openbalena. to be available via HTTP…
cert-provider_1 | [Info] (1/3) Connecting…
cert-provider_1 | [Info] (1/3) Failed. Retrying in 5 seconds…
cert-provider_1 | [Info] (2/3) Connecting…
cert-provider_1 | [Info] (2/3) Failed. Retrying in 5 seconds…
cert-provider_1 | [Info] (3/3) Connecting…
cert-provider_1 | [Info] (3/3) Failed!
cert-provider_1 | [Info] Unable to access api.openbalena. on port 80. This is needed for certificate validation. Retrying in 30 seconds…
cert-provider_1 | [Info] Waiting for api.openbalena. to be available via HTTP…
cert-provider_1 | [Info] (1/3) Connecting…
cert-provider_1 | [Info] (1/3) Failed. Retrying in 5 seconds…
cert-provider_1 | [Info] (2/3) Connecting…
cert-provider_1 | [Info] (2/3) Failed. Retrying in 5 seconds…
cert-provider_1 | [Info] (3/3) Connecting…
cert-provider_1 | [Info] (3/3) Failed!
cert-provider_1 | [Info] Unable to access api.openbalena. on port 80. This is needed for certificate validation. Retrying in 30 seconds…

When I do a "docker restart <container-id-of-openbalena_cert-provider>", I get:
…
[Info] Installing certificates…
[Fri Jan 14 15:20:19 UTC 2022] Installing cert to: /tmp/cert.pem
[Fri Jan 14 15:20:19 UTC 2022] Installing key to: /tmp/key.pem
[Fri Jan 14 15:20:19 UTC 2022] Installing full chain to: /tmp/fullchain.pem
[Fri Jan 14 15:20:19 UTC 2022] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Fri Jan 14 15:20:19 UTC 2022] Reload success
[Info] Waiting for api.openbalena.teamo.at to use a staging certificate…
[Info] (1/3) Connecting…
[Info] (1/3) Failed. Retrying in 5 seconds…
[Info] (2/3) Connecting…
[Info] (2/3) Failed. Retrying in 5 seconds…
[Info] (3/3) Connecting…
[Info] (3/3) Failed!
[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.openbalena.teamo.at to be available via HTTP…
[Info] (1/3) Connecting…
[Info] (1/3) Success!
[Info] Last acquired certificate for STAGING
[Info] Using STAGING mode
[Info] Waiting for api.openbalena.teamo.at to be available via HTTP…
[Info] (1/3) Connecting…
[Info] (1/3) Success!
[Info] Issuing certificates…
[Fri Jan 14 15:24:55 UTC 2022] Domains not changed.
[Fri Jan 14 15:24:55 UTC 2022] Skip, Next renewal time is: Tue Mar 15 15:20:19 UTC 2022
[Fri Jan 14 15:24:55 UTC 2022] Add '--force' to force to renew.
[Info] Installing certificates…
[Fri Jan 14 15:24:56 UTC 2022] Installing cert to: /tmp/cert.pem
[Fri Jan 14 15:24:56 UTC 2022] Installing key to: /tmp/key.pem
[Fri Jan 14 15:24:56 UTC 2022] Installing full chain to: /tmp/fullchain.pem
[Fri Jan 14 15:24:56 UTC 2022] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Fri Jan 14 15:24:56 UTC 2022] Reload success
[Info] Waiting for api.openbalena.teamo.at to use a staging certificate…
[Info] (1/3) Connecting…
[Info] (1/3) Failed. Retrying in 5 seconds…
[Info] (2/3) Connecting…
[Info] (2/3) Failed. Retrying in 5 seconds…
[Info] (3/3) Connecting…
[Info] (3/3) Failed!
[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]

PR: RFC: cert-provider: skip staging and issue a production certificate directly by bernhardkaindl · Pull Request #134 · balena-io/open-balena · GitHub

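The two checks that the cert-provider log above performs, the wait for api.<domain> on port 80 (required for http-01 validation) and the later "Waiting for ... to use a staging certificate" step that failed with "Unable to detect certificate change over", can be reproduced from the host to tell which of the two is actually broken before restarting containers. The script below is an added example; it is not open-balena's cert-provider script and not code from anyone in this thread. It assumes curl and openssl are installed on the host, and that the Let's Encrypt staging issuer names contain "(STAGING)" or "Fake LE" while production issuers contain "Let's Encrypt" (the self-signed placeholder certificate open-balena installs matches neither).

```shell
#!/bin/sh
# Added example (not part of open-balena). Two host-side checks that mirror
# what the cert-provider container does:
#   1. retry/http_up   - is api.<domain> reachable on port 80 (http-01)?
#   2. served_issuer   - which CA issued the certificate served on 443?
#      classify_issuer - is that staging, production, or something else
#                        (e.g. the self-signed placeholder)?
# Assumed, not taken from the thread: curl and openssl on the host, and the
# issuer-name substrings used in classify_issuer.

# retry N DELAY CMD...: run CMD up to N times, DELAY seconds apart.
# Returns 0 on the first success, 1 if every attempt fails.
retry() {
  attempts=$1; delay=$2; shift 2
  i=1
  while [ "$i" -le "$attempts" ]; do
    if "$@"; then
      return 0
    fi
    if [ "$i" -lt "$attempts" ]; then
      sleep "$delay"
    fi
    i=$((i + 1))
  done
  return 1
}

# http_up HOST: succeed if HOST answers anything at all on port 80.
# No -f: a 404 or a redirect still proves the port is reachable, which is
# all the http-01 challenge needs from this side.
http_up() {
  curl -s -o /dev/null --max-time 5 "http://$1/"
}

# served_issuer HOST [PORT]: print the issuer DN of the leaf certificate
# HOST presents on PORT (default 443). Verification is deliberately off:
# we want the answer even when the served cert is self-signed.
served_issuer() {
  host=$1; port=${2:-443}
  echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null
}

# classify_issuer ISSUER_DN: map an issuer line to staging/production/other.
# Staging is tested first because its DN also contains "Let's Encrypt".
classify_issuer() {
  case "$1" in
    *"(STAGING)"*|*"Fake LE"*) echo staging ;;
    *"Let's Encrypt"*)        echo production ;;
    *)                        echo other ;;
  esac
}

# Usage: sh check-cert.sh api.example.com   (hypothetical host name)
if [ -n "$1" ]; then
  host=$1
  if retry 3 5 http_up "$host"; then
    echo "$host reachable on port 80"
  else
    echo "$host NOT reachable on port 80: http-01 validation cannot succeed" >&2
  fi
  issuer=$(served_issuer "$host")
  echo "issuer: $issuer"
  echo "mode:   $(classify_issuer "$issuer")"
fi
```

If the port-80 check fails from outside while the container reports success, the difference is usually the firewall or a haproxy that was still starting when the container first polled, which is what the restart in the post above worked around. If port 80 is fine but the issuer is classified as "other" after acme.sh reported "Reload success", the new PEM was written but haproxy is still serving the old certificate, which is exactly the "certificate change over" the cert-provider fails to detect.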

Sad to see that such problems stay as long as months in the codebase…

Hope this will get better in the future

For now, I stopped evaluating openBalena because of missing features and lack of time. I will freeze this account and will continue to participate with @Markus.Kohn.GWA which is my account when it comes to the company I work for.

@mawiguk0 we have a draft PR open against openBalena, which aims to address a lot of existing concerns. It is blocked on internal tech-debt, but hopefully, once that is cleared, we'll have openBalena published to balenaHub with a much easier interface.


Thanks for the update @ab77,

I will close the Topic as soon as the PR is closed.

Regards,
Markus