Certificates of openBalena

Hi all,

I’ve been busy with openBalena for a while and this time I have a question about the certificates of openBalena.
When creating an openBalena instance using ./scripts/quickstart, some certificates are being generated. These are used in the following environment variables (afaik):

OPENBALENA_ROOT_CA
OPENBALENA_ROOT_CRT
OPENBALENA_ROOT_KEY

OPENBALENA_VPN_CA
OPENBALENA_VPN_CA_CHAIN
OPENBALENA_VPN_SERVER_CRT
OPENBALENA_VPN_SERVER_KEY
OPENBALENA_VPN_SERVER_DH

I have limited knowledge about certificates and I’d like to know more about the openBalena certificates. I’ve only worked with SSL certificates for HTTPS connections. Now, I know that openBalena uses HTTPS, and I use Let’s Encrypt for the HTTPS endpoints instead of the generated certificates, so I don’t get any errors while trying to connect. However, the VPN endpoint and VPN certificates don’t use Let’s Encrypt, because these are other certificates.

As far as I know, certificates have an expiry date. Let’s Encrypt uses 90 days by default and other SSL providers use 1 year. But what’s the expiry date on the openBalena certificates, like the VPN? And if they expire, what happens next? And is there a way to create new certificates for devices or something?

I’m asking this because I don’t want to know about the expiry after they’ve expired :slight_smile:.

Thanks in advance!

Hey Bart, let me double-check with the team just so I don’t give you inaccurate information and we’ll get back to you.


Hi Bart,

So the defaults for the certificate generation are found here: https://github.com/balena-io/open-balena/blob/709d00b898dc7503baf1275c58ae4d0e95544d66/scripts/ssl-common.sh#L23-L25; The CA is 10 years and the individual certificates are 2 years.

The VPN configuration is sent to the device from the API via the /os/v1/config endpoint (here is the balenaCloud one https://api.balena-cloud.com/os/v1/config) and the values in that JSON are coming from the environment variables that the API instance is running with. As long as the CA certificate which signed the VPN’s server certificate (set via an env var on the VPN service) matches the one delivered by the API then it should be good.

To answer your question about renewals, right now openBalena doesn’t renew the VPN or API certs, but the Let’s Encrypt certs DO get renewed via the CertProvider service.

Hi Rich,

Thanks for your answer. So in other words, the VPN certificate does expire, but it’s not really a problem because they’ll match and thus trust each other?

And openBalena doesn’t autorenew its certificates (except the Let’s Encrypt certs), but it is possible to renew them manually and inform the devices about it?

Thanks!

Hey Bart,
We generate a CA and certs for the VPN & VPN Server, and these are set in environment vars for the API and VPN services. The CA should last a long time, and the server cert is signed by that CA cert so if it expired then you would make a new one and update the ENV vars.

Hope this answers your question.
Please let me know if you need any further help,
Georgia

On a similar topic of certs, I downloaded the generated ca.crt to my device, then set the NODE_EXTRA_CA_CERTS env variable.

I can use balena login fine, but when I try a balena deploy myapp, it ends up failing with:

[Error]   Deploy failed
Get "https://registry.balena.${domain}/v2/": x509: certificate signed by unknown authority

From looking at the output of curl, things seem to be correct:

* Server certificate:
*  subject: CN=*.balena.${domain}
*  start date: Nov 13 02:15:59 2020 GMT
*  expire date: Nov 13 02:15:59 2022 GMT
*  issuer: CN=ca.balena.${domain}

All the *.balena.${domain} names are CNAMEs back to balena.${domain}

Is there something else required with certs?

edit:

$ balena --version
12.27.4

edit 2:
Looks like I had to copy across the ca.crt into /etc/pki/tls/certs/ and then restart docker via systemctl restart docker.

Now I get a different problem:

[Info]    Everything is up to date (use --build to force a rebuild)
[Info]    Creating release...
[Info]    Pushing images to registry...
Retrying "registry.balena.${domain}/v2/a0bd40c79a2756d16cd89b7b80959903:latest" after 2.00s (1 of 3) due to: Error: unauthorized: authentication required

I might open a new thread so as not to pollute this one further.
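Two things come up repeatedly in this thread: whether a server certificate actually chains back to the CA the API hands out (the "x509: certificate signed by unknown authority" error above is exactly that check failing), and when the generated certificates expire (10 years for the CA, 2 years for the individual certs per the defaults Rich linked). The script below is an added example, not openBalena's own tooling: it builds a throwaway CA and VPN server certificate with the same lifetimes, then shows the two openssl checks you would run against the real files. The file names (ca.crt, vpn.crt) and the example.test domain are constructed for the demo; point the functions at whatever paths quickstart wrote for you.

```shell
#!/bin/sh
# Added example (not from the thread or the openBalena repo).
# Builds a constructed CA + server cert, then checks chain and expiry.
set -eu

WORK=$(mktemp -d)

# Constructed throwaway PKI. 3650 / 730 days mirror the defaults
# quoted in the thread (CA 10 years, individual certs 2 years).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=ca.balena.example.test" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpn.balena.example.test" \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/vpn.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 730 -sha256 -out "$WORK/vpn.crt" 2>/dev/null
}

# Does the server cert ($2) chain back to the CA ($1)?  This is the same
# check the docker/registry client performs; a mismatch gives the
# "certificate signed by unknown authority" error.  Exit 0 = trusted.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Will cert $1 still be valid $2 seconds from now?  Exit 0 = yes.
# Useful as a cron/monitoring check so renewal is scheduled before expiry.
valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Human-readable notAfter of cert $1.
expiry_of() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Stand-alone run: build the demo PKI and report on it.
make_test_pki
if chain_ok "$WORK/ca.crt" "$WORK/vpn.crt"; then
  echo "vpn.crt chains to ca.crt"
else
  echo "vpn.crt does NOT chain to ca.crt"
fi
echo "vpn.crt expires: $(expiry_of "$WORK/vpn.crt")"
if valid_for "$WORK/vpn.crt" $((30 * 86400)); then
  echo "more than 30 days of validity left"
else
  echo "expires within 30 days: renew and update the env vars"
fi
```

For a real instance, run `chain_ok` with the CA file quickstart generated and the certificate the VPN (or registry) is actually serving, and schedule `valid_for <cert> $((30*86400))` so you hear about expiry before the devices do.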