Deploy failed unauthorized: authentication required

I’m trying to deploy my first app to openBalena however I am getting the below error. Adding an application and provisioning of devices etc works OK.

balena deploy myapp --logs --source . --emulated
[Info] Everything is up to date (use --build to force a rebuild)
[Info] Creating release…
[Info] Pushing images to registry…
Retrying “registry.mydomain.com/v2/d5876ca8376bc70a3fb5470403891a6d:latest” after 2.00s (1 of 3) due to: Error: unauthorized: authentication required
Retrying “registry.mydomain.com/v2/0ca99811e63dcb58134c435ff515d0d3:latest” after 2.00s (1 of 3) due to: Error: unauthorized: authentication required
Retrying “registry.mydomain.com/v2/d5876ca8376bc70a3fb5470403891a6d:latest” after 2.80s (2 of 3) due to: Error: unauthorized: authentication required
Retrying “registry.mydomain.com/v2/0ca99811e63dcb58134c435ff515d0d3:latest” after 2.80s (2 of 3) due to: Error: unauthorized: authentication required
[Info] Saving release…
[Error] Deploy failed
unauthorized: authentication required

Additional information may be available with the --debug flag.
For help, visit our support forums: https://forums.balena.io
For bug reports or feature requests, see: https://github.com/balena-io/balena-cli/issues/

is there anywhere I can look to get any additional logs? I’m using registry v2.13.11 and CLI v12.23.4
Not sure if it makes any difference but I am using a let’s encrypt SSL certificate.

Hi

Can you update to the later versions of OpenBalena and the CLI
We have successfully tested openBalena v3 with CLI v12.25.6 and things work as expected on that front.

If things still don’t work after you update we can dive deeper into this. Also - shouldn’t mydomain.com point to what you are actually using as a domain? Or did you just change the domain to that for privacy reasons?

domain name is actually different, just changed it not to expose the name (at least for now :wink:) I’ve upgraded to 12.29.1 (everything seems to be working) but I still get the same issue with the deploy

The error is hinting that the credentials provided to the registry cannot be validated by the API; the API is the hub which all other services use for authentication/source of truth. Is there anything in the registry / API logs to indicate an error somewhere?

In the registry this is what I see

Dec 08 23:14:31 408abd5cf33c registry[743]: time=“2020-12-08T23:14:31.399569983Z” level=warning msg=“error authorizing context: invalid token” go.version=go1.11.2 http.request.host=registry.my-domain.cloud http.request.id=9e468fe3-0fd7-41f3-85bf-b931b32020c6 http.request.method=POST http.request.remoteaddr=XXX.X.72.XX http.request.uri="/v2/v2/0f0b8e0f64c4b764840918b6caf10c42/blobs/uploads/" http.request.useragent=“docker/19.03.14 go/go1.13.15 git-commit/5eb3275d40 kernel/5.4.0-56-generic os/linux arch/amd64” vars.name=“v2/0f0b8e0f64c4b764840918b6caf10c42”

Do you have anything corresponding in the API logs?

Attached. Looks like the issue is being caused when performing a aselect on the permissions table. registry.log (148.5 KB)

Just few more questions, are you using open-balena 3.1.1 without modifying any of the versions of the services? Is this a new setup of you upgraded from an earlier open-balena version? I assume creating apps, provisioning a device, etc. all worked? The reason I’m asking is we’ve made sure that the specified versions in open balena work and there are many users who are using it successfully, so I’m wondering what is different in your setup that causes issues.

No modifications whatsoever. Registration, deleting etc is ok. Just deploy is an issue. Yes i upgraded recently but had never tried deploy before.

Hi. Could you double check that all of these subdomains point to your openBalena server:

where mydomain.com is the domain you are using for your server.

Since you have never pushed a release before would it be possible to reinstall openBalena from scratch by following the guide all the way to end? In particular, if deploy works using the self-signed certificates that the quickstart script generates.

I can confirm that they all point to my server. Not sure if it makes a difference but in reality everything is using sever.domain.com not domain.com like I have said before. So logs etc actually say api.server.domain.com etc (have replaced the whole subdomain when a TLD domain when masking the logs)

I have gone trough the setup again however the issue still persists and data and SSL certificate where
retained

can I try calling the API methods trough postman to be able to at least identify what is wrong?

Hi there, if it’s not a problem for you, could you please wipe your openBalena instance entirely (including SSL certs and data, docker volumes, etc) and try going through the fresh instance setup from the top down. If that results in a broken environment again, please let us know and we’ll attempt to replicate this issue in-house.

Oh, also - what base server are you using for this? We’ve tested openBalena on Ubuntu 18.04 LTS x64…

I was running on Amazon Linux 2, tried setting up on a new instance but still got the same issue. I’ve now spawned a new instance using Ubuntu 18.04 LTS and worked flawlessly! :slight_smile: