Deploying app to registry in Open Balena getting x509 error


#1

Hello,
I hope you are well. I followed the OpenBalena quickstart guide to get up and running. I was able to get everything running and get Balena-CLI to log in to OpenBalena and configure my OS. However, when I went to deploy my application I got an x509 error for the registry: "Get https://registry/v2/: x509: certificate signed by unknown authority"

Not really sure what the problem is, so I thought I would get your thoughts on the matter.

Kind Regards,
Jock


#3

@JockDaRock

Indeed that does sound unusual since the containers are populated with the generated CA cert when the install is created.

Could you provide a bit of information about your host system, OS, docker version etc? Thanks!


#4

Thank you for the reply.

So, part of this might be the way I am deploying it. I kind of hacked something together quickly so I can deploy it easily and fast, but all the while still using the quick start guide. I am actually running OpenBalena quick start in a Kubernetes container. Basically docker-compose inside the Kubernetes container on my GKE cluster. So it is running Docker in Docker (DinD). I probably need to just convert your docker-compose structure to a set of Kubernetes yamls and place the certs in a secrets vault. This all might be what I get for being clever.

On a different note, I was able to get the BalenaCLI to actually push to the registry by replacing the root CA certs with ones generated by LetsEncrypt. Anyway, probably more of me not using best practices and me not digging into the structure a bit more.

Here is some information about my systems.

Development Machine:
Device: Mac OS (Just upgraded to Mojave)
Docker Version: 18.09

Host Device with BalenaOS:
Device: Intel-Nuc
Memory: 8 GB RAM
CPU: i5 Processor
Connectivity: Ethernet

Open-Balena Instance on GKE:
Container OS: Ubuntu 18.04
Docker Version: 18.06


#5

@JockDaRock, I ran into this last night, and did the same LetsEncrypt shenanigans you did… before I nuked it and followed the getting started guide again, assuming I had messed something up.

Nope! Turns out you need to restart docker on Mojave for it to reload your new CA.


#6

@kazazes yes, you need to restart the Docker engine from the top menu to reload your system certs.

@JockDaRock that’s indeed an unusual setup, but it might interest you to know that we are planning K8s support in the future, so that would probably be your best route. In the meantime, converting the compose to K8s would be my advice to you.

Something I have done personally is put a reverse proxy in front of the containers which does my LetsEncrypt cert acquisition and then forwards the requests to the backend HAproxy service we expose on port 80.


#7

This is super good to know… and I guess that makes sense as well. Figures it was something small. Thank you for your feedback.


#8

Yeah, I will look into just converting the process to k8s. I just wanted to test it and be able to repeat it and scale it. I have been way more familiar with k8s for some time now. I was trying to just put together some testing super quick, not anything super formal or production ready. I knew I could write something in a few minutes using your Quickstart guide that could have me up and running on my k8s cluster.

That said, it ended up being the need to restart the Docker daemon on my development machine. Can I suggest you add a section in the quickstart guide that at least makes note of that, like… “You may need to restart the Docker daemon on your development machine for the Docker daemon to use your certs.” Or something like that :)
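
An added example, not part of the thread and not openBalena's own tooling: the error in post #1 means the CA that signed the registry certificate was not in the trust store the client consulted, and this script reproduces that condition offline with the `openssl` CLI. Every certificate, name and path in it is generated on the fly and hypothetical.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name here is generated locally
# and is hypothetical; nothing is taken from a real openBalena install.

# make_demo_pki DIR: throwaway root CA, an unrelated CA, and a registry leaf
# certificate signed by the first CA.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo openBalena root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=registry.example.local" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -days 1 -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
}

# chain_trusted CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE.
# Matching on ": OK" avoids relying on the exit status of old openssl builds.
chain_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# issuer_of / subject_of: print the DN so the two can be compared directly.
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# report CAFILE CERT: one-line verdict in the wording of the Docker error.
report() {
    if chain_trusted "$1" "$2"; then
        echo "trusted: issuer '$(issuer_of "$2")' found in $1"
    else
        echo "x509: certificate signed by unknown authority ('$(issuer_of "$2")' not in $1)"
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    report "$tmp/ca.crt" "$tmp/leaf.crt"      # store holds the signing CA
    report "$tmp/other.crt" "$tmp/leaf.crt"   # stale store without that CA
    rm -rf "$tmp"
}
demo
```

Against a real install, the same `chain_trusted` and `issuer_of` checks can be pointed at the instance's generated CA file and a saved copy of the registry certificate to confirm which CA the client needs to trust.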