@richbayliss, glad to hear that. I’m looking forward to testing it. We are on the way to implementing an industrial IoT fleet management. The open source approach is definitely a very good reason to go with balena. It’s not that much about the costs. It’s about not being vendor locked-in.
Some updates were released on openBalena (V0.1.1).
Just for my and everyone’s knowledge a few questions:
- Is V0.1.1 the update that resolves the issue regarding the false “offline” state?
- If this is the update that resolves the issue, or when the issue is released, do we only have to update our openBalena instance, or do we also have to reflash the devices?
Thanks in advance!
No this update wasn’t relevant to the offline state, but here is the commit which is https://github.com/balena-io/open-balena/commit/b2ec80fbdba81a71a7dc30e6b9a52dfb6aca4a8c
You should update your local repo with the master branch, and then re-run the quickstart to get the correct config. This will mean re-provisioning your devices as the certs will be regenerated. Alternatively, wait a while and we are hoping to release another update this week which will use existing certs and just update the config; this would mean a simple update, re-run of quickstart, and then a ./scripts/compose pull && ./scripts/compose up -d
@bversluijs I was too quick to reply - that patch is live now too, https://github.com/balena-io/open-balena/commit/cec371f0b87d90eaf15462f6a8e961461a14405a
Please report back if you have any issues.
Hi @richbayliss,
Awesome! I will test that now!
I’ve tweaked my OpenBalena a bit, and used Let’s Encrypt certificates like I mentioned before. I didn’t replace the root certificate with the Let’s Encrypt certificate, but just edited the config file from haproxy to use the Let’s Encrypt certificate. I think this is going to create some issues, am I right?
It’s no problem for me to just re-run the quickstart and start again with a clean openBalena system. So I’ll do that if necessary.
But can you explain how the SSL certificates work? Because whenever I change the certificate, for example I want to use a Let’s Encrypt certificate or another signed-certificate, is it just okay to change that at the openBalena server-side and everything just works? Or is it required to always use the certificate that was generated at quickstart and the OS is configured with?
Thanks in advance! I’ll let you know if it works on my side!
EDIT
I can confirm my device is online! It now says: ‘true’, like it’s supposed to do. Awesome!
I’ve backed up my old openBalena config, pulled the master branch again and executed the quickstart. After rebooting the device, it shows that it is online!
The only thing is, when I browse to my openBalena domain, like https://api.openbalenadomain.com/, it still says that the certificate is the Let’s Encrypt certificate. But I pulled a new master branch and started that branch, so that’s weird, isn’t it? Don’t get me wrong, if it works with Let’s Encrypt, that’s awesome! But I want to be sure that’s the case.
All in all, awesome work from you guys! We really appreciate it and are looking forward to working with it!
@bversluijs awesome! and the reason your certs are fine is because you didn’t have to change the activate file; this is where the certs are base64’d and kept as environment variables.
I presume you did the following? ./scripts/pull && ./scripts/up -d
For our info, which OS release is your device running at the moment?
I’ve moved the ~/open-balena folder to ~/open-balena.bak and did a new git pull from the master branch, so I have a fresh ~/open-balena directory. I then did the ~/scripts/quickstart again and the ~/scripts/compose up -d. That works fine, but it still uses the Let’s Encrypt certificate. I didn’t change any root certificates or anything, I just edited the ./haproxy/ files, so it uses another SSL certificate in the previous open-balena directory, so now the ~/open-balena.bak.
Probably a little bit difficult to follow, I’m happy to explain this further in a private message or chat or something. But the devices are intact, so it still uses the “old” database. This is correct?
And at this time I’m using the Raspberry Pi 3B BalenaOS 2.27.0+rev1 version. We will be using Raspberry Pi’s and UP Boards. I’m happy to test other versions with openBalena on raspberry pi’s and UP Squared boards!
@bversluijs ah OK this makes sense - the HAproxy container is built and if you changed the config to use something which hasn’t changed then the up -d command isn’t going to rebuild it, so it uses the existing image.
I am looking at ways to make it easy and straightforward to use LE certs in OpenBalena - we have ways to do this but it is finding the nicest approach.
Regarding devices, we would be very grateful if you test anything else to just update us on here. It’s always good to hear success stories and it helps others in the community too.
For now, congrats on being the first person outside Balena to have your instance with working VPN, you can consider it an early Christmas gift. There will be more to come, probably early in the new year so I hope you have a great holiday season and I look forward to hearing how your progress with OpenBalena is coming along.
Hi @richbayliss
Awesome Christmas gift!
I’ve tried to ssh into my online devices, but I get the following message:
bash: enter: command not found
Is this an issue that I can fix or is this an openBalena issue?
Actually this is a Balena CLI issue which is currently being worked on by the team. It should be a simple case of npm install balena-cli -g again to update it when it’s released.
That’s too bad, but thanks for the heads-up!
I will post my findings in this topic regarding the combination of BalenaOS and openBalena!
Have a great holiday and keep up the awesome work!
How did you get it to work with LE?
I am currently trying to get it to work with the docker-compose-letsencrypt-nginx-proxy-companion.
That would be the easiest solution I think
It never worked with the self-signed certificates, correct?
@Torben I have previously put a container in front of HAproxy but this will break the VPN and the device will stay “offline”. This is because of the way we have HAproxy configured.
The best way would be to get your certificate & key and combine them into the activate file as the current process does with the self-signed ones. I would leave the VPN ones alone though.
Rest assured though, we are working on making this process much easier. So if you don’t manage to get it working, then we will hopefully have something in the new year.
Any update on resolution to this issue?
@bversluijs I’m trying to follow exactly what you did to resolve this but have been unable to replicate. Any chance you could post a general list of steps you took?
Cheers,
Chris
Never mind. Finally cracked it. Fixed with balenaOS 2.29.0. I was previously using 2.27.0 as it was the only version which Intel link works for off the homepage.
I set up an app in balena cloud and downloaded 2.29.0 from there and used ‘balena configure’ to set up with my open balena instance.
Reset my open balena instance to default self-signed certs and voila, it works. This is enough for me to continue testing with. I would like to change it to a proper signed cert at a later date though.
Thank you to everyone in this post who has contributed their tests/attempts/findings which helped me work through it.
Cheers
Chris
Yes, the balenaOS-side fixes required for the devices appearing offline issue landed on 2.29.0+rev1 and that is currently the minimum required OS version for openBalena.