Failed to login to balena

Hi,

I installed openbalena on an AWS instance and got this error at login.

Logging in to x.y.z.com
? How would you like to login? Credentials
? Email:
? Password: [hidden]
FetchError: request to https://api.x.y.z.com/login_ failed, reason: self signed certificate in certificate chain
at ClientRequest.<anonymous> (/snapshot/versioned-source/node_modules/node-fetch/index.js:133:11)
at ClientRequest.emit (events.js:189:13)
at ClientRequest.EventEmitter.emit (domain.js:441:20)
at TLSSocket.socketErrorListener (_http_client.js:392:9)
at TLSSocket.emit (events.js:189:13)
at TLSSocket.EventEmitter.emit (domain.js:441:20)
at emitErrorNT (internal/streams/destroy.js:82:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:50:3)
at process._tickCallback (internal/process/next_tick.js:63:19)

I am running on CentOS 7, and I already updated the system to trust the self-signed cert by using the following commands and restarted Docker:

export NODE_EXTRA_CA_CERTS=~/open-balena/config/certs/root/ca.crt
update-ca-trust force-enable
cp /root/open-balena/config/certs/root/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

Any idea?
Thanks

Hey @pli

I’m assuming you’re using the quickstart script to get up and running.
As you’re using a custom domain name, I wonder if this was specified when you ran quickstart and if the certificates generated were copied to your client after that?

Hi @chrisys,

I used a registered domain name but a self-signed cert for testing at the moment. Yes, I am using quickstart to set up the instance.

Thanks

Hi @pli,
Can you show us the CLI command you run on your workstation? You mentioned you use the command export NODE_EXTRA_CA_CERTS=~/open-balena/config/certs/root/ca.crt and restarted Docker. I’m not sure what you mean by that, but you need to add the envvar NODE_EXTRA_CA_CERTS to point to the ca.crt for the CLI process.
Also, to get to the bottom of this, maybe you can check what certificate is used for your API: curl -v https://api.x.y.z.com/login_.

@afitzek

I found out my problem is caused by the DNS pointing to the wrong server running openbalena. Thanks for your help!

Patrick
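
The two checks that resolve this thread (which certificate the API presents, and which server the name resolves to), as an added example that is not part of the original posts or of balena's code. It assumes openssl and getent are installed; the function names, directory names and CA subjects are hypothetical, and the offline demo builds two throwaway installs to show why a correctly trusted ca.crt still fails when DNS points at a different server.

```shell
#!/usr/bin/env bash
# Added example: function names, directories and CA subjects are hypothetical,
# and every certificate used in the demo is constructed on the spot.

# Which addresses does the name resolve to? Compare with the intended server's IP.
resolved_addrs() { getent ahosts "$1" | awk '{print $1}' | sort -u; }

# Save the leaf certificate the endpoint actually presents (needs network access).
fetch_leaf() {  # fetch_leaf HOST OUT.pem
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -out "$2"
}

# Does the presented certificate chain to the CA the CLI was told to trust?
issued_by_ca() {  # issued_by_ca CA.crt LEAF.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Offline stand-in for one install: its own root CA plus an API certificate.
make_install() {  # make_install DIR HOST
  mkdir -p "$1" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca-$(basename "$1")" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/api.key" -out "$1/api.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/api.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/api.crt" 2>/dev/null
}

demo() {
  tmp=$(mktemp -d)
  make_install "$tmp/intended" api.x.y.z.com   # the server whose ca.crt you copied
  make_install "$tmp/other" api.x.y.z.com      # the server DNS really points at
  issued_by_ca "$tmp/intended/ca.crt" "$tmp/intended/api.crt" &&
    echo "intended server: chains to the trusted ca.crt"
  issued_by_ca "$tmp/intended/ca.crt" "$tmp/other/api.crt" ||
    echo "other server: does not chain to the trusted ca.crt"
  rm -rf "$tmp"
}

demo
```

Against a live instance, run resolved_addrs and fetch_leaf for the API hostname, then pass the saved leaf and the file NODE_EXTRA_CA_CERTS points at to issued_by_ca.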