Failing registering device with balenaos-in-container

Another thing i noticed is that the value you have for the apiEndpoint doesn’t look like a real domain (https://api.domain.org). Is that something you sanitised before posting to us for security? Or is that what is on your copy of the config.json file?

Hi
to generate the config file I did:

balena os configure image_nuc.img --app myAppforNuc

and went inside the image file to copy the config.json

Yes, i have a real domain, and so the api.domain.org is sanitised.

Hi there, what do you mean you went inside the image file to copy the config.json? You don’t need to manually copy the config.json, balena os configure does that for you. Can you try following https://www.balena.io/open/docs/getting-started step by step and see if the issue gets resolved? If you are still having issues, we can see why that’s happening.

I don’t think I’ve explained well my problem.

I am not trying to configure a local image of the intel-nuc, but one I’ve pull from the dockerHub, and use it through the balena-os-container project so, I think I just need a config.json file.

By following that tutorial I would get a local image of the intel-nuc with inside the config.json, isn’t it?

Yes, that’s true, I missed that point. Can you then try using https://www.balena.io/docs/reference/balena-cli/#config-generate to generate the config.json, and then use that when you are running ./balenaos-in-container.sh? Let me know if that works and I can look into it further if it doesnt.

this are my steps:

balena app create myApp

and choose intel-nuc

balena config generate --version 2.50.1_rev1.dev-intel-nuc  --device-type intel-nuc --app myApp --output config.json

chooose ethernet and 10 minutes for updates

./balenaos-in-container.sh --image resin/resinos:2.50.1_rev1.dev-intel-nuc --id test -c "config.json" --detach

docker exec -ti <uuid> /bin/bash

balena ps

balena logs <uuid-supervisor>

and I get this, I think relevant logs:

[error]   LogBackend: unexpected error: Error: self signed certificate in certificate chain
[error]         at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
[error]       at TLSSocket.emit (events.js:310:20)
[error]       at TLSSocket._finishInit (_tls_wrap.js:917:8)
[error]       at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12)

[info]    New device detected. Provisioning...
[event]   Event: Device bootstrap failed, retrying {"delay":30000,"error":{"message":""}}

what could be the problem then?

thanks again for the help

Hi @matteopeluso, taking a step back here. Could you please verify that openBalena works fine?

[error]   LogBackend: unexpected error: Error: self signed certificate in certificate chain
[error]         at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
[error]       at TLSSocket.emit (events.js:310:20)
[error]       at TLSSocket._finishInit (_tls_wrap.js:917:8)
[error]       at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12)

This error you posted points to misconfigured certification. Could you check that you have completed the install self signed cert section?

Specifically making sure you have set export NODE_EXTRA_CA_CERTS='/path/to/ca.crt' correctly?

Perhaps recreating the certificate will address this issue already. If not, let us know so we could dive into further debugging.

Yes, I have completed the installation of the self signed cert, and I’ve been using Balena for some months already without any problem.

But I am not able to generate a new certificate because I am not the “owner” of this openBalena server.

Any idea on what else I could try? Maybe changing the device? I’ve just created another physical device, a raspberrypi3, and I didn’t have any problem with my certification in this case.

Thanks

Is this error relevant?

Failed to find module ‘autofs4’

Failed to create symlink /sys/fs/cgroup/net_prio: File exists

Failed to create symlink /sys/fs/cgroup/net_cls: File exists

Failed to create symlink /sys/fs/cgroup/cpuacct: File exists

Failed to create symlink /sys/fs/cgroup/cpu: File exists

Interesting to note that the pi3 image did work, I’ll ask our OS colleagues what the difference in between the NUC and pi3 image is.

Because the self-signed certificate is failing, my advice would be to resolve that first. We have had users report various issues before that were related to certificates not working correctly.

Hi, we have found out that openBalena has incompatibilities with balenaOS. Could you try the NUC with a balenaOS version that is lower than 2.49.0? We are actively working on resolving these issues, so a fix should arrive soon. Until then let’s confirm that this also resolves your issue.

I have tried this image resin/resinos:2.46.0_rev1.dev-intel-nuc

balena config generate --version v2.46.0+rev1.dev --device-type intel-nuc --app app --output config.json
./balenaos-in-container.sh --image resin/resinos:2.46.0_rev1.dev-intel-nuc --id test -c "path/config.json" --detach

without success, i have got the following log that I am attachingbalenaOsContainer.log (5.3 KB)

Hi,

Thanks for the logs, something jumped out at me:

[error]   LogBackend: unexpected error: Error: self signed certificate in certificate chain
[error]         at TLSSocket.onConnectSecure (_tls_wrap.js:1474:34)
[error]       at TLSSocket.emit (events.js:310:20)
[error]       at TLSSocket._finishInit (_tls_wrap.js:917:8)
[error]       at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:687:12)
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
Warning: Ignoring extra certs from `/etc/ssl/certs/balenaRootCA.pem`, load failed: error:02001002:system library:fopen:No such file or directory

It looks like the root CA is not populated, and this would be coming from your config.json. Could you share the config.json you’re using and just obfuscate the URL and API keys?

Thanks.

I can see you have a valid base64 encoded PEM for the root CA so I am not sure why this isn’t being populated into /etc/ssl/certs/balenaRootCA.pem – I wonder if this is something relevant to how it runs in a container but I haven’t tried this myself. I see that the domain in the cert is a .local domain so I presume you have openBalena running on your LAN somewhere?

I’m sorry, but I am not sure I got your question.

what are you referring to?

The certificate which is in your config.json looks like it’s the one built for openbalena.local which is the default domain used when creating an openBalena instance. I was just confirming that your openBalena instance is somewhere within your LAN since .local domains are resolved via mDNS and this doesn’t propogate through gateways/routers normally.

Hey.

By any chance, did you have luck figuring out the configuration with regards to your openBalena setup?

I am still not completely sure about the question, but yes, I am trying to create a docker container with balenaOs + IntelNuc within my LAN.

I didn’t changed any openBalena setups from the tutorial installation.

But I managed to run an intel-nuc image ( balenaOS 2.46.0+rev1) with the same application on a Virtual Machine

Thanks for the information and we continue to try to improve the experience from openBalena.

Hi. Just to let you know, today we released a new major version of openBalena adding support to the later versions of balenaOS.
Feel free to check it out. However, please note that to take advantage of the full functionality at least balenaOS v2.58.3 is recommended.

1 Like