Failing to add device

Hello,
I have restarted by openBalena journey with local openBalena installation in Vagrant provisioned VM
and with balenaOS 2.29 dev image.
Vagrantfile made new start super easy. Also happy to have updated device OS (2.29) from https://www.balena.io/os/.

I am trying to join platform via
NODE_EXTRA_CA_CERTS=~/w/ob1/ob.crt RESINRC_RESIN_URL=openbalena.local balena join
which offers my app1 and local device and it reports success.

However “balena devices” does not show my new device

a/ VPN reports auth failure
Jan 03 16:54:55 balena openvpn[3622]: Thu Jan 3 16:54:55 2019 Attempting to establish TCP connection with [AF_INET]172.27.234.101:443 [nonblock]
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 TCP connection established with [AF_INET]172.27.234.101:443
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 TCP_CLIENT link local: (not bound)
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 TCP_CLIENT link remote: [AF_INET]172.27.234.101:443
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 TLS: Initial packet from [AF_INET]172.27.234.101:443, sid=2f0b59d7 8d63a581
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 VERIFY OK: depth=2, CN=ca.openbalena.local
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 VERIFY OK: depth=1, CN=vpn-ca.openbalena.local
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 VERIFY KU OK
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 Validating certificate extended key usage
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 VERIFY EKU OK
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 VERIFY OK: depth=0, CN=vpn.openbalena.local
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Jan 03 16:54:56 balena openvpn[3622]: Thu Jan 3 16:54:56 2019 [vpn.openbalena.local] Peer Connection Initiated with [AF_INET]172.27.234.101:443
Jan 03 16:54:58 balena openvpn[3622]: Thu Jan 3 16:54:57 2019 SENT CONTROL [vpn.openbalena.local]: ‘PUSH_REQUEST’ (status=1)
Jan 03 16:54:58 balena openvpn[3622]: Thu Jan 3 16:54:58 2019 AUTH: Received control message: AUTH_FAILED
Jan 03 16:54:58 balena openvpn[3622]: Thu Jan 3 16:54:58 2019 SIGTERM[soft,auth-failure] received, process exiting
Jan 03 16:55:08 balena systemd[1]: openvpn.service: Service hold-off time over, scheduling restart.
Jan 03 16:55:08 balena systemd[1]: openvpn.service: Scheduled restart job, restart counter is at 68.
Jan 03 16:55:08 balena systemd[1]: Stopped OpenVPN.

b/ supervisor also fails
Jan 03 16:25:24 balena resin-supervisor[998]: [2019-01-03T16:25:24.209Z] New device detected. Provisioning…
Jan 03 16:25:24 balena resin-supervisor[998]: [2019-01-03T16:25:24.424Z] Event: Device bootstrap failed, retrying {“delay”:30000,“error”:{“message”:""}}
Jan 03 16:25:54 balena resin-supervisor[998]: [2019-01-03T16:25:54.448Z] Event: Device bootstrap {}
Jan 03 16:25:54 balena resin-supervisor[998]: [2019-01-03T16:25:54.497Z] New device detected. Provisioning…
Jan 03 16:25:54 balena resin-supervisor[998]: [2019-01-03T16:25:54.656Z] Event: Device bootstrap failed, retrying {“delay”:30000,“error”:{“message”:""}}
Jan 03 16:26:24 balena resin-supervisor[998]: [2019-01-03T16:26:24.673Z] Event: Device bootstrap {}
Jan 03 16:26:24 balena resin-supervisor[998]: [2019-01-03T16:26:24.738Z] New device detected. Provisioning…
Jan 03 16:26:24 balena resin-supervisor[998]: [2019-01-03T16:26:24.880Z] Event: Device bootstrap failed, retrying {“delay”:30000,“error”:{“message”:""}}

What is recommended way to provision device to openBalena platform?

What troubleshooting steps do you recommend?

Checklist:

  • device resolves all x.openbalena.local names to local IP
  • this IP is reachable with full IP connectivity
  • I was able to login with balena CLI, so I assume certificate is correct

Thank you
Martin

@mko it looks like you have most things plumbed together OK, but the supervisor isn’t having much luck in registering itself with your app.

I would start by pulling the SD card and re-configuring it for the app and seeing if it will register then; maybe something went awry.

If that doesn’t work, then I would jump onto the Pi and get into the supervisor container to confirm that your api.openbalena.local is pingable, and you can curl -ik https://api.openbalena.local/ping and get OK

Hi I’m having a similar issue and I’m almost certain its a problem with the certificates. I SSH’d into the device I’m trying to deliver to my openbalena and checked the openvpn service logs and saw a few auth failure errors.

Somewhere else in the forums someone suggested to try fresh again with a new balena configure, reflash, and power back up. Same problem exists.

Is the balenaRootCa in the img config.json file supposed to match the ca.crt file created during openbalena quickstart instructions? That ca.crt is copied to the local machine and used to connect the cli to openbalena. I checked mine and they do not match, but I wasn’t sure if it should.

Thanks for getting in touch, @barryjump. This thread investigates a similar issue and might be worth looking at. The most notable point being:

“As long as the CA certificate which signed the VPN’s server certificate (set via an env var on the VPN service) matches the one delivered by the API then it should be good.”

Please try this out and let us know the results! If there was any context we’ve missed or helpful info you want to add to this thread, feel free as well!

Thanks @andrewnhem it actually turns out that in my case, at least for the post on this thread, I was trying to onboard a Pi Zero W which unfortunately only offers OS 2.54.2 as the latest, which is not compatible with openbalena. I tried again with a pi4 which has a newer OS and it works fine.

Any idea when openbalena users might be able to use Pi zeros?

We don’t have a deadline for the Pi Zero and openBalena, but that doesn’t mean we won’t release it. However, hopefully, someone in the community makes a contribution and releases a compatible version. Keep tuned!

1 Like

Cool thanks. I asked this elsewhere I think but does that also mean the Fin wont work in openbalena as well?

Hi

For the time being it won’t. We noticed an issue with some newer versions of the balenaFin - and have pulled them from our releases so that folks won’t run into the said issue. This is temporary and we should be releasing newer os versions of the Fin with the fix soon. After that OpenBalena should work just fine for balenaFin.

@andrewnhem @anujdeshpande @mko What was the resolution to this issue? I am seeing this same error on raspberry pi 3-64 bit os. I verified that the device could curl my open balena server, I read this thread but did not find anything useful. Any help would be greatly appreciated.

Hey @mchonaker - we have new versions of balenaOS - 2.65 for example - that should work fine with OpenBalena. Were you able to find those?

Check here

Also - you are using a RPi3 right? Or are you using a balenaFin?

I was able to fix this by using the arm version of the raspberry pi image.

@mchonaker Great news, glad to hear you fixed it, and thanks for letting us know!