Open Balnea preload image error: x509: certificate signed by unknown authority

patrick · December 26, 2018, 7:29pm

Trying to create a preload image with Open Balena deployed on AWS EC2 from the cli v9.6.0 with:
balena preload /resin.img --app myAppName --commit theCommitId

And getting the following error:

- Resizing partitions and waiting for dockerd to start

- Cleaning up temporary files

(HTTP code 500) server error - Get https://registry.MYDOMAIN.com/v2/: x509: certificate signed by unknown authority

Checking with:
curl -v https://registry.MYDOMAIN.com/v2

returns:
MYIP = the EC2 ip address
MYDOMAIN = my domain

*   Trying MYIP...
* TCP_NODELAY set
* Connected to registry.MYDOMAIN.com (MYIP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.MYDOMAIN.com
*  start date: Dec 26 12:25:07 2018 GMT
*  expire date: Dec 25 12:25:07 2020 GMT
*  subjectAltName: host "registry.MYDOMAIN.com" matched cert's "*.MYDOMAIN.com"
*  issuer: CN=ca.MYDOMAIN.com
*  SSL certificate verify ok.
> GET /v2 HTTP/1.1
> Host: registry.MYDOMAIN.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Docker-Distribution-Api-Version: registry/2.0
< Location: /v2/
< Date: Wed, 26 Dec 2018 19:09:02 GMT
< Content-Length: 39
< Content-Type: text/html; charset=utf-8
< 
<a href="/v2/">Moved Permanently</a>.

* Connection #0 to host registry.MYDOMAIN.com left intact

Any ideas?

dash · December 28, 2018, 1:53am

Hi @patrick

I’m working on this atm. It’s definitely to do with the self signed certificates used by openbalena.

Whats odd is you would expect this issue to also occur when building and deploying applications using the same registry and docker instance (CA cert config etc) but in my experience the registry works fine in all other aspects accept this.

I’m working through CLI source to see exactly what it does/how to see why its appears to be using a different docker daemon config/instance.

Cheers
Chris

dash · December 28, 2018, 2:29am

So what it is doing I think is starting an instance of docker daemon to preload container images etc. with, this instance does not have the self signed CA certificate required for the registry. Tried all the CLI options for preload but cannot see anyway to specify registry CA I have posted issue on relevant github repo:

dfunckt · January 10, 2019, 12:32pm

@patrick, @dash preload should now work on Linux hosts.

dash · January 10, 2019, 11:33pm

Awesome, thanks for letting us know.

Cheers
Chris

patrick · January 12, 2019, 4:27pm

@dfunckt Should it work with the cli or balena-preload?
With the cli v9.9.2 on osx I am getting the same error.

I can’t get balena-preload to work at all.

dfunckt · January 14, 2019, 11:51am

@patrick what version of balena-preload is installed? You can check with npm ls balena-preload. You’re looking for at least version 8.1.0. You will need a fresh CLI install if it’s less than that.

patrick · January 15, 2019, 12:39am

Thanks for following up. All seem to be up to date.
$ npm list -g balena-preload
/Users/Patrick/.nvm/versions/node/v10.13.0/lib
└─┬ balena-cli@9.10.0
└── balena-preload@8.1.0

dfunckt · January 22, 2019, 1:20pm

@patrick, as mentioned above, the current fix only applies to Linux. Running it inside a Linux VM (or another computer) where you’ve installed the certs and balena-cli into might be the only way forward currently.

patrick · January 24, 2019, 1:45pm

Thanks! Using Ubuntu worked.

ajay · May 24, 2019, 7:05am

I am facing the same issue on an ubuntu machine. I have installed balena cli (as a standalone installation) 10.13.6. Any hints?

patrick · May 24, 2019, 8:00am

Not sure if this is helpful for you, but the preload command now works on Mac.

ajay · May 24, 2019, 8:15am

Hey Patrick! I switched from Mac to Ubuntu as it was failing there also.

patrick · May 24, 2019, 8:26am

I just used it yesterday on a Mac with a BalenaCloud App.
balena-cli@10.13.6
balena-preload@8.1.4

balena preload PathToStarterImage --app NameOfTheBalenaApp --splash-image PathToSplashImage

ajay · May 24, 2019, 8:34am

Am using stand alone installation of balena cli (v10.13.15) on mac. Would it make sense to install npm way?

shaunmulligan · May 24, 2019, 8:43am

@ajay I assume you are trying to do preloading for an openBalena instance? where as @patrick is preloading from the balenaCloud instance. As far as I understand the preload with selfsigned certs is still a work in progress. I have asked the CLI team to prioritise a fix for this so hopefully we can get it working soon.

ajay · May 24, 2019, 8:52am

@shaunmulligan Yes, it’s an openBalena instance. Thanks!

zvin · May 24, 2019, 10:08am

@ajay
Preloading with custom certificates should work on Linux as long as you have these certificates in /ets/ssl/certs since this commit (balena-preload 8.1.0)

ajay · May 24, 2019, 10:16am

@zvin As per the getting started guide, I have the ca.crt in /etc/ssl/certs. Also am able to see the preload.js with the fix(mounting the same) inside the balena-preload module. Still not sure why it fails.

zvin · May 24, 2019, 10:20am

What is the error?