Open Balena preload image error: x509: certificate signed by unknown authority


#1

Trying to create a preload image with Open Balena deployed on AWS EC2 from the cli v9.6.0 with:
balena preload /resin.img --app myAppName --commit theCommitId

And getting the following error:

- Resizing partitions and waiting for dockerd to start

- Cleaning up temporary files

(HTTP code 500) server error - Get https://registry.MYDOMAIN.com/v2/: x509: certificate signed by unknown authority

Checking with:
curl -v https://registry.MYDOMAIN.com/v2

returns (MYIP = the EC2 IP address, MYDOMAIN = my domain):

*   Trying MYIP...
* TCP_NODELAY set
* Connected to registry.MYDOMAIN.com (MYIP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.MYDOMAIN.com
*  start date: Dec 26 12:25:07 2018 GMT
*  expire date: Dec 25 12:25:07 2020 GMT
*  subjectAltName: host "registry.MYDOMAIN.com" matched cert's "*.MYDOMAIN.com"
*  issuer: CN=ca.MYDOMAIN.com
*  SSL certificate verify ok.
> GET /v2 HTTP/1.1
> Host: registry.MYDOMAIN.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Docker-Distribution-Api-Version: registry/2.0
< Location: /v2/
< Date: Wed, 26 Dec 2018 19:09:02 GMT
< Content-Length: 39
< Content-Type: text/html; charset=utf-8
< 
<a href="/v2/">Moved Permanently</a>.

* Connection #0 to host registry.MYDOMAIN.com left intact

Any ideas?


#4

Hi @patrick

I’m working on this atm. It’s definitely to do with the self-signed certificates used by openbalena.

What’s odd is you would expect this issue to also occur when building and deploying applications using the same registry and docker instance (CA cert config etc.), but in my experience the registry works fine in all other aspects except this.

I’m working through the CLI source to see exactly what it does and how/why it appears to be using a different docker daemon config/instance.

Cheers
Chris


#5

So what it is doing, I think, is starting an instance of the docker daemon to preload container images etc. with; this instance does not have the self-signed CA certificate required for the registry. I tried all the CLI options for preload but cannot see any way to specify the registry CA. I have posted an issue on the relevant GitHub repo:

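The mechanism described in the post above, as an added example that is not part of this thread, of openbalena or of the balena CLI: a small Go program (dockerd is written in Go, and this error string is Go's crypto/x509 wording) that builds a private CA and a *.MYDOMAIN.com server certificate like the chain curl printed, then runs the same verification a Go TLS client performs, once against a pool that lacks the CA and once against one that holds it. The host names follow the thread; every key and certificate is constructed test data, and RootsWithCA, VerifyRegistry and the other function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Chain is a constructed private CA and the wildcard server cert it issued, like
// the chain curl printed (issuer CN=ca.MYDOMAIN.com, subject CN=*.MYDOMAIN.com).
type Chain struct {
	CA     *x509.Certificate
	Server *x509.Certificate
}

// issue signs tmpl with the parent's key and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewChain builds the self-signed CA and the server leaf it signs (fresh keys each run).
func NewChain() (*Chain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ca.MYDOMAIN.com"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		return nil, err
	}
	server, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "*.MYDOMAIN.com"},
		DNSNames:     []string{"*.MYDOMAIN.com"}, // the SAN registry.MYDOMAIN.com matched
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Chain{CA: ca, Server: server}, nil
}

// RootsWithCA is a pool that trusts the private CA, the one entry the host's
// CAfile had and the preload daemon's store lacked.
func RootsWithCA(c *Chain) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(c.CA)
	return pool
}

// VerifyRegistry is the check a Go TLS client (dockerd included) runs in the handshake:
// chain the server cert to a trusted root, then match the host name; nil roots = system store.
func VerifyRegistry(c *Chain, host string, roots *x509.CertPool) error {
	_, err := c.Server.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority matches the error the CLI surfaced; its text begins
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// IsHostnameMismatch matches the other common x509 failure, a SAN that does
// not cover the host. Trusting the CA does not switch this check off.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}
```

VerifyRegistry(c, "registry.MYDOMAIN.com", x509.NewCertPool()) reproduces the CLI's failure, while the same call with RootsWithCA(c) succeeds, which is the difference between curl on the host (CA installed in /etc/ssl/cert.pem) and a freshly started daemon that never received the CA. A real dockerd additionally reads per-registry CAs from /etc/docker/certs.d/<registry host>/ca.crt; a daemon started inside another environment does not see that directory unless it is mounted in.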

#20

@patrick, @dash preload should now work on Linux hosts.


#21

Awesome, thanks for letting us know.

Cheers
Chris


#22

@dfunckt Should it work with the cli or balena-preload?
With the cli v9.9.2 on OSX I am getting the same error.

I can’t get balena-preload to work at all.


#23

@patrick what version of balena-preload is installed? You can check with npm ls balena-preload. You’re looking for at least version 8.1.0. You will need a fresh CLI install if it’s less than that.


#24

Thanks for following up. All seem to be up to date.
$ npm list -g balena-preload
/Users/Patrick/.nvm/versions/node/v10.13.0/lib
└─┬ balena-cli@9.10.0
  └── balena-preload@8.1.0


#25

@patrick, as mentioned above, the current fix only applies to Linux. Running it inside a Linux VM (or another computer) where you’ve installed the certs and balena-cli into might be the only way forward currently.


#26

Thanks! Using Ubuntu worked.