Open Balena preload image error: x509: certificate signed by unknown authority

Trying to create a preload image with Open Balena deployed on AWS EC2 from the cli v9.6.0 with:
balena preload /resin.img --app myAppName --commit theCommitId

And getting the following error:

- Resizing partitions and waiting for dockerd to start

- Cleaning up temporary files

(HTTP code 500) server error - Get https://registry.MYDOMAIN.com/v2/: x509: certificate signed by unknown authority

Checking with:
curl -v https://registry.MYDOMAIN.com/v2

returns (where MYIP is the EC2 IP address and MYDOMAIN is my domain):

*   Trying MYIP...
* TCP_NODELAY set
* Connected to registry.MYDOMAIN.com (MYIP) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.MYDOMAIN.com
*  start date: Dec 26 12:25:07 2018 GMT
*  expire date: Dec 25 12:25:07 2020 GMT
*  subjectAltName: host "registry.MYDOMAIN.com" matched cert's "*.MYDOMAIN.com"
*  issuer: CN=ca.MYDOMAIN.com
*  SSL certificate verify ok.
> GET /v2 HTTP/1.1
> Host: registry.MYDOMAIN.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Docker-Distribution-Api-Version: registry/2.0
< Location: /v2/
< Date: Wed, 26 Dec 2018 19:09:02 GMT
< Content-Length: 39
< Content-Type: text/html; charset=utf-8
< 
<a href="/v2/">Moved Permanently</a>.

* Connection #0 to host registry.MYDOMAIN.com left intact

Any ideas?


Hi @patrick

I’m working on this atm. It’s definitely to do with the self-signed certificates used by openbalena.

What’s odd is you would expect this issue to also occur when building and deploying applications using the same registry and docker instance (CA cert config etc.), but in my experience the registry works fine in all other aspects except this.

I’m working through the CLI source to see exactly what it does, and to see why it appears to be using a different docker daemon config/instance.

Cheers
Chris


So what it is doing, I think, is starting an instance of the docker daemon to preload container images etc. with; this instance does not have the self-signed CA certificate required for the registry. Tried all the CLI options for preload but cannot see any way to specify the registry CA. I have posted an issue on the relevant github repo:


@patrick, @dash preload should now work on Linux hosts.


Awesome, thanks for letting us know.

Cheers
Chris

@dfunckt Should it work with the cli or balena-preload?
With the cli v9.9.2 on osx I am getting the same error.

I can’t get balena-preload to work at all.

@patrick what version of balena-preload is installed? You can check with npm ls balena-preload. You’re looking for at least version 8.1.0. You will need a fresh CLI install if it’s less than that.

Thanks for following up. All seem to be up to date.
$ npm list -g balena-preload
/Users/Patrick/.nvm/versions/node/v10.13.0/lib
└─┬ balena-cli@9.10.0
  └── balena-preload@8.1.0

@patrick, as mentioned above, the current fix only applies to Linux. Running it inside a Linux VM (or another computer) where you’ve installed the certs and balena-cli into might be the only way forward currently.


Thanks! Using Ubuntu worked.

I am facing the same issue on an Ubuntu machine. I have installed balena cli (as a standalone installation) 10.13.6. Any hints?

Not sure if this is helpful for you, but the preload command now works on Mac.

Hey Patrick! I switched from Mac to Ubuntu as it was failing there also.

I just used it yesterday on a Mac with a BalenaCloud App.
balena-cli@10.13.6
balena-preload@8.1.4

balena preload PathToStarterImage --app NameOfTheBalenaApp --splash-image PathToSplashImage

I am using a stand-alone installation of balena cli (v10.13.15) on Mac. Would it make sense to install it the npm way?

@ajay I assume you are trying to do preloading for an openBalena instance, whereas @patrick is preloading from the balenaCloud instance. As far as I understand, the preload with self-signed certs is still a work in progress. I have asked the CLI team to prioritise a fix for this so hopefully we can get it working soon.

@shaunmulligan Yes, it’s an openBalena instance. Thanks!

@ajay
Preloading with custom certificates should work on Linux as long as you have these certificates in /etc/ssl/certs since this commit (balena-preload 8.1.0)
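The failure diagnosed earlier in the thread (a preload docker daemon whose trust store lacks openBalena's private CA) and the fix described just above (the CA present in the daemon's trust store) can both be reproduced with Go's own x509 verifier, the library dockerd uses, which is where the literal "x509: certificate signed by unknown authority" message comes from. This is an added example, not balena or openBalena code; the CA name ca.example.test, the wildcard *.example.test and the registry hostnames are constructed placeholders standing in for ca.MYDOMAIN.com and *.MYDOMAIN.com.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MakeChain builds a constructed private CA (the role ca.MYDOMAIN.com plays in the thread) and a wildcard registry cert signed by it; example.test is a placeholder domain.
func MakeChain() (ca, leaf *x509.Certificate) {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ca.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.test"},
		DNSNames: []string{"*.example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// VerifyRegistry does what a Go TLS client such as dockerd does: chain the registry's server
// cert up to a trusted root and check the hostname. trusted == nil models a daemon without the CA.
func VerifyRegistry(leaf, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool() // empty on purpose: the system roots never contain a private CA either
	if trusted != nil {
		roots.AddCert(trusted) // the thread's fix: ca.crt made visible to the daemon (/etc/ssl/certs on Linux)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// UnknownAuthority reports whether err is Go's "x509: certificate signed by unknown authority".
func UnknownAuthority(err error) bool {
	return errors.As(err, new(x509.UnknownAuthorityError))
}
```

Note that installing the CA only fixes the issuer check; a certificate whose names do not cover the registry host still fails, just with a different error.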

@zvin As per the getting started guide, I have the ca.crt in /etc/ssl/certs. Also I am able to see the preload.js with the fix (mounting the same) inside the balena-preload module. Still not sure why it fails.

What is the error?