Error: (HTTP code 500) server error - Get https://registry.openbalena.local/v2/: x509: certificate signed by unknown authority
at /home/user/.nvm/versions/node/v10.15.3/lib/node_modules/balena-cli/node_modules/docker-modem/lib/modem.js:257:17
at IncomingMessage.<anonymous> (~/.nvm/versions/node/v10.15.3/lib/node_modules/balena-cli/node_modules/docker-modem/lib/modem.js:284:9)
at IncomingMessage.emit (events.js:194:15)
at endReadableNT (_stream_readable.js:1125:12)
at process._tickCallback (internal/process/next_tick.js:63:19) reason: 'server error', statusCode: 500, json: null
Can you try pinging registry.openbalena.local from the host computer:
ping registry.openbalena.local
And also this:
wget -O - https://registry.openbalena.local/v2/
For the ping I am able to see packet transfers.
For the wget I get a 401 unauthorized as response.
What about
docker run --rm -v /etc/ssl/certs:/etc/ssl/certs balena/balena-preload wget -O - https://registry.openbalena.local/v2/
and
docker run --rm -v /etc/ssl/certs:/etc/ssl/certs balena/balena-preload ls /etc/ssl/certs
?
I get wget: bad address 'registry.openbalena.local'
I get a list of files, but ca.crt is missing in this list.
Are you sure you have ca.crt in the host’s /etc/ssl/certs?
$ ls -ltr /etc/ssl/certs/ca.crt
-rw------- 1 root root 1899 May 24 13:40 /etc/ssl/certs/ca.crt
This is weird.
Does any bind mount work?
docker run --rm -v /any/file/on/the/host:/whatever balena/balena-preload ls -ltr /whatever
mounting a user directory works, but as said earlier, mounted certs dir doesn’t have ca.crt.
docker run --rm -v /etc/ssl/certs/ca.crt:/etc/ssl/certs/ca.crt balena/balena-preload ls -lah /etc/ssl/certs/ca.crt
?
docker: Error response from daemon: error while creating mount source path '/etc/ssl/certs/ca.crt': mkdir /etc/ssl/certs/ca.crt: read-only file system.
Mounting the dir alone and executing ls gives No such file or directory.
On a side note, my peer here suggested that it is the ca-certificates.crt that should be of our concern, which by the way exists on the mounted volume.
UPDATE:
I copied the contents of /etc/ssl/certs to another directory and modified preload.js to use that path and it works.
Thanks for your feedback @ajay
We need to add an option to pass the certificate file path to balena preload directly.
I have no ETA yet, I’ll ping you when it’s ready.
Starting from balena-cli 10.17.0, you can use the --add-certificate option that will copy the provided certificate to the container’s /etc/ssl/certs folder. You can repeat the option to add multiple certificates.
Hi @zvin,
Sorry to dig up this thread - wasn’t sure if I should start a new one…
I’m experiencing the same problem with the certificates, but nothing seems to fix it!
I can successfully build and deploy an app to my openBalena server (running on a VirtualBox ubuntu server). But when I try to preload it onto my img file I get the error:
NODE_EXTRA_CA_CERTS=~/open-balena/open-balena.crt DEBUG=1 balena preload ./balena.img -p --app myapp --add-certificate ./open-balena.crt -c current
Debug: original argv0="node" argv=[/home/sm/.nvm/versions/node/v12.4.0/bin/node,/home/sm/.nvm/versions/node/v12.4.0/bin/balena,preload,./balena.img,-p,--app,myapp,--add-certificate,./open-balena.crt,-c,current] length=11
Building Docker preloader image. [=== ] 12%
Step 1/7 : FROM docker:17.10.0-ce-dind
Building Docker preloader image. [====== ] 25%
Step 2/7 : RUN apk update && apk add --no-cache python3 parted btrfs-progs docker util-linux sfdisk file coreutils sgdisk
---> Using cache
Building Docker preloader image. [========= ] 37%
Step 3/7 : COPY ./requirements.txt /tmp/
---> Using cache
Building Docker preloader image. [============ ] 50%
Step 4/7 : RUN pip3 install -r /tmp/requirements.txt
---> Using cache
Building Docker preloader image. [=============== ] 62%
Step 5/7 : COPY ./src /usr/src/app
---> Using cache
Building Docker preloader image. [================== ] 75%
Step 6/7 : WORKDIR /usr/src/app
---> Using cache
Building Docker preloader image. [===================== ] 87%
Step 7/7 : CMD ["python3", "/usr/src/app/preload.py"]
---> Using cache
---> 50d466c4ad23
Successfully built 50d466c4ad23
Building Docker preloader image. [========================] 100%/ Creating preloader container
- Starting preloader container
| Fetching application myapp
\ Reading image informationWaiting for Docker to start…
| Reading image informationDocker started
| Reading image information
\ Resizing partitions and waiting for dockerd to startThis is a flasher image, preloading to /tmpwy901ufp/opt/resin-image-beaglebone-green.resinos-img on partition n°2 of /img/balena.img
Leaving splash image alone
| Resizing partitions and waiting for dockerd to startWaiting for Docker to start…
- Resizing partitions and waiting for dockerd to startDocker started/ Cleaning up temporary files
Error: (HTTP code 500) server error - Get https://registry.open-balena.mydomain/v2/: x509: certificate signed by unknown authority
at /home/sm/.nvm/versions/node/v12.4.0/lib/node_modules/balena-cli/node_modules/docker-modem/lib/modem.js:257:17
at IncomingMessage. (/home/sm/.nvm/versions/node/v12.4.0/lib/node_modules/balena-cli/node_modules/docker-modem/lib/modem.js:284:9)
at IncomingMessage.emit (events.js:205:15)
at IncomingMessage.EventEmitter.emit (domain.js:471:20)
at endReadableNT (_stream_readable.js:1154:12)
at processTicksAndRejections (internal/process/task_queues.js:84:9)
If you need help, don’t hesitate in contacting our support forums at
https://forums.balena.io
For bug reports or feature requests, have a look at the GitHub issues or
create a new one at: Issues · balena-io/balena-cli · GitHub
(node:7218) [DEP0066] DeprecationWarning: OutgoingMessage.prototype._headers is deprecated
I’ve rebooted my machine and the VM to make sure that docker has picked up on the CA certificate.
I’ve tried:
openssl s_client -showcerts -connect registry.open-balena.mydomain:443
which shows:
verify return:1
I stopped the preload command while it was “Reading image information” and checked in the preload container, and can see my certificate file in there:
docker exec -it hopeful_fermi ls -l /etc/ssl/certs | grep open
lrwxrwxrwx 1 root root 15 Jul 17 13:24 04d11387.0 -> open-balena.crt
-rw------- 1 1000 1000 1935 Dec 20 2018 open-balena.crt
I even tried running a shell on this container, installing openssl and running the connect command. This also verifies ok.
I’m struggling to figure out which part is now still unaware of the CA!
Cheers.
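A check for the three things this thread inspects inside a certificate directory (file mode, hash symlink, presence in the ca-certificates.crt bundle), as an added example that is not part of the original posts or of balena's code. The function names audit_ca and make_sample_dir are hypothetical, and the sample certificate text is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not balena code. audit_ca DIR NAME prints findings about how
# the CA file DIR/NAME is exposed and returns the number of problems found.
audit_ca() {
    dir=$1; name=$2; cert="$dir/$name"; problems=0
    [ -f "$cert" ] || { echo "MISSING  $cert"; return 1; }
    # Mode 0600, as in both listings in the thread, hides the file from
    # any process that does not run as its owner (or as root).
    if [ -z "$(find "$cert" -perm -004)" ]; then
        echo "PRIVATE  $name is not world-readable"
        problems=$((problems + 1))
    fi
    # CApath-style lookups need a <hash>.N symlink that resolves to the file.
    link=""
    for l in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -L "$l" ] && [ "$(basename "$(readlink "$l")")" = "$name" ]; then
            link=$l
        fi
    done
    if [ -n "$link" ]; then
        echo "HASHED   $(basename "$link") -> $name"
    else
        echo "NOHASH   no hash symlink for $name"
        problems=$((problems + 1))
    fi
    # Clients that read only the bundle see the CA only if its PEM was appended.
    # Heuristic: compare the first base64 line of the certificate body.
    first=$(grep -v -- '-----' "$cert" 2>/dev/null | head -n 1)
    if [ -n "$first" ] && grep -qF -- "$first" "$dir/ca-certificates.crt" 2>/dev/null; then
        echo "BUNDLED  $name is in ca-certificates.crt"
    else
        echo "NOBUNDLE $name is not in ca-certificates.crt"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: placeholder PEM text (not a real certificate), laid out
# like the container listing in the thread: a 0600 file plus a hash symlink.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtU0FNUExFLUNB' \
        '-----END CERTIFICATE-----' > "$d/open-balena.crt"
    chmod 600 "$d/open-balena.crt"
    ln -s open-balena.crt "$d/04d11387.0"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'T1RIRVItQ0E=' \
        '-----END CERTIFICATE-----' > "$d/ca-certificates.crt"
    echo "$d"
}
```

Run it against the real directory with `audit_ca /etc/ssl/certs open-balena.crt`, on the host and again inside the container, and compare the findings.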
Hi @sei1, thanks for reporting this.
This should be fixed in balena-cli v11.7.2.
All working now.
Thanks @zvin