Hi, I used the getting started guide on a freshly installed box.
I used the -c option on the quickstart script, and everything ran without any errors.
I thought -c would use letsencrypt + acme to get a cert.
I’m kind of new to openBalena but would really like to get more into it.
Hello,
Can you please share the output of the quickstart script?
I’ve just checked the openBalena quickstart script for the -c argument. It tries to perform an actual domain name resolution for the API of the domain that is specified with the -d argument.
It fails and informs you about it when the domain cannot be resolved. This is most likely the case for local test instances, which may have issues with registering the local domain name with the DNS service.
Here is the output of my test command when the TLD cannot be resolved:
```
$ ./scripts/quickstart -c -U openb@openb.com -P openb -d openb.com
[INFO] ACME Certificate request is ENABLED.
[WARN] Unable to resolve "api.openb.com"!
[WARN] This might mean that you cannot use an ACME issued certificate.
...
```
Best Regards,
Harald
Can you also share why you chose the -c option for this quickstart? You could also run the quickstart without the -c option and generate self-signed certificates for local development, and trust these certificates after they have been generated.
Hi @fisehara
I mostly used the -c option because I don’t want to issue self-signed certs and also wanted the deployment to handle the certificate issuing via acme. In another post of mine, there are already 2 PRs that address this problem.
Thank you for your reply!
Hello @Mawiguk0
I’ve also checked your other threads, and one PR got merged recently and closed this issue:
opened 10:37PM - 26 Feb 21 UTC
closed 02:11PM - 22 Mar 22 UTC
Hi, I have installed open balena on my server and I'm not able to acquire LE certs. I have performed a clean installation 3 times but the cert provider always fails on: `[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]`.
When I try to manually execute the command (used to check the staging cert) from the `cert-provider.sh` script:
`echo "" | openssl s_client -host "api.{DOMAIN}" -port 443 -showcerts 2>/dev/null | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' | openssl verify -CAfile /usr/src/app/fake-le-bundle.pem /dev/null 2>&1`
it throws this error:
`140406427946312:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE`
I have installed many open balena servers and this is the first time I have encountered this issue.
Here is the complete log of the cert provider container:
```
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.{DOMAIN} on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
cat: can't open '/usr/src/app/certs/last_run_mode': No such file or directory
[Info] Last acquired certificate for
[Info] Using STAGING mode
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Issuing certificates...
[Fri Feb 26 20:52:33 UTC 2021] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Standalone mode.
[Fri Feb 26 20:52:34 UTC 2021] Create account key ok.
[Fri Feb 26 20:52:34 UTC 2021] Registering account
[Fri Feb 26 20:52:36 UTC 2021] Registered
[Fri Feb 26 20:52:36 UTC 2021] ACCOUNT_THUMBPRINT='...'
[Fri Feb 26 20:52:36 UTC 2021] Creating domain key
[Fri Feb 26 20:52:36 UTC 2021] The domain key is here: /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.key
[Fri Feb 26 20:52:36 UTC 2021] Multi domain='DNS:api.{DOMAIN},DNS:registry.{DOMAIN},DNS:s3.{DOMAIN},DNS:vpn.{DOMAIN}'
[Fri Feb 26 20:52:36 UTC 2021] Getting domain auth token for each domain
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='api.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='registry.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='s3.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Getting webroot for domain='vpn.{DOMAIN}'
[Fri Feb 26 20:52:39 UTC 2021] Verifying: api.{DOMAIN}
[Fri Feb 26 20:52:39 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:44 UTC 2021] Pending
[Fri Feb 26 20:52:46 UTC 2021] Success
[Fri Feb 26 20:52:46 UTC 2021] Verifying: registry.{DOMAIN}
[Fri Feb 26 20:52:46 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:51 UTC 2021] Success
[Fri Feb 26 20:52:51 UTC 2021] Verifying: s3.{DOMAIN}
[Fri Feb 26 20:52:51 UTC 2021] Standalone mode server
[Fri Feb 26 20:52:56 UTC 2021] Success
[Fri Feb 26 20:52:56 UTC 2021] Verifying: vpn.{DOMAIN}
[Fri Feb 26 20:52:56 UTC 2021] Standalone mode server
[Fri Feb 26 20:53:00 UTC 2021] Success
[Fri Feb 26 20:53:00 UTC 2021] Verify finished, start to sign.
[Fri Feb 26 20:53:00 UTC 2021] Lets finalize the order, Le_OrderFinalize: https://acme-staging-v02.api.letsencrypt.org/acme/finalize/18299657/247900355
[Fri Feb 26 20:53:01 UTC 2021] Download cert, Le_LinkCert: https://acme-staging-v02.api.letsencrypt.org/acme/cert/fa90613ff99fa062cf8b01b94a37ad968efc
[Fri Feb 26 20:53:02 UTC 2021] Cert success.
-----BEGIN CERTIFICATE-----
MIIF2jCCBMKgAwIBAgITAPqQYT/5n6Biz4sBuUo3rZaO/DANBgkqhkiG9w0BAQsF
...
YQyqRZL5fE2Sb7oqOHw=
-----END CERTIFICATE-----
[Fri Feb 26 20:53:02 UTC 2021] Your cert is in /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.cer
[Fri Feb 26 20:53:02 UTC 2021] Your cert key is in /usr/src/app/certs/api.{DOMAIN}/api.{DOMAIN}.key
[Fri Feb 26 20:53:02 UTC 2021] The intermediate CA cert is in /usr/src/app/certs/api.{DOMAIN}/ca.cer
[Fri Feb 26 20:53:02 UTC 2021] And the full chain certs is there: /usr/src/app/certs/api.{DOMAIN}/fullchain.cer
[Info] Installing certificates...
[Fri Feb 26 20:53:02 UTC 2021] Installing cert to:/tmp/cert.pem
[Fri Feb 26 20:53:02 UTC 2021] Installing key to:/tmp/key.pem
[Fri Feb 26 20:53:02 UTC 2021] Installing full chain to:/tmp/fullchain.pem
[Fri Feb 26 20:53:02 UTC 2021] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Fri Feb 26 20:53:02 UTC 2021] Reload success
[Info] Waiting for api.{DOMAIN} to use a staging certificate...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]
[Info] VALIDATION not set. Using default: http-01
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Info] Unable to access api.{DOMAIN} on port 80. This is needed for certificate validation. Retrying in 30 seconds...
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Last acquired certificate for STAGING
[Info] Using STAGING mode
[Info] Waiting for api.{DOMAIN} to be available via HTTP...
[Info] (1/3) Connecting...
[Info] (1/3) Success!
[Info] Issuing certificates...
[Fri Feb 26 20:58:47 UTC 2021] Using stage ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri Feb 26 20:58:48 UTC 2021] Domains not changed.
[Fri Feb 26 20:58:48 UTC 2021] Skip, Next renewal time is: Tue Apr 27 20:53:02 UTC 2021
[Fri Feb 26 20:58:48 UTC 2021] Add '--force' to force to renew.
[Info] Installing certificates...
[Fri Feb 26 20:58:48 UTC 2021] Installing cert to:/tmp/cert.pem
[Fri Feb 26 20:58:48 UTC 2021] Installing key to:/tmp/key.pem
[Fri Feb 26 20:58:48 UTC 2021] Installing full chain to:/tmp/fullchain.pem
[Fri Feb 26 20:58:48 UTC 2021] Run reload cmd: cat /tmp/fullchain.pem /tmp/key.pem > /certs/open-balena.pem
[Fri Feb 26 20:58:48 UTC 2021] Reload success
[Info] Waiting for api.{DOMAIN} to use a staging certificate...
[Info] (1/3) Connecting...
[Info] (1/3) Failed. Retrying in 5 seconds...
[Info] (2/3) Connecting...
[Info] (2/3) Failed. Retrying in 5 seconds...
[Info] (3/3) Connecting...
[Info] (3/3) Failed!
[Error] Unable to detect certificate change over. Cannot issue a production certificate. [Stopping]
```
As shared in the other thread cert-provider-error-maybe-typo, there is this open PR: (WIP) openBalena on balenaOS by ab77 · Pull Request #141 · balena-io/open-balena · GitHub, which aims to address a lot of existing concerns.
Best
Harald