To start with, I just want to say thank you for all the hard work on the balena suite. Everything here is an absolute dream for distributed systems.
I have been using balenaCloud and wanted to try self-hosting. Following the article step by step, I keep hitting a wall. Hoping to get some guidance through the forums here.
I have setup my base domain as openbalena.example.com (this is a real domain but just for example purpose I am using “example.com”).
I have an A record for openbalena.example.com → 126.96.36.199
I have a CNAME record for *.openbalena.example.com → openbalena.example.com
These records come through my firewall and into a Caddy reverse proxy which has auto-SSL capabilities. This might be the issue, but I am not quite sure just yet. This proxy is sending traffic on to my local server (192.168.100.31).
When trying to verify my connection using curl against api.openbalena.example.com, I keep hitting:
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Is there any way to get this to work behind a Caddy proxy that already handles the SSL connection? Also, I am not sure what else I should add in terms of my environment, so I am keeping it fairly open-ended for now until I am asked to include more information.
Also, here are the tutorials/setups I have followed and tried thus far:
Sorry for the late reply. Great to hear you like balena and are giving the openBalena solution a try.
"tlsv1 alert internal error" is likely related to a handshake error via Caddy.
Caddy tries to issue a certificate from Let's Encrypt or ZeroSSL for any domain that doesn't look like *.localhost. With a local balena hostname, it will fail to get a publicly trusted certificate. So you'll need to change the config on Caddy: add "tls internal" to your site block to tell Caddy to issue a certificate from its own internal CA instead.
If you still face something similar, it would be good to try the -v verbose option with curl to check what exactly might be causing the internal error. Let us know how it goes.
Thanks for the response @nitish! So after knocking my head against a wall for a couple of weeks, I think that I got the openBalena setup done, but now my device just indefinitely stays at a status of "Idle" and the IS ONLINE flag is just false. Any ideas on where to dig into this?
The command curl -k https://api.blah.hi.com/ping returns an OK, by the way. But the device is in the offline state according to the balena devices command.
Also, for my quickstart command I have been using the "-c" flag, as found in other posts.
So you probably have something that looks like:
client:443 => caddy (188.8.131.52:443) => openBalena HAProxy (192.168.100.31:80) -> api (service:80)
Which means you are offloading SSL at the caddy endpoint and passing traffic to HAProxy over HTTP (open-balena/haproxy.cfg at master · balena-io/open-balena · GitHub).
What domains (SANs) does your Caddy-issued SSL certificate cover?
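As an added example, not from this thread and not from the balena project, here is a Caddyfile sketch that covers the two points raised above: nitish's "tls internal" suggestion, and the question of which SANs the Caddy-issued certificate carries. The addresses (openbalena.example.com, 192.168.100.31:80) are the ones from the thread; the site layout itself, and the assumption that openBalena's HAProxy accepts plain HTTP on port 80 as in the diagram above, are mine.

```caddyfile
# Added example Caddyfile, not the poster's actual config.
# Listing both the apex and the wildcard as the site address makes Caddy put
# both names in the certificate's subjectAltName, so api., vpn., registry.
# and friends all match a single certificate.
openbalena.example.com, *.openbalena.example.com {
    # Issue from Caddy's own local CA instead of Let's Encrypt/ZeroSSL.
    # A public CA cannot validate a name that resolves to a LAN host, and
    # the failed issuance is what surfaces to clients as a TLS alert.
    # Clients do not trust this CA by default: curl needs -k, or --cacert
    # pointing at the root Caddy generates, and devices enrolled against
    # this server must be given the same root certificate.
    tls internal

    # TLS terminates here; the hop to HAProxy is plain HTTP (assumption:
    # 192.168.100.31:80 is the openBalena HAProxy from the thread).
    # Caddy forwards the original Host header and sets X-Forwarded-For /
    # X-Forwarded-Proto on its own, so no header_up lines are needed for
    # name-based routing behind it.
    reverse_proxy 192.168.100.31:80
}
```

To confirm what the running proxy actually presents, answer the SAN question directly rather than from the config: openssl s_client -connect openbalena.example.com:443 -servername api.openbalena.example.com, piped through openssl x509 -noout -ext subjectAltName, lists every DNS name in the served certificate; if api.openbalena.example.com is not covered by one of them, curl without -k will keep failing no matter which CA issued it.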