Token authentication failed

I am unable to login to balena cli. I get ‘Token authentication failed’ but nothing to indicate how I might fix the problem. I’ve also tried other options (–web and --credentials but no joy).

PS C:\Users\me> set DEBUG=1
PS C:\Users\me> balena login --token “token-copied-from-dashboard”
_ _
| |__ __ _ | | ____ _ __ __ _
| '_ \ / || | / __ \| '_ \ / _ |
| |
) | () || || /| | | || () |
|
.
_/ _
,||| _/|| || _,_|

Logging in to balena-cloud.com
Token authentication failed

Additional information may be available by setting a DEBUG=1 environment
variable: “set DEBUG=1” on a Windows command prompt, or “export DEBUG=1”
on Linux or macOS.

If you need help, don’t hesitate in contacting our support forums at
https://forums.balena.io

For bug reports or feature requests, have a look at the GitHub issues or
create a new one at: https://github.com/balena-io/balena-cli/issues/

Hi @pimunch, are you using self-signed certs and if so have you set NODE_EXTRA_CA_CERT to point at your openbalena CA (at config/certs/root/ca.crt)?

Hi, I am not using self-signed certs but I am behind a corporate proxy over which I have no control. I did get everything working whilst using my cellphone as a wifi hotspot, but sadly the corporate network does not allow Balena.

Hey, is it possible that your corporate proxy uses it’s own certs? In that case you’d have to add those to the NODE_EXTRA_CA_CERTS environment variable too.

Hi, after some research I’ve found out our proxy (Zscaler) requires two certificates. I have exported these from my laptop and I have two .crt files. How do I get these on the deployment Pi and how do I add the necessary environment variables? Note that I cannot access the Pi over the network through my Balena dashboard. I’m not a noob but a helpful steer in the right direction will see me right. Many thanks!

Hi, have to check with our team, don’t think that sort of proxy is supported at the moment (we support http and socks proxies). Will get back to you with more info later. If you have any documentation regarding the setup your Zscaler proxy requires, that would speed up our investigation, though. Thanks!

Actually scratch that above regarding what we currently support, it’s somewhat different than what I’ve thought on first read of the thread. Just going to check with the team for a proper response.

Hey there! We’ve done some digging and looks like you can create a single PEM file out of both certificates, point NODE_EXTRA_CA_CERTS to such file, and then everything should work. See https://nodejs.org/docs/latest-v10.x/api/cli.html#cli_node_extra_ca_certs_file

@wrboyce @CameronDiver @imrehg @jviotti Thanks for all your responses but I’m a little confused. With balena CLI, node, certificates and the belanaOS image file, what tool do I use for which operation? What goes where? How do I get the certs onto the Pi to enable network access via my dashboard?
:woozy_face:

Hi,

So the balena-cli tool you use to login with via balena login ... is actually a NodeJS-based application. Node manages it’s own set of trusted root CA certificates; certificates which can sign other certificates. When making a HTTPS (TLS) connection to our backend to perform the login, the certificate presented by our servers is checked to see if any of the trusted CA certs signed it. If they did then the connection succeeds, but if not then Node will prevent it.

The suggestion is to set NODE_EXTRA_CA_CERTS to be a path to a file containing your proxies’ certs, which would make them explicitly trusted.

I hope that makes sense, and you can try it out and let us know how that works out :+1:

Hi @richbayliss, thanks for the speedy response. That’s a little clearer now, although I’m not sure how to combine two certs into one though. Another question is once I can ‘balena login’ using cli, how do I (re)configure the Pi and balenaOS image to get on the corporate network via the proxy, thereby establishing a connection with my dashboard?

Hi there,

As an addition to my colleague’s response, just to check, in your first reply you say ‘I did get everything working whilst using my cellphone as a wifi hotspot’. Does this mean you used the hotspot to connect both your laptop and the Pi (ie. the Pi was not running on your corporate network, as if it was then it sounds like there’s some other issue going on).

If you had connected both the Pi and the laptop to your hotspot, and now neither is working as expected on the corporate network, then the first issue is connecting the laptop to balenaCloud, as you’ve stated. To expand a bit on the above answer, you’ll need to create a new file that contains both proxy certificates, one pasted after the other, eg:

Proxy Certificate 1
Proxy Certificate 2

which will look something like this:

-----BEGIN CERTIFICATE----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----
...
-----END CERTIFICATE-----

You should save this as something like proxy-ca-certs.pem, and then set NODE_EXTRA_CA_CERTS=proxy-ca-certs.pem in the shell where you’ll run balena-cli. With this set, you should then be able to run balena login correctly and login then use balenaCloud.

The Pi is a slightly different matter. There’s a config variable that can be added into the config.json in the boot partition of the provisioning image for the Pi that will allow the Pi to verify the Proxy certificates. You can do this a few different ways, the simplest is to download the provisioning image from the balenaCloud Dashboard, then mount the image on your development machine and manually editing the config.json in the boot partition. You’ll need to add a balenaRootCA key whose value is the contents of proxy-ca-certs.pem which has been Base64 encoded.

The config.json will end up looking something like this:


Add this to the end of the `config.json`, unmount the image, then flash it to an SD card and provision the Pi.

Sorry, hit Enter too soon!

The config.json will end up looking something like this:

{
   ...
   "balenaRootCA": "<base64encodedPEMfile>"
}

Add this to the end of the config.json, unmount the image, then flash it to an SD card and provision the Pi.

This should cover everything, assuming your corporate proxy is rewriting traffic based on its own certificates. Please let us know if anything else is unclear!

Best regards, Heds

Thank you @hedss (and all). I need a bit of spoon feeding here! I will try all this and let you know how I get on.

Hello again,

I’ve can report some success but also some failure.

I followed the advice above for getting my laptop configured but was unable to login via CLI. I then upgraded to CLI 11.7 and all was good.

I’m now trying to ‘balena push’ the Sense application but I’m getting errors. I’ve made sure to set line endings correctly (I’m on Win7 trying to deploy to Raspbian). I note the error ‘curl: (60) SSL certificate problem: unable to get local issuer certificate’

----Log start
C:\Users\me\Downloads\balena-sense>balena push balenaSense
(node:948) Warning: Ignoring extra certs from C:\Users\HoltJ\Documents\zscaler- certs.pem, load failed: error:0B07C065:x509 certificate routines:X509_STORE_add
_cert:cert already in hash table

[Info] Starting build for balenaSense, user gh_pimunch
[Info] Dashboard link: https://dashboard.balena-cloud.com/apps/1482147/devi
ces
[Info] Building on arm01
[Info] Pulling previous images for caching purposes…
[Success] Successfully pulled cache images
[telegraf] Step 1/7 : FROM balenalib/raspberrypi3
[influxdb] Step 1/4 : FROM balenalib/raspberrypi3-alpine
[sensor] Step 1/16 : FROM balenalib/raspberrypi3-python:3-build
[grafana] Step 1/8 : FROM balenalib/raspberrypi3
[grafana] —> 409a5ebb1eea
[grafana] Step 2/8 : COPY ./grafana.ini /usr/share/grafana/conf/custom.ini
[grafana] Using cache
[grafana] —> 12bf8b1f3c19
[grafana] Step 3/8 : COPY ./provisioning /usr/src/app/provisioning
[telegraf] —> 409a5ebb1eea
[telegraf] Step 2/7 : RUN curl -o /tmp/telegraf.deb https://dl.influxdata.com/t
elegraf/releases/telegraf_1.11.0-1_armhf.deb
[grafana] Using cache
[grafana] —> a660271f6ddc
[grafana] Step 4/8 : COPY ./*.sh /usr/src/app/
[sensor] —> 7a6aae1a0243
[sensor] Step 2/16 : ARG BSEC_FILENAME=BSEC_1.4.7.3_Generic_Release_20190410.
zip
[grafana] Using cache
[grafana] —> c5642daa9271
[grafana] Step 5/8 : RUN install_packages fontconfig-config fonts-
dejavu-core libfontconfig1 ucf jq
[sensor] Using cache
[sensor] —> 6798932258a0
[sensor] Step 3/16 : RUN install_packages unzip
[grafana] Using cache
[grafana] —> 7cd5ac1b12df
[grafana] Step 6/8 : RUN chmod +x /usr/src/app/download.sh && /usr/src/app/dow
nload.sh “raspberrypi3”
[sensor] Using cache
[sensor] —> 60282d672314
[sensor] Step 4/16 : WORKDIR /usr/src/app
[influxdb] —> 3a72b1214260
[influxdb] Step 2/4 : RUN apk add influxdb
[sensor] Using cache
[sensor] —> deda21240d9f
[sensor] Step 5/16 : RUN git clone https://github.com/balena-io-playground/bs
ec_bme680_linux.git
[influxdb] Using cache
[influxdb] —> 3143815bb7e5
[influxdb] Step 3/4 : RUN sed -i ‘s|/var/lib/influxdb|/data/influxdb|g’ /etc/in
fluxdb/influxdb.conf
[sensor] Using cache
[sensor] —> 4558a4cd6dc2
[sensor] Step 6/16 : RUN wget https://ae-bst.resource.bosch.com/media/_tech/m
edia/bsec/$BSEC_FILENAME
[influxdb] Using cache
[influxdb] —> 8f750aa7debd
[influxdb] Step 4/4 : CMD influxd
[influxdb] Using cache
[influxdb] —> db2286d15c3c
[influxdb] Successfully built db2286d15c3c
[telegraf] —> Running in 4fc1e1c8247a
[grafana] —> Running in 9081a964c3b3
[sensor] —> Running in 312e3f7e9710
[telegraf] % Total % Received % Xferd Average Speed Time Time Ti
me Current
[telegraf] Dload Upload Total Spent Le
ft Speed
0 raf]
[telegraf] 0 0 0 0 0 0 0 --:–:-- --:–:-- --:–:--
0
0 0 0 0 0 0 0 0 --:–:-- --:–:-- --:–:-- 0
[telegraf]
[telegraf] curl: (60) SSL certificate problem: unable to get local issuer certi
ficate
[telegraf] More details here: https://curl.haxx.se/docs/sslcerts.html
[telegraf] curl failed to verify the legitimacy of the server and therefore cou
ld not
[telegraf] establish a secure connection to it. To learn more about this situat
ion and
[telegraf] how to fix it, please visit the web page mentioned above.
[telegraf]
[sensor] --2019-07-16 13:40:30-- https://ae-bst.resource.bosch.com/media/_te
ch/media/bsec/BSEC_1.4.7.3_Generic_Release_20190410.zip
[sensor]
[sensor] Resolving ae-bst.resource.bosch.com (ae-bst.resource.bosch.com)…
[grafana] % Total % Received % Xferd Average Speed Time Time Ti
me Current
[grafana]
[grafana] Dload Upload Total Spent
[grafana] Left Speed
0 0 0 0 0 0 0 0 --:–:-- --:–:-- --:–:-- 0
0 0 0 0 0 0 0 0 --:–:-- –
[grafana] :–:-- --:–:-- 0
[grafana]
[grafana] curl: (60) SSL certificate problem: unable to get local i
[grafana] ssuer certificate
[grafana] More details here: https://curl.haxx.se/docs/sslcerts.html
[grafana] curl failed to verify the legitimacy of the server and therefore cou
ld not
[grafana] establish a secure connection to it. To learn more about this situat
ion and
[grafana] how to fix it, please visit the web page mentioned above.
[grafana]
[telegraf] Removing intermediate container 4fc1e1c8247a
[telegraf] The command ‘/bin/sh -c curl -o /tmp/telegraf.deb https://dl.influxd
ata.com/telegraf/releases/telegraf_1.11.0-1_armhf.deb’ returned a non-zero code:
60
[grafana] Removing intermediate container 9081a964c3b3
[grafana] The command ‘/bin/sh -c chmod +x /usr/src/app/download.sh && /usr/sr
c/app/download.sh “raspberrypi3”’ returned a non-zero code: 60
[sensor] 139.15.248.75
[sensor] Connecting to ae-bst.resource.bosch.com (ae-bst.resource.bosch.com)|
139.15.248.75|:443…
[sensor] connected.
[sensor]
[sensor] HTTP request sent, awaiting response…
[sensor] 404 Not Found
[sensor] 2019-07-16 13:40:31 ERROR 404: Not Found.
[sensor]
[sensor] Removing intermediate container 312e3f7e9710
[Info] Uploading images
[sensor] The command ‘/bin/sh -c wget https://ae-bst.resource.bosch.com/media
/_tech/media/bsec/$BSEC_FILENAME’ returned a non-zero code: 8
[Info] Still Working…
[Info] Still Working…
[Success] Successfully uploaded images
[Error] Some services failed to build:
[Error] Service: undefined
[Error] Error: Information not available
[Error] Service: grafana
[Error] Error: The command ‘/bin/sh -c chmod +x /usr/src/app/download.sh
&& /usr/src/app/download.sh “raspberrypi3”’ returned a non-zero code: 60
[Error] Service: sensor
[Error] Error: The command ‘/bin/sh -c wget https://ae-bst.resource.bosc
h.com/media/_tech/media/bsec/$BSEC_FILENAME’ returned a non-zero code: 8
[Error] Service: telegraf
[Error] Error: The command ‘/bin/sh -c curl -o /tmp/telegraf.deb https:/
/dl.influxdata.com/telegraf/releases/telegraf_1.11.0-1_armhf.deb’ returned a non
-zero code: 60
[Error] Not deploying release.
Remote build failed
----Log end