Using signed certs on OpenBalena

I’m having a problem getting signed certs to work when using the -c option with the quickstart script.

The config and certs are all created on the server and everything seems fine; however, I cannot connect to the API using the balena-cli from a remote Ubuntu machine.

I keep getting the following error:
UNABLE_TO_GET_ISSUER_CERT_LOCALLY: request to https://api.prod.xxxxx.xx/login_ failed, reason: unable to get local issuer certificate

In the quickstart guide it only mentions self-signed certs, i.e. running quickstart without the -c option, and this works fine for me. After the certs are created I downloaded the generated ca.crt to the client machines and set the NODE_EXTRA_CA_CERTS env variable.

I have tried the same process after the signed certs are created but I get the error listed above. I think it's because I need the CA bundle on the client machine rather than just the ca.crt, but I don't see this on the server anywhere.

Do you have any documentation on the process for using signed certs, or can you provide the steps required to allow the balena-cli on a remote machine to connect using signed certs?

Thanks
Gerard.

Looks like I have the same issue as you: it works perfectly with the self-signed cert but not with the signed cert.

When I run the openssl command to check the cert I get the same error message.
Verify return code: 20 (unable to get local issuer certificate)

Hi @willforde, yes, same for me when checking with openssl.

Thanks for reaching out. Can you provide a bit more detail on how the cert is signed? And the output of the SSL query: $ echo | openssl s_client -showcerts -servername registry.{mydomain} -connect registry.{xxxxx.xx}:443 2>/dev/null | openssl x509 -inform pem -noout -text

We have added support for ACME v2 (certs: Add support for an ACME certificate provider by richbayliss · Pull Request #38 · balena-io/open-balena · GitHub), and if your signed cert is from one, then the cert-provider container logs can provide additional details: open-balena/cert-provider.sh at bea552de6ab1df05c20c1f0ee44b173fdaac2704 · balena-io/open-balena · GitHub

Also, we have a similar issue where the user was able to run with Let’s Encrypt signed cert [ref: Using real (not self-signed) certificates - #177 by DistgenAl]
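Added example (not from any poster in this thread, nor from open-balena itself): a small parser for the "Certificate chain" section of the openssl s_client -showcerts output requested above, which reports whether the server sends the intermediate or only its leaf. The sample output, the hostname api.prod.example.test and the trusted root subject are constructed; an incomplete served chain is the usual cause of verify return code 20 when ca.crt alone is not enough on the client.

```python
import re
# Constructed sample of `openssl s_client -showcerts` output (not real certificate data):
# the server sends only its leaf, issued by an intermediate ("R3"), and no intermediate after it.
SAMPLE_SHOWCERTS = """\
---
Certificate chain
 0 s:CN = api.prod.example.test
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIB(placeholder, not a real certificate)
-----END CERTIFICATE-----
---
    Verify return code: 20 (unable to get local issuer certificate)
"""
# Subjects of roots the client trusts (constructed; stands in for the OS trust store or NODE_EXTRA_CA_CERTS).
TRUSTED_ROOT_SUBJECTS = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}
CHAIN_ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")           # "   i:<issuer>"

def parse_chain(showcerts_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, subject = [], None
    for line in showcerts_output.splitlines():
        m = CHAIN_ENTRY.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def diagnose(chain, trusted_roots):
    """Explain an 'unable to get local issuer certificate' (verify code 20) result from the served chain."""
    if not chain:
        return "no certificate chain in output"
    # Each presented cert must be issued by the next one, which is how a verifier walks the chain.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return f"chain out of order: expected {issuer!r} next, got {next_subject!r}"
    last_subject, last_issuer = chain[-1]
    if last_subject in trusted_roots or last_issuer in trusted_roots:
        return "chain complete: ends at a locally trusted root"
    return (f"chain incomplete: server never sends {last_issuer!r}; "
            "serve the intermediate (CA bundle) or add it to the client's CA file")
```

Feed it the real -showcerts output instead of the sample to see whether your server stops at the leaf.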