How can I load the x509 ca.crt certificate from my openBalena registry into the SSL certs store on a read-only balenaOS?
I have an openBalena instance running in AWS EC2. We are dependent on secrets during the build process so cannot build devices on EC2 or my local x86 development machine; we need a balenaEngine, which means we need a balenaOS. So I built us a little Raspberry Pi build farm (farm of 1) running on the LAN, which after a moderate yak-shaving exercise does the build itself nicely.
The failing command is:
balena deploy balenatest -h balena.local --logs
When it gets to the deploy stage:
Error: Get https://registry.<our_private_domain>/v2/: x509: certificate signed by unknown authority
I have that certificate trusted in the keychain on my local development machine. And I have restarted Docker. But, as the build is actually using the balenaEngine on the build farm Pi, I am assuming that the deploy is actually happening there, and not my local machine.
Hence I want to get the certificate into the balenaOS farm Pi’s certs store.
Things I have tried and checked
Obviously, as the Pi is read-only, the standard Linux commands for adding certs are telling me to get lost.
I’ve come across:
How to install a certificate in trusted - and am curious as to how this isn’t failing on the read-only fs at the first line.
Balena deploy -> Error: Get https://registry.iot.domain.edu/v2/: x509: certificate signed by unknown authority - but this is for builds on a local machine, and I have done all those steps to no avail.
I’ve scoured the doco and the forums. But I’m hoping I’ve missed a nugget somewhere.
Any ideas or doco I may have missed?
Many thanks in advance