Mender / MEN-1661

Log hint on Certificate signed by unknown authority

    Details

    • Type: Task
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None

      Description

      A common problem is that the Mender client is unable to connect to the server and logs:

      ... level=info msg="Mender state: authorize-wait -> bootstrapped" module=mender
      ... level=error msg="authorize failed :transient error :authorisation request failed: failed do execute authorisation request:
      Post https://<SERVER-URI>/api/devices/v1/authentication/auth_requests: x509: certificate signed by unknown authority" module=state
      

      Typically this is caused by not incorporating a self-signed certificate into Mender's configuration. See https://docs.mender.io/troubleshooting/mender-client#certificate-signed-by-unknown-authority for a full explanation.
      Since this is such a common problem, we should add more context around the error message.

      Acceptance criteria

      • There are more log entries directly following the "...certificate signed by unknown authority" message that give more context
      • Stretch goal:
         "Received API Gateway certificate (in PEM format): {CERTIFICATE-IN-PEM-FORMAT}" 
         If /etc/mender/server.crt is empty/inaccessible: "Your /etc/mender/server.crt can not be opened, if you are using self-signed certificates make sure to include the API Gateway and Storage Proxy certificates here." 
        See https://docs.mender.io/troubleshooting/mender-client#certificate-expired-or-not-yet-valid for more information.
      • Minimum:
         "If you are using a self-signed certificate, make sure it is available locally to the Mender client in /etc/mender/server.crt. See https://docs.mender.io/troubleshooting/mender-client#certificate-signed-by-unknown-authority for more information."
      • These messages are only printed after this given error
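
One way to meet the acceptance criteria above in Go, the language of the Mender client, as an added example that is not part of the ticket or Mender's own code. The helper names (`isUnknownAuthority`, `UnknownAuthorityHints`, `sampleError`) and the log formatting are assumptions, and the sample error is constructed.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

const docsURL = "https://docs.mender.io/troubleshooting/mender-client#certificate-signed-by-unknown-authority"

// isUnknownAuthority (hypothetical) reports whether err is, or wraps, Go's x509 unknown-authority failure.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	// The string match is a fallback for errors that wrapping code flattened to text.
	return errors.As(err, &uae) ||
		(err != nil && strings.Contains(err.Error(), "certificate signed by unknown authority"))
}

// UnknownAuthorityHints (hypothetical) returns the lines to log directly after the error, nil for other errors.
func UnknownAuthorityHints(err error, certPath string) []string {
	if !isUnknownAuthority(err) {
		return nil
	}
	hints := []string{fmt.Sprintf("If you are using a self-signed certificate, make sure it is "+
		"available locally to the Mender client in %s. See %s for more information.", certPath, docsURL)}
	// Stretch goal: say so when the trust file is missing, unreadable or empty.
	data, readErr := os.ReadFile(certPath)
	if readErr != nil || len(strings.TrimSpace(string(data))) == 0 {
		hints = append(hints, fmt.Sprintf("Your %s can not be opened, if you are using self-signed "+
			"certificates make sure to include the API Gateway and Storage Proxy certificates here.", certPath))
	}
	return hints
}

// sampleError builds a constructed error shaped like the one net/http returns for an untrusted server certificate.
func sampleError() error {
	return fmt.Errorf("authorisation request failed: %w", &url.Error{Op: "Post",
		URL: "https://server.example/api/devices/v1/authentication/auth_requests", Err: x509.UnknownAuthorityError{}})
}

func main() {
	fmt.Printf("level=error msg=%q\n", sampleError().Error())
	for _, hint := range UnknownAuthorityHints(sampleError(), "/etc/mender/server.crt") {
		fmt.Printf("level=info msg=%q\n", hint)
	}
}
```

Matching on the typed error first keeps the hints tied to this one failure, so they are only printed after the given error, as the last criterion requires.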

      Sample certificate in PEM format (that can be put in /etc/mender/server.crt):

      

            People

            • Assignee: Marcin Pasinski
            • Reporter: Eystein Maloy Stenberg