MEN-2229: Mender -rootfs does not use trusted certificates from server.crt



    • Type: Bug
    • Status: Open
    • Priority: (None)
    • Resolution: Unresolved
    • Affects Version/s: 1.6.0
    • Fix Version/s: None
    • Labels:
    • Environment:
      Mender 1.6.0 on Yocto sumo


      When an update is started using mender -rootfs, only the system certificate storage will be used to verify the server certificate. The file specified for the ServerCertificate-configuration in /etc/mender/mender.conf (usually /etc/mender/server.crt) is never loaded when Mender is run this way.

      To me, this was unexpected behaviour, as the documentation says that if you want to use self-signed certificates, you have to put your certificate in server.crt, which is what I did, and I still got an error saying that the certificate was signed by an unknown authority.


      When mender is run with -rootfs AND -trusted-certs, the certificates from the file specified in the trusted-certs-argument are loaded, so this serves as a workaround.

      I expected mender -rootfs to use the configured ServerCertificate file as the default, and have the -trusted-certs argument work as an override.


      I'm not sure if this is the proper fix, but I wonder if what is done on the following lines should be done for the ServerCert-option as well: https://github.com/mendersoftware/mender/blob/1.6.0/main.go#L430-L432


      if runOptions.Config.ServerCert == nil {
          runOptions.Config.ServerCert = config.ServerCertificate
      }


      I see Mirza briefly came across this issue in September (https://groups.google.com/a/lists.mender.io/d/msg/mender/qIZFokSnIKc/h46nB3KHAwAJ), but I couldn't find any other traces of this issue, so I created this issue here.




            • Assignee:
              zaptec Knut Ørland
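
The trust-source precedence the report expects (a -trusted-certs file if given, otherwise the configured ServerCertificate file, always on top of the system store), as an added Go example that is not Mender's own code. The names verifyServerCert and demo are hypothetical, and the self-signed certificate and temporary server.crt are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// verifyServerCert trusts the system store plus one file: cli (-trusted-certs) if set, else conf (ServerCertificate).
func verifyServerCert(cert *x509.Certificate, cli, conf string) error {
	path := cli
	if path == "" {
		path = conf // the fallback the report expected -rootfs to apply
	}
	pool, err := x509.SystemCertPool()
	if err != nil {
		pool = x509.NewCertPool()
	}
	if path != "" {
		data, err := os.ReadFile(path)
		if err != nil || !pool.AppendCertsFromPEM(data) {
			return fmt.Errorf("%s: no usable certificate (read error: %v)", path, err)
		}
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// demo checks a constructed self-signed certificate with no extra file, then with a stand-in server.crt.
func demo() (systemOnly, withConf error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"mender.example"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	conf := os.TempDir() + "/server.crt" // stands in for /etc/mender/server.crt
	os.WriteFile(conf, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
	defer os.Remove(conf)
	return verifyServerCert(cert, "", ""), verifyServerCert(cert, "", conf)
}

func main() { fmt.Println(demo()) }
```

With only the system store, verification fails with an unknown-authority error like the one described in the report; with the configured file applied as the fallback, the same certificate verifies.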