  1. Mender
  2. MEN-2229

Mender -rootfs does not use trusted certificates from server.crt


    Details

    • Type: Bug
    • Status: Open
    • Priority: (None)
    • Resolution: Unresolved
    • Affects Version/s: 1.6.0
    • Fix Version/s: None
    • Labels:
    • Environment:
      Mender 1.6.0 on Yocto sumo

      Description

      When an update is started using mender -rootfs, only the system certificate storage will be used to verify the server certificate. The file specified for the ServerCertificate-configuration in /etc/mender/mender.conf (usually /etc/mender/server.crt) is never loaded when Mender is run this way.

      To me, this was unexpected behaviour, as the documentation says that if you want to use self-signed certificates, you have to put your certificate in server.crt, which is what I did, and I still got an error saying that the certificate was signed by an unknown authority.

       

      When mender is run with -rootfs AND -trusted-certs, the certificates from the file specified in the trusted-certs-argument are loaded, so this serves as a workaround.

      I expected mender -rootfs to use the configured ServerCertificate file as the default, and have the -trusted-certs argument work as an override.

       

      I'm not sure if this is the proper fix, but I wonder if what is done on the following lines should be done for the ServerCert-option as well: https://github.com/mendersoftware/mender/blob/1.6.0/main.go#L430-L432

       

      if runOptions.Config.ServerCert == nil {
          runOptions.Config.ServerCert = config.ServerCertificate
      }

       

      I see Mirza briefly came across this issue in September (https://groups.google.com/a/lists.mender.io/d/msg/mender/qIZFokSnIKc/h46nB3KHAwAJ), but I couldn't find any other traces of this issue, so I created this issue here.
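
The trust precedence described in the report (the -trusted-certs file overrides, the configured ServerCertificate file is the default, both on top of the system store), as an added Go example that is neither Mender's code nor the reporter's. The names `newClient` and `demo` are hypothetical, and a local `httptest` TLS server with a self-signed certificate stands in for the Mender server.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
)

// newClient (hypothetical) trusts the system store plus one PEM file: CLI value first, config value as default.
func newClient(cliTrustedCerts, confServerCert string) *http.Client {
	certFile := cliTrustedCerts
	if certFile == "" {
		certFile = confServerCert // the fallback the report expected
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if pemBytes, err := os.ReadFile(certFile); err == nil {
		pool.AppendCertsFromPEM(pemBytes) // no readable file: system store only
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// demo stores a constructed server's self-signed certificate at certFile and requests without and with it.
func demo(certFile string) (withoutFile, withFile error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	if err := os.WriteFile(certFile, pemBytes, 0o600); err != nil {
		return err, err
	}
	_, withoutFile = newClient("", "").Get(srv.URL) // behaviour reported for mender -rootfs
	resp, withFile := newClient("", certFile).Get(srv.URL)
	if withFile == nil {
		resp.Body.Close()
	}
	return withoutFile, withFile
}

func main() {
	withoutFile, withFile := demo(filepath.Join(os.TempDir(), "server.crt"))
	fmt.Printf("system store only: %v\nwith ServerCertificate: %v\n", withoutFile, withFile)
}
```

The first request fails with the same "certificate signed by unknown authority" error quoted in the report; the second succeeds because the configured file is added to the pool rather than replacing the system store.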

            People

            • Assignee:
              Unassigned
              Reporter:
              zaptec Knut Ørland