MEN-4273

Support self-signed Mender server certificates for more than one service



    • Sprint: MEN Sprint 127


      With the introduction of mender-shell, MENDER_CERT_LOCATION is no longer needed by only one recipe, but by several. It is possible to override it from a global file, like local.conf, but this is considered poor practice and is in any case not part of our instructions. Generally, the number of global configuration options should be kept as low as possible.

      The suggestion is instead to create a separate recipe for the self-signed certificate and install it in the ca-certificates folder on the system, so that the Mender client no longer uses the ServerCertificate variable and instead loads the certificate through the normal system mechanism. This lets other processes do the same, which benefits not only mender-shell but also other clients that users might want to make (UIs and such).

      However, we cannot create a separate recipe in dunfell, because our instructions list these entries in local.conf:

      FILESEXTRAPATHS_prepend_pn-mender-client := "<DIRECTORY-CONTAINING-server.crt>:"
      SRC_URI_append_pn-mender-client = " file://server.crt"

      These are recipe-local, so we cannot use a separate recipe to install the certificate without breaking existing builds. Therefore, in the backport from master to dunfell, we need to install the certificate in the same way, but from the mender-client recipe.

      Acceptance criteria:

      • In meta-mender/master:
        • MENDER_CERT_LOCATION variable is removed, or moved to its own recipe.
        • ServerCertificate setting in config file is removed (but only from meta-mender, not from the client)
        • A recipe, mender-server-certificate, is added which adds a user certificate to the system ca-certificates folder.
        • In demo mode, our demo certificate is installed.
        • In production mode, nothing is installed by default.
      • In meta-mender/dunfell:
        • ServerCertificate setting in config file is removed (but only from meta-mender, not from the client)
        • In addition to adding server.crt to the location specified by MENDER_CERT_LOCATION (which it already does), add this certificate to the ca-certificates folder on the system, under the name mender-server-certificate.crt.
        • If server.crt is not in SRC_URI, nothing is installed (this implicitly separates between demo and production, as for meta-mender/master).
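
      The recipe sketched above, as an added example that is not part of meta-mender or of this ticket: a standalone mender-server-certificate recipe that installs nothing unless a server.crt is supplied through SRC_URI (the production/demo split in the acceptance criteria), places the certificate in the ca-certificates directory under the name mender-server-certificate.crt, and registers it with the system trust store. The file layout it relies on (certificates under /usr/share/ca-certificates, enabled by a line in /etc/ca-certificates.conf, and /etc/ssl/certs rebuilt by update-ca-certificates) is the Debian-derived layout shipped by OE-core's ca-certificates recipe; the variable names CERT_NAME and CERT_DIR, the PEM sanity check and the postinst are this example's own choices, and the override syntax is the pre-honister `_` form used by the local.conf lines above.

```bitbake
# mender-server-certificate.bb (example recipe; names and layout are assumptions)
SUMMARY = "Install a user-supplied Mender server certificate into the system CA store"
DESCRIPTION = "Adds server.crt, when one is supplied via SRC_URI, to the ca-certificates \
trust store so that mender, mender-shell and any other TLS client on the device \
trust it without a per-client ServerCertificate setting."
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"

# Production default: no certificate at all. A demo layer, or the user's own
# bbappend, supplies one, for example:
#   FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
#   SRC_URI += "file://server.crt"
SRC_URI = ""

S = "${WORKDIR}"

# update-ca-certificates comes from ca-certificates and must be on the target.
RDEPENDS_${PN} = "ca-certificates"

# Debian-style layout used by OE-core's ca-certificates: certificates live below
# /usr/share/ca-certificates and are enabled by a relative path listed in
# /etc/ca-certificates.conf. Both variable names are this example's own.
CERT_NAME = "mender-server-certificate.crt"
CERT_DIR = "${datadir}/ca-certificates/mender"

do_install() {
    # No server.crt in SRC_URI (production): install nothing, package stays empty.
    if [ ! -f "${WORKDIR}/server.crt" ]; then
        bbnote "No server.crt in SRC_URI, not installing a server certificate"
        return 0
    fi
    # Fail at build time, not on the device, if the file is not a PEM certificate
    # (for instance a private key or a DER blob dropped in by mistake).
    if ! grep -q "BEGIN CERTIFICATE" "${WORKDIR}/server.crt"; then
        bbfatal "server.crt does not look like a PEM certificate"
    fi
    install -d -m 0755 "${D}${CERT_DIR}"
    install -m 0644 "${WORKDIR}/server.crt" "${D}${CERT_DIR}/${CERT_NAME}"
}

# Register the certificate and rebuild /etc/ssl/certs. At image build time $D is
# the rootfs being assembled; if the postinst is deferred, it runs on first boot.
pkg_postinst_${PN}() {
    if [ ! -f "$D${CERT_DIR}/${CERT_NAME}" ]; then
        exit 0
    fi
    CONF="$D${sysconfdir}/ca-certificates.conf"
    ENTRY="mender/${CERT_NAME}"
    # Idempotent: re-running the postinst must not add a duplicate line.
    grep -qxF "$ENTRY" "$CONF" 2>/dev/null || echo "$ENTRY" >> "$CONF"
    SYSROOT="$D" "$D${sbindir}/update-ca-certificates"
}

FILES_${PN} = "${CERT_DIR}"
# Let the package exist (empty) in production images so it can always be listed.
ALLOW_EMPTY_${PN} = "1"
```

      For the dunfell backport, where the certificate must stay with the mender-client recipe, the same do_install and pkg_postinst bodies can be attached to mender-client as do_install_append and pkg_postinst_${PN}_append, keyed on the same `[ -f ${WORKDIR}/server.crt ]` test, while the existing copy to MENDER_CERT_LOCATION is left untouched. On the resulting image, `ls -l /etc/ssl/certs | grep mender-server-certificate` should show the symlink that update-ca-certificates created, and, if openssl is present, `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /usr/share/ca-certificates/mender/mender-server-certificate.crt` should report OK. One trade-off worth keeping in mind: with ServerCertificate the client trusted exactly that one certificate, whereas a certificate in the system store is trusted by every TLS client on the device and the Mender client in turn accepts any other CA already in that store, so the file must only ever contain the CA or self-signed server certificate, never a key.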


              Lluís Campos
              Kristian Amlie