Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Support self-signed Mender server certificates for more than one service

Description

With the introduction of mender-shell, the MENDER_CERT_LOCATION is no longer needed by only one recipe, but several. It is possible to override it from a global file, like local.conf, but this is considered poor practice, and is anyway not part of our instructions. Generally the number of global configuration options should be kept as low as possible.

The suggestion is to instead create a separate recipe for the self signed certificate, and install it in the ca-certificates folder on the system, so that the Mender client will no longer use the ServerCertificate variable and will load it through the normal system mechanism instead. This enables other processes to do the same, which benefits not only mender-shell, but other clients like the ones users might like to make (UIs and such).

However, we cannot create a separate recipe in dunfell, because our instructions are listing these entries in local.conf:

FILESEXTRAPATHS_prepend_pn-mender-client := "<DIRECTORY-CONTAINING-server.crt>:" SRC_URI_append_pn-mender-client = " file://server.crt"

These are recipe-local, and therefore we cannot use a separate recipe to install the certificate, or we would break existing builds. There, in the backport for dunfell from master, we need to install the certificate in the same way, but from the mender-client recipe.

Acceptance criteria:

  • In meta-mender/master:

    • MENDER_CERT_LOCATION variable is removed, or moved to its own recipe.

    • ServerCertificate setting in config file is removed (but only from meta-mender, not from the client)

    • A recipe, mender-server-certificate, is added which adds a user certificate to the system ca-certificates folder.

    • In demo mode, our demo certificate is installed.

    • In production mode, nothing is installed by default.

  • In meta-mender/dunfell:

    • ServerCertificate setting in config file is removed (but only from meta-mender, not from the client)

    • In addition to adding server.crt to the location specified by MENDER_CERT_LOCATION (which it already does), add this certificate to the ca-certificate folder on the system, under the name mender-server-certificate.crt.

    • If server.crt is not in SRC_URI, nothing is installed (this implicitly separates between demo and production, as for meta-mender/master).

Affects versions

None

Environment

None

Checklist

Activity

Show:

Lluis CamposDecember 22, 2020 at 1:51 PM

Lluis CamposDecember 21, 2020 at 7:05 PM

Kristian AmlieDecember 21, 2020 at 12:40 PM

You can add the commits to a separate branch, and list them in this ticket.

Lluis CamposDecember 18, 2020 at 1:24 PM

What about documentation? I was originally thinking that I should update the Mender Docs instructions, but now I realized that these are for dunfell so I should not change it. However, how will be remember to change them before next Yocto update?

Lluis CamposDecember 18, 2020 at 1:21 PM

Fixed

Details

Assignee

Reporter

Labels

Story Points

Priority

Days in progress

0

Fix versions

Sprint

Backlog

yes

Zendesk Support

Checklist

Created December 15, 2020 at 2:56 PM
Updated June 25, 2024 at 12:02 PM
Resolved December 29, 2020 at 1:41 PM

Flag notifications