mender-inventory-mender-configure script does not run correctly on Raspberry Pi image

Description

It exits with error code 60, which according to the curl man page is "Peer certificate cannot be authenticated with known CA certificates.". Not sure exactly what the problem is, because mender-connect also uses system-wide CA certificates, and connects just fine. Maybe mender-connect and curl do not get the certificates from the same pool.


Activity

eystein.maloy.stenberg April 9, 2021 at 4:57 PM

I figured my solution would turn out to be too hacky as usual.

Kristian Amlie April 9, 2021 at 7:28 AM

Thanks, Eystein, we figured out that this was because multi-cert files do not support hashed symlinks, which curl uses to look up certificates. The solution was to split the certificate into two separate files. This works for the demo certificates, and all certificates used with Yocto. It also means that it works for all programs using the trust store, including hardware security.

The only place it does not work is if adding a production certificate using mender-convert. However, since it seems that one certificate per file is the norm, it would be better to change our instructions to use this instead. This is indirectly already on its way here. For now, let's just handle this on a case by case basis on Mender Hub if it comes up.

eystein.maloy.stenberg April 8, 2021 at 9:16 PM

Did you try "curl --cacert cacert.pem ..."?

Something like this:

  • Extract the "Certificate" (path) set in mender.conf
    1) If not set: Use the command we already use
    2) If set:
       • Potentially: Convert it into a format curl can use
       • curl --cacert path-to-cert-in-mender-conf.pem ...other-options

If it works it would solve this particular issue both for demo and self-signed certs without changing the trust store (so the only thing left potentially for future would be hardware security, but we currently don't support server certs in hardware, only client).

https://stackoverflow.com/questions/27611193/use-self-signed-certificate-with-curl

eystein.maloy.stenberg April 8, 2021 at 9:11 PM

I see now what you mean: https://github.com/mendersoftware/mender-configure-module/blob/master/src/mender-inventory-mender-configure#L61

Though this isn't just the case for the demo certificate, what if I have set my own "Certificate" in mender.conf? Or worse, am using hardware security? Those are less likely to happen, I just think this issue will surface again later in some form if we only fix it for the demo certificate. The "real" solution is probably to have the Mender client report this natively, but I do recall that there were some significant obstacles to that (was it reported too frequently?) and so we can't make it a dependency for the release.

So I suppose for now we can just fix it for the demo cert and we'll need a followup to redesign this I think.

Kristian Amlie April 6, 2021 at 11:20 AM

This didn't work. Even though the certificate is present, curl still fails. I even tried to run sudo update-ca-certificates but it still doesn't work. I'm not sure what it takes...

Fixed

Days in progress: 3

Backlog: yes

Created March 29, 2021 at 2:22 PM
Updated June 25, 2024 at 12:02 PM
Resolved April 9, 2021 at 8:50 AM