Open dviator opened 6 years ago
Hi @maevyn11. The CLI is written in node.js, which doesn't use the system-wide certificate store, so adding extra CA certificates is controlled by the NODE_EXTRA_CA_CERTS environment variable.
Have you set that? You'll need to run something like the below to set the variable, before running the CLI:
export NODE_EXTRA_CA_CERTS=~/open-balena/config/certs/root/ca.crt
You may need to change the specific path used, depending on where the cert is stored on your local machine.
cc @dfunckt @thgreasi
Hey @pimterry thanks for your reply.
I have set that as well (with the specific path changed), as that step was called out in the quickstart instructions, but it seems to make no difference.
@maevyn11 apologies if I state the obvious, but let's make sure we're on the same page -- what happens if you do $ cat $NODE_EXTRA_CA_CERTS on the terminal you run the CLI from?
No worries, it comes back with the certificate text for my ca.crt -----BEGIN CERTIFICATE----- blah blah blah -----END CERTIFICATE-----
I think I'm experiencing this.
Once I set NODE_EXTRA_CA_CERTS I was able to balena login successfully.
But when I run balena deploy myApp --logs --source . --emulated I fail with
Get https://registry.augiement.com/v2/: x509: certificate signed by unknown authority
And I confirmed that NODE_EXTRA_CA_CERTS is still correct by cat $NODE_EXTRA_CA_CERTS
@navicore this is Docker complaining because it can't find the cert in the system's trust store. You need to install the cert system-wide as explained in "Install self-signed certificates" here https://www.balena.io/open/docs/getting-started
@dfunckt thx. ya, I missed that, found it and forgot to update this issue that the install then worked great.
@maevyn11 are you still facing this issue after the above clarifications?
I'm also experiencing this issue with an openBalena server using a custom domain name. The server setup went flawlessly, but when attempting to login I get the same error as others. I have installed the balena-cli on an Ubuntu 18.04.1 system and a Mac OS 10.11.6 system. When attempting to login on either I get the error:
SELF_SIGNED_CERT_IN_CHAIN: request to https://api.measuringbroadband.org/login_ failed, reason: self signed certificate in certificate chain
My env variable NODE_EXTRA_CA_CERTS is set correctly. Is there something else I'm missing?
I'm also curious if there is a recommended way to use LetsEncrypt certificates in the setup process for users who are setting up a custom domain.
@thgreasi Yes I'm still experiencing the issue. I think all that was clarified was that my NODE_EXTRA_CA_CERTS env variable was set correctly. Not sure how to proceed with debugging from there.
Regarding using real certs with LetsEncrypt, I found this forum post, but haven't had time to try implementing it. Anyone else here try that?
I have the same problem. I have deleted the old openbalena server and upgraded to the latest version. Now when using balena login:
SELF_SIGNED_CERT_INCHAIN: request to https://api.mydomain.com/login failed, reason: self signed certificate in certificate chain
If you need help, don’t hesitate in contacting us at:
GitHub: https://github.com/balena-io/balena-cli/issues/new Forums: https://forums.balena.io
It would be really helpful if the error message can indicate if the problem is in the client or server side.
@maevyn11 could you provide a bit of info on your workstation for us, mainly:
node -v
npm -v
balena-cli (npm i balena-cli -g assuming you have it globally installed)
env (please remove any sensitive values before posting)
balena login
Here is my system for reference:
TERM_SESSION_ID=w0t0p0:59BA9548-AA38-4AD0-A54A-5CD589236C83
SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.1ExBfXpbW6/Listeners
Apple_PubSub_Socket_Render=/private/tmp/com.apple.launchd.Yu7MQaAUXL/Render
COLORFGBG=12;8
ITERM_PROFILE=Default
XPC_FLAGS=0x0
LANG=en_GB.UTF-8
PWD=/Users/richardb
SHELL=/bin/zsh
TERM_PROGRAM_VERSION=3.2.6
TERM_PROGRAM=iTerm.app
PATH=/usr/local/opt/icu4c/sbin:/usr/local/opt/icu4c/bin:/usr/local/opt/node@11/bin:/Users/richardb/.cargo/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/MacGPG2/bin:/usr/local/share/dotnet:/opt/X11/bin:~/.dotnet/tools:/Library/Frameworks/Mono.framework/Versions/Current/Commands:/Applications/Wireshark.app/Contents/MacOS
DISPLAY=/private/tmp/com.apple.launchd.qPkHBsl5Ug/org.macosforge.xquartz:0
COLORTERM=truecolor
TERM=xterm-256color
HOME=/Users/richardb
TMPDIR=/var/folders/cq/q5_ghwsn7ks0qfysrpm41yq00000gn/T/
USER=richardb
XPC_SERVICE_NAME=0
LOGNAME=richardb
__CF_USER_TEXT_ENCODING=0x0:0:0
ITERM_SESSION_ID=w0t0p0:59BA9548-AA38-4AD0-A54A-5CD589236C83
SHLVL=1
OLDPWD=/Users/richardb
ZSH=/Users/richardb/.oh-my-zsh
PAGER=less
LESS=-R
LSCOLORS=Gxfxcxdxbxegedabagacad
LC_CTYPE=en_GB.UTF-8
NVM_DIR=/Users/richardb/.nvm
NODE_EXTRA_CA_CERTS=/Users/richardb/Projects/open-balena/config/certs/root/ca.crt
_=/usr/bin/env
and for the login:
$ balena login
_ _
| |__ __ _ | | ____ _ __ __ _
| '_ \ / _` || | / __ \| '_ \ / _` |
| |_) | (_) || || ___/| | | || (_) |
|_.__/ \__,_||_| \____/|_| |_| \__,_|
Logging in to openbalena.richbayliss.online
? How would you like to login?
which shows it is authenticating against my openbalena.richbayliss.online domain.
Hi @richbayliss, if it's any help, here is my info:
node@v8.11.4
npm@v6.4.1
balena-cli@v9.5.0
env
TERMINATOR_UUID=urn:uuid:2eca8f42-9d4b-4bdc-ab1e-9ba55d17f0be ANDROID_HOME=/home/ricardo/Android/Sdk XDG_MENU_PREFIX=xfce- LANG=en_US.UTF-8 GDM_LANG=en_US DISPLAY=:0.0 GTK_OVERLAY_SCROLLING=0 COLORTERM=truecolor XDG_VTNR=7 SSH_AUTH_SOCK=/run/user/1000/keyring/ssh MANDATORY_PATH=/usr/share/gconf/xubuntu.mandatory.path GLADE_CATALOG_PATH=: XDG_SESSION_ID=c2 XDG_GREETER_DATA_DIR=/var/lib/lightdm-data/ricardo USER=ricardo GLADE_MODULE_PATH=: BALENARC_BALENA_URL=test.domain.com DESKTOP_SESSION=xubuntu DEFAULTS_PATH=/usr/share/gconf/xubuntu.default.path QT_QPA_PLATFORMTHEME=gtk2 PWD=/home/ricardo/openbalena_project HOME=/home/ricardo SSH_AGENT_PID=1778 QT_ACCESSIBILITY=1 XDG_SESSION_TYPE=x11 XDG_DATA_DIRS=/usr/share/xubuntu:/usr/share/xfce4:/usr/local/share:/usr/share:/var/lib/snapd/desktop:/usr/share TERMINATOR_DBUS_NAME=net.tenshu.Terminator20x1a6021154d881c XDG_SESSION_DESKTOP=xubuntu GLADE_PIXMAP_PATH=: CLUTTER_BACKEND=x11 TERMINATOR_DBUS_PATH=/net/tenshu/Terminator2 SHELL=/bin/bash VTE_VERSION=5202 TERM=xterm-256color XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0 XDG_CURRENT_DESKTOP=XFCE GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1 XDG_SEAT=seat0 SHLVL=1 LANGUAGE=en_US GDMSESSION=xubuntu LOGNAME=ricardo DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus XDG_RUNTIME_DIR=/run/user/1000 XAUTHORITY=/home/ricardo/.Xauthority XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session0 XDG_CONFIG_DIRS=/etc/xdg/xdg-xubuntu:/etc/xdg:/etc/xdg PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/ricardo/Android/Sdk/tools:/home/ricardo/Android/Sdk/platform-tools PS1=\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]$\[\033[33m\]$(parse_git_branch)\[\033[00m\] NODE_EXTRA_CA_CERTS=/home/ricardo/open-balena/config/certs/root/ca.crt SESSION_MANAGER=local/ricardo-laptop:@/tmp/.ICE-unix/1796,unix/ricardo-laptop:/tmp/.ICE-unix/1796 LESSOPEN=| /usr/bin/lesspipe %s _=/usr/bin/env OLDPWD=/home/ricardo
I have also found that if I manually execute the following commands:
NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
sometimes more than once, I am able to do 'balena login' successfully.
Hi @richbayliss
I am still experiencing this issue. Can the balena team provide the system configurations ( Linux OS, node version, npm version, ect) for the test computers they used for balena-cli?
Thank you.
For anyone hitting this issue, can you please cat ~/.resinrc.yml and inspect its contents? They should be:
resinUrl: "mydomain.com"
and not:
{
"resinUrl": "mydomain.com"
}
as the Getting Started guide suggested; that meant the CLI would not respect the setting. (That should be fixed by now.)
Actually, ignore my comment. From the error SELF_SIGNED_CERT_IN_CHAIN: request to https://api.mydomain.us/login_ failed it's clear the CLI is indeed trying to hit the correct server, so what I'm saying is completely irrelevant.
Hey there! I have the exact same problem as @maevyn11. I followed the quickstart instructions and ran into the same issue. My setup: cat $NODE_EXTRA_CA_CERTS shows the correct certificate
node@v8.14.0
npm@v6.4.1
balena-cli@v9.12.2
@siredmar ,
In my case, using Ubuntu, if I execute balena login I see that node throws an error message saying the NODE_EXTRA_CA_CERTS are being skipped.
After I run:
export NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
the "balena login" does not show that message and I am able to login.
I just wanted to write the same. I am able now to login. It was indeed missing read permissions from the user for the NODE_EXTRA_CA_CERTS export.
Edit: Now I got another problem. I put all the installation in an ansible script - did exactly what the getting started said. Now when I try to login I receive:
balena login
13:52:14
_ _
| |__ __ _ | | ____ _ __ __ _
| '_ \ / _` || | / __ \| '_ \ / _` |
| |_) | (_) || || ___/| | | || (_) |
|_.__/ \__,_||_| \____/|_| |_| \__,_|
Logging in to cpee.de
? How would you like to login? Credentials
? Email: balena@hiddendomain.de
? Password: [hidden]
BalenaRequestError: Request error: Unauthorized
If you need help, don't hesitate in contacting us at:
GitHub: https://github.com/balena-io/balena-cli/issues/new
Forums: https://forums.balena.io
I also did a complete cleanup (deleted all docker containers, images and the git repo) and started over from scratch manually with the same result. Can anybody tell me what's going on here?
Edit 2: Got it fixed. The docker volumes from the previous installation were still present containing the root user from the "old" installation. Got rid of them by deleting the volumes for the deleted containers via: $ docker volume prune
The login is working now properly.
I have done everything in the article and I am still experiencing the issue.
One inconsistency that might exist from other installs is that we already have an api.mydomain.edu that can't be changed. So I went into the hosts file on my openBalena install and manually added api.mydomain.edu with the local IP. I am attempting to login to balena directly from the openBalena server shell. Theoretically, this should work just fine, but maybe??
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
LESSCLOSE=/usr/bin/lesspipe %s %s
LANG=en_US.UTF-8
OLDPWD=/root/open-balena
XDG_SESSION_ID=3
USER=root
PWD=/root
HOME=/root
SSH_CLIENT=10.40.2.23 56025 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_TTY=/dev/pts/0
MAIL=/var/mail/root
TERM=xterm
SHELL=/bin/bash
SHLVL=1
LOGNAME=root
XDG_RUNTIME_DIR=/run/user/0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/fortigate.crt
LESSOPEN=| /usr
Still getting
root@balena:~# balena login
_ _
| |__ __ _ | | ____ _ __ __ _
| '_ \ / _` || | / __ \| '_ \ / _` |
| |_) | (_) || || ___/| | | || (_) |
|_.__/ \__,_||_| \____/|_| |_| \__,_|
Logging in to mydomain.edu
? How would you like to login? Credentials
? Email: rpelletier@mydomain.edu
? Password: [hidden]
SELF_SIGNED_CERT_IN_CHAIN: request to https://api.mydomain.edu/login_ failed, reason: self signed certificate in certificate chain
If you need help, don't hesitate in contacting us at:
GitHub: https://github.com/balena-io/balena-cli/issues/new
Forums: https://forums.balena.io
I followed everything in the getting started guide (balena.io/open/docs/getting-started) and did everything suggested in this page and am still getting SELF_SIGNED_CERT_INCHAIN: request to https://api.plasticard.online/login failed, reason: self signed certificate in certificate chain
I have tried both in macosx and ubuntu 18.04 and still the same. My setup: cat $NODE_EXTRA_CA_CERTS shows the correct certificate
MacOSX: node -> v8.11.2 npm -> 6.4.0 balena -> 11.4.1
Ubuntu: node -> v12.5.0 npm -> 6.9.0 balena -> 11.4.1
I did the following already and am still getting the same error:
MacOSX:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/ca.crt
Ubuntu:
sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
export NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
So far it looks like this issue leans towards "troubleshooting" rather than "a bug has been identified that requires fixing". Balena engineers have not been able to reproduce the issue. The openBalena getting started guide was recently updated to improve the distinction between:
The guide was updated as we realised that some users were setting the NODE_EXTRA_CA_CERTS on the server, instead of setting it on the local machine -- please double check this! On the local machine, the NODE_EXTRA_CA_CERTS needs to point to a copy of the ca.crt file.
For anyone (still) facing this issue, please note that the balena support team does not monitor this Github repo, which is used by CLI developers to track bugs and feature requests. The support team monitors the openBalena forum threads and will help with troubleshooting more quickly if a thread is created at: https://forums.balena.io/c/open-balena
Have you tried to reproduce this for workflows using a remote docker engine? I can get self-signed working just fine on my local mac, but not if I use a remote balenaOS as the build engine.
@builtbybrayne, do you mean using the --dockerHost and --dockerPort options of the balena build and balena deploy commands? Such that you would have a 3rd machine/device:
1- openBalena instance / server running Linux
2- Mac laptop as the "local machine"
3- balenaOS device (dev image) running balenaEngine as the "build engine"
Then on the Mac laptop, you would run the balena CLI commands using --dockerHost and --dockerPort to point to balenaEngine on the balenaOS device, but deploy the built image to the openBalena Linux server. Or did you mean some different setup?
I was running into this problem too on my ArchLinux machine. As it turns out, past me had gotten a little too cute with certs and that bit me:
alias balena='NODE_EXTRA_CA_CERTS=~/open-balena/keys/haproxy-certs/ca.pem /usr/bin/balena'
In order to debug, I ran this through strace (which worked since it bypassed my shell). After that, I ran the interactive login prompt (balena login), and read all the environment (cat /proc/{{pid of balena login process}}/environ). At that point I saw the misaligned path to NODE_EXTRA_CA_CERTS.
Trying to step through the quickstart instructions for openBalena here: https://www.balena.io/open/docs/getting-started
My balena login fails with the error
SELF_SIGNED_CERT_IN_CHAIN: request to https://api.mydomain.us/login_ failed, reason: self signed certificate in certificate chain
(Edited out actual domain name for dummy mydomain)
I believe I've followed the getting started guide step by step; the openBalena server is installed on an EC2 instance running Ubuntu 18.04.
I've installed the self signed certs on my mac as instructed, so not sure why having a self signed cert in the chain would be a problem.