balena-io / balena-cli

The official balena CLI tool.
Apache License 2.0

Deploy incorrectly shows as "succeeded" if certificates are invalid with x509 self-signing error #1051

Open bandrews opened 5 years ago

bandrews commented 5 years ago

While trying to deploy my first image to a new OpenBalena instance, installed using the quickstart guide, I made the mistake of not registering my self-signed root certificate with the system certificate store. As a result, the proper certificate was only accessible to node.js, not to docker or other applications. This left me in a state where I had enough trust to log into the server and attempt a deployment, but not enough to complete it successfully.

Unfortunately, when the failure occurred, balena-cli didn't detect it correctly, and pronounced the deployment successful:

user@machine:~/balenaos-sample$ balena deploy myapp --logs --source . --emulated
[Info] Creating default composition with source: /home/user/balenaos-sample
[Info] Everything is up to date (use --build to force a rebuild)
[Info] Creating release...
[Info] Pushing images to registry...
Progress error: Get https://registry.myserver.com/v2/: x509: certificate signed by unknown authority
[Info] Saving release...
[Success] Deploy succeeded!
[Success] Release: 556ecac786d43a84927efb0441cb41a7

                        \
                         \
                          \\
                           \\
                            >\/7
                        _.-(6'  \
                       (=___._/` \
                            )  \ |
                           /   / |
                          /    > /
                         j    < _\
                     _.-' :      ``.
                     \ r=._\        `.
                    <`\\_  \         .`-.
                     \ r-7  `-. ._  ' .  `\
                      \`,      `-.`7  7)   )
                       \/         \|  \'  / `-._
                                  ||    .'
                                   \\  (
                                    >\  >
                                ,.-' >.'
                               <.'_.''
                                 <'

I missed the bolded error, and assumed the deployment had completed successfully due to the italicized portion - which caused me to lose a fair bit of time troubleshooting on the device side. Eventually, I saw 404 errors on registry.myserver.com that led me to discover the root cause.

To save future users this hassle, balena-cli should detect this situation and at a minimum mark the deployment as failed, not showing the success artwork. Ideally, it would also provide helpful information about how to install a self-signed CA into the root store (potentially also pointing out that a docker restart is necessary to pick up any changes you may have made).
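A guard for pipelines that still run an affected CLI version, as an added example that is not part of the original issue or of balena-cli's code: it scans captured "balena deploy" output for the "Progress error:" line shown in the log above and treats the run as failed even when the success banner is printed. The function and field names are hypothetical, and the sample input is constructed from the log lines quoted in this issue.

```javascript
// Added example (not balena-cli code). Names such as auditDeployOutput are hypothetical.

// Constructed sample input, built from the log lines quoted in the issue.
const SAMPLE_OUTPUT = [
  '[Info] Creating release...',
  '[Info] Pushing images to registry...',
  'Progress error: Get https://registry.myserver.com/v2/: x509: certificate signed by unknown authority',
  '[Info] Saving release...',
  '[Success] Deploy succeeded!',
  '[Success] Release: 556ecac786d43a84927efb0441cb41a7',
].join('\n');

const TLS_TRUST_ERROR = /x509: certificate signed by unknown authority/;

// Scan captured deploy output and report push errors that contradict the success banner.
function auditDeployOutput(output) {
  const findings = [];
  let claimedSuccess = false;

  for (const raw of output.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith('[Success] Deploy succeeded')) claimedSuccess = true;

    const match = /^Progress error:\s*(.*)$/.exec(line);
    if (!match) continue;

    const detail = match[1];
    // Pull out the registry host so the operator knows whose CA is untrusted.
    const url = /https?:\/\/\S+/.exec(detail);
    let host = null;
    if (url) {
      try {
        host = new URL(url[0].replace(/:$/, '')).hostname;
      } catch {
        host = null; // unparsable URL: keep the raw detail only
      }
    }
    findings.push({ detail, host, tlsTrust: TLS_TRUST_ERROR.test(detail) });
  }

  return {
    claimedSuccess,
    findings,
    ok: claimedSuccess && findings.length === 0,
    falseSuccess: claimedSuccess && findings.length > 0,
  };
}

console.log(JSON.stringify(auditDeployOutput(SAMPLE_OUTPUT), null, 2));
```

In a CI job, exit non-zero whenever ok is false; a finding with tlsTrust set points at the registry CA missing from the trust store that Docker uses.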

mkol5222 commented 5 years ago

I can confirm your user experience: I also overlooked the "certificate signed by unknown authority" warning, because the whole process finishes with a FALSE success state. Solved by sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/ca.crt on macOS (adding the CA of openBalena as a trusted root CA).

I was also not aware that a Docker restart is needed to accept a new root CA.

@bandrews Many thanks for posting this.

pdcastro commented 4 years ago

I suspect this issue was fixed in CLI v9.15.5 and later (currently at v11.18.2), thanks to pull requests #1147 and balena-io-modules/docker-progress/pull/50. This needs further testing to confirm, though.