Open bandrews opened 5 years ago
I can confirm your user experience: I have also overlooked the "certificate signed by unknown authority" warning, because the whole process finishes with a FALSE success state. Solved by `sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/ca.crt` on macOS (adding the CA of openBalena as a trusted root CA).
I was also not aware that a Docker restart is needed to accept the new root CA.
@bandrews Many thanks for posting this.
I suspect this issue was fixed in CLI v9.15.5 and later (currently at v11.18.2), thanks to pull requests #1147 and balena-io-modules/docker-progress/pull/50. This needs further testing to confirm, though.
While trying to deploy my first image to a new OpenBalena instance, installed using the quickstart guide, I made the mistake of not registering my self-signed root certificate with the system certificate store. As a result, the proper certificate was only accessible to node.js, not to docker or other applications. This left me in a state where I had enough trust to log into the server and attempt a deployment, but not enough to complete it successfully.
Unfortunately, when the failure occurred, balena-cli didn't detect it correctly, and pronounced the deployment successful:
```
user@machine:~/balenaos-sample$ balena deploy myapp --logs --source . --emulated
[Info] Creating default composition with source: /home/user/balenaos-sample
[Info] Everything is up to date (use --build to force a rebuild)
[Info] Creating release...
[Info] Pushing images to registry...
Progress error: Get https://registry.myserver.com/v2/: x509: certificate signed by unknown authority
[Info] Saving release...
[Success] Deploy succeeded!
[Success] Release: 556ecac786d43a84927efb0441cb41a7
```
I missed the bolded error, and assumed the deployment had completed successfully due to the italicized portion - which caused me to lose a fair bit of time troubleshooting on the device side. Eventually, I saw 404 errors on registry.myserver.com that led me to discover the root cause.
To save future users this hassle, balena-cli should detect this situation and at a minimum mark the deployment as failed, not showing the success artwork. Ideally, it would also provide helpful information about how to install a self-signed CA into the root store (potentially also pointing out that a docker restart is necessary to pick up any changes you may have made).
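A wrapper-side check for the failure mode reported above, as an added example that is not part of the original issue or of balena-cli. The function names (`check_deploy_log`, `failed_log`, `clean_log`) are hypothetical, and the matched strings are taken only from the log in the report, so treating them as the complete set of error markers is an assumption.

```shell
#!/bin/sh
# Added example (not balena-cli code): judge a deploy by its whole output,
# not by the final "[Success]" banner. Match strings come from the report.

# Reads deploy output on stdin. Returns 0 = clean success, 1 = an error line
# was seen (failed, even if a banner follows), 2 = no success banner at all.
check_deploy_log() {
    errors=0; success=0; tls=0
    while IFS= read -r line; do
        case "$line" in
            *"Progress error:"*) errors=$((errors + 1)) ;;
        esac
        case "$line" in
            *"x509: certificate signed by unknown authority"*) tls=1 ;;
        esac
        case "$line" in
            "[Success] Deploy succeeded!"*) success=1 ;;
        esac
    done
    if [ "$errors" -gt 0 ]; then
        echo "deploy FAILED: $errors error line(s) in output" >&2
        if [ "$tls" -eq 1 ]; then
            echo "hint: registry CA is not in the system trust store;" >&2
            echo "      install it, then restart Docker" >&2
        fi
        return 1
    fi
    if [ "$success" -ne 1 ]; then
        echo "deploy FAILED: no success banner seen" >&2
        return 2
    fi
    return 0
}

# Output from the report above, prompt and first two lines omitted.
failed_log() {
    cat <<'EOF'
[Info] Creating release...
[Info] Pushing images to registry...
Progress error: Get https://registry.myserver.com/v2/: x509: certificate signed by unknown authority
[Info] Saving release...
[Success] Deploy succeeded!
[Success] Release: 556ecac786d43a84927efb0441cb41a7
EOF
}

# Constructed: the same run without the registry push error.
clean_log() { failed_log | grep -v '^Progress error:'; }

failed_log | check_deploy_log || echo "exit status: $?"
```

In real use, pipe the CLI's combined output through it, for example `balena deploy myapp --logs --source . 2>&1 | tee deploy.log | check_deploy_log`, and gate any later step on the exit status.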