You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While testing balenaMachine, we have seen that an initial run of os-config fails to fetch configuration due to an invalid certificate, while a re-run works.
os-config since v0.0.2 in commit 2216099c6b85d3344bd831f9720ca33de7ba5651 has support for custom CA certificates, reading balenaRootCA and using it to fetch the configuration.
Then OS wide CA certificate support was added in meta-balena commit 2218cb2.
Upon analysis, this seems to be a race condition between update-ca-certificates and os-config.
we run os-config
it creates a reqwest::Client instance for fetching from remote url
we attach root certificate to that object
we start fetching in a loop
somewhere he update-ca-certificates is run in parallel in the OS
we continue to fail in the above loop because the reqwest::Client instance is not recreated on each fetch
The proposed solution is to order extract-balena-ca before os-config update and drop support for balenaRootCA from os-config. And at the same time ensure we restart extract-balena-ca during a join operation.
Two steps:
we order extract-balena-ca before os-config update
This is the MVP. os-config still passes the certificate, and join has no issues. This is just a PR to meta-balena.
drop support for balenaRootCA from os-config
This work can then happen exclusively in os-config. It also needs to:
ensure we restart extract-balena-ca during a join operation
if a config.json with a new balenaRootCA is provided:
Make sure the provided root CA can access the API endpount
replace any balenaRootCA in the current config.json with the new one
The text was updated successfully, but these errors were encountered:
While testing balenaMachine, we have seen that an initial run of
os-configfails to fetch configuration due to an invalid certificate, while a re-run works.Upon analysis, this seems to be a race condition between update-ca-certificates and os-config.
The proposed solution is to order
extract-balena-cabeforeos-config updateand drop support forbalenaRootCAfromos-config. And at the same time ensure we restart extract-balena-ca during a join operation.Two steps:
extract-balena-cabeforeos-configupdateThis is the MVP. os-config still passes the certificate, and join has no issues. This is just a PR to meta-balena.
This work can then happen exclusively in
os-config. It also needs to:config.jsonwith a newbalenaRootCAis provided:balenaRootCAin the currentconfig.jsonwith the new oneThe text was updated successfully, but these errors were encountered: