Unknown CA error for custom NervesHub instance

After setting up a custom NervesHub instance, I am able to create devices and products and add certificates via the web UI. However, whenever I try to create them via the command line, e.g.:

mix nerves_hub.product create

I am getting this error:
Unhandled error: {:error, {:tls_alert, {:unknown_ca, 'TLS client: In state wait_cert at ssl_handshake.erl:1838 generated CLIENT ALERT: Fatal - Unknown CA\n'}}}

This is a staging setup and the domains are as follows:

  1. www.staging.mydomain.com - we are able to access this via the browser and it shows a valid certificate issued by AWS.
  2. api.staging.mydomain.com - it shows the certificate is signed by NervesHub (as I deployed the NH custom instance after creating an initial key chain via the nerves_hub repo), and the browser also shows a privacy warning. I had to add an exception to access this web page.
  3. device.staging.mydomain.com - same as no. 2 above.

I have tried this from both Mac and Linux after adding the certificates generated by NervesHub to the trusted store. In code, I am telling it to load all these certificates from:
ca_certs = Path.expand("../ssl/prod", __DIR__)

I don't know if this error is due to the self-signed certs or something else. Is there any way I can resolve this error so that I can run these commands from my terminal against the custom NervesHub instance, and so that later, after creating and installing an image on our device, it is also able to communicate with our custom NervesHub instance?

Currently we are trying to achieve this without NervesKey.

The API request still doesn't have the CA certs it needs. So the real question here is: what are you doing with the ca_certs variable after you create it? Just assigning the variable doesn't really help us know where it is.

I’d also check out the doc here https://docs.nerves-hub.org/v/main/nerves-hub/setup/connecting-other-envs

Specifically, you need the config :nerves_hub_user_api, ca_certs: ca_certs portion in order for your CLI requests to succeed

Thank you @jjcarstens I will share the details and code portion from our config.

# config option #1
ca_certs = Path.expand("../ssl/prod", __DIR__)

config :nerves_hub_link,
  device_api_host: "device.staging.customdomain",
  device_api_sni: 'device.staging.customdomain',
  device_api_port: 443,
  ca_certs: ca_certs

config :nerves_hub_user_api,
  host: "api.staging.customdomain",
  port: 443,
  socket: [
    json_library: Jason,
    heartbeat_interval: 45_000
  ],
  ssl: [
    server_name_indication: 'api.staging.customdomain',
    log_level: :debug
  ],
  fwup_public_keys: [:devkey],
  ca_certs: ca_certs

With this option #1, I am getting the error shared in my original post.

# config option #2
ca_certs = Path.expand("../ssl/prod", __DIR__)

config :nerves_hub_link,
  device_api_host: "device.staging.customdomain",
  device_api_sni: 'device.staging.customdomain',
  device_api_port: 443,
  ca_certs: ca_certs

config :nerves_hub_user_api,
  host: "api.staging.customdomain",
  port: 443,
  server_name_indication: "api.staging.customdomain",
  fwup_public_keys: [:devkey],
  ca_certs: ca_certs

With this option #2, I am getting this error:

Unhandled error: {:error, {:options, {:server_name_indication, "api.staging.customdomain"}}}

This directory ../ssl/prod/ contains all the certs that were generated by the following command and later used in the deployment by Terraform on AWS:

mix nerves_hub_ca.init --path path/to/nerveshub-terraform/ssl/staging

As I am not sure which cert files to place in ssl/prod, I copied all of them except for the keys. Do we need to place only certain cert files there, or is there another cert I am missing that is causing these errors?

Option #2 is what you want. At this point, the error you are getting is probably a mismatch of what is configured in your CA and what you have listed in the server_name_indication option.

For that, you're just going to need to inspect the cert and server setup to make sure the SNI is what you expect it to be on both ends. This error is showing that nerves_hub_cli and nerves_hub_user_api are set up correctly and using what they are told - the settings just happen to not match what the server is expecting.
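
The two checks the answer above asks for (does the client's CA file actually contain the issuer of the api.* certificate, and does the name sent as SNI match a name in that certificate) can be rehearsed offline before touching the real instance. The script below is an added example, not code from this thread or from NervesHub: it builds a throwaway CA with openssl, issues a server certificate from it, and then runs the same two verifications a TLS client performs. The names demo-ca, other-ca and api.staging.example.test are placeholders standing in for the CA produced by mix nerves_hub_ca.init and for the api.* host; point the verify and x509 commands at your own ssl/ directory and the certificate the server presents to get the real answer.

```shell
#!/bin/sh
# Added example, not code from the thread or from NervesHub: build a throwaway
# CA with openssl and reproduce, offline, the two TLS failures discussed above
# so they can be told apart. The names (demo-ca, other-ca,
# api.staging.example.test) are placeholders for the CA that
# "mix nerves_hub_ca.init" generates and for the api.* host.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
# Subjects are always passed with -subj, so the [dn] section is only a placeholder.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA named $1 (key and cert land in $WORK/$1.key and $WORK/$1.crt).
gen_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Server certificate for DNS name $1, signed by CA $2. The subjectAltName is
# what a TLS client compares against the SNI / host it was told to connect to.
gen_server_cert() {
  printf 'subjectAltName=DNS:%s\n' "$1" >"$WORK/san.ext"
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when server.crt chains to CA $1. A failure here is the openssl view of
# the Erlang "unknown_ca" alert: the trust store handed to the client lacks the issuer.
verify_chain() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when server.crt chains to CA $2 AND is valid for hostname $1. Failing
# this while verify_chain passes means the name sent as SNI is not in the cert.
verify_hostname() {
  openssl verify -CAfile "$WORK/$2.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# The DNS names the server cert was issued for. Run the same x509 command on
# the certificate your api.* host serves to see what server_name_indication must be.
cert_dns_names() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

gen_ca demo-ca
gen_ca other-ca
gen_server_cert api.staging.example.test demo-ca

echo "server cert issued for: $(cert_dns_names)"
if verify_chain demo-ca; then echo "CAfile=demo-ca:  chain OK"; fi
if ! verify_chain other-ca; then echo "CAfile=other-ca: unknown CA (issuer not in the CA file)"; fi
if verify_hostname api.staging.example.test demo-ca; then echo "SNI api.staging.example.test: OK"; fi
if ! verify_hostname www.staging.example.test demo-ca; then echo "SNI www.staging.example.test: hostname mismatch"; fi
```

Two things worth separating when reading the results. The unknown_ca alert in the original post is the first failure above: whatever ca_certs points at, the certificate that signed api.* is not among the files the client loads, so checking that directory with openssl verify -CAfile against the served certificate is the quickest way to confirm which file is missing. The {:options, {:server_name_indication, "api.staging.customdomain"}} error from option #2 is different in kind: it is Erlang's :ssl rejecting the option value before any connection is attempted, because :ssl takes server_name_indication as a charlist ('api.staging.customdomain', as option #1 wrote it) or the atom :disable, not an Elixir binary string. Only once the option is accepted does the hostname check above come into play, and then the name sent as SNI has to be one of the DNS names in the served certificate.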

Thank you @jjcarstens

Yes, it seems so, because on the server the certificate for staging.customdomain.com is issued by AWS, but for api.staging.customdomain.com it shows the certificate as issued by NervesHub (it seems to be the one generated with mix nerves_hub_ca.init --path path/to/nerveshub-terraform/ssl/staging).