balena-cli: SELF_SIGNED_CERT_IN_CHAIN: request to https://api.mydomain.us/login_ failed

Hi @maevyn11. The CLI is written in node.js, which doesn’t use the system-wide certificate store, so adding extra CA certificates is controlled by the NODE_EXTRA_CA_CERTS environment variable.

Have you set that? You’ll need to run something like the below to set the variable, before running the CLI:

export NODE_EXTRA_CA_CERTS=~/open-balena/config/certs/root/ca.crt

You may need to change the specific path used, depending on where the cert is stored on your local machine.

cc @dfunckt @thgreasi

I was running into this problem too on my ArchLinux machine. As it turns out, past me had gotten a little too cute with certs and that bit me:

alias balena='NODE_EXTRA_CA_CERTS=~/open-balena/keys/haproxy-certs/ca.pem /usr/bin/balena'

In order to debug, I ran this through strace (which worked since it bypassed my shell). After that, I ran the interactive login prompt (balena login), and read all the environment (cat /proc/{{pid of balena login process}}/environ). At that point I saw the misaligned path to NODE_EXTRA_CA_CERTS.

I followed everything in getting started guide (balena.io/open/docs/getting-started) and did everything suggested in this page and still getting SELF_SIGNED_CERT_IN_CHAIN: request to https://api.plasticard.online/login_ failed, reason: self signed certificate in certificate chain

I have tried both in macosx and ubuntu 18.04 and still the same. My setup: cat $NODE_EXTRA_CA_CERTS shows the correct certificate MacOSX: node -> v8.11.2 npm -> 6.4.0 balena -> 11.4.1

Ubuntu: node -> v12.5.0 npm -> 6.9.0 balena -> 11.4.1

I did the following already and still getting the same error: MacOSX: sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/ca.crt

Ubuntu: sudo cp ca.crt /usr/local/share/ca-certificates/ca.crt sudo update-ca-certificates export NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/ca.crt sudo update-ca-certificates