Requirements


Working with Firewalls

For Mender to work correctly, firewalls must allow outgoing connections to the following URLs for the listed access types:

Hosted Mender access: Devices, APIs and browser access

  • https://hosted.mender.io
  • https://*.hosted.mender.io

Artifact storage access: Devices, APIs and browser access

  • https://s3.amazonaws.com/hosted-mender-artifacts
  • https://hosted-mender-artifacts.s3.amazonaws.com
  • https://c271964d41749feb10da762816c952ee.r2.cloudflarestorage.com

Amazon S3 IAM policies

Only required for on-premise installation

A minimum policy set to use an Amazon S3 bucket to store Mender Artifacts is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetAccessPoint",
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::BUCKET-NAME"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::BUCKET-NAME/*"
        }
    ]
}
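A drift check for the policy above, as an added example (not Mender's own code): it confirms that `s3:*` stays confined to the one bucket and its objects, and that only the two listed actions are granted on `"*"`. The function and variable names are hypothetical, and `BUCKET-NAME` is the page's placeholder.

```python
import json

BUCKET = "BUCKET-NAME"  # placeholder used on the page; substitute the real bucket
ACCOUNT_WIDE_OK = {"s3:GetAccessPoint", "s3:ListAllMyBuckets"}  # allowed on "*"

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(text, bucket=BUCKET):
    """Return findings; an empty list means the policy matches the documented scope."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. a trailing comma after the last statement
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    allowed_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings, covered = [], set()
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = set(as_list(st.get("Action", [])))
        for res in as_list(st.get("Resource", [])):
            if res in allowed_arns:
                if "s3:*" in actions:
                    covered.add(res)
            elif res != "*":
                findings.append(f"statement {i}: grants access outside the bucket: {res}")
            elif actions - ACCOUNT_WIDE_OK:
                extra = sorted(actions - ACCOUNT_WIDE_OK)
                findings.append(f"statement {i}: {extra} allowed on all resources")
    findings += [f"missing s3:* on {arn}" for arn in sorted(allowed_arns - covered)]
    return findings

def stmt(actions, resource):
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

# The policy from the page, rebuilt as a dict (constructed sample input).
DOCUMENTED = json.dumps({"Version": "2012-10-17", "Statement": [
    stmt(["s3:GetAccessPoint", "s3:ListAllMyBuckets"], "*"),
    stmt(["s3:*"], f"arn:aws:s3:::{BUCKET}"),
    stmt(["s3:*"], f"arn:aws:s3:::{BUCKET}/*")]})
# Constructed drift: s3:* widened to every resource, object ARN dropped.
DRIFTED = json.dumps({"Version": "2012-10-17", "Statement": [
    stmt(["s3:*"], "*"),
    stmt(["s3:*"], f"arn:aws:s3:::{BUCKET}")]})

if __name__ == "__main__":
    for name, doc in (("documented", DOCUMENTED), ("drifted", DRIFTED)):
        print(name, audit_policy(doc) or "OK")
```

The check only inspects `Allow` statements with plain `Action` and `Resource` keys; policies using `NotAction`, `NotResource` or conditions need a fuller evaluator.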

Root CAs used in hosted Mender

The certificates of hosted Mender servers currently chain to the following Root Certificate Authorities (CAs):

Hosted Mender access: Devices, APIs and browser access

  • https://hosted.mender.io

Artifact storage access: Devices, APIs and browser access

  • https://s3.amazonaws.com/hosted-mender-artifacts
  • https://hosted-mender-artifacts.s3.amazonaws.com
  • https://c271964d41749feb10da762816c952ee.r2.cloudflarestorage.com

Warning: The provider may change the CA chains without notice for security reasons (renewal, revocation). Please ensure that your devices are able to update their Root CA store.

We don't recommend pinning the Root CA in your devices.

We do recommend using the Root CA store of the device's OS and keeping it up-to-date.
