Closed SLdragon closed 5 years ago
FWIW I've been working on this as well, and I have the suspicion that the certificate expiry math is missing a constant so that it's expiring in X hours instead of X days or similar.
Just wanted to leave a comment since I came across this github issue while searching for that particular error.
In our case the problem was that the service being authenticated (iotedge for us) seems to strip underscores out of device hostnames.
So we had a device with underscores in the name and provisioned a certificate with that hostname. The framework then stripped the underscores, so the hostname no longer matched the one the certificate was provisioned for, causing a generic TLS Authentication Error.
Again this might not be the cause in your particular case, but I wanted to leave something here in case others with the same issue stumble on this thread.
@SLdragon,
Are the certificates generated every time there is a new run or how are they generated? It might be similar to an issue that we had with quick start certs and got fixed by adding authorityKeyIdentifier to the certificates extension. You can find here the configuration for openssl that we use: https://github.com/Azure/iotedge/blob/master/tools/CACertificates/openssl_root_ca.cnf
This issue happens when multiple certs are generated for the same device and, on Linux, the SDK installs the trusted root in the dotnet trust store. Sometimes dotnet can't build the cert chain correctly because it can't find the correct root; if the certs contain authorityKeyIdentifier, the chain is built correctly.
Thank you @ancaantochi for your information. As @adashen discussed with me yesterday, she also found that if we clear the cert folder (~/.dotnet/corefx/cryptography/x509stores/root) on Linux and then reset the cert, the sample works.
I am not sure whether it is related to the dotnet runtime or the IoT C# SDK, so are there any plans to fix this issue from the IoT C# SDK side to let it choose the right certificate?
@SLdragon, I think the issue is in dotnet core; to be able to correctly construct the chain, the certs have to be generated with the authorityKeyIdentifier extension.
Removing the certs from x509stores is a good workaround.
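A self-contained check for the authorityKeyIdentifier advice above, added here as an example and not taken from the iotedge project's openssl_root_ca.cnf or the SDK: it mints a test root CA and a device certificate from constructed extension sections, then confirms that the leaf's AKI names the CA's SKI and that openssl can build the chain. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH; the device name and CA subject are made up.

```shell
# Added example, not from the thread: mint a root CA and a device cert that carry
# subjectKeyIdentifier / authorityKeyIdentifier, then check that the device cert's
# AKI equals the issuing CA's SKI and that openssl can build the chain. Needs openssl.
set -eu
# Extension sections (constructed for this example, not the iotedge config)
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Test Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}
# make_certs DIR: self-signed root CA plus a device leaf signed by it
make_certs() {
  write_config "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=device-01" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 30 -extfile "$1/ca.cnf" -extensions leaf_ext -out "$1/leaf.pem" 2>/dev/null
}
# key_id CERT Subject|Authority: hex key identifier, empty when the extension is absent
key_id() {
  openssl x509 -in "$1" -noout -text | grep -A1 "$2 Key Identifier" \
    | tail -n 1 | tr -d ' \t' | sed 's/^keyid://'
}
# chain_ok DIR: succeeds only if the leaf's AKI names the CA's SKI and verify passes
chain_ok() {
  aki=$(key_id "$1/leaf.pem" Authority)
  [ -n "$aki" ] && [ "$aki" = "$(key_id "$1/ca.pem" Subject)" ] || return 1
  openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}
WORK=$(mktemp -d)
make_certs "$WORK"
if chain_ok "$WORK"; then echo "leaf AKI matches CA SKI; chain verifies"; else echo "chain broken"; fi
```

Running `key_id` against a device cert from an older provisioning run that prints nothing for `Authority` is the quick way to tell whether this thread's fix applies to it.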
@SLdragon Since this looks like a dotnet core limitation on Linux, there isn't much we can do from the SDK side.
Please try using the above suggested solution of generating certificates with authorityKeyIdentifier extension, which will assist in the correct certificate chain construction.
Closing this issue; in case you continue hitting an error even with the above solution, please reopen another issue and let us know.
Thanks!
@JetstreamRoySprowl, @drewf7, @ancaantochi, @SLdragon, @abhipsaMisra, thank you for your contribution to our open-sourced project! Please help us improve by filling out this 2-minute customer satisfaction survey