Azure / azure-iot-sdk-node

A Node.js SDK for connecting devices to Microsoft Azure IoT services
https://docs.microsoft.com/en-us/azure/iot-hub/

Downstream device not getting connected (when registered through DPS) through edge device #894

Closed amit12cool closed 3 years ago

amit12cool commented 4 years ago

I have registered the edge device with DPS. It was registered successfully and edgeAgent and edgeHub modules ran correctly.

Now, when I registered my downstream device through DPS, the registration was successful using a single enrollment group in DPS.

Till now all good. Now, when I connect my downstream device through the edge gateway connection string HostName=amitedge;DeviceId=amidha-leaf-ca;x509=true I see errors in the edgeHub logs like below:

<4> 2020-09-22 11:19:08.080 +00:00 [WRN] - Error authenticating certificate for amidha-leaf-ca because the certificate thumbprint did not match the primary or the secondary thumbprints.
<6> 2020-09-22 11:19:08.080 +00:00 [INF] - Unable to authenticate client amidha-leaf-ca with cached service identity amidha-leaf-ca. Resyncing service identity...
<4> 2020-09-22 11:19:08.990 +00:00 [WRN] - Error authenticating certificate for amidha-leaf-ca because the certificate thumbprint did not match the primary or the secondary thumbprints.
<6> 2020-09-22 11:19:08.990 +00:00 [INF] - Client amidha-leaf-ca in device scope not authenticated locally.
<3> 2020-09-22 11:19:08.990 +00:00 [ERR] - Unable to generate identity for clientId amidha-leaf-ca and username amitedge/amidha-leaf-ca/?api-version=2019-03-30&DeviceClientType=azure-iot-device%2F1.12.2%20(node%20v12.18.0%3B%20Ubuntu%2018.04%3B%20x64)
<6> 2020-09-22 11:19:08.990 +00:00 [INF] - ClientNotAuthenticated, Client ID: amidha-leaf-ca; Username: amitedge/amidha-leaf-ca/?api-version=2019-03-30&DeviceClientType=azure-iot-device%2F1.12.2%20(node%20v12.18.0%3B%20Ubuntu%2018.04%3B%20x64), 6a9c918a

I'm using this example to connect to the edge device. My options object is like below:

const fs = require('fs');

// Paths to the Edge root CA, the leaf device certificate and its private key
// (edge_ca_cert_path, certFile and keyFile are set for the deployment).
var options = {
  ca : fs.readFileSync(edge_ca_cert_path, 'utf-8'), // root CA so the device trusts edgeHub's TLS server cert
  cert: fs.readFileSync(certFile, 'utf-8'),         // leaf device client certificate (PEM)
  key: fs.readFileSync(keyFile, 'utf-8')            // leaf device private key (PEM)
};

My initial RCA is that DPS uses a SHA256 thumbprint to register the device while the downstream device making the connection through the edge device is using a SHA1 thumbprint.

AB#8360324

jebrando commented 4 years ago

@amit12cool Thank you for the issue we will look into this.

amit12cool commented 4 years ago

@jebrando any updates on this?

BertKleewein commented 4 years ago

@amit12cool - I'm looking at this and I want to make sure I understand your situation. Can you help me with a few answers please:

  1. When you registered your IotEdge device with DPS, did you use an individual enrollment or a group enrollment?
  2. When you registered your leaf (downstream) device, you used an individual enrollment. Is this correct?
  3. What certificate authority did you use to create the leaf device cert? Did you use the Device CA cert or the Workload CA cert?

(reference: https://docs.microsoft.com/en-us/azure/iot-edge/iot-edge-certs#iot-edge-certificates)

elhorton commented 3 years ago

Hi @amit12cool, we are going to close this in the absence of a response, but please reopen if you haven't been able to resolve this. Thanks!
