Certificate verify failed for embedded device

[eddylawsurgere]

I built the pnp bridge with toolchain for embedded device (RFID reader R420) by running build.sh script. Then I ran it on the device. I got error “certificate verify failed”. I had the same error before when I used Azure IoT SDK C. After I added the flag “-Duse_sample_trusted_cert:BOOL=on” in the build.sh script, it’s fixed. But I even added this flag that won’t fix it.

To Reproduce Steps to reproduce the behavior:

1. Download pnp bridge in https://github.com/Azure/iot-plug-and-play-bridge/tree/pnpbridgedev-surgere
2. Follow the steps to install and setup in https://docs.microsoft.com/en-us/azure/iot-pnp/howto-use-iot-pnp-bridge
3. Set the toolchainfile flag to a toolchain file for device reader
4. Put the pnpbridge_bin console app to the device and run it
5. Got error

Error from log

Log

root@SpeedwayR-12-C8-A7:/cust/iot# ./pnpbridge_bin Info: -- Press Ctrl+C to stop PnpBridge

Info: Using default configuration location Info: Starting Azure PnpBridge Info: Pnp Bridge is running as am IoT egde device. Info: Pnp Bridge creation succeeded. Info: Connection_type is [dps] Info: Tracing is disabled Info: IoT Edge Device configuration initialized successfully Info: Building Pnp Bridge Adapter Manager, Adapters & Components Info: Adapter with identity environment-sensor-sample-pnp-adapter does not have any associated global parameters. Proceeding with adapter creation. Info: Pnp Adapter with adapter ID environment-sensor-sample-pnp-adapter has been created. Info: Pnp Adapter Manager created successfully. Info: Pnp components created successfully. Info: Pnp components built in model successfully. Info: Eddy:PnP_CreateDeviceClientHandle Info: Initiating DPS client to retrieve IoT Hub connection information Error: Time:Fri Jan 15 21:19:53 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/deps/azure-iot-sdk-c-pnp/c-utility/adapters/tlsio_openssl.c Func:send_handshake_bytes Line:674 error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Device : Speedyway R420 RFID reader

• OS: Linux
• Cross-compiler

Additional question I have another question. When I set these two flags prov_use_tpm_simulator and use_edge_modules to OFF in build.sh script file and built it, I got error.

Screenshot for error

Log from building

etk@f40df7f55477:~/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/scripts/linux$ ./build_linux32.sh ~/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/cmake/linux32 ~/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/scripts/linux -- The C compiler identification is GNU 9.3.0 -- The CXX compiler identification is GNU 7.5.0 -- Check for working C compiler: /usr/bin/cc -- Check for working C compiler: /usr/bin/cc -- works -- Detecting C compiler ABI info -- Detecting C compiler ABI info - done -- Detecting C compile features -- Detecting C compile features - done -- Check for working CXX compiler: /usr/bin/c++ -- Check for working CXX compiler: /usr/bin/c++ -- works -- Detecting CXX compiler ABI info -- Detecting CXX compiler ABI info - done -- Detecting CXX compile features -- Detecting CXX compile features - done -- Looking for include file stdint.h -- Looking for include file stdint.h - found -- Looking for include file stdbool.h -- Looking for include file stdbool.h - found -- target architecture: x86_64 -- Performing Test CXX_FLAG_CXX11 -- Performing Test CXX_FLAG_CXX11 - Success -- IoT Client SDK Version = 1.3.9 -- Provisioning SDK Version = 1.3.9 CMake Warning (dev) at deps/azure-iot-sdk-c-pnp/deps/umock-c/CMakeLists.txt:13 (option): Policy CMP0077 is not set: option() honors normal variables. Run "cmake --help-policy CMP0077" for policy details. Use the cmake_policy command to set the policy and suppress this warning.

For compatibility with older versions of CMake, option is clearing the
normal variable 'use_cppunittest'.

This warning is for project developers. Use -Wno-dev to suppress it.

-- target architecture: x86_64 -- Found OpenSSL: /usr/lib/x86_64-linux-gnu/libcrypto.so (found version "1.1.1f")
-- Found PkgConfig: /usr/bin/pkg-config (found version "0.29.1") -- Checking for module 'libcurl' -- Found libcurl, version 7.68.0 -- Found CURL: curl
-- target architecture: x86_64 -- iothub architecture: x86_64 -- Configuring done -- Generating done CMake Warning: Manually-specified variables were not used by the project:

  run_valgrind
  use_32bit

-- Build files have been written to: /home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/cmake/linux32 Initial MAKE_CORES=2 VSPACE=5081628 MAKE_CORES=2 Starting run... Sat Jan 16 16:38:19 UTC 2021 Scanning dependencies of target parson Scanning dependencies of target umock_c [ 0%] Building C object deps/azure-iot-sdk-c-pnp/CMakeFiles/parson.dir/deps/parson/parson.c.o [ 1%] Linking C static library libparson.a [ 1%] Built target parson Scanning dependencies of target aziotsharedutil [ 2%] Building C object deps/azure-iot-sdk-c-pnp/deps/umock-c/CMakeFiles/umock_c.dir/src/umock_c.c.o [ 2%] Building C object deps/azure-iot-sdk-c-pnp/deps/umock-c/CMakeFiles/umock_c.dir/src/umock_c_negative_tests.c.o [ 2%] Building C object deps/azure-iot-sdk-c-pnp/deps/umock-c/CMakeFiles/umock_c.dir/src/umockalloc.c.o [ 3%] Building C object deps/azure-iot-sdk-c-pnp/deps/umock-c/CMakeFiles/umock_c.dir/src/umockcall.c.o [ 3%] Building C object deps/azure-iot-sdk-c-pnp/deps/umock-c/CMakeFiles/umock_c.dir/src/umockcallrecorder.c.o ... ... [ 92%] Building C object deps/azure-iot-sdk-c-pnp/iothub_client/CMakeFiles/iothub_client.dir/src/iothub_client_ll_uploadtoblob.c.o [ 92%] Building C object deps/azure-iot-sdk-c-pnp/iothub_client/CMakeFiles/iothub_client.dir/src/blob.c.o [ 93%] Linking C static library libiothub_client.a [ 93%] Built target iothub_client Scanning dependencies of target pnpbridge [ 93%] Building C object src/pnpbridge/CMakeFiles/pnpbridge.dir/src/configuration_parser.c.o [ 93%] Building C object src/pnpbridge/CMakeFiles/pnpbridge.dir/src/iothub_comms.c.o [ 94%] Building C object src/pnpbridge/CMakeFiles/pnpbridge.dir/src/pnpadapter_manager.c.o [ 94%] Building C object src/pnpbridge/CMakeFiles/pnpbridge.dir/src/pnpbridge.c.o [ 94%] Building C object src/pnpbridge/CMakeFiles/pnpbridge.dir/src/utility.c.o [ 95%] Building C object src/pnpbridge/CMakeFiles/pnpbridge.dir/src/pnpadapter_api.c.o [ 95%] Building C object src/pnpbridge/CMakeFiles/pnpbridge.dir/common/pnp_device_client.c.o [ 95%] Building C object src/pnpbridge/CMakeFiles/pnpbridge.dir/common/pnp_dps.c.o /home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/common/pnp_device_client.c: In function 'AllocateModuleClientHandle': /home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/common/pnp_device_client.c:144:35: error: implicit declaration of function 'IoTHubModuleClient_CreateFromEnvironment'; did you mean 'IoTHubModuleClient_CreateFromConnectionString'? [-Werror=implicit-function-declaration] 144 | if ((moduleClientHandle = IoTHubModuleClient_CreateFromEnvironment(MQTT_Protocol)) == NULL) | ^~~~~~~~~~~~ | IoTHubModuleClient_CreateFromConnectionString /home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/common/pnp_device_client.c:144:33: error: assignment to 'IOTHUB_MODULE_CLIENT_HANDLE' {aka 'struct IOTHUB_CLIENT_CORE_INSTANCE_TAG *'} from 'int' makes pointer from integer without a cast [-Werror=int-conversion] 144 | if ((moduleClientHandle = IoTHubModuleClient_CreateFromEnvironment(MQTT_Protocol)) == NULL) | ^ cc1: all warnings being treated as errors make[2]: [src/pnpbridge/CMakeFiles/pnpbridge.dir/build.make:141: src/pnpbridge/CMakeFiles/pnpbridge.dir/common/pnp_device_client.c.o] Error 1 make[2]: Waiting for unfinished jobs.... make[1]: [CMakeFiles/Makefile2:2401: src/pnpbridge/CMakeFiles/pnpbridge.dir/all] Error 2 make: [Makefile:141: all] Error 2 etk@f40df7f55477:~/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/scripts/linux$

[usivagna]

@dipannita08 can you please have a look at this issue?

[dipannita08]

@eddylawsurgere Regarding the cert failure:

• On embedded devices with no OS concept of a trusted certificate store, you could be using a local trusted certificate corresponding to the build flavor in which case, set use_sample_trusted_cert=ON in the build script. If you still see issues with validating the certificate, we can loop in the right people to help resolve this.
• Your PnP bridge log indicates that you are bypassing the handle creation failure (Info: Eddy:PnP_CreateDeviceClientHandle) and allowing the PnP bridge to continue executing, this makes it rather difficult to debug all consecutive errors. Could you please attach the original log with the full traces, so I can make sure there is nothing else that is failing.
• I'll merge the change to consume and set the use_sample_trusted_cert flag from the PnP bridge cmake. Here is the pull request.

Regarding the edge module flag (use_edge_modules):

• Please do not change anything in the build script, the underlying Azure IoT SDK uses this to define container specific APIs such as IoTHubModuleClient_CreateFromEnvironment. Unfortunately this is not documented well, and we are aware of this gap. We plan to improve documentation around this.

[eddylawsurgere]

@dipannita-shaw, @dipannita08 I checkout branch https://github.com/Azure/iot-plug-and-play-bridge/tree/pnpbridgedev-surgere. I attached the build log file from running build.sh script with toolchain file for the reader r420. build_log.txt

Here is the log from running pnpbridge_bin console on the reader device below:

root@SpeedwayR-12-C8-A7:/cust/iot# ls -al drwx------ 2 root root 0 Jan 19 16:20 ./ drwxr-xr-x 6 root root 0 Nov 17 19:37 ../ -rw------- 1 root root 1039 Jan 15 18:34 config.json -rw------- 1 root root 1029 Jan 13 14:49 config_iotc.json -rwxr-xr-x 1 root root 943244 Jan 19 16:20 iothub_ll_telemetry_sample -rwxr-xr-x 1 root root 1053532 Jan 19 20:53 pnp_simple_thermostat -rwxrwxrwx 1 root root 1236996 Jan 15 18:28 pnpbridge -rwxrwxrwx 1 root root 1124400 Jan 20 03:54 pnpbridge_bin -rwxrwxrwx 1 root root 1215112 Jan 15 19:00 pnpbridge_environmentalsensor -rwxr-xr-x 1 root root 1034116 Jan 19 15:59 prov_dev_client_ll_sample -rwxrwxrwx 1 root root 3221848 Jan 15 20:57 sensorlink -rwxrwxrwx 1 root root 750924 Jan 15 18:39 surgere_arm root@SpeedwayR-12-C8-A7:/cust/iot# root@SpeedwayR-12-C8-A7:/cust/iot# root@SpeedwayR-12-C8-A7:/cust/iot# root@SpeedwayR-12-C8-A7:/cust/iot# ./pnpbridge_bin Info: -- Press Ctrl+C to stop PnpBridge

Info: Using default configuration location Info: Starting Azure PnpBridge Info: Pnp Bridge is running as am IoT egde device. Info: Pnp Bridge creation succeeded. Info: Connection_type is [dps] Info: Tracing is disabled Info: IoT Edge Device configuration initialized successfully Info: Building Pnp Bridge Adapter Manager, Adapters & Components Info: Adapter with identity environment-sensor-sample-pnp-adapter does not have any associated global parameters. Proceeding with adapter creation. Info: Pnp Adapter with adapter ID environment-sensor-sample-pnp-adapter has been created. Info: Pnp Adapter Manager created successfully. Info: Pnp components created successfully. Info: Pnp components built in model successfully. Info: Initiating DPS client to retrieve IoT Hub connection information Error: Time:Wed Jan 20 13:29:00 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/deps/azure-iot-sdk-c-pnp/c-utility/adapters/tlsio_openssl.c Func:send_handshake_bytes Line:674 error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed Error: Time:Wed Jan 20 13:29:00 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/deps/azure-iot-sdk-c-pnp/umqtt/src/mqtt_client.c Func:onOpenComplete Line:454 Error: failure opening connection to endpoint Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/deps/azure-iot-sdk-c-pnp/provisioning_client/src/prov_transport_mqtt_common.c Func:mqtt_error_callback Line:139 MQTT communication error Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/deps/azure-iot-sdk-c-pnp/provisioning_client/src/prov_device_ll_client.c Func:on_transport_registration_data Line:771 Failure retrieving data from the provisioning service Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/common/pnp_dps.c Func:provisioningRegisterCallback Line:55 DPS Provisioning callback called with error state 5 Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/common/pnp_dps.c Func:PnP_CreateDeviceClientHandle_ViaDps Line:142 Error registering device for DPS Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/common/pnp_device_client.c Func:AllocateDeviceClientHandle Line:44 Cannot retrieve IoT Hub connection information from DPS client Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/common/pnp_device_client.c Func:PnP_CreateDeviceClientHandle Line:66 Unable to allocate deviceHandle Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/src/iothub_comms.c Func:IotComms_InitializeIotDeviceHandle Line:29 PnP_CreateDeviceClientHandle failed

Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/src/pnpbridge.c Func:PnpBridge_RegisterIoTHubHandle Line:283 IotComms_InitializeIotHandle failed. Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/src/pnpbridge/src/pnpbridge.c Func:PnpBridge_Main Line:379 PnpBridge_RegisterIoTHubHandle failed: 2 Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/deps/azure-iot-sdk-c-pnp/c-utility/adapters/threadapi_pthreads.c Func:ThreadAPI_Join Line:97 (result = THREADAPI_INVALID_ARG (2)) Info: Cleaning Pnp Bridge resources Error: Time:Wed Jan 20 13:29:01 2021 File:/home/etk/Projects/lib_sources/iot-plug-and-play-bridge/pnpbridge/deps/azure-iot-sdk-c-pnp/c-utility/adapters/lock_pthreads.c Func:Lock_Deinit Line:105 pthread_mutex_destroy failed; root@SpeedwayR-12-C8-A7:/cust/iot#

[eddylawsurgere]

@dipannita-shaw, @dipannita08, I think I fixed the issue “Certificate verify failed” for the embedded device.

I modified the file pnp_dps.c to add these codes: 1) Add this include statements on top

ifdef SET_TRUSTED_CERT

include "azure_c_shared_utility/shared_util_options.h"

include "certs.h"

endif

2) Add that code in function “PnP_CreateDeviceClientHandle_ViaDps”

ifdef SET_TRUSTED_CERT

// Setting the Trusted Certificate.  This is only necessary on systems without built in certificate stores.
else if ((provDeviceResult = Prov_Device_SetOption(provDeviceHandle, OPTION_TRUSTED_CERT, certificates)) != PROV_DEVICE_RESULT_OK)
{
    LogError("Unable to set the trusted cert, error=%d", provDeviceResult);
    result = false;
}

endif // SET_TRUSTED_CERT

I successfully ran the pnpbridge_bin console on the device and here is the log.

root@SpeedwayR-12-C8-A7:/cust/iot# ./pnpbridge_bin Info: -- Press Ctrl+C to stop PnpBridge

Info: Using default configuration location Info: Starting Azure PnpBridge Info: Pnp Bridge is running as am IoT egde device. Info: Pnp Bridge creation succeeded. Info: Connection_type is [dps] Info: Tracing is disabled Info: IoT Edge Device configuration initialized successfully Info: Building Pnp Bridge Adapter Manager, Adapters & Components Info: Adapter with identity environment-sensor-sample-pnp-adapter does not have any associated global parameters. Proceeding with adapter creation. Info: Pnp Adapter with adapter ID environment-sensor-sample-pnp-adapter has been created. Info: Pnp Adapter Manager created successfully. Info: Pnp components created successfully. Info: Pnp components built in model successfully. Info: Initiating DPS client to retrieve IoT Hub connection information Info: Provisioning callback indicates success. iothubUri=iotc-c7af64e7-b5fe-405e-880e-6283964253d0.azure-devices.net, deviceId=eddytest01 Info: DPS successfully registered. Continuing on to creation of IoTHub device client handle. Info: Connected to Azure IoT Hub Info: Environmental Sensor: Starting Pnp Component Info: IoTHub client call to _SendReportedState succeeded Info: Environmental Sensor Adapter:: Sending device information property to IoTHub. propertyName=state, propertyValue=true Info: Pnp components started successfully. Info: IoTHub client call to _SendEventAsync succeeded Info: Processing property update for the device or module twin Info: PropertyCallback called, result=204, property name=state Info: PnpBridge_PnpBridgeStateTelemetryCallback called, result=0, telemetry=PnpBridge configuration complete Info: Environmental Sensor Adapter:: Successfully delivered telemetry message for Info: IoTHub client call to _SendEventAsync succeeded Info: Environmental Sensor Adapter:: Successfully delivered telemetry message for Info: IoTHub client call to _SendEventAsync succeeded

[eddylawsurgere]

In addition, add the certs.c and certs.h files in the CMakeLists to build too.