Azure / iotedge-eflow

Azure IoT Edge for Linux on Windows
https://aka.ms/azeflow-docs
MIT License

Can't Connect Downstream Device Using X.509 Certificates #208

Closed scout208 closed 1 year ago

scout208 commented 1 year ago

Describe the Problem According to the documentation, it seems that adding x509=true; to the device connection string should set up the connection to use X.509 certificate authentication; however, this results in an error (see screenshot below) when trying to access any of the methods on the device client, such as SetMethodHandlerAsync().

To Reproduce Steps to reproduce the behavior:

  1. Using the LeafDeviceUWPApp sample, modify it by adding x509=true; to the device connection string.
  2. Run the sample app.
  3. Observe that sending a message results in a 'NullReferenceException' error.

Expected behavior The app should not throw any errors.

Screenshots: [image]

Windows Host OS (please complete the following information):

fcabrera23 commented 1 year ago

Hi @scout208,

Thanks for sharing this issue. I'll transfer the issue to the IoT Edge team (owner of this feature).

Thanks, Francisco

nyanzebra commented 1 year ago

Hi @scout208, yes, the null exception is not super useful in saying what is happening. My guess is you are wanting to do something similar to this: https://github.com/Azure/iotedge/blob/main/samples/dotnet/EdgeDownstreamDevice/Program.cs

Where you put in your custom connection string with x509=true. I assume you have all the certs created and installed correctly? Also would you mind using openssl to verify the certs look correct?

If everything looks correct and the following example works, then I can try to see if our SDK team can take over and provide a better error at the least; otherwise there might be a bigger problem.
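The linked sample authenticates with the identity certificate object rather than with a connection string. The following is an added example (not code from this repository or from the linked sample) of that pattern for a downstream device behind an EFLOW gateway, written against the Microsoft.Azure.Devices.Client SDK. The hub name, device id, gateway hostname, PFX path and password are constructed placeholders; the gateway's root CA is assumed to already be in the Windows Trusted Root store, as described later in this thread.

```csharp
using System;
using System.Text;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Client;

// Constructed placeholder values: replace with your own hub, device id, gateway and certificate.
const string IotHubHostName = "myiothub.azure-devices.net";
const string DeviceId = "myDownstreamDevice";
const string GatewayHostName = "DEV1-EFLOW";              // must match the gateway cert's hostname
const string PfxPath = @"C:\certs\myDownstreamDevice.pfx"; // identity cert plus private key
const string PfxPassword = "change-me";                  // load from secure storage in real deployments

// The device identity certificate must carry its private key; without it the SDK
// cannot complete the TLS client authentication against the gateway.
using var identityCert = new X509Certificate2(PfxPath, PfxPassword);
if (!identityCert.HasPrivateKey)
    throw new InvalidOperationException("Identity certificate has no private key.");

// Certificate-based authentication object: this is what x509=true in a plain
// connection string cannot supply on its own, because the string carries no certificate.
var auth = new DeviceAuthenticationWithX509Certificate(DeviceId, identityCert);

// Connect to the hub *through* the gateway; the gateway's server cert chains to the
// root CA installed in the Trusted Root store, so no extra trust code is needed here.
using var client = DeviceClient.Create(IotHubHostName, GatewayHostName, auth, TransportType.Mqtt);
await client.OpenAsync();

// Register a direct method handler, the call that raised NullReferenceException in the report.
await client.SetMethodHandlerAsync(
    "ping",
    (request, context) => Task.FromResult(new MethodResponse(200)),
    null);

// Send one telemetry message so the whole path (cert -> gateway -> hub) is exercised.
var payload = Encoding.UTF8.GetBytes("{\"status\":\"hello from downstream\"}");
await client.SendEventAsync(new Message(payload));
Console.WriteLine("Authenticated with X.509 and sent one message via the gateway.");
```

If this variant connects while the x509=true connection string does not, the difference is the missing certificate object, which is a useful data point to pass to the SDK team for a clearer error message.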

scout208 commented 1 year ago

@nyanzebra Thanks for the response. Unfortunately, my test certificates expired, so I had to recreate them, and I'm having trouble getting the test app set up correctly again. I'm just trying to test that the connection is working by using symmetric keys, but even that is failing for me now. I have trouble understanding the exception messages. This is what I'm getting now.

"error(condition:amqp:not-allowed,description:Unable to open Events link as the connection could not be authenticated)"

Do you know what could cause this message?

scout208 commented 1 year ago

Okay, I figured it out. I was accidentally using the wrong connection string; that's all that error was. Now I am back to where I started. I don't know how to check that all the certs are installed correctly. My leaf device is called LeafDevCASigned and I have these two certs installed in Local Computer\Trusted Root Certification Authorities

[image]

Running openssl s_client -connect DEV1-EFLOW:8883 -CAfile C:/Users/Admin/Documents/azure-iot-test-only.root.ca.cert.pem -showcerts gives me this

[image]

so I think that means the certs are correct?

nyanzebra commented 1 year ago

@scout208 That does look like it is correct then. Would you mind sharing what example or documentation you were following to get this set up? I will locally repro your steps and see if I can get the same results. Thanks!

scout208 commented 1 year ago

@nyanzebra I set up the gateway using this guide. Then I set up the downstream device using this guide with one of the X.509 authentication options. I've tried both self-signed and CA-signed and neither worked, so I think either one is fine for reproducing.

I'm using the interop-customvision-textmsg-uwpapp sample to test the connection between the downstream and gateway device. Make sure to do steps 4 and 6 to set up the modules and the UWP app for testing. Add a line to C:\Windows\System32\drivers\etc\hosts to link your EFLOW VM IP address to the hostname. Run the app on the edge device and in the device connection string text box enter HostName=myiothub.azure-devices.net;DeviceId=myDownstreamDevice;x509=true, replacing myiothub and myDownstreamDevice with the name of your IoT hub and the id of your downstream device respectively. In the gateway hostname text box type the hostname of your EFLOW VM. Click 'Ok' and observe that the app breaks with an exception.

Let me know if you have any questions about this setup.

nyanzebra commented 1 year ago

@scout208 I am back from holiday and going through the steps to try to repro, will let you know how it goes tomorrow :)

nyanzebra commented 1 year ago

Also @scout208 I notice that the docs you linked are for 1.1, have you tried upgrading to 1.4 if possible?

nyanzebra commented 1 year ago

@scout208 I have gone through most of this exercise (it was not easy).

So, first things first, my guess is that the eflow instructions expect you to create a gateway with a SharedAccessKey, as from putting in my own equivalent of Hostname=myiothub.azure-devices.net;DeviceId=downstream;x509=true;GatewayHostname=gateway I get a wonderful exception of 'Should specify either SharedAccessKey or SharedAccessSignature if X.509 certificate is not used'. @varunpuranik @veyalla Is there an EFLOW contact we can add to this issue to explain expectations for this sample project?

Secondly, I haven't gotten to the point of seeing auth issues, but I did see in the eflow sample instructions that test certificates were created again (if you created them when setting up the devices in the first place) which I suspect is a step one should skip if you already have the root certificate and the identity certificate from previous steps.

Lastly, I think one thing that would help a lot is disambiguation of the eflow sample steps to get up and running, as most of it is pointing to existing docs but could instead have the relevant parts from those docs explicitly pointed out in the steps. My guess as to the real problem here is the disconnect between the steps in the GH repo and our docs for setting up gateway and downstream devices with regard to expectations from the sample.

scout208 commented 1 year ago

@nyanzebra Thanks for the feedback. I'm going to try using 1.4 and see what the results are.

I know that this sample worked using SharedAccessKey, as I have tested it and verified that it does work. The problem is I would really like to have my downstream device authenticate using x509 certificates, so I don't have to worry about having a different connection string for each device.

fcabrera23 commented 1 year ago

Hi @scout208,

Thanks for your effort. From your investigation, could you please note which issues you're seeing that we need to fix in our documentation?

Thanks, Francisco

scout208 commented 1 year ago

@fcabrera23 My specific issue is with connecting a downstream device to IoT Hub using x509 certificates instead of symmetric keys.

This section of the docs seems to suggest that using x509=true in the connection string will authenticate using x509 certificates; however, I haven't been able to get that to work.

I've also tried following the sample code here and had issues using that method as well.

So, I think it would be helpful if you could clarify that these two methods that I just shared are correct and up-to-date.

Thanks!

fcabrera23 commented 1 year ago

Hi @scout208,

Currently, sample code is limited to symmetric keys. I'll try your scenario and create an x509 authentication, although this is something that we haven't tried before.

Thanks, Francisco

fcabrera23 commented 1 year ago

Hi @scout208,

We will update sample codes for 1.4LTS and .NET6 support in the upcoming weeks.

Thanks, Francisco