Azure / iotedge

The IoT Edge OSS project
MIT License

When using GlobalSign, bootstrap certs and EST, unable to set registration_id and common_name #5794

Closed ksaye closed 2 years ago

ksaye commented 2 years ago

## Expected Behavior

When using GlobalSign as an EST source and using the bootstrap certificate, I am NOT able to set the `registration_id` and `common_name` in the `[provisioning.attestation]` section.

When using a private or non-GlobalSign EST server such as this one, I am able to set the registration name. For example, I am able to generate a single long-lived bootstrap certificate used by many devices, yet set the unique desired name (and name of the certificate) by specifying `registration_id` in config.toml.

I noticed that when I set the `common_name` to something different, it will request a new bootstrap cert with the alternate `common_name`, as shown below:

```
root@devicecert:/var/lib/aziot/certd/certs# openssl x509 -in estid-c45f3e96a312cc524fecceddbc40dfc2aa789eae911d8bc7dd4eda19b93be900.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = estExampleCA
        Validity
            Not Before: Nov  2 21:13:21 2021 GMT
            Not After : Nov  4 21:13:21 2021 GMT
        Subject: CN = personalest2
```

Yet it still leaves the original bootstrap cert, referenced in config.toml, intact, with the original expiration date and `common_name`:

```
root@devicecert:/var/lib/aziot/certd/certs# openssl x509 -in /certs2/device.public.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = estExampleCA
        Validity
            Not Before: Nov  2 20:36:53 2021 GMT
            Not After : Nov  2 20:36:53 2022 GMT
        Subject: CN = bootstrapksaye
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
```

Note that when posting to a GlobalSign EST server, I have to set the header `Secret-Value`, whereas my private EST uses an id and password (perhaps this is related to the issue).

## Current Behavior

I would expect that using either the GlobalSign or a private EST Server, I could set the common_name as needed.

## Steps to Reproduce

Here are steps that work with a non-GlobalSign EST server.

1. Set up a private EST server such as this one.
2. Download the trusted cert:

   ```sh
   curl --insecure -s https://YOURSERVER.saye.org/.well-known/est/cacerts | base64 -d | openssl pkcs7 -inform der -outform PEM -print_certs | openssl x509 -out root.public.pem
   ```

3. Create a long-lived bootstrap cert and sign it, such as follows:

   ```sh
   openssl req -nodes -new -subj /CN=bootstrap -sha256 -out mycsr.pem -keyout device.private.pem
   curl --insecure -s https://YOURSERVER.saye.org/.well-known/est/simpleenroll --user estuser:estpwd --output cert.p7 --header "Content-Type: application/pkcs10" --header "Content-Transfer-Encoding: base64" --data-binary @./mycsr.pem && rm mycsr.pem
   openssl base64 -d -in cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs | openssl x509 -out device.public.pem && rm cert.p7
   ```

4. Move the certificates to a location that aziotks has access to.
5. Configure your config.toml as follows and configure DPS for an enrollment group:

   ```toml
   [provisioning]
   source = "dps"
   global_endpoint = "https://global.azure-devices-provisioning.net"
   id_scope = "0ne00XXXXX9"

   [provisioning.attestation]
   method = "x509"
   registration_id = "notbootstrap"
   identity_cert = { method = "est", common_name = "notbootstrap" }

   [cert_issuance.est]
   trusted_certs = [
       "file:///certs2/root.public.pem",
   ]

   [cert_issuance.est.auth]
   username = "estuser"
   password = "estpwd"
   bootstrap_identity_cert = "file:///certs2/device.public.pem"
   bootstrap_identity_pk = "file:///certs2/device.private.pem"

   [cert_issuance.est.urls]
   default = "https://YOURSERVER.saye.org/.well-known/est"
   ```


The above works, and you will see "notbootstrap" in IoT Hub.

### These steps fail with GlobalSign EST Server:

1. Get a GlobalSign account.
2. Get the trust certificate:

   ```sh
   curl https://YOURSERVER.est.edge.dev.globalsign.com:443/.well-known/est/cacerts | openssl base64 -d -a | openssl pkcs7 -inform der -print_certs | sed -E '/subject|issuer|^$/d' > issuing.pem
   ```

3. Generate a bootstrap certificate:

   ```sh
   openssl req -nodes -new -subj /CN=bootstrap -sha256 -keyout bootstrap.key.pem -out bootstrap.csr
   curl -X POST --data-binary "@bootstrap.csr" -H "Content-Transfer-Encoding:base64" -H "Secret-Value: YOURSECRET" -H "Content-Type:application/pkcs10" https://YOURSERVER.est.edge.dev.globalsign.com:443/.well-known/est/simpleenroll > cert.p7b
   openssl base64 -d -in cert.p7b | openssl pkcs7 -inform DER -outform PEM -print_certs | openssl x509 -out bootstrap.cert.pem && rm cert.p7b
   ```

4. Move the certificates to a location that aziotks has access to.
5. Configure your config.toml as follows and configure DPS for an enrollment group:

   ```toml
   [provisioning]
   source = "dps"
   global_endpoint = "https://global.azure-devices-provisioning.net/"
   id_scope = "0ne00XXXXX9"

   [provisioning.attestation]
   method = "x509"
   registration_id = "notbootstrap"
   identity_cert = { method = "est", common_name = "notbootstrap" }

   [cert_issuance.est]
   trusted_certs = [
       "file:///certs/issuing.pem",
   ]

   [cert_issuance.est.auth]
   bootstrap_identity_cert = "file:///certs/bootstrap.cert.pem"
   bootstrap_identity_pk = "file:///certs/bootstrap.key.pem"

   [cert_issuance.est.urls]
   default = "https://YOURSERVER.est.edge.dev.globalsign.com:443/.well-known/est/"
   ```


## Context (Environment)

### Output of `iotedge check`

<details>
<summary>Click here</summary>

```
root@devicecert:~# iotedge check

Configuration checks (aziot-identity-service)

√ keyd configuration is well-formed - OK
√ certd configuration is well-formed - OK
√ tpmd configuration is well-formed - OK
√ identityd configuration is well-formed - OK
√ daemon configurations up-to-date with config.toml - OK
√ identityd config toml file specifies a valid hostname - OK
√ aziot-identity-service package is up-to-date - OK
√ host time is close to reference time - OK
‼ production readiness: identity certificates expiry - Warning
    DPS identity 'device-id' will expire soon (2021-11-04 21:13:21 UTC, in 1 days)
‼ production readiness: EST identity and bootstrap certificates expiry - Warning
    x509 identity 'est-id' will expire soon (2021-11-04 21:13:21 UTC, in 1 days)
√ preloaded certificates are valid - OK
√ keyd is running - OK
√ certd is running - OK
√ identityd is running - OK
√ read all preloaded certificates from the Certificates Service - OK
√ read all preloaded key pairs from the Keys Service - OK
√ ensure all preloaded certificates match preloaded private keys with the same ID - OK

Connectivity checks (aziot-identity-service)

‼ host can connect to and perform TLS handshake with iothub AMQP port - Warning
    Could not retrieve iothub_hostname from provisioning file.
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
    Since no hostname is provided, all hub connectivity tests will be skipped.
‼ host can connect to and perform TLS handshake with iothub HTTPS / WebSockets port - Warning
    Could not retrieve iothub_hostname from provisioning file.
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
    Since no hostname is provided, all hub connectivity tests will be skipped.
‼ host can connect to and perform TLS handshake with iothub MQTT port - Warning
    Could not retrieve iothub_hostname from provisioning file.
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
    Since no hostname is provided, all hub connectivity tests will be skipped.
√ host can connect to and perform TLS handshake with DPS endpoint - OK

Configuration checks

√ aziot-edged configuration is well-formed - OK
√ configuration up-to-date with config.toml - OK
√ container engine is installed and functional - OK
√ configuration has correct URIs for daemon mgmt endpoint - OK
√ aziot-edge package is up-to-date - OK
√ container time is close to host time - OK
‼ DNS server - Warning
    Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub.
    Please see https://aka.ms/iotedge-prod-checklist-dns for best practices.
    You can ignore this warning if you are setting DNS server per module in the Edge deployment.
‼ production readiness: container engine - Warning
    Device is not using a production-supported container engine (moby-engine).
    Please see https://aka.ms/iotedge-prod-checklist-moby for details.
‼ production readiness: logs policy - Warning
    Container engine is not configured to rotate module logs which may cause it run out of disk space.
    Please see https://aka.ms/iotedge-prod-checklist-logs for best practices.
    You can ignore this warning if you are setting log policy per module in the Edge deployment.
‼ production readiness: Edge Agent's storage directory is persisted on the host filesystem - Warning
    The edgeAgent module is not configured to persist its /tmp/edgeAgent directory on the host filesystem.
    Data might be lost if the module is deleted or updated.
    Please see https://aka.ms/iotedge-storage-host for best practices.
‼ production readiness: Edge Hub's storage directory is persisted on the host filesystem - Warning
    The edgeHub module is not configured to persist its /tmp/edgeHub directory on the host filesystem.
    Data might be lost if the module is deleted or updated.
    Please see https://aka.ms/iotedge-storage-host for best practices.

Connectivity checks

22 check(s) succeeded.
10 check(s) raised warnings. Re-run with --verbose for more details.
7 check(s) were skipped due to errors from other checks. Re-run with --verbose for more details.
```

</details>

### Device Information
* Host OS [e.g. Ubuntu 18.04, Windows Server IoT 2019]: Ubuntu 18.04
* Architecture [e.g. amd64, arm32, arm64]:  amd64
* Container OS [e.g. Linux containers, Windows containers]: Linux

### Runtime Versions
* aziot-edged [run `iotedge version`]: 1.2.4
* Edge Agent [image tag (e.g. 1.0.0)]:  1.1
* Edge Hub [image tag (e.g. 1.0.0)]:  1.1
* Docker/Moby [run `docker version`]:  20.10.10+azure-1

Note: when using Windows containers on Windows, run `docker -H npipe:////./pipe/iotedge_moby_engine version` instead

## Logs

<details>
<summary>aziot-identity-d -- when failing with GlobalSign</summary>

```
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [INFO] - Starting service...
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [INFO] - Version - 1.2.3
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [INFO] - Provisioning starting. Reason: Startup
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2736 bytes)
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:15:12 devicecert aziot-identityd[11208]: 2021-11-02T20:15:12Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", certd.sock)
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2736 bytes)
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [aziot_dps_client_async] DPS request Request { method: PUT, uri: https://global.azure-devices-provisioning.net/0ne00223A39/registrations/nonebootstrap/register?api-version=2018-11-01, version: HTTP/1.1, headers: {"content-type": "application/json"}, body: Body(Full(b"{\"registrationId\":\"nonebootstrap\"}")) }
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::client::connect::dns] resolving host="global.azure-devices-provisioning.net"
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::client::connect::http] connecting to 104.214.34.123:443
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::client::connect::http] connected to 104.214.34.123:443
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::io] flushed 220 bytes
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::io] parsed 5 headers
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::conn] incoming body is chunked encoding
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::decode] incoming chunked header: 0x8F (143 bytes)
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [aziot_dps_client_async] DPS response status 401
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [aziot_dps_client_async] DPS response headers{"date": "Tue, 02 Nov 2021 20:15:13 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "x-ms-request-id": "5bc62f02-aa12-4d0e-b7a6-5e75f5e7d6be", "strict-transport-security": "max-age=31536000; includeSubDomains"}
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found: DPS client error
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [ERR!] - service encountered an error
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [ERR!] - caused by: DPS client error
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [ERR!] - caused by: Unauthorized
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 2021-11-02T20:15:13Z [ERR!] - 0:
Nov 02 15:15:13 devicecert aziot-identityd[11208]: 1:
Nov 02 15:15:13 devicecert systemd[1]: aziot-identityd.service: Main process exited, code=exited, status=1/FAILURE
Nov 02 15:15:13 devicecert systemd[1]: aziot-identityd.service: Failed with result 'exit-code'.
```

</details>

<details>
<summary>aziot-identity-d -- when working -- non GlobalSign</summary>

```
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (16 bytes)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [INFO] - <-- POST /identities/device/reprovision?api-version=2020-09-01 {"content-type": "application/json", "host": "2f72756e2f617a696f742f6964656e74697479642e736f636b:0", "content-length": "16"}
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [INFO] - Provisioning starting. Reason: Api
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", certd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2736 bytes)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", keyd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", certd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2736 bytes)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [aziot_dps_client_async] DPS request Request { method: PUT, uri: https://global.azure-devices-provisioning.net/0XXXXXX9/registrations/bootstrap/register?api-version=2018-11-01, version: HTTP/1.1, headers: {"content-type": "application/json"}, body: Body(Full(b"{\"registrationId\":\"bootstrap\"}")) }
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::connect::dns] resolving host="global.azure-devices-provisioning.net"
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::connect::http] connecting to 104.214.34.123:443
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::connect::http] connected to 104.214.34.123:443
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] flushed 212 bytes
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] parsed 6 headers
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body is chunked encoding
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::decode] incoming chunked header: 0x5E (94 bytes)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [aziot_dps_client_async] DPS response status 202
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [aziot_dps_client_async] DPS response headers{"date": "Tue, 02 Nov 2021 20:17:09 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "location": "https://global.azure-devices-provisioning.net/0nXXXXXXX9/registrations/bootstrap/register", "x-ms-request-id": "4cd16e58-59dd-4cfc-92cf-5a423dd768d8", "strict-transport-security": "max-age=31536000; includeSubDomains"}
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", keyd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", certd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2736 bytes)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [aziot_dps_client_async] DPS request Request { method: GET, uri: https://global.azure-devices-provisioning.net/0XXXXXXX9/registrations/bootstrap/operations/4.1de57fe9bf9d2c65.d172947a-d662-4253-9be7-fb4628ed37c2?api-version=2018-11-01, version: HTTP/1.1, headers: {}, body: Body(Empty) }
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::connect::dns] resolving host="global.azure-devices-provisioning.net"
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::connect::http] connecting to 104.214.34.123:443
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::client::connect::http] connected to 104.214.34.123:443
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] flushed 188 bytes
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::io] parsed 7 headers
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body is chunked encoding
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::decode] incoming chunked header: 0xA6 (166 bytes)
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [aziot_dps_client_async] DPS response status 202
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [aziot_dps_client_async] DPS response headers{"date": "Tue, 02 Nov 2021 20:17:10 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "location": "https://global.azure-devices-provisioning.net/0ne00223A39/registrations/bootstrap/operations/4.1de57fe9bf9d2c65.d172947a-d662-4253-9be7-fb4628ed37c2", "retry-after": "3", "x-ms-request-id": "eb92d41b-9328-44c9-981e-d5b348fecd81", "strict-transport-security": "max-age=31536000; includeSubDomains"}
Nov 02 15:17:10 devicecert aziot-identityd[11719]: 2021-11-02T20:17:10Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", keyd.sock)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", certd.sock)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2736 bytes)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [aziot_dps_client_async] DPS request Request { method: GET, uri: https://global.azure-devices-provisioning.net/0nXXXXXXX9/registrations/bootstrap/operations/4.1de57fe9bf9d2c65.d172947a-d662-4253-9be7-fb4628ed37c2?api-version=2018-11-01, version: HTTP/1.1, headers: {}, body: Body(Empty) }
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::connect::dns] resolving host="global.azure-devices-provisioning.net"
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::connect::http] connecting to 104.214.34.123:443
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::connect::http] connected to 104.214.34.123:443
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] flushed 188 bytes
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] parsed 5 headers
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body is chunked encoding
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::decode] incoming chunked header: 0x1E1 (481 bytes)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [aziot_dps_client_async] DPS response status 200
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [aziot_dps_client_async] DPS response headers{"date": "Tue, 02 Nov 2021 20:17:20 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "x-ms-request-id": "e55e43ed-1c32-4c54-b814-f66e8809fe02", "strict-transport-security": "max-age=31536000; includeSubDomains"}
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [INFO] - Successfully provisioned with DPS.
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [INFO] - Provisioning complete.
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [INFO] - Identity reconciliation started. Reason: Api
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", keyd.sock)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", certd.sock)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2736 bytes)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 02 15:17:20 devicecert aziot-identityd[11719]: 2021-11-02T20:17:20Z [DBUG] - [hyper::client::connect::dns] resolving host="kevinsay.azure-devices.net"
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::client::connect::http] connecting to 20.40.207.0:443
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::client::connect::http] connected to 20.40.207.0:443
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::io] flushed 108 bytes
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::io] parsed 6 headers
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (889 bytes)
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::client::pool] pooling idle connection for ("https", kevinsay.azure-devices.net)
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [aziot_hub_client_async] IoTHub response status 200
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [aziot_hub_client_async] IoTHub response headers{"content-length": "889", "content-type": "application/json; charset=utf-8", "vary": "Origin", "server": "Microsoft-HTTPAPI/2.0", "x-ms-request-id": "fc6d3520-5e53-4bdb-b09d-50946435e6fc", "date": "Tue, 02 Nov 2021 20:17:20 GMT"}
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [INFO] - Identity reconciliation complete.
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [INFO] - --> 204 {}
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::io] flushed 83 bytes
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::conn] read eof
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::conn] read eof
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (16 bytes)
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [INFO] - <-- POST /identities/device?api-version=2020-09-01 {"content-type": "application/json", "host": "2f72756e2f617a696f742f6964656e74697479642e736f636b:0", "content-length": "16"}
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", keyd.sock)
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [INFO] - --> 200 {"content-type": "application/json"}
Nov 02 15:17:21 devicecert aziot-identityd[11719]: 2021-11-02T20:17:21Z [DBUG] - [hyper::proto::h1::io] flushed 530 bytes
```

</details>

<details>
<summary>edge-hub logs</summary>
</details>

## Additional Information
onalante-msft commented 2 years ago

certd does not modify the bootstrap certificate, and only uses it for initial interaction with the EST server to generate the identity certificate. So, in this case, it is expected behavior for the bootstrap identity to not change. As long as the identity certificate reflects the desired CN settings, the setup with DPS should proceed without issue. Once the identity certificate is persisted, the bootstrap certificate is not necessary unless the identity certificate is somehow deleted. In fact, some folks configure the bootstrap certificate to be single-use.

ksaye commented 2 years ago

It is my belief (guess really) that because GlobalSign requires a header and config.toml is not configured with a header, it cannot use the bootstrap (only) to communicate with GlobalSign's EST server to get the identity certificate -- therefore it fails.

onalante-msft commented 2 years ago

If your GlobalSign server is also using basic authentication, this is possible to configure:

```toml
[cert_issuance.est.auth]
username = "${USERNAME}"
password = "${PASSWORD}"
bootstrap_identity_cert = "${CERT}"
bootstrap_identity_pk = "${PRIVKEY}"
```

I believe GlobalSign also supports authentication with custom headers. We decided not to support this scenario since the security characteristics of header-based authentication are often the same as those of basic authentication.

ksaye commented 2 years ago

Thanks, I am checking on that and will close this when resolved.

ksaye commented 2 years ago

@onalante-msft you are correct that GlobalSign does support a password at authentication time, but I still get the error.

Here is my toml:

```toml
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net"
id_scope = "0ne*********39"

[provisioning.attestation]
method = "x509"
registration_id = "issue2"
identity_cert = { method = "est", common_name = "issue2" }

[cert_issuance.est]
trusted_certs = [
    "file:///certs/issuing.pem",
]

[cert_issuance.est.auth]
username = ""
password = "dM**************kV"
bootstrap_identity_cert = "file:///certs/mytestmachine.cert.pem"
bootstrap_identity_pk = "file:///certs/privkey.pem"

[cert_issuance.est.urls]
default = "https://********.est.edge.dev.globalsign.com:443/.well-known/est"
```

Note that I am using issue2 as the CN, yet my bootstrap cert is named 'issue'. Also, note that Edge successfully requests a cert from GlobalSign, but it is using the name issue, not issue2, which I guess is why DPS is failing.

```
root@issue:/var/lib/aziot/certd/certs# openssl x509 -in /certs/mytestmachine.cert.pem -text | head -n 10
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3700237818720134912 (0x3359e2b10147a700)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = New Hampshire, L = Portsmouth, O = Microsoft Non-prod, CN = MIcrosoft Demo Root CA
        Validity
            Not Before: Nov 10 20:16:08 2021 GMT
            Not After : Feb  8 20:16:08 2022 GMT
        Subject: CN = issue
root@issue:/var/lib/aziot/certd/certs# openssl x509 -in ./estid-c45f3e96a312cc524fecceddbc40dfc2aa789eae911d8bc7dd4eda19b93be900.cer -text | head -n 10
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 637455700359914690 (0x8d8b295040024c2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = New Hampshire, L = Portsmouth, O = Microsoft Non-prod, CN = MIcrosoft Demo Root CA
        Validity
            Not Before: Nov 10 20:29:16 2021 GMT
            Not After : Feb  8 20:29:16 2022 GMT
        Subject: CN = issue
root@issue:/var/lib/aziot/certd/certs# openssl x509 -in ./deviceid-bd732105ef89cf8edd2606a5309c8a26b7b5599a4e124a0fe6199b6b2f60e655.cer -text | head -n 10
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7352851720270241926 (0x660a93aeb8d3e086)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = New Hampshire, L = Portsmouth, O = Microsoft Non-prod, CN = MIcrosoft Demo Root CA
        Validity
            Not Before: Nov 10 20:29:17 2021 GMT
            Not After : Feb  8 20:29:17 2022 GMT
        Subject: CN = issue
root@issue:/var/lib/aziot/certd/certs#
```

I am also still getting the error:

```
Nov 10 14:34:17 issue systemd[1]: Started Azure IoT Identity Service.
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [INFO] - Starting service...
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [INFO] - Version - 1.2.3
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [INFO] - Provisioning starting. Reason: Startup
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2732 bytes)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [INFO] - Provisioned with backup for issue.
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [INFO] - Successfully provisioned with DPS.
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [INFO] - Provisioning complete.
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [INFO] - Identity reconciliation started. Reason: Startup
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (46 bytes)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [INFO] - Could not reconcile Identities with current device data. Reprovisioning.
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", certd.sock)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (2732 bytes)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::client::pool] reuse idle connection for ("http", keyd.sock)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (46 bytes)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found:
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [ERR!] - service encountered an error
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [ERR!] - caused by: DPS client error
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [ERR!] - caused by: a parameter has an invalid value
Nov 10 14:34:17 issue aziot-identityd[11442]: 2021-11-10T20:34:17Z [ERR!] -    0: <unknown>
Nov 10 14:34:17 issue aziot-identityd[11442]:    1: <unknown>
Nov 10 14:34:17 issue systemd[1]: aziot-identityd.service: Main process exited, code=exited, status=1/FAILURE
Nov 10 14:34:17 issue systemd[1]: aziot-identityd.service: Failed with result 'exit-code'.
```

If I change my toml to:

```toml
registration_id = "issue"
identity_cert = { method = "est", common_name = "issue" }
```

it works fine, but that does not seem like a use case for the bootstrap certificate.

onalante-msft commented 2 years ago

Are you deleting the existing certificates after changing the configuration? I had run into a similar DPS error myself when certd used a device identity certificate produced by a previous configuration. For reference, here is my configuration file for GlobalSign tests:

```toml
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net/"
id_scope = "0nehunter2"

[provisioning.attestation]
method = "x509"
registration_id = "globalsign-est"

[provisioning.attestation.identity_cert]
method = "est"
common_name = "globalsign-est"

[cert_issuance.est.auth]
bootstrap_identity_cert = "file:///var/secrets/bootstrap_globalsign.cer"
bootstrap_identity_pk = "file:///var/secrets/bootstrap_globalsign.key"

[cert_issuance.est.urls]
default = "https://hunter2.globalsign.com:443/.well-known/est/hunter2/"
```

And the certificates:

ksaye commented 2 years ago

replied offline with steps to reproduce

ksaye commented 2 years ago

Thanks @onalante-msft for the guidance.

For others, it appears to be a misconfiguration of the EST server. When posting the CSR, the EST server is rewriting the subject. :(
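
The mismatch diagnosed above (the EST server returned a certificate for the bootstrap CN rather than the CN in the CSR, so DPS rejected the registration) can be caught on the device before provisioning is attempted. The following is an added example written for this thread, not code from the iotedge project or from either commenter: it reads the `registration_id` and `common_name` out of a config.toml and the `Subject:` line out of `openssl x509 -text` output for the bootstrap and issued certificates, then reports whether the issued certificate carries the requested CN. The config and certificate text embedded below are constructed from the values shown in the thread; the function names are this example's own.

```python
"""Check that the identity certificate an EST server issued carries the CN
that config.toml requested, and tell apart the "EST server re-enrolled the
bootstrap identity" case from a plain CN mismatch."""
import re

# Constructed sample inputs modelled on the thread: the config asks for
# "issue2", the bootstrap certificate is "issue", and the EST server
# handed back a certificate for "issue" instead of honouring the CSR.
CONFIG_TOML = '''
[provisioning.attestation]
method = "x509"
registration_id = "issue2"
identity_cert = { method = "est", common_name = "issue2" }
'''

BOOTSTRAP_CERT_TEXT = '''Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Example Non-prod, CN = Example Demo Root CA
        Subject: CN = issue
'''

ISSUED_CERT_TEXT = '''Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Example Non-prod, CN = Example Demo Root CA
        Subject: CN = issue
'''


def config_values(toml_text):
    """Return (registration_id, common_name) from config.toml text.

    Works for both layouts seen in the thread: the inline table
    identity_cert = { method = "est", common_name = "..." } and the
    [provisioning.attestation.identity_cert] sub-table form."""
    reg = re.search(r'^\s*registration_id\s*=\s*"([^"]*)"', toml_text, re.M)
    cn = re.search(r'common_name\s*=\s*"([^"]*)"', toml_text)
    return (reg.group(1) if reg else None, cn.group(1) if cn else None)


def subject_cn(x509_text):
    """Pull the CN out of the 'Subject:' line of `openssl x509 -text` output.
    Only the Subject line is read, so an Issuer CN never leaks through."""
    m = re.search(r'^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)', x509_text, re.M)
    return m.group(1).strip() if m else None


def diagnose(toml_text, bootstrap_text, issued_text):
    """Return a list of findings; an empty list means the identity cert
    matches what config.toml asked for."""
    reg, want_cn = config_values(toml_text)
    boot_cn = subject_cn(bootstrap_text)
    got_cn = subject_cn(issued_text)
    findings = []

    if reg is None or want_cn is None:
        findings.append("config: registration_id or common_name is missing")
    elif reg != want_cn:
        # DPS matches the enrollment on registration_id and expects the
        # presented certificate's CN to agree with it.
        findings.append(f"config: registration_id {reg!r} differs from "
                        f"common_name {want_cn!r}")

    if got_cn is None:
        findings.append("issued cert: no Subject CN found")
    elif want_cn is not None and got_cn != want_cn:
        if boot_cn is not None and got_cn == boot_cn:
            findings.append(
                f"issued cert CN {got_cn!r} equals the bootstrap CN, not the "
                f"requested {want_cn!r}: the EST server re-enrolled the "
                f"bootstrap identity instead of honouring the CSR subject")
        else:
            findings.append(f"issued cert CN {got_cn!r} != requested {want_cn!r}")
    return findings


if __name__ == "__main__":
    for line in diagnose(CONFIG_TOML, BOOTSTRAP_CERT_TEXT, ISSUED_CERT_TEXT) or ["OK"]:
        print(line)
```

On a real device the three inputs would come from `/etc/aziot/config.toml` and from `openssl x509 -text -in <file>` run against the bootstrap certificate and the newest `deviceid-*.cer` under `/var/lib/aziot/certd/certs`; the check reads only what those files expose and makes no network calls.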

ksaye commented 2 years ago

I verified with GlobalSign, and their response is below. Once that change was made, it worked as planned.

Hi Kevin,

This is due to the default behavior of Edge Enroll in which it will notice that a previously issued certificate was presented and "upgrade" the request to the reenrollment workflow. Typically we see that customers would use a separate CA for the bootstrap/idevid, so in practice this outcome usually wouldn't be seen. For testing purposes I have changed this on the account, could you try again and let me know if it works as expected?

Thanks,

Nick