Closed rajb865 closed 2 years ago
Can you please share your whole config.toml with any private information removed? The format is correct, but just from that screenshot, it looks like some other lines are uncommented and may be causing it to invalidate
# ==============================================================================
# Hostname
# ==============================================================================
#
# Uncomment the next line to override the default hostname of this device.
#
# hostname = "my-device"
# ==============================================================================
# Parent hostname
# ==============================================================================
#
# If this is a Nested Edge device, uncomment the next line to set the
# parent hostname of this device.
#
# parent_hostname = "my-parent-device"
# ==============================================================================
# Trust bundle cert
# ==============================================================================
#
# If you have any trusted CA certificates required for Edge module communication,
# uncomment the next line and set the value to a file URI for
# the path of the file.
#
# trust_bundle_cert = "file:///var/secrets/trust-bundle.pem"
# ==============================================================================
# Elevated Docker Permissions Flag
# ==============================================================================
#
# Some docker capabilities can be used to gain root access.
# By default, the --privileged flag and all capabilities listed in the CapAdd
# field of the docker HostConfig are allowed.
#
# In a future release, this will be disabled by default and the flag will be required
# run as privileged.
#
# If no modules require privileged or additional capabilities, uncomment the following
# line to improve the security of the device.
#
# allow_elevated_docker_permissions = false
# ==============================================================================
# Provisioning
# ==============================================================================
# Optional auto reprovisioning mode
# ------------------------------------
# This property specifies the conditions under which the device attempts to
# automatically reprovision with the cloud. It is ignored if the device has
# been provisioned manually. One of the following values can be set:
# Dynamic: Reprovision when the device detects that it may have
# been moved from one IoT Hub to another. This is the default.
# AlwaysOnStartup: Reprovision when the device is rebooted or a crash causes
# the daemon(s) to restart.
# OnErrorOnly: Never trigger device reprovisioning automatically.
# Device reprovisioning only occurs as fallback, if the device
# is unable to connect to IoT Hub during identity provisioning
# due to connectivity errors. This fallback behavior is implicit
# in Dynamic and AlwaysOnStartup modes as well.
#
# auto_reprovisioning_mode = Dynamic
#
# Provisioning configuration
# --------------------------
# Uncomment one block and replace the stub values with yours.
## Manual provisioning with connection string
#
# [provisioning]
# source = "manual"
# connection_string = "HostName=example.azure-devices.net;DeviceId=my-device;SharedAccessKey=YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU="
## Manual provisioning with symmetric key
# [provisioning]
# source = "manual"
# iothub_hostname = "example.azure-devices.net"
# device_id = "my-device"
#
# [provisioning.authentication]
# method = "sas"
#
# device_id_pk = { value = "YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU=" } # inline key (base64), or...
# device_id_pk = { uri = "file:///var/secrets/device-id.key" } # file URI, or...
# device_id_pk = { uri = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" } # PKCS#11 URI
## Manual provisioning with X.509 certificate
[provisioning]
source = "manual"
iothub_hostname = "EYRajIoTHub.azure-devices.net"
device_id = "raj-edge-device"
#
[provisioning.authentication]
method = "x509"
#
## identity certificate private key
identity_pk = "/home/raj/iot-edge-device-identity-raj-edge-device.cert.pem" # file URI, or...
# identity_pk = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" # PKCS#11 URI
#
## identity certificate
identity_cert = "/home/raj/iot-edge-device-identity-raj-edge-device.key.pem" # file URI, or...
# [provisioning.authentication.identity_cert] # dynamically issued via...
# method = "est" # - EST
# method = "local_ca" # - a local CA
# common_name = "my-device" # with the given common name, or...
# subject = { L = "AQ", ST = "Antarctica", CN = "my-device" } # with the given DN fields
## DPS provisioning with symmetric key
# [provisioning]
# source = "dps"
# global_endpoint = "https://global.azure-devices-provisioning.net"
# id_scope = "0ab1234C5D6"
#
# [provisioning.attestation]
# method = "symmetric_key"
# registration_id = "my-device"
#
# symmetric_key = { value = "YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGVudGl0eS1zZXJ2aWNlfGF6aW90LWlkZW50aXR5LXNlcg==" } # inline key (base64), or...
# symmetric_key = { uri = "file:///var/secrets/device-id.key" } # file URI, or...
# symmetric_key = { uri = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" } # PKCS#11 URI
## DPS provisioning with X.509 certificate
# [provisioning]
# source = "dps"
# global_endpoint = "https://global.azure-devices-provisioning.net/"
# id_scope = "0ab1234C5D6"
#
# [provisioning.attestation]
# method = "x509"
# registration_id = "my-device"
#
## identity certificate private key
# identity_pk = "file:///var/secrets/device-id.key.pem" # file URI, or...
# identity_pk = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" # PKCS#11 URI
#
## identity certificate
# identity_cert = "file:///var/secrets/device-id.pem" # file URI, or...
# [provisioning.attestation.identity_cert] # dynamically issued via...
# method = "est" # - EST
# method = "local_ca" # - a local CA
# common_name = "my-device" # with the given common name, or...
# subject = { L = "AQ", ST = "Antarctica", CN = "my-device" } # with the given DN fields
## DPS provisioning with TPM
# [provisioning]
# source = "dps"
# global_endpoint = "https://global.azure-devices-provisioning.net"
# id_scope = "0ab1234C5D6"
#
# [provisioning.attestation]
# method = "tpm"
# registration_id = "my-device"
# ==============================================================================
# Cert issuance
# ==============================================================================
#
# If you configured any dynamically issued certs above, uncomment the block
# corresponding to the issuance method and replace the stub values with yours.
# Cert issuance via EST
# ---------------------
# [cert_issuance.est]
# trusted_certs = [
# "file:///var/secrets/est-id-ca.pem",
# ]
#
# [cert_issuance.est.auth]
# username = "estuser"
# password = "estpwd"
#
# # EST ID cert already on device, or...
# identity_cert = "file:///var/secrets/est-id.pem"
#
# identity_pk = "file:///var/secrets/est-id.key.pem" # file URI, or...
# identity_pk = "pkcs11:slot-id=0;object=est-id?pin-value=1234" # PKCS#11 URI
#
# # EST ID cert requested via EST bootstrap ID cert
# bootstrap_identity_cert = "file:///var/secrets/est-bootstrap-id.pem"
#
# bootstrap_identity_pk = "file:///var/secrets/est-bootstrap-id.key.pem" # file URI, or...
# bootstrap_identity_pk = "pkcs11:slot-id=0;object=est-bootstrap-id?pin-value=1234" # PKCS#11 URI
#
# [cert_issuance.est.urls]
# default = "https://example.org/.well-known/est"
# Cert issuance via local CA
# --------------------------
# [cert_issuance.local_ca]
# cert = "file:///var/secrets/local-ca.pem"
#
# pk = "file:///var/secrets/local-ca.key.pem" # file URI, or...
# pk = "pkcs11:slot-id=0;object=local-ca?pin-value=1234" # PKCS#11 URI
# ==============================================================================
# PKCS#11
# ==============================================================================
#
# If you used any PKCS#11 URIs above, uncomment the next block and
# replace the stub values with your PKCS#11 configuration.
# [aziot_keys]
# pkcs11_lib_path = "/usr/lib/libmypkcs11.so"
# pkcs11_base_slot = "pkcs11:slot-id=0?pin-value=1234"
# ==============================================================================
# Default Edge Agent
# ==============================================================================
#
# If you need to override the parameters of the default Edge Agent module,
# uncomment this section and replace the values in this section with your own.
#
# Note that the agent.config.createOptions field is specified as
# a TOML inline table. This format looks similar to JSON but it is not JSON.
# See https://toml.io/en/v1.0.0#inline-table for documentation.
# [agent]
# name = "edgeAgent"
# type = "docker"
# imagePullPolicy = "..." # "on-create" or "never". Defaults to "on-create"
# [agent.config]
# image = "mcr.microsoft.com/azureiotedge-agent:1.2"
# createOptions = { HostConfig = { Binds = ["/iotedge/storage:/iotedge/storage"] } }
# [agent.config.auth]
# serveraddress = "example.azurecr.io"
# username = "username"
# password = "password"
# [agent.env]
# "RuntimeLogLevel" = "debug"
# "UpstreamProtocol" = "AmqpWs"
# "storageFolder" = "/iotedge/storage"
# ==============================================================================
# Daemon management and workload API endpoints
# ==============================================================================
#
# If you need to override the management and workload API endpoints,
# uncomment this section and replace the values in this section with your own.
# [connect]
# workload_uri = "unix:///var/run/iotedge/workload.sock"
# management_uri = "unix:///var/run/iotedge/mgmt.sock"
#
# [listen]
# workload_uri = "fd://aziot-edged.workload.socket"
# management_uri = "fd://aziot-edged.mgmt.socket"
# ==============================================================================
# Edge Agent watchdog
# ==============================================================================
#
# If you need to override the default Edge Agent watchdog settings,
# uncomment this section and replace the values with your own.
#
# [watchdog]
# max_retries = "infinite" # the string "infinite" or a positive integer. Defaults to "infinite"
# ==============================================================================
# Edge CA certificate
# ==============================================================================
#
# If you have your own Edge CA certificate that you want all module certificates
# to be issued by, uncomment one of the sections below and replace the values with
# your own.
# Edge CA certificate loaded from a file:
# ---------------------
# [edge_ca]
# cert = "file:///var/secrets/edge-ca.pem" # file URI
#
# pk = "file:///var/secrets/edge-ca.key.pem" # file URI, or...
# pk = "pkcs11:slot-id=0;object=edge%20ca?pin-value=1234" # PKCS#11 URI
# Edge CA certificate issued over EST:
# ---------------------
# [edge_ca]
# method = "est"
#
# # Optional EST configuration for issuing the Edge CA certificate below.
# # If not set, the defaults in [cert_issuance.est] will be used.
#
# common_name = "iotedged workload ca"
# expiry_days = 90
# url = "https://example.org/.well-known/est"
#
# username = "estuser"
# password = "estpwd"
#
# # EST ID cert already on device, or...
# identity_cert = "file:///var/secrets/est-id.pem"
#
# identity_pk = "file:///var/secrets/est-id.key.pem" # file URI, or...
# identity_pk = "pkcs11:slot-id=0;object=est-id?pin-value=1234" # PKCS#11 URI
#
# # EST ID cert requested via EST bootstrap ID cert
# bootstrap_identity_cert = "file:///var/secrets/est-bootstrap-id.pem"
#
# bootstrap_identity_pk = "file:///var/secrets/est-bootstrap-id.key.pem" # file URI, or...
# bootstrap_identity_pk = "pkcs11:slot-id=0;object=est-bootstrap-id?pin-value=1234" # PKCS#11 URI
# Edge CA certificate issued from a local CA certificate:
# Requires [cert_issuance.local_ca] to be set.
# ---------------------
# [edge_ca]
# method = "local_ca"
#
# # Optional configuration below.
#
# common_name = "iotedged workload ca"
# expiry_days = 90
# ==============================================================================
# Edge CA certificate (Quickstart)
# ==============================================================================
#
# If you do not have your own Edge CA certificate that you want all
# module certificates to be issued by, you can uncomment this section and
# set the number of days for the lifetime of the auto-generated
# self-signed Edge CA certificate. Defaults to 90 days.
#
# SECURITY NOTE: this setting is NOT recommended for production usage. Please
# configure your own Edge CA certificate in the Edge CA certificate section
# above instead.
#
# [edge_ca]
# auto_generated_edge_ca_expiry_days = 90
# ==============================================================================
# Moby runtime
# ==============================================================================
#
# If you need to override the default Moby runtime configuration,
# uncomment this section and replace the values in this section with your own.
# [moby_runtime]
# uri = "unix:///var/run/docker.sock"
# network = "azure-iot-edge"
Is the above issue resolved? As I am also facing the exact same issue.
@NishantThakkar no it is not resolved yet. @brotherneeru I have provided the config.toml file. do you have any updates on the issue?
@rajb865 Your file URIs aren't parsing. identity_pk and identity_cert must start with "file://", as in the documentation. It also looks like you have your key and cert swapped
@rajb865 Following up on this issue. Did this resolve the problem you were seeing?
No activity. Closing
@NishantThakkar no it is not resolved yet. @brotherneeru I have provided the config.toml file. do you have any updates on the issue?
What is resolution for this issue? I am facing the same one.
I run also into this issue, but the error is misleading. You need to add a connectionstring from the configured IoT Edge device in the IoT Hub and NOT the connection string of the IoT Hub itself.
https://github.com/Azure/iotedge/issues/6170#issue-1156266610
Facing the same issue how did you guys resolve it?
@rajb865
Expected Behavior
IoT Edge runtime should be provisioned using X.509 certificate.
Current Behavior
I am following the tutorial Create and provision an IoT Edge device on Linux using X.509 certificates and trying to provision IoT Edge runtime on Linux virtual machine using x509 certificate. When I try to apply the updates to config.toml file, it gives me the error
Command failed: could not parse config file: data did not match any variant of untagged enum ManualProvisioning at line 103 column 2
. below the config.toml file sectionCould you please verify if the information on this page is correct
Steps to Reproduce
Provide a detailed set of steps to reproduce the bug.
Command failed: could not parse config file: data did not match any variant of untagged enum ManualProvisioning at line 103 column 2
Context (Environment)
Ubuntu 18.04
Output of
iotedge check
Click here
``` Configuration checks (aziot-identity-service) --------------------------------------------- √ keyd configuration is well-formed - OK × certd configuration is well-formed - Error certd's configuration file is not well-formed. √ tpmd configuration is well-formed - OK × identityd configuration is well-formed - Error identityd's configuration file is not well-formed. ‼ daemon configurations up-to-date with config.toml - Warning /etc/aziot/keyd/config.d/00-super.toml does not exist. Did you run 'aziotctl config apply'? √ host time is close to reference time - OK × production readiness: identity certificates expiry - Error this command must be run as root × keyd is running - Error Could not connect to keyd on unix:///run/aziot/keyd.sock × certd is running - Error Could not connect to certd on unix:///run/aziot/certd.sock × tpmd is running - Error Could not connect to tpmd on unix:///run/aziot/tpmd.sock × identityd is running - Error Could not connect to identityd on unix:///run/aziot/identityd.sock Connectivity checks (aziot-identity-service) -------------------------------------------- Configuration checks -------------------- × aziot-edged configuration is well-formed - Error The IoT Edge daemon's configuration file is not well-formed. ‼ configuration up-to-date with config.toml - Warning /etc/aziot/edged/config.d/00-super.toml does not exist. Did you run 'iotedge config apply'? ‼ aziot-edge package is up-to-date - Warning Installed IoT Edge daemon has version 1.2.7 but 1.2.8 is the latest stable version available. Please see https://aka.ms/iotedge-update-runtime for update instructions. ‼ DNS server - Warning Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub. Please see https://aka.ms/iotedge-prod-checklist-dns for best practices. You can ignore this warning if you are setting DNS server per module in the Edge deployment. ‼ production readiness: logs policy - Warning Container engine is not configured to rotate module logs which may cause it run out of disk space. Please see https://aka.ms/iotedge-prod-checklist-logs for best practices. You can ignore this warning if you are setting log policy per module in the Edge deployment. Connectivity checks ------------------- 3 check(s) succeeded. 5 check(s) raised warnings. Re-run with --verbose for more details. 8 check(s) raised errors. Re-run with --verbose for more details. 26 check(s) were skipped due to errors from other checks. Re-run with --verbose for more details. ```Device Information
Runtime Versions
iotedge version
]: iotedge 1.2.7docker version
]: Client: Version: 20.10.11+azure-3 API version: 1.41 Go version: go1.16.12 Git commit: dea9396e184290f638ea873c76db7c80efd5a1d2 Built: Wed Nov 17 23:49:46 2021 OS/Arch: linux/amd64 Context: default Experimental: trueServer: Engine: Version: 20.10.11+azure-3 API version: 1.41 (minimum version 1.12) Go version: go1.16.12 Git commit: 847da184ad5048b27f5bdf9d53d070f731b43180 Built: Thu Nov 18 00:21:59 2021 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.4.12+azure-2 GitCommit: 7b11cfaabd73bb80907dd23182b9347b4245eb5d runc: Version: 1.0.3 GitCommit: f46b6ba2c9314cfc8caae24a32ec5fe9ef1059fe docker-init: Version: 0.19.0 GitCommit:
Note: when using Windows containers on Windows, run
docker -H npipe:////./pipe/iotedge_moby_engine version
insteadLogs
aziot-edged logs
```edge-agent logs
```edge-hub logs
```Additional Information
Please provide any additional information that may be helpful in understanding the issue.