Azure / iotedge

The IoT Edge OSS project
MIT License

[edge_ca] auto_generated_edge_ca_expiry_days not set in /etc/aziot/edged/config.d/00-super.toml after following quickstart Edge CA guidelines #7216

Closed wvangeem closed 8 months ago

wvangeem commented 8 months ago

Expected Behavior

I wanted to configure the quickstart Edge CA, as described in the link below: https://learn.microsoft.com/en-us/azure/iot-edge/how-to-manage-device-certificates?view=iotedge-1.4&tabs=ubuntu#manage-edge-ca

After configuring /etc/aziot/config.toml with the following settings:

```toml
[edge_ca]
auto_generated_edge_ca_expiry_days = 4

[edge_ca.auto_renew]
rotate_key = true
threshold = "60%"
retry = "4%"
```

You need to delete the contents of the folders /var/lib/aziot/certd/certs and /var/lib/aziot/keyd/keys to remove any previously generated certificates.

After deleting, I executed `iotedge config apply -c '/etc/aziot/config.toml'`.

Current Behavior

I had to restart a few times, because at first the symmetric key seemed to be corrupt, but then it started OK.

But if I check the contents of the file /etc/aziot/edged/config.d/00-super.toml I see the following:

```toml
# This file is auto-generated by `iotedge config apply`
# Do not edit it manually; any edits will be lost when the command is run again.

hostname = "*************"
trust_bundle_cert = "aziot-edged-trust-bundle"
auto_reprovisioning_mode = "OnErrorOnly"
homedir = "/var/lib/aziot/edged"
allow_elevated_docker_permissions = true

[edge_ca.auto_renew]
rotate_key = true
threshold = "60%"
retry = "4%"

[agent]
name = "edgeAgent"
type = "docker"
imagePullPolicy = "on-create"

[agent.config]
image = "mcr.microsoft.com/azureiotedge-agent:1.4"

[agent.config.createOptions]

[agent.env]

[connect]
workload_uri = "unix:///var/run/iotedge/workload.sock"
management_uri = "unix:///var/run/iotedge/mgmt.sock"

[listen]
workload_uri = "fd://aziot-edged.workload.socket"
management_uri = "fd://aziot-edged.mgmt.socket"
min_tls_version = "tls1.0"

[watchdog]
max_retries = "infinite"

[moby_runtime]
uri = "unix:///var/run/docker.sock"
network = "azure-iot-edge"
```

So the [edge_ca] setting seems to be missing, and I have no idea whether it has been set or not.

Steps to Reproduce

1.

   ```sh
   iotedge config mp --connection-string 'my connection string'
   iotedge config apply
   ```

2. Delete files in folders /var/lib/aziot/certd/certs and /var/lib/aziot/keyd/keys

3. Add CA settings in config.toml

   ```toml
   [edge_ca]
   auto_generated_edge_ca_expiry_days = 4

   [edge_ca.auto_renew]
   rotate_key = true
   threshold = "60%"
   retry = "4%"
   ```

4. Run

   ```sh
   iotedge config apply
   ```

   Restart

   ```sh
   systemctl stop aziot-edged.service
   systemctl start aziot-edged.service
   ```

Context (Environment)

Output of iotedge check

```
root@CNH-787052036B1B:/var/lib/aziot# iotedge check
Configuration checks (aziot-identity-service)
---------------------------------------------
√ keyd configuration is well-formed - OK
√ certd configuration is well-formed - OK
√ tpmd configuration is well-formed - OK
√ identityd configuration is well-formed - OK
√ daemon configurations up-to-date with config.toml - OK
√ identityd config toml file specifies a valid hostname - OK
‼ aziot-identity-service package is up-to-date - Warning
    Installed aziot-identity-service package has version 1.4.4 but 1.4.7 is the latest stable version available. Please see https://aka.ms/aziot-update-runtime for update instructions.
√ host time is close to reference time - OK
√ preloaded certificates are valid - OK
√ keyd is running - OK
√ certd is running - OK
√ identityd is running - OK
√ read all preloaded certificates from the Certificates Service - OK
√ read all preloaded key pairs from the Keys Service - OK
√ check all EST server URLs utilize HTTPS - OK
√ ensure all preloaded certificates match preloaded private keys with the same ID - OK

Connectivity checks (aziot-identity-service)
--------------------------------------------
√ host can connect to and perform TLS handshake with iothub AMQP port - OK
√ host can connect to and perform TLS handshake with iothub HTTPS / WebSockets port - OK
√ host can connect to and perform TLS handshake with iothub MQTT port - OK

Configuration checks
--------------------
√ aziot-edged configuration is well-formed - OK
√ configuration up-to-date with config.toml - OK
√ container engine is installed and functional - OK
√ configuration has correct URIs for daemon mgmt endpoint - OK
‼ aziot-edge package is up-to-date - Warning
    Installed IoT Edge daemon has version 1.4.10 but 1.4.27 is the latest stable version available. Please see https://aka.ms/iotedge-update-runtime for update instructions.
√ container time is close to host time - OK
√ DNS server - OK
√ production readiness: logs policy - OK
√ production readiness: Edge Agent's storage directory is persisted on the host filesystem - OK
√ production readiness: Edge Hub's storage directory is persisted on the host filesystem - OK
√ Agent image is valid and can be pulled from upstream - OK
√ proxy settings are consistent in aziot-edged, aziot-identityd, moby daemon and config.toml - OK

Connectivity checks
-------------------
√ container on the default network can connect to upstream AMQP port - OK
× container on the default network can connect to upstream HTTPS / WebSockets port - Error
    Container on the default network could not connect to EUHARVCOIOTHUBD01.azure-devices.net:443
√ container on the IoT Edge module network can connect to upstream AMQP port - OK
√ container on the IoT Edge module network can connect to upstream HTTPS / WebSockets port - OK

32 check(s) succeeded.
2 check(s) raised warnings. Re-run with --verbose for more details.
1 check(s) raised errors. Re-run with --verbose for more details.
2 check(s) were skipped due to errors from other checks. Re-run with --verbose for more details.
```

Logs

edge-agent logs

```
2024-02-14 12:34:24 Starting Edge Agent
2024-02-14 12:34:24 Changing ownership of storage folder: /data/edgeAgent to 13622
2024-02-14 12:34:24 Changing ownership of backup folder: /tmp/edgeAgent_backup to 13622
2024-02-14 12:34:24 Changing ownership of management socket: /var/run/iotedge/mgmt.sock
2024-02-14 12:34:24 Completed necessary setup. Starting Edge Agent.
2024-02-14 12:34:24.879 +00:00 Edge Agent Main()
<6> 2024-02-14 12:34:25.465 +00:00 [INF] - Initializing Edge Agent.
<6> 2024-02-14 12:34:25.951 +00:00 [INF] - Version - 1.4.32.87526293 (23679088db32d96fcf0edcfceafc4e6a085fbda0)
<6> 2024-02-14 12:34:25.953 +00:00 [INF] - (Azure IoT Edge ASCII-art banner omitted)
<6> 2024-02-14 12:34:25.964 +00:00 [INF] - ModuleUpdateMode: NonBlocking
<6> 2024-02-14 12:34:26.171 +00:00 [INF] - Experimental features configuration: {"Enabled":false,"DisableCloudSubscriptions":false}
<6> 2024-02-14 12:34:26.569 +00:00 [INF] - Installing certificates [CN=aziot-edge CA 787052036B1B:02/18/2024 12:30:05] to Root
<6> 2024-02-14 12:34:27.109 +00:00 [INF] - Starting metrics listener on Host: *, Port: 9600, Suffix: metrics
<6> 2024-02-14 12:34:27.162 +00:00 [INF] - Updating performance metrics every 05m:00s
<6> 2024-02-14 12:34:27.180 +00:00 [INF] - Started operation Get system resources
<6> 2024-02-14 12:34:27.185 +00:00 [INF] - Collecting metadata metrics
<6> 2024-02-14 12:34:27.466 +00:00 [INF] - Set metadata metrics: 1.4.32.87526293 (23679088db32d96fcf0edcfceafc4e6a085fbda0), {"Enabled":false,"DisableCloudSubscriptions":false}, {"OperatingSystemType":"Linux","Architecture":"x86_64","Version":"1.4.10","Provisioning":{"Type":"ProvisioningType","DynamicReprovisioning":false,"AlwaysReprovisionOnStartup":false},"ServerVersion":"20.10.25+azure-1","KernelVersion":"#102~20.04.1-Ubuntu SMP Mon Jan 15 13:09:14 UTC 2024","OperatingSystem":"ubuntu","NumCpus":4,"TotalMemory":8145788928,"Virtualized":"no"}, True
<6> 2024-02-14 12:34:27.531 +00:00 [INF] - Started operation Checkpoint Availability
<6> 2024-02-14 12:34:27.541 +00:00 [INF] - Started operation refresh twin config
<6> 2024-02-14 12:34:27.588 +00:00 [INF] - Edge agent attempting to connect to IoT Hub via Amqp_Tcp_Only...
<6> 2024-02-14 12:34:28.596 +00:00 [INF] - Created persistent store at /data/edgeAgent
<6> 2024-02-14 12:34:28.886 +00:00 [INF] - Started operation Metrics Scrape
<6> 2024-02-14 12:34:28.887 +00:00 [INF] - Started operation Metrics Upload Scraping frequency: 01:00:00 Upload Frequency: 1.00:00:00
<6> 2024-02-14 12:34:30.163 +00:00 [INF] - Registering request handler UploadModuleLogs
<6> 2024-02-14 12:34:30.164 +00:00 [INF] - Registering request handler GetModuleLogs
<6> 2024-02-14 12:34:30.164 +00:00 [INF] - Registering request handler UploadSupportBundle
<6> 2024-02-14 12:34:30.165 +00:00 [INF] - Registering request handler RestartModule
<6> 2024-02-14 12:34:30.417 +00:00 [INF] - Edge agent connected to IoT Hub via Amqp_Tcp_Only.
<6> 2024-02-14 12:34:30.780 +00:00 [INF] - Initialized new module client with subscriptions enabled
<6> 2024-02-14 12:34:30.950 +00:00 [INF] - Obtained Edge agent twin from IoTHub with desired properties version 100 and reported properties version 796.
<6> 2024-02-14 12:34:31.821 +00:00 [INF] - Plan execution started for deployment 100
<6> 2024-02-14 12:34:31.833 +00:00 [INF] - Executing command: "Command Group: (\n [Stop module StateAnalyzer]\n [Start module StateAnalyzer]\n [Saving StateAnalyzer to store]\n)"
<6> 2024-02-14 12:34:31.851 +00:00 [INF] - Executing command: "Stop module StateAnalyzer"
<6> 2024-02-14 12:34:31.943 +00:00 [INF] - Executing command: "Start module StateAnalyzer"
<6> 2024-02-14 12:34:32.791 +00:00 [INF] - Executing command: "Saving StateAnalyzer to store"
<6> 2024-02-14 12:34:32.818 +00:00 [INF] - Executing command: "Command Group: (\n [Stop module APIServer]\n [Start module APIServer]\n [Saving APIServer to store]\n)"
<6> 2024-02-14 12:34:32.818 +00:00 [INF] - Executing command: "Stop module APIServer"
<6> 2024-02-14 12:34:32.822 +00:00 [INF] - Executing command: "Start module APIServer"
<6> 2024-02-14 12:34:33.781 +00:00 [INF] - Executing command: "Saving APIServer to store"
<6> 2024-02-14 12:34:33.782 +00:00 [INF] - Executing command: "Command Group: (\n [Stop module SensorController]\n [Start module SensorController]\n [Saving SensorController to store]\n)"
<6> 2024-02-14 12:34:33.782 +00:00 [INF] - Executing command: "Stop module SensorController"
<6> 2024-02-14 12:34:33.786 +00:00 [INF] - Executing command: "Start module SensorController"
<6> 2024-02-14 12:34:34.817 +00:00 [INF] - Executing command: "Saving SensorController to store"
<6> 2024-02-14 12:34:34.820 +00:00 [INF] - Executing command: "Command Group: (\n [Stop module edgeHub]\n [Start module edgeHub]\n [Saving edgeHub to store]\n)"
<6> 2024-02-14 12:34:34.821 +00:00 [INF] - Executing command: "Stop module edgeHub"
<6> 2024-02-14 12:34:34.826 +00:00 [INF] - Executing command: "Start module edgeHub"
<6> 2024-02-14 12:34:36.129 +00:00 [INF] - Executing command: "Saving edgeHub to store"
<6> 2024-02-14 12:34:36.131 +00:00 [INF] - Plan execution ended for deployment 100
<6> 2024-02-14 12:34:36.651 +00:00 [INF] - Updated reported properties
<6> 2024-02-14 12:34:41.922 +00:00 [INF] - Updated reported properties
```

yophilav commented 8 months ago

Hi @wvangeem, thank you for the question. You are concerned that the [edge_ca] section is missing from the file /etc/aziot/edged/config.d/00-super.toml, correct? The [edge_ca] section isn't expected to be there; it should be in certd's file at /etc/aziot/certd/config.d/00-super.toml. Please take a look at the file there :)

wvangeem commented 8 months ago

Hi @yophilav ,

Thanks for the quick response. Indeed, the result is in the file /etc/aziot/certd/config.d/00-super.toml. I was mistaken: because the [edge_ca.auto_renew] section was in the file /etc/aziot/edged/config.d/00-super.toml, I was expecting the [edge_ca] section there as well.

These are the contents (for reference only):

```toml
[cert_issuance.aziot-edged-ca]
method = "self_signed"
expiry_days = 4

[cert_issuance.aziot-edged-ca-temp]
method = "self_signed"
expiry_days = 4
```

Case closed!
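An added example, not code from this thread or from the iotedge project: a check that reads config.toml and the two generated files and confirms each [edge_ca] setting landed where the thread shows `iotedge config apply` writes it (the expiry under certd's two [cert_issuance.aziot-edged-ca*] tables, the renewal policy under edged's [edge_ca.auto_renew]). The three file contents are constructed from the values posted above, and the minimal TOML parser is an assumption that only covers the flat subset these files use.

```python
# Constructed samples mirroring the thread: config.toml and the two generated 00-super.toml files.
CONFIG_TOML = """
[edge_ca]
auto_generated_edge_ca_expiry_days = 4
[edge_ca.auto_renew]
rotate_key = true
threshold = "60%"
retry = "4%"
"""
CERTD_SUPER = """
[cert_issuance.aziot-edged-ca]
method = "self_signed"
expiry_days = 4
[cert_issuance.aziot-edged-ca-temp]
method = "self_signed"
expiry_days = 4
"""
EDGED_SUPER = """
[edge_ca.auto_renew]
rotate_key = true
threshold = "60%"
retry = "4%"
"""

def parse_simple_toml(text):
    """Flat `[section]` / `key = value` subset only (no arrays or inline tables); returns {section: {key: value}}."""
    data, section = {}, ""
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif line:
            key, _, val = (p.strip() for p in line.partition("="))
            data.setdefault(section, {})[key] = (val == "true" if val in ("true", "false")
                                                 else int(val) if val.lstrip("-").isdigit() else val.strip('"'))
    return data

def check_edge_ca(config_toml, certd_super, edged_super):
    """Return findings; empty means every [edge_ca] setting landed where `iotedge config apply` writes it."""
    cfg, certd, edged = (parse_simple_toml(t) for t in (config_toml, certd_super, edged_super))
    want_days, findings = cfg.get("edge_ca", {}).get("auto_generated_edge_ca_expiry_days"), []
    # The expiry goes to certd, once for the Edge CA and once for its temporary stand-in.
    for cert_id in ("aziot-edged-ca", "aziot-edged-ca-temp"):
        issuance = certd.get(f"cert_issuance.{cert_id}", {})
        if issuance.get("method") != "self_signed" or issuance.get("expiry_days") != want_days:
            findings.append(f"certd: [cert_issuance.{cert_id}] does not reflect config.toml")
    # The auto_renew policy goes to edged, key for key; [edge_ca] itself is not expected there.
    if cfg.get("edge_ca.auto_renew") != edged.get("edge_ca.auto_renew"):
        findings.append("edged: [edge_ca.auto_renew] differs from config.toml")
    return findings
```

On a real device, feed the function the contents of /etc/aziot/config.toml, /etc/aziot/certd/config.d/00-super.toml and /etc/aziot/edged/config.d/00-super.toml after `iotedge config apply`.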