Disable Edge CA renewal did not work

[shaeussler]

I want to use EST but without the random module restart.

Expected Behavior

Edge CA renewal should be disabled

Current Behavior

Edge CA renewal is enabled

Steps to Reproduce

Provide a detailed set of steps to reproduce the bug.

1. Run https://learn.microsoft.com/en-us/azure/iot-edge/tutorial-configure-est-server?view=iotedge-1.5#run-est-server-on-device
2. Look for "Certificate aziot-edged-ca will be auto-renewed. Next renewal at 2024-06-07T07:55:02+00:00." in the "iotedge system logs"

   Context (Environment)

config.toml

Click here

``` # ============================================================================== # Hostname # ============================================================================== # # Uncomment the next line to override the default hostname of this device. # hostname = "xxxxxxxxxxxxxxxxxx.cloudapp.azure.com" # ============================================================================== # Parent hostname # ============================================================================== # # If this is a Nested Edge device, uncomment the next line to set the # parent hostname of this device. # # parent_hostname = "my-parent-device" # ============================================================================== # Trust bundle cert # ============================================================================== # # If you have any trusted CA certificates required for Edge module communication, # uncomment the next line and set the value to a file URI for # the path of the file. # # trust_bundle_cert = "file:///var/secrets/trust-bundle.pem" # ============================================================================== # Elevated Docker Permissions Flag # ============================================================================== # # Some docker capabilities can be used to gain root access. # By default, the --privileged flag and all capabilities listed in the CapAdd # field of the docker HostConfig are allowed. # # In a future release, this will be disabled by default and the flag will be required # run as privileged. # # If no modules require privileged or additional capabilities, uncomment the following # line to improve the security of the device. # # allow_elevated_docker_permissions = false # ============================================================================== # Module identity cache preference # ============================================================================== # # The default behavior is to request module identities from IoT Hub and fall back to a # cached backup if the Hub request fails. This keeps identities in sync with IoT Hub, # but results in extra requests to Hub that may not be necessary depending on use case. # # Setting prefer_module_identity_cache to true reverses the behavior so that the cached # identities are preferred to IoT Hub requests. Requests to Hub are still made if identities # are not found in the cache. # # prefer_module_identity_cache = false # ============================================================================== # Provisioning # ============================================================================== # Optional auto reprovisioning mode # ------------------------------------ # This property specifies the conditions under which the device attempts to # automatically reprovision with the cloud. It is ignored if the device has # been provisioned manually. One of the following values can be set: # Dynamic: Reprovision when the device detects that it may have # been moved from one IoT Hub to another. This is the default. # AlwaysOnStartup: Reprovision when the device is rebooted or a crash causes # the daemon(s) to restart. # OnErrorOnly: Never trigger device reprovisioning automatically. # Device reprovisioning only occurs as fallback, if the device # is unable to connect to IoT Hub during identity provisioning # due to connectivity errors. This fallback behavior is implicit # in Dynamic and AlwaysOnStartup modes as well. # # auto_reprovisioning_mode = Dynamic # # ============================================================================== # Cloud Timeout and Retry Behavior # ============================================================================== # # These settings control the timeout and retries for cloud operations, such as # communication with DPS during provisioning or IoT Hub for module identity creation. # # cloud_timeout_sec is the deadline (in seconds) for a network request (such as # an HTTP request) to the aforementioned cloud services. A response from the cloud # must be received before this deadline, or the request will fail as timed out. # # cloud_retries controls how many times a request may be retried should it fail. # The client will always send at least one attempt, so its value will be the number # of retries after the first attempt should that fail (i.e. cloud_retries = 2 # means that the client will make a total of 3 attempts). # # cloud_timeout_sec = 10 # cloud_retries = 1 # Provisioning configuration # -------------------------- # Uncomment one block and replace the stub values with yours. ## Manual provisioning with connection string # # [provisioning] # source = "manual" # connection_string = "HostName=example.azure-devices.net;DeviceId=my-device;SharedAccessKey=YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU=" ## Manual provisioning with symmetric key # [provisioning] # source = "manual" # iothub_hostname = "example.azure-devices.net" # device_id = "my-device" # # [provisioning.authentication] # method = "sas" # # device_id_pk = { value = "YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGU=" } # inline key (base64), or... # device_id_pk = { uri = "file:///var/secrets/device-id.key" } # file URI, or... # device_id_pk = { uri = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" } # PKCS#11 URI ## Manual provisioning with X.509 certificate # [provisioning] # source = "manual" # iothub_hostname = "example.azure-devices.net" # device_id = "my-device" # # [provisioning.authentication] # method = "x509" # ## identity certificate private key # identity_pk = "file:///var/secrets/device-id.key.pem" # file URI, or... # identity_pk = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" # PKCS#11 URI # ## identity certificate # identity_cert = "file:///var/secrets/device-id.pem" # file URI, or... # [provisioning.authentication.identity_cert] # dynamically issued via... # method = "est" # - EST # method = "local_ca" # - a local CA # common_name = "my-device" # with the given common name, or... # subject = { L = "AQ", ST = "Antarctica", CN = "my-device" } # with the given DN fields ## DPS provisioning with symmetric key # [provisioning] # source = "dps" # global_endpoint = "https://global.azure-devices-provisioning.net" # id_scope = "0ab1234C5D6" # ## Uncomment to send a custom payload during DPS registration # payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" } # # [provisioning.attestation] # method = "symmetric_key" # registration_id = "my-device" # # symmetric_key = { value = "YXppb3QtaWRlbnRpdHktc2VydmljZXxhemlvdC1pZGVudGl0eS1zZXJ2aWNlfGF6aW90LWlkZW50aXR5LXNlcg==" } # inline key (base64), or... # symmetric_key = { uri = "file:///var/secrets/device-id.key" } # file URI, or... # symmetric_key = { uri = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" } # PKCS#11 URI ## DPS provisioning with X.509 certificate [provisioning] source = "dps" global_endpoint = "https://global.azure-devices-provisioning.net/" id_scope = "0xxxxxxxxxx" # ## Uncomment to send a custom payload during DPS registration # payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" } # [provisioning.attestation] method = "x509" registration_id = "my-device" # ## identity certificate private key # identity_pk = "file:///var/secrets/device-id.key.pem" # file URI, or... # identity_pk = "pkcs11:slot-id=0;object=device%20id?pin-value=1234" # PKCS#11 URI # ## identity certificate # identity_cert = "file:///var/secrets/device-id.pem" # file URI, or... [provisioning.attestation.identity_cert] # dynamically issued via... method = "est" # - EST # method = "local_ca" # - a local CA common_name = "my-device" # with the given common name, or... # subject = { L = "AQ", ST = "Antarctica", CN = "my-device" } # with the given DN fields # ## Uncomment the section below to enable automatic renewal of the device ID certificate. ## Auto-renewal requires a known certificate issuance method. This generally means that ## 'method' is either 'est' or 'local_ca'. ## ## IMPORTANT: ## ONLY ENABLE AUTO-RENEWAL IF THIS DEVICE IS CONFIGURED FOR CA-BASED DPS ENROLLMENT. ## USING AUTO-RENEWAL FOR AN INDIVIDUAL ENROLLMENT WILL CAUSE THE DEVICE TO BE UNABLE ## TO REPROVISION. # [provisioning.attestation.identity_cert.auto_renew] # rotate_key = true # threshold = "80%" # retry = "4%" ## DPS provisioning with TPM # [provisioning] # source = "dps" # global_endpoint = "https://global.azure-devices-provisioning.net" # id_scope = "0ab1234C5D6" # ## Uncomment to send a custom payload during DPS registration # payload = { uri = "file:///var/secrets/aziot/identityd/dps-additional-data.json" } # # [provisioning.attestation] # method = "tpm" # registration_id = "my-device" # ============================================================================== # Cert issuance # ============================================================================== # # If you configured any dynamically issued certs above, uncomment the block # corresponding to the issuance method and replace the stub values with yours. # Cert issuance via EST # --------------------- [cert_issuance.est] trusted_certs = [ "file:///var/aziot/certs/cacert.crt.pem", ] [cert_issuance.est.auth] username = "estuser" password = "estpwd" # # # EST ID cert already on device, or... # identity_cert = "file:///var/secrets/est-id.pem" # # identity_pk = "file:///var/secrets/est-id.key.pem" # file URI, or... # identity_pk = "pkcs11:slot-id=0;object=est-id?pin-value=1234" # PKCS#11 URI # # # EST ID cert requested via EST bootstrap ID cert # bootstrap_identity_cert = "file:///var/secrets/est-bootstrap-id.pem" # # bootstrap_identity_pk = "file:///var/secrets/est-bootstrap-id.key.pem" # file URI, or... # bootstrap_identity_pk = "pkcs11:slot-id=0;object=est-bootstrap-id?pin-value=1234" # PKCS#11 URI # ## Controls the renewal of EST identity certs. These certs are issued by the EST server after ## initial authentication with the bootstrap cert and managed by Certificates Service. # [cert_issuance.est.identity_auto_renew] # rotate_key = true # threshold = "80%" # retry = "4%" # [cert_issuance.est.urls] default = "https://localhost:8085/.well-known/est" # Cert issuance via local CA # -------------------------- # [cert_issuance.local_ca] # cert = "file:///var/secrets/local-ca.pem" # # pk = "file:///var/secrets/local-ca.key.pem" # file URI, or... # pk = "pkcs11:slot-id=0;object=local-ca?pin-value=1234" # PKCS#11 URI # ============================================================================== # TPM # ============================================================================== # # If special configuration is required for the TPM when using DPS TPM # provisioning, uncomment any pertinent sections below. # [tpm] # # TCTI loader string; see "TCG TSS 2.0 TPM Command Transmission # # Interface (TCTI) API Specification" section 3.5 for an overview of # # acceptable TCTI loader strings. By default, this is "device". Setting # # this to the empty string will cause the TCTI loader library to try # # loading a predefined set of TCTI modules in order. # # Ref: https://github.com/tpm2-software/tpm2-tss/blob/3.1.1/src/tss2-tcti/tctildr-dl.c#L28-L59 # tcti = "swtpm:port=2321" # # # The TPM index at which to persist the DPS authentication key. The index is # # taken as an offset from the base address for persistent objects # # (0x81000000), and must lie in the range 0x00_00_00--0x7F_FF_FF. The default # # value is 0x00_01_00. # auth_key_index = "0x00_01_00" # # Authorization values for use of the endorsement and owner hierarchies, if # # necessary. By default, these are empty strings. # [tpm.hierarchy_authorization] # endorsement = "hello" # owner = "world" # ============================================================================== # PKCS#11 # ============================================================================== # # If you used any PKCS#11 URIs above, uncomment the next block and # replace the stub values with your PKCS#11 configuration. # [aziot_keys] # pkcs11_lib_path = "/usr/lib/libmypkcs11.so" # pkcs11_base_slot = "pkcs11:slot-id=0?pin-value=1234" # ============================================================================== # Default Edge Agent # ============================================================================== # # If you need to override the parameters of the default Edge Agent module, # uncomment this section and replace the values in this section with your own. # # Note that the agent.config.createOptions field is specified as # a TOML inline table. This format looks similar to JSON but it is not JSON. # See https://toml.io/en/v1.0.0#inline-table for documentation. # [agent] # name = "edgeAgent" # type = "docker" # imagePullPolicy = "..." # "on-create" or "never". Defaults to "on-create" # [agent.config] # image = "mcr.microsoft.com/azureiotedge-agent:1.5" # createOptions = { HostConfig = { Binds = ["/iotedge/storage:/iotedge/storage"] } } # [agent.config.auth] # serveraddress = "example.azurecr.io" # username = "username" # password = "password" # [agent.env] # "RuntimeLogLevel" = "debug" # "UpstreamProtocol" = "AmqpWs" # "storageFolder" = "/iotedge/storage" # ============================================================================== # Daemon management and workload API endpoints # ============================================================================== # # If you need to override the management and workload API endpoints, # uncomment this section and replace the values in this section with your own. # [connect] # workload_uri = "unix:///var/run/iotedge/workload.sock" # management_uri = "unix:///var/run/iotedge/mgmt.sock" # # [listen] # workload_uri = "fd://aziot-edged.workload.socket" # management_uri = "fd://aziot-edged.mgmt.socket" # ============================================================================== # Edge Agent watchdog # ============================================================================== # # If you need to override the default Edge Agent watchdog settings, # uncomment this section and replace the values with your own. # # [watchdog] # max_retries = "infinite" # the string "infinite" or a positive integer. Defaults to "infinite" # ============================================================================== # Edge CA certificate # ============================================================================== # # If you have your own Edge CA certificate that you want all module certificates # to be issued by, uncomment one of the sections below and replace the values with # your own. # Edge CA certificate loaded from a file: # --------------------- # [edge_ca] # cert = "file:///var/secrets/edge-ca.pem" # file URI # # pk = "file:///var/secrets/edge-ca.key.pem" # file URI, or... # pk = "pkcs11:slot-id=0;object=edge%20ca?pin-value=1234" # PKCS#11 URI # Edge CA certificate issued over EST: # --------------------- [edge_ca] method = "est" # # # Optional EST configuration for issuing the Edge CA certificate below. # # If not set, the defaults in [cert_issuance.est] will be used. # # common_name = "aziot-edge CA" # expiry_days = 90 # url = "https://example.org/.well-known/est" # # username = "estuser" # password = "estpwd" # # # EST ID cert already on device, or... # identity_cert = "file:///var/secrets/est-id.pem" # # identity_pk = "file:///var/secrets/est-id.key.pem" # file URI, or... # identity_pk = "pkcs11:slot-id=0;object=est-id?pin-value=1234" # PKCS#11 URI # # # EST ID cert requested via EST bootstrap ID cert # bootstrap_identity_cert = "file:///var/secrets/est-bootstrap-id.pem" # # bootstrap_identity_pk = "file:///var/secrets/est-bootstrap-id.key.pem" # file URI, or... # bootstrap_identity_pk = "pkcs11:slot-id=0;object=est-bootstrap-id?pin-value=1234" # PKCS#11 URI # Edge CA certificate issued from a local CA certificate: # Requires [cert_issuance.local_ca] to be set. # --------------------- # [edge_ca] # method = "local_ca" # # # Optional configuration below. # # common_name = "aziot-edge CA" # expiry_days = 90 # ============================================================================== # Edge CA certificate (Quickstart) # ============================================================================== # # If you do not have your own Edge CA certificate that you want all # module certificates to be issued by, you can uncomment this section and # set the number of days for the lifetime of the auto-generated # self-signed Edge CA certificate. Defaults to 90 days. # # SECURITY NOTE: this setting is NOT recommended for production usage. Please # configure your own Edge CA certificate in the Edge CA certificate section # above instead. # # [edge_ca] # auto_generated_edge_ca_expiry_days = 90 # ============================================================================== # Edge CA certificate auto-renewal # ============================================================================== # # Manage auto-renewal of the Edge CA certificate. Generally, this applies when the # Edge CA is configured as Quickstart or when the Edge CA has an issuance `method` # set. Edge CA certs loaded from files generally cannot be auto-renewed as the Edge # runtime will not have enough information to renew them. # # Renewal of an Edge CA requires all server certificates issued by that CA to be # regenerated. This is done by restarting all modules. The time of Edge CA renewal # cannot be guaranteed, so if random module restarts are unacceptable for your use # case, disable auto renewal. # # Note that for auto-generated (quickstart) certificates, both the certificate and key # must be regenerated on renewal so rotate_key must be true. Another issuance method # is required if rotate_key = false. # # [edge_ca.auto_renew] # rotate_key = true # threshold = "80%" # retry = "4%" # ============================================================================== # Image garbage collection # ============================================================================== # # If you need to override the default image garbage collection configuration, # uncomment this section and replace the values in this section with your own. # # 'enabled' controls whether image garbage collection runs or not. # 'cleanup_recurrence' is how frequently you want the image gc to run. # 'image_age_cleanup_threshold' is the "age" of unused images, after which they will be cleaned up. # 'cleanup_time' in 24-hour HH:MM format is a best efforts dictate of when the cleanup job runs. # [image_garbage_collection] # enabled = true # cleanup_recurrence = "1d" # image_age_cleanup_threshold = "7d" # cleanup_time = "00:00" # ============================================================================== # Moby runtime # ============================================================================== # # If you need to override the default Moby runtime configuration, # uncomment this section and replace the values in this section with your own. # [moby_runtime] # uri = "unix:///var/run/docker.sock" # network = "azure-iot-edge" ```

Output of iotedge check

Click here

``` Configuration checks (aziot-identity-service) --------------------------------------------- √ keyd configuration is well-formed - OK √ certd configuration is well-formed - OK √ tpmd configuration is well-formed - OK √ identityd configuration is well-formed - OK √ daemon configurations up-to-date with config.toml - OK √ identityd config toml file specifies a valid hostname - OK √ aziot-identity-service package is up-to-date - OK √ host time is close to reference time - OK ‼ production readiness: identity certificates expiry - Warning DPS identity 'device-id' will expire soon (2024-06-07 09:21:12 UTC, in 0 days) √ preloaded certificates are valid - OK √ keyd is running - OK √ certd is running - OK √ identityd is running - OK √ read all preloaded certificates from the Certificates Service - OK √ read all preloaded key pairs from the Keys Service - OK √ check all EST server URLs utilize HTTPS - OK √ ensure all preloaded certificates match preloaded private keys with the same ID - OK Connectivity checks (aziot-identity-service) -------------------------------------------- ‼ host can connect to and perform TLS handshake with iothub AMQP port - Warning Could not retrieve iothub_hostname from provisioning file. Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information. Since no hostname is provided, all hub connectivity tests will be skipped. ‼ host can connect to and perform TLS handshake with iothub HTTPS / WebSockets port - Warning Could not retrieve iothub_hostname from provisioning file. Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information. Since no hostname is provided, all hub connectivity tests will be skipped. ‼ host can connect to and perform TLS handshake with iothub MQTT port - Warning Could not retrieve iothub_hostname from provisioning file. Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information. Since no hostname is provided, all hub connectivity tests will be skipped. √ host can connect to and perform TLS handshake with DPS endpoint - OK Configuration checks -------------------- √ aziot-edged configuration is well-formed - OK √ configuration up-to-date with config.toml - OK √ container engine is installed and functional - OK √ configuration has correct URIs for daemon mgmt endpoint - OK √ aziot-edge package is up-to-date - OK √ container time is close to host time - OK ‼ DNS server - Warning Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub. Please see https://aka.ms/iotedge-prod-checklist-dns for best practices. You can ignore this warning if you are setting DNS server per module in the Edge deployment. ‼ production readiness: logs policy - Warning Container engine is not configured to rotate module logs which may cause it run out of disk space. Please see https://aka.ms/iotedge-prod-checklist-logs for best practices. You can ignore this warning if you are setting log policy per module in the Edge deployment. √ production readiness: Edge Agent's storage directory is persisted on the host filesystem - OK √ production readiness: Edge Hub's storage directory is persisted on the host filesystem - OK √ proxy settings are consistent in aziot-edged, aziot-identityd, moby daemon and config.toml - OK Connectivity checks ------------------- 26 check(s) succeeded. 6 check(s) raised warnings. Re-run with --verbose for more details. 7 check(s) were skipped due to errors from other checks. Re-run with --verbose for more details. ```

Device Information

• Host OS: Ubuntu 22.04
• Architecture [e.g. amd64, arm32, arm64]: amd64
• Container OS [e.g. Linux containers, Windows containers]: Linux containers

Runtime Versions

• aziot-edged [run iotedge version]: iotedge 1.5.0
• Edge Agent [image tag (e.g. 1.0.0)]: 1.5.0
• Edge Hub [image tag (e.g. 1.0.0)]: 1.5.0
• Docker/Moby [run docker version]: 26.1.3-1

Note: when using Windows containers on Windows, run docker -H npipe:////./pipe/iotedge_moby_engine version instead

Logs

iotedge system logs

``` Jun 06 12:42:56 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:42:56Z [INFO] - Starting Azure IoT Edge Daemon Jun 06 12:42:56 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:42:56Z [INFO] - Version - 1.5.0 Jun 06 12:42:56 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:42:56Z [INFO] - Obtaining Edge device provisioning data... Jun 06 12:42:56 test-ubuntu2204 systemd[1]: Started Azure IoT Identity Service. Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Starting service... Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Version - 1.5.0 Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Loaded openssl'd Default provider Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Provisioning starting. Reason: Startup Jun 06 12:42:56 test-ubuntu2204 systemd[1]: Started Azure IoT Keys Service. Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - Starting service... Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - Version - 1.5.0 Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - Loaded libaziot-keys with version 0x02010000 Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - Starting server... Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- GET /keypair/device-id?api-version=2021-05-01 {"host": "keyd.sock"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [ERR!] - invalid parameter "id": not found Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - !!! a parameter has an invalid value Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 400 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 systemd[1]: Started Azure IoT Certificates Service. Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - Starting service... Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - Version - 1.5.0 Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - Starting server... Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - <-- GET /certificates/device-id?api-version=2020-09-01 {"host": "certd.sock"} Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - !!! parameter "id" has an invalid value Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - !!! caused by: not found Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - --> 400 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /keypair?api-version=2021-05-01 {"content-type": "application/json", "host": "keyd.sock", "content-length": "56"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /encrypt?api-version=2021-05-01 {"content-length": "355", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - <-- POST /certificates?api-version=2020-09-01 {"content-type": "application/json", "host": "certd.sock", "content-length": "947"} Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - --> 201 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Provisioned with backup for mydevice. Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Successfully provisioned with DPS. Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Provisioning complete. Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Identity reconciliation started. Reason: Startup Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /encrypt?api-version=2021-05-01 {"content-length": "636", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Could not reconcile Identities with current device data. Reprovisioning. Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- GET /keypair/device-id?api-version=2021-05-01 {"host": "keyd.sock"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - <-- GET /certificates/device-id?api-version=2020-09-01 {"host": "certd.sock"} Jun 06 12:42:56 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:42:56Z [INFO] - Sending DPS registration request. Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - <-- POST /encrypt?api-version=2021-05-01 {"content-length": "355", "content-type": "application/json"} Jun 06 12:42:56 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:42:56Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:01 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:43:01Z [INFO] - Checking DPS registration status. Jun 06 12:43:01 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:01Z [INFO] - <-- POST /encrypt?api-version=2021-05-01 {"content-length": "355", "content-type": "application/json"} Jun 06 12:43:01 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:01Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:43:02Z [INFO] - Assigned to IoT hub: TestIotHub.azure-devices.net Jun 06 12:43:02 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:43:02Z [INFO] - DPS registration complete. Jun 06 12:43:02 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:43:02Z [INFO] - Successfully provisioned with DPS. Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /encrypt?api-version=2021-05-01 {"content-length": "636", "content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:43:02Z [INFO] - Identity reconciliation complete. Jun 06 12:43:02 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:43:02Z [INFO] - Starting server... Jun 06 12:43:02 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:43:02Z [INFO] - <-- POST /identities/device?api-version=2020-09-01 {"content-type": "application/json", "host": "identityd.sock", "content-length": "16"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- GET /keypair/device-id?api-version=2021-05-01 {"host": "keyd.sock"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-identityd[39314]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:43:02Z [INFO] - Device is mydevice on TestIotHub.azure-devices.net Jun 06 12:43:02 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:43:02Z [INFO] - Initializing module runtime... Jun 06 12:43:02 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:43:02Z [INFO] - Using runtime network id azure-iot-edge Jun 06 12:43:02 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:43:02Z [INFO] - Successfully initialized module runtime Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /keypair?api-version=2020-09-01 {"content-type": "application/json", "host": "keyd.sock", "content-length": "61"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:43:02Z [INFO] - <-- GET /certificates/aziot-edged-ca?api-version=2020-09-01 {"host": "certd.sock"} Jun 06 12:43:02 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:43:02Z [INFO] - !!! parameter "id" has an invalid value Jun 06 12:43:02 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:43:02Z [INFO] - !!! caused by: not found Jun 06 12:43:02 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:43:02Z [INFO] - --> 400 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:43:02Z [INFO] - Requesting new Edge CA certificate... Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "252", "content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "252", "content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "252", "content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "252", "content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "252", "content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "252", "content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - <-- POST /encrypt?api-version=2021-05-01 {"content-length": "359", "content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-keyd[39317]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:43:02Z [INFO] - <-- POST /certificates?api-version=2020-09-01 {"content-type": "application/json", "host": "certd.sock", "content-length": "1046"} Jun 06 12:43:02 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:43:02Z [INFO] - --> 201 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:43:02Z [INFO] - Created new Edge CA certificate Jun 06 12:43:02 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:43:02Z [INFO] - <-- GET /certificates/aziot-edged-ca?api-version=2020-09-01 {"host": "certd.sock"} Jun 06 12:43:02 test-ubuntu2204 aziot-certd[39323]: 2024-06-06T12:43:02Z [INFO] - --> 200 {"content-type": "application/json"} Jun 06 12:43:02 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:43:02Z [INFO] - Certificate aziot-edged-ca will be auto-renewed. Next renewal at 2024-06-07T07:55:02+00:00. Jun 06 12:43:02 test-ubuntu2204 aziot-edged[39311]: 2024-06-06T12:43:02Z [INFO] - Stopping all modules... J ```

edge-agent logs

``` ```

edge-hub logs

``` ```

Additional Information

Please provide any additional information that may be helpful in understanding the issue.