MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Azure IoT Edge Gateway invalid certificates #12826

Closed johscheuer closed 6 years ago

johscheuer commented 6 years ago

Currently I have some issues following the documentation for setting up an Azure IoT Edge Gateway on Ubuntu 16.04 (I also tried Ubuntu 18.04). Are there some missing steps or what is the best way to debug this?

As described in the documentation, I executed the following steps:

Everything looks fine until I want to connect to the edge gateway; then I get the following error messages from my application:

Unhandled Exception: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

or, if I try to validate it with openssl:

openssl s_client -connect lx-daec-01.services.kapp.inovex.de:8883 -CAfile ./azure-iot-test-only.root.ca.cert.pem -showcerts
CONNECTED(00000005)
depth=0 CN = azure-edge
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = azure-edge
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = azure-edge
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=azure-edge
   i:/CN=iotedged workload ca
---
Server certificate
subject=/CN=azure-edge
issuer=/CN=iotedged workload ca
---
No client certificate CA names sent
---
SSL handshake has read 1697 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 61792CF34DC568164E2291EABDE9A7B40DAC4647D6FB8C6218E4AF8EB41AE6FB
    Session-ID-ctx:
    Master-Key: 2225242BE66C5BDFA3CFAB6D73070D3BC13A35D784AAF5A84542D4E9711270479A5EEC89B4C0F93D26D262DBFDBEB590
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1533285747
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

I also added the CA to the system CA: https://docs.microsoft.com/en-us/azure/iot-edge/how-to-create-transparent-gateway-linux#os-level but also without any success.

In the startup logs of the IoT edge runtime I can also find the correct logs:

Aug 03 10:07:40 lx-daec-01 iotedged[5905]: 2018-08-03T08:07:40Z [INFO] - Configuring certificates...
Aug 03 10:07:40 lx-daec-01 iotedged[5905]: 2018-08-03T08:07:40Z [INFO] - Configuring the Device CA certificate using "/home/azure/edge_certs/certs/new-edge-device-full-chain.cert.pem".
Aug 03 10:07:40 lx-daec-01 iotedged[5905]: 2018-08-03T08:07:40Z [INFO] - Configuring the Device private key using "/home/azure/edge_certs/private/new-edge-device.key.pem".
Aug 03 10:07:40 lx-daec-01 iotedged[5905]: 2018-08-03T08:07:40Z [INFO] - Configuring the trusted CA certificates using "/home/azure/edge_certs/certs/azure-iot-test-only.root.ca.cert.pem"

Is there any way to debug this issue (to see where the certificates are not loaded)?

I also tried some steps to validate that the certificates are working:

openssl verify -CAfile ${HOME}/edge_certs/certs/azure-iot-test-only.root.ca.cert.pem \
               -untrusted ${HOME}/edge_certs/certs/azure-iot-test-only.intermediate.cert.pem \
               ${HOME}/edge_certs/certs/new-edge-device.cert.pem

openssl verify -CAfile ${HOME}/edge_certs/certs/new-edge-device-full-chain.cert.pem \
                       ${HOME}/edge_certs/certs/new-edge-device-full-chain.cert.pem

openssl verify -CAfile ${HOME}/edge_certs/certs/azure-iot-test-only.root.ca.cert.pem \
               -untrusted ${HOME}/edge_certs/certs/azure-iot-test-only.intermediate.cert.pem \
               ${HOME}/edge_certs/private/new-edge-device.key.pem

openssl rsa -modulus -noout -in ${HOME}/edge_certs/private/new-edge-device.key.pem | openssl md5 ;\
openssl x509 -modulus -noout -in ${HOME}/edge_certs/certs/new-edge-device-full-chain.cert.pem | openssl md5  | uniq


johscheuer commented 6 years ago

After cleaning up the certificates in the hsm directory I got a little bit further (executed on the same device that should act as the transparent gateway):

openssl s_client -connect $(hostname):8883 -CAfile ${HOME}/edge_certs/certs/azure-iot-test-only.root.ca.cert.pem -showcerts
CONNECTED(00000003)
depth=4 CN = Azure IoT Hub CA Cert Test Only
verify return:1
depth=3 CN = Azure IoT Hub Intermediate Cert Test Only
verify return:1
depth=2 CN = edge-node.ca
verify return:1
depth=1 CN = iotedged workload ca
verify return:1
depth=0 CN = lx-daec-01.services.kapp.inovex.de
verify return:1
---
...
---
Server certificate
subject=/CN=lx-daec-01.services.kapp.inovex.de
issuer=/CN=iotedged workload ca
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5554 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 431BF7AFEA7BF73EEE1A0FAB660B16566835E25AE2E0744ABD9FE8DED3E865BD
    Session-ID-ctx:
    Master-Key: 42B4BE64C9D4268D63734A7BB86F31EF8D10FA0FA163FBA6625C0E2BA1BFBC69B5522C192598A0F6B1D1FBA5383B0796
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1533297930
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Before that, I executed the following steps:

sudo systemctl stop iotedge
sudo rm /var/lib/iotedge/hsm/cert_keys/*
sudo rm /var/lib/iotedge/hsm/certs/*
sudo systemctl restart iotedge

But if I try it from a remote device:

CONNECTED(00000005)
depth=0 CN = azure-edge
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = azure-edge
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = azure-edge
verify error:num=21:unable to verify the first certificate
verify return:1
---
...
---
Server certificate
subject=/CN=azure-edge
issuer=/CN=iotedged workload ca
---
No client certificate CA names sent
---
SSL handshake has read 1697 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3B83BD3174B8202F8E03052525EE54E4D69A7AC6BC1E477685AD0CA24F022A2C
    Session-ID-ctx:
    Master-Key: B88458406CBBCC6E4EE7F48CE8716151E4130127CA1E83039CD48E6AEB8CD10F604A676E4C27567CE9A3BE0D0B592CD5
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1533298369
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Mike-Ubezzi-MSFT commented 6 years ago

@johscheuer Thanks for the feedback. We are actively investigating and will get back to you soon, but can you try your manual test in a slightly different way by using -CApath instead of -CAfile and adjusting your certs path accordingly?

Example: openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443

In the meantime, I am going to do some investigation internally. Thanks, Mike

Mike-Ubezzi-MSFT commented 6 years ago

@johscheuer The other option is this, if client authentication is enabled:

openssl s_client -cert ./client-cert.pem -key ./client-key.key -CApath /etc/ssl/certs/ -connect foo.example.com:443

The other possible issue is that the subject lines do not match between the CA and the certificate being signed, in the case of a CA-signed root certificate. Not sure if there would be an issue in the case of a self-signed certificate. The issuer subject value in the certificate (cert.pem) must equal the subject of the issuer (CA.pem).

With this, I am going to look into this tutorial and see about reproducing the issue. Thanks, Mike

johscheuer commented 6 years ago

Thanks for your response. I will try the options today and will report the output (but actually I think this isn't an authentication problem).

johscheuer commented 6 years ago

I noticed that one missing step is the proof of possession: https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md#step-3---proof-of-possession. After doing this step and executing the following steps:

sudo systemctl stop iotedge
sudo rm /var/lib/iotedge/hsm/cert_keys/*
sudo rm /var/lib/iotedge/hsm/certs/*
sudo systemctl restart iotedge

The modules running on the edge gateway are able to communicate with the edge hub. I will test if I'm able to connect with an Edge Device to the gateway.

johscheuer commented 6 years ago

The actual strange thing is that I get different responses:

Executed on the machine running the transparent edge gateway:

/iotedge/certs$ openssl s_client -connect  lx-daec-01.services.kapp.inovex.de:8883 -CAfile /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt -showcerts
CONNECTED(00000003)
depth=4 CN = Azure IoT Hub CA Cert Test Only
verify return:1
depth=3 CN = Azure IoT Hub Intermediate Cert Test Only
verify return:1
depth=2 CN = edge-node
verify return:1
depth=1 CN = iotedged workload ca
verify return:1
depth=0 CN = salish
verify return:1
---
Certificate chain
 0 s:/CN=salish
   i:/CN=iotedged workload ca
 1 s:/CN=Azure IoT Hub Intermediate Cert Test Only
   i:/CN=Azure IoT Hub CA Cert Test Only
 2 s:/CN=edge-node
   i:/CN=Azure IoT Hub Intermediate Cert Test Only
 3 s:/CN=iotedged workload ca
   i:/CN=edge-node

Executed from a remote machine (I trusted the root certificate, added it to the system's certificates and tried -CAfile / -CApath):

openssl s_client -connect  azure-edge:8883 -CAfile ./azure-iot-test-only.root.ca.cert.pem.crt -showcerts
CONNECTED(00000005)
depth=0 CN = azure-edge
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = azure-edge
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = azure-edge
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=azure-edge
   i:/CN=iotedged workload ca
---
Server certificate
subject=/CN=azure-edge
issuer=/CN=iotedged workload ca

Mike-Ubezzi-MSFT commented 6 years ago

@johscheuer Have you followed these steps to enable DEBUG output to the logs: Common issues and resolutions for Azure IoT Edge

I suspect that there is an issue with these steps: Installation on the downstream device

Are you using the certificates from the GitHub repo or some other certificates? If you are not using the certificates from the repo, can you use these instead: A C99 SDK for connecting devices to Microsoft Azure IoT services

Those instructions pick up from here: Prerequisites.

waltmatthews commented 6 years ago

Having the same issue as described above, following the instructions above, which included the generation of the certificates. Error with openssl tested both locally and from a remote device: "Verify return code: 21 (unable to verify the first certificate)".

vbadri commented 6 years ago

I am stuck with the error even on the local machine, despite (i) clearing out the stored keys as recommended by @johscheuer, and doing the verification step.

vbadri commented 6 years ago

openssl s_client -connect localhost:8883 -CAfile certs/azure-iot-test-only.root.ca.cert.pem

returns

CONNECTED(00000003)
depth=2 CN = edge00001
verify error:num=24:invalid CA certificate

Certificate chain
 0 s:/CN=edge00001
   i:/CN=iotedged workload ca
 1 s:/CN=Azure IoT Hub Intermediate Cert Test Only
   i:/CN=Azure IoT Hub CA Cert Test Only
 2 s:/CN=edge00001
   i:/CN=Azure IoT Hub Intermediate Cert Test Only
 3 s:/CN=iotedged workload ca
   i:/CN=edge00001
 4 s:/CN=edge00001
   i:/CN=iotedged workload ca
 5 s:/CN=iotedged workload ca
   i:/CN=edge00001
...

Start Time: 1533584349
Timeout   : 300 (sec)
Verify return code: 24 (invalid CA certificate)

vbadri commented 6 years ago

Also, not sure it matters, but I'm doing this on a Ubuntu 16.04 platform.

johscheuer commented 6 years ago

@vbadri I also tried Ubuntu 16.04/18.04 on x64

johscheuer commented 6 years ago

@Mike-Ubezzi-MSFT I already enabled the debugging but I didn't find any valuable error/debug logs.

I tried to connect to port 443 from the remote machine, with success:

CONNECTED(00000005)
depth=4 CN = Azure IoT Hub CA Cert Test Only
verify return:1
depth=3 CN = Azure IoT Hub Intermediate Cert Test Only
verify return:1
depth=2 CN = edge-node
verify return:1
depth=1 CN = iotedged workload ca
verify return:1
depth=0 CN = salish
verify return:1
---
Certificate chain
 0 s:/CN=salish
<snip>
---
Server certificate
subject=/CN=salish
issuer=/CN=iotedged workload ca
---
No client certificate CA names sent
---
SSL handshake has read 5595 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9DC4DE399551E66A47E13F2CA9B853C84F8855895084875B95B6B55894B8F4F5
    Session-ID-ctx:
    Master-Key: B988C81E12892E485A6AB759EC85CA32851C2B1600A8FAA2E643D241A6BF5CFCB6E531E31B2C9E32C73936900CC507A3
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1533629346
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

but on the MQTTS port 8883:

CONNECTED(00000005)
depth=0 CN = azure-edge
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = azure-edge
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = azure-edge
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=azure-edge
   i:/CN=iotedged workload ca
---
Server certificate
subject=/CN=azure-edge
issuer=/CN=iotedged workload ca
---
No client certificate CA names sent
---
SSL handshake has read 1697 bytes and written 524 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 15A1E1B0F952A0DA8C32749197439BF3C825AD3B3E0C91D545266867B6E0DAA2
    Session-ID-ctx:
    Master-Key: 4BB5F318CCAD9D36C0643C36ED79454EE6C7792E2225C67A452CE1489AD27BF19DCCB392FA0BC0A1276A1070D6C2537E
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1533629491
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

It looks like the edgeHub uses different certificates for TLS and MQTTS (which obviously uses TLS too).

If it helps, I would be open to a debugging session to show you what I already tried.

johscheuer commented 6 years ago

Okay, so I got it working (on Ubuntu 16.04 and 18.04) with the following steps:

1.) Install the iotedge runtime and stop the service directly: systemctl stop iotedge
2.) Run the certGen.sh script as described in the docu
3.) Execute these steps: https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md#step-3---proof-of-possession (the CA should be verified in the end)
4.) Remove any old generated certificates:

sudo rm /var/lib/iotedge/hsm/cert_keys/*
sudo rm /var/lib/iotedge/hsm/certs/*

5.) Start the edge runtime: sudo systemctl restart iotedge

One important thing here is that the hostname must match. In my scenario we had a DNS record for the gateway that doesn't match the hostname (non-authoritative DNS). This was the reason why I couldn't access MQTTS remotely (even though the error message is misleading).

Thanks for your help!
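A small diagnostic for the two failure modes seen in this thread, written here as an added example (it is not from the issue or from the IoT Edge project): it parses `openssl s_client -showcerts` output, follows the issuer links from the leaf towards the trusted test root regardless of the order the server sent them in, and compares the leaf CN with the name you connected to. The two sample outputs are constructed and shortened from the ones posted above, and `TEST_ROOT_CN` is assumed to be the CN of the certGen.sh test root given to `-CAfile`.

```python
"""Parse `openssl s_client -showcerts` output and explain why verification failed."""
import re
from dataclasses import dataclass

# Constructed sample, shortened from the thread: remote client on 8883 got only the leaf.
SAMPLE_LEAF_ONLY = """\
depth=0 CN = azure-edge
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = azure-edge
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=azure-edge
   i:/CN=iotedged workload ca
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample: the full chain, sent out of order (OpenSSL tolerates that), up to the root.
SAMPLE_FULL_CHAIN = """\
depth=4 CN = Azure IoT Hub CA Cert Test Only
verify return:1
---
Certificate chain
 0 s:/CN=salish
   i:/CN=iotedged workload ca
 1 s:/CN=Azure IoT Hub Intermediate Cert Test Only
   i:/CN=Azure IoT Hub CA Cert Test Only
 2 s:/CN=edge-node
   i:/CN=Azure IoT Hub Intermediate Cert Test Only
 3 s:/CN=iotedged workload ca
   i:/CN=edge-node
---
    Verify return code: 0 (ok)
"""

TEST_ROOT_CN = "Azure IoT Hub CA Cert Test Only"  # assumed: CN of the root given to -CAfile

@dataclass
class Cert:
    subject: str
    issuer: str

@dataclass
class Diagnosis:
    verify_code: int
    verify_errors: list
    path: list            # certificates followed from the leaf towards the trusted root
    complete_chain: bool
    hostname_matches: bool
    findings: list

def _cn(dn: str) -> str:
    """Pull the CN out of s_client's one-line DN (SANs are not shown in that output)."""
    m = re.search(r"CN=([^/,]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(output: str) -> list:
    """Return the certificates in the order the server sent them (the ' N s:' / 'i:' pairs)."""
    pairs = re.findall(r"^\s*\d+\s+s:(.*)\n\s*i:(.*)$", output, re.M)
    return [Cert(_cn(s), _cn(i)) for s, i in pairs]

def build_path(chain: list, trusted_root_cn: str):
    """Follow issuer -> subject links from the leaf; wire order does not matter."""
    by_subject = {c.subject: c for c in chain}
    path, seen = [chain[0]], {chain[0].subject}
    while path[-1].issuer != trusted_root_cn:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt.subject in seen:  # issuer never sent, or a loop
            return path, False
        path.append(nxt)
        seen.add(nxt.subject)
    return path, True

def diagnose(output: str, expected_host: str, trusted_root_cn: str = TEST_ROOT_CN) -> Diagnosis:
    chain = parse_chain(output)
    if not chain:
        raise ValueError("no 'Certificate chain' section; run s_client with -showcerts")
    code_m = re.search(r"Verify return code: (\d+)", output)
    code = int(code_m.group(1)) if code_m else -1
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+)", output)})
    path, complete = build_path(chain, trusted_root_cn)
    host_ok = path[0].subject.lower() == expected_host.lower()
    findings = []
    if not complete:
        findings.append(f"chain breaks at '{path[-1].subject}': its issuer '{path[-1].issuer}' "
                        f"was not sent, so no path to '{trusted_root_cn}' can be built")
    if not host_ok:  # s_client does not check the hostname by default; real clients do
        findings.append(f"leaf CN '{path[0].subject}' != connected name '{expected_host}'")
    if code != 0:
        findings.append(f"openssl verify return code {code}, errors {errors}")
    return Diagnosis(code, errors, path, complete, host_ok, findings)
```

Run it on the real output by piping `openssl s_client ... -showcerts </dev/null` into a file and passing that text plus the DNS name you connected with; a return code of 0 from s_client alone does not prove the CN matches the name a .NET or MQTT client will check.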

vbadri commented 6 years ago

@johscheuer, thanks for the heads up. I have run the steps as above and it didn't quite work even on the same machine (i.e., I couldn't verify the SSL connection even on the same host). However, one difference I notice is your note about the hostname. Could you elaborate? There are three possible places a name is specified:

$HOST_NAME : Just your host name
$HUB_DEVICE_NAME : The name given to the device on the Azure IoT hub
$GATEWAY_DEVICE_NAME : The name specified in the following command.

Which of these must be the same? (For me, the $HUB_DEVICE_NAME and $GATEWAY_DEVICE_NAME are the same)

Also if it is not too much trouble, could you comment on my steps below, or give your actual commands here, suppressing sensitive info of course. This one has been surprisingly tricky. Appreciate the help...

sudo service iotedge stop
sudo rm /var/lib/iotedge/hsm/cert_keys/*
sudo rm /var/lib/iotedge/hsm/certs/*
SRCDIR="$1"   # checkout of the azure-iot-sdk-c repo
WRKDIR="$2"   # working directory for the generated certificates
echo "Copying from $SRCDIR to $WRKDIR"
cd "$WRKDIR"
cp "$SRCDIR"/tools/CACertificates/*.cnf .
cp "$SRCDIR"/tools/CACertificates/certGen.sh .
chmod 700 certGen.sh
./certGen.sh create_root_and_intermediate
DEVICE="$3"   # device name passed to certGen.sh
echo "Device name $DEVICE"
./certGen.sh create_edge_device_certificate "$DEVICE"
cat ./certs/new-edge-device.cert.pem ./certs/azure-iot-test-only.intermediate.cert.pem ./certs/azure-iot-test-only.root.ca.cert.pem > ./certs/new-edge-device-full-chain.cert.pem

echo "Upload certs/azure-iot-test-only.root.ca.cert.pem to the azure portal, and get the verification code"
read VERIFICATION_CODE
echo "You entered the code $VERIFICATION_CODE"
echo "Press any key to continue.."
read -n 1 -s
./certGen.sh create_verification_certificate "$VERIFICATION_CODE"
echo "Now upload certs/verification-code.cert.pem to the portal"
sudo service iotedge start

waltmatthews commented 6 years ago

The key for me was removing the previously generated certificates.

sudo rm /var/lib/iotedge/hsm/cert_keys/*
sudo rm /var/lib/iotedge/hsm/certs/*

Thanks to @johscheuer for your update!

vbadri commented 6 years ago

Hmm, I just noticed that for verification I was using

openssl s_client -connect edge00001:8883 -CAfile certs/azure-iot-test-only.root.ca.cert.pem

However, I see from @johscheuer's previous comments that I should be using the azure-iot-test-only.root.ca.cert.pem.crt file. I don't see the .crt file anywhere. Did I miss something in the procedure?

Mike-Ubezzi-MSFT commented 6 years ago

@vbadri Check the following 'certs' folder in the GitHub repo: Azure/azure-iot-sdk-c

Mike-Ubezzi-MSFT commented 6 years ago

@johscheuer We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.

vbadri commented 6 years ago

@Mike-Ubezzi-MSFT -- sorry, still don't get it. If you look at the script I uploaded, I have followed each step exactly. I still don't see where the .crt file is. I did check the directory you mentioned. It is not mentioned anywhere in the instructions. What am I missing?

Mike-Ubezzi-MSFT commented 6 years ago

@vbadri Which O/S are you using with this tutorial?

vbadri commented 6 years ago

Ubuntu 16.04. FWIW, the exact commands I am executing are below:

sudo systemctl stop iotedge
sudo rm /var/lib/iotedge/hsm/cert_keys/*
sudo rm /var/lib/iotedge/hsm/certs/*
SRCDIR="$1"   # checkout of the azure-iot-sdk-c repo
WRKDIR="$2"   # working directory for the generated certificates
echo "Copying from $SRCDIR to $WRKDIR"
cd "$WRKDIR"
cp "$SRCDIR"/tools/CACertificates/*.cnf .
cp "$SRCDIR"/tools/CACertificates/certGen.sh .
chmod 700 certGen.sh
./certGen.sh create_root_and_intermediate
DEVICE="$3"   # device name passed to certGen.sh
echo "Device name $DEVICE"
./certGen.sh create_edge_device_certificate "$DEVICE"
cat ./certs/new-edge-device.cert.pem ./certs/azure-iot-test-only.intermediate.cert.pem ./certs/azure-iot-test-only.root.ca.cert.pem > ./certs/new-edge-device-full-chain.cert.pem

echo "Upload certs/azure-iot-test-only.root.ca.cert.pem to the azure portal, and get the verification code"
read VERIFICATION_CODE
echo "You entered the code $VERIFICATION_CODE"
echo "Press any key to continue.."
read -n 1 -s
./certGen.sh create_verification_certificate "$VERIFICATION_CODE"
echo "Now upload certs/verification-code.cert.pem to the portal"
echo "Press any key to continue, then wait for the iotedge process to restart.."
read -n 1 -s
sudo systemctl restart iotedge
sleep 20
echo "Trying to verify certificate"
openssl s_client -connect localhost:8883 -CAfile ./certs/azure-iot-test-only.root.ca.cert.pem.crt

Mike-Ubezzi-MSFT commented 6 years ago

@vbadri Let me walk through this tutorial. Hang tight. Thanks!

vbadri commented 6 years ago

Thanks, Mike. Happy to have a debug session or provide more logs if it helps.

Mike-Ubezzi-MSFT commented 6 years ago

@vbadri I was successful in getting this tutorial deployed. Two things I think may have contributed to your issue:

1) Installation on the downstream device

sudo cp /home/miubezzi/certs/azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt

sudo update-ca-certificates

2) The device Id value used when creating your IoTEdge Device and the value used for step 2 (Certificate creation):

./certGen.sh create_edge_device_certificate "<gateway device name>"

Output of openssl command: openssl s_client -connect miubezzi-IoT-Hub.azure-devices.net:8883 -CAfile /home/miubezzi/certs/azure-iot-test-only.root.ca.cert.pem -showcerts

CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 1
verify return:1
depth=0 CN = *.azure-devices.net
verify return:1

Certificate chain
 0 s:/CN=*.azure-devices.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 1
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 1
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

Server certificate subject=/CN=*.azure-devices.net issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 1

No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1 Peer signing digest: SHA1 Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 3808 bytes and written 483 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-SHA256 Session-ID: 473400003788FB353537F4F7766ABC5FEBC5707B61CC38F23927E32EFE87A2E2 Session-ID-ctx: Master-Key: DBA704F755F12F6522F5EEC33ABEBFDE3D8E79F15A14BAAE5C2C2348FA348F986970834E2F449BE8201DE3371A86F3AD Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1533680891 Timeout : 300 (sec) Verify return code: 0 (ok)

read:errno=0

vbadri commented 6 years ago

@Mike-Ubezzi-MSFT, Confirming that the certificate test passed.

Thanks for the quick turnaround. Would recommend updating the doc with the above two gotchas for others.

I still have a problem with authentication, but will open a separate ticket on that. I think this part is now clear.

Sprinton commented 4 years ago

Hello,

I'm afraid I'm following the same steps. I pass a name other than the hostname in my config.yaml to create the device certificates, and the error below still occurs. Appreciate your kind support. I'm using Stretch on a Raspberry Pi 3.

pi@smash3:~ $ openssl s_client -connect SprintHub.azure-devices.net:8883 -CAfile /home/pi/iotedge/git/CERTDIR/certs/azure-iot-test-only.root.ca.cert.pem -showcerts
CONNECTED(00000003)
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 5
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=*.azure-devices.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 5
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 5
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.azure-devices.net
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 5
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4110 bytes and written 386 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: 56220000C56104A1AD9032C45159E036C7E0050F30DA074B9D04E52B7BB51482
    Session-ID-ctx:
    Master-Key: 1BF2D466FEA46E6635B31A96DF24B14B884E8D7D4387521FD5B18AD7366EFC9B41F1A79F07793B05C0CBCB9A19EF8262
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1578675706
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes

Sprinton commented 4 years ago

Hello,

I discovered the error below in the logs

when running the command

journalctl -u iotedge --no-pager --no-full

- Configuring certificates...
Jan 10 21:03:32 smash3 iotedged[12817]: 2020-01-10T19:03:32Z [INFO] - Transparent gateway certificates not found, operating in quick start mode...
Jan 10 21:03:32 smash3 iotedged[12817]: 2020-01-10T19:03:32Z [INFO] - Finished configuring certificates.
Jan 10 21:03:32 smash3 iotedged[12817]: 2020-01-10T19:03:32Z [INFO] - Initializing hsm...

I made sure that iotedge has access to where the certificates are, but the error still occurs.

I also found the error below

: 2020-01-10T19:03:47Z [WARN] - Could not stop module edgeHub
Jan 10 21:03:47 smash3 iotedged[12817]: 2020-01-10T19:03:47Z [WARN] -         caused by: Target of operation already in this state

I tried solving the error with the commands below, with no success

sudo systemctl stop iotedge
sudo rm /var/lib/iotedge/hsm/cert_keys/*
sudo rm /var/lib/iotedge/hsm/certs/*
sudo systemctl restart iotedge
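The openssl verify failure and the "operating in quick start mode" log line in the two posts above are the two symptoms worth checking first, and they can be triaged from the captured text alone. The following is an added example, not code from this thread or from the IoT Edge project; its sample input is constructed from the lines quoted above, and the diagnosis labels it returns are this example's own assumptions.

```python
import re

# Constructed sample, trimmed from the openssl s_client output quoted in the post above.
S_CLIENT_OUTPUT = """\
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT TLS CA 5
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=*.azure-devices.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT TLS CA 5
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample, taken from the journalctl lines quoted in the post above.
IOTEDGED_LOG = """\
Jan 10 21:03:32 smash3 iotedged[12817]: 2020-01-10T19:03:32Z [INFO] - Transparent gateway certificates not found, operating in quick start mode...
Jan 10 21:03:32 smash3 iotedged[12817]: 2020-01-10T19:03:32Z [INFO] - Finished configuring certificates.
"""

def parse_s_client(text):
    """Pull the leaf subject, leaf issuer and 'Verify return code' out of s_client output."""
    subject = issuer = code = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("0 s:"):
            subject = line[4:]
        elif subject is not None and issuer is None and line.startswith("i:"):
            issuer = line[2:]
        m = re.match(r"Verify return code: (\d+)", line)
        if m:
            code = int(m.group(1))
    return subject, issuer, code

def diagnose(s_client_text, log_text):
    """Map the symptoms to one of four labels (the labels are this example's own, not IoT Edge's)."""
    subject, issuer, code = parse_s_client(s_client_text)
    if code == 0:
        return "ok"
    # iotedged logs this when it could not load the certificates named in config.yaml and
    # fell back to a self-signed workload CA, which the test-only root can never verify.
    if "operating in quick start mode" in log_text or (issuer and "iotedged workload ca" in issuer):
        return "quick-start-mode"
    # A wildcard *.azure-devices.net leaf means the client reached IoT Hub itself, which
    # chains to a public root, not the gateway whose certificate the test-only CA issued.
    if subject and "azure-devices.net" in subject:
        return "hub-not-gateway"
    return "chain-untrusted"
```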