eclipse-leda / leda-distro

Eclipse Leda provides a Yocto-based build setup for SDV.EDGE components
https://eclipse-leda.github.io/leda/
Apache License 2.0

Cloud connector does not connect to Azure IoT Hub #116

Open mikehaller opened 1 year ago

mikehaller commented 1 year ago

When running sdv-provision, creating device certificates and registering a new device in Azure IoT Hub, it prints the following error message when running the cloudconnector container:

2023/06/19 07:46:52.869238  [azure-connector]  ERROR  Cannot connect to Hub client_id=52-54-00-12-34-56 err="network Error : x509: certificate signed by unknown authority" mqtt_url=tls://<...>.azure-devices.net:8883

It seems the --caCert=iothub.crt argument for cloud connector is the wrong CA cert for Azure. Documentation or default configuration should be updated.

antaradey-itk commented 1 year ago

Hello,

This error still seems to persist even after manual + sdv-provision.

cloudconn_err_invalid_cert

Steps followed:

  1. Followed the steps mentioned below to create rootca and signed it with the subca. https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-x509-test-certs?tabs=linux
  2. Generated subca.crt
  3. Transferred subca.crt to /data/var/certificates/.
  4. Added the .pem certificates of the rootca, subca and device (all for testing) to Azure IoT certificates section.
  5. Mounted this file to cloudconnector container.
       "mount_points": [
         { "source": "/data/var/certificates/subca.crt", "destination": "/app/subca.crt", "propagation_mode": "rprivate" },
         { "source": "/data/var/certificates/device.crt", "destination": "/device.crt", "propagation_mode": "rprivate" },
         { "source": "/data/var/certificates/device.key", "destination": "/device.key", "propagation_mode": "rprivate" }
       ]
  6. Configured "config": { ... "CA_CERT_PATH=/app/subca.crt" ... }
  7. Ran sdv-provision to generate X509 thumbprints. Added the device ID and thumbprints to Azure new device.
  8. Restart cloud container.

Note: I see that the sdv-provision is automating the device certificate generation. On comparing the sdv-provision script and Azure client device certificate generation process, I was wondering if the following command is missing:

image.

I also tried creating my own device certificates and used them directly in the Kanto manifest to restart the containers. Also tried manual creation of thumbprints using OpenSSL.

vasilvas99 commented 1 year ago

It seems that the issue might be related to this certificate expiring: https://github.com/eclipse-leda/leda-contrib-cloud-connector/blob/main/resources/iothub.crt It gets built into the container and the last build was more than 10 months ago.
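Added example (not code from leda-distro or the cloud connector): a Go program that separates the two explanations raised in this thread for the logged error, a CA file that does not sign the server's chain versus a CA file holding an expired certificate. All certificates are constructed in memory, and `newCert`, `diagnose` and `errCAExpired` are hypothetical names introduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var errCAExpired = errors.New("CA file holds an expired certificate") // sentinel for errors.Is

// newCert issues a constructed test certificate; a nil parent yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, pk ed25519.PrivateKey, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter}
	if parent == nil {
		parent, pk = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// diagnose returns nil if leaf verifies against the PEM contents of a CA file, else the reason.
func diagnose(caPEM []byte, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	for b, rest := pem.Decode(caPEM); b != nil; b, rest = pem.Decode(rest) {
		if ca, err := x509.ParseCertificate(b.Bytes); err == nil {
			if time.Now().After(ca.NotAfter) {
				return fmt.Errorf("%w: %q, NotAfter %s", errCAExpired, ca.Subject.CommonName, ca.NotAfter.Format(time.RFC3339))
			}
			pool.AddCert(ca) // blocks that fail to parse are skipped
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	ca, key, _ := newCert("constructed-hub-ca", nil, nil, time.Now().Add(time.Hour))
	_, _, wrongPEM := newCert("constructed-other-ca", nil, nil, ca.NotAfter)
	leaf, _, _ := newCert("constructed-hub", ca, key, ca.NotAfter)
	fmt.Println(diagnose(wrongPEM, leaf)) // same message as the connector log above
}
```

Checking `NotAfter` on the CA file entries before building the pool keeps an expired bundle from being reported only as a generic verification failure.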

kowshikk2 commented 11 months ago

Is there any workaround for the cloud-connector to work?