eclipse-sdv-blueprints / fleet-management

A close to real-life showcase for truck fleet management where trucks run an SDV software stack so that logistics fleet operators can manage apps, data and services for a diverse set of vehicles.
Apache License 2.0

Issue of SSL certificate while connecting to hono #23

Closed Hariprasath-TE closed 7 months ago

Hariprasath-TE commented 10 months ago

Hi, following your documentation we used the Hono sandbox environment for registering and feeding tenant & device details. It worked fine. Now, however, we are using our cloud server's Hono deployed using the c2e package, with which we are facing an SSL certificate issue while connecting. While running the command below, as per your doc, to provision device details at Hono's device registry after making the due changes to the environment variables of the create-config-hono.sh file with our server's corresponding IP and ports, we got a curl (60) SSL certificate error.

./create-config-hono.sh --tenant MY_TENANT_ID --device-id MY_DEVICE_ID --device-pwd MY_PWD --provision

Failing to resolve that, we tried an insecure connection. The changes made in the config file (create-config-hono.sh) are as below:

[screenshot: MicrosoftTeams-image (1)]

[screenshot: Screenshot (17)]

Now we ran:

docker compose --env-file ./config/hono/hono.env -f ./fms-blueprint-compose.yaml -f ./fms-blueprint-compose-hono.yaml up --detach

When we checked the logs of the FMS forwarder, we got:

[screenshot: MicrosoftTeams-image (2)]

Since I made the device registry connection insecure, where else should I make changes to make the entire connection insecure? How can I resolve the MQTT connection failed error when connecting the FMS forwarder to Hono? Can you provide any thoughts/help on this?

sophokles73 commented 10 months ago

The MQTT client that the FMS Forwarder uses for connecting to Hono's MQTT adapter needs to be configured to trust the certificate that your MQTT adapter sends. That is a two-step process:

  1. the client needs to be able to establish a chain of trust from the server cert to a trusted root CA certificate
  2. one of the server certificate's SANs or its CN needs to match the hostname that the client used to connect to the server (MQTT adapter)

The first step usually requires configuring the client with a PEM file that contains the signing authority's certificate. You can set TRUST_STORE_PATH variable in config/hono/mqtt-client.env to the path to that PEM file.

How to handle the second step depends on what kind of server certificate you are using and where you deployed your Hono instance. Are you running a local (e.g. minikube based) installation of Hono or have you deployed it to e.g. a managed k8s cluster on Azure?

Please also consider https://meta.stackoverflow.com/questions/285551/why-should-i-not-upload-images-of-code-data-errors
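Added example (not code from the repository or from either commenter): a small Python diagnostic that performs the two checks above separately, using a PEM trust store such as the one create-config-hono.sh expects. `names_match` reproduces the SAN/CN matching rule that curl and the MQTT client apply, which also shows why connecting to an endpoint by IP address only succeeds when the server certificate carries that IP as an `IP Address` SAN; the host, port and trust store path passed to `diagnose` are placeholders you supply.

```python
import ipaddress
import socket
import ssl


def names_match(peercert: dict, target: str) -> bool:
    """Decide, the way curl/OpenSSL do, whether `target` is covered by the cert:
    an IP literal only matches an 'IP Address' SAN, a DNS name matches a 'DNS'
    SAN (one-label wildcard allowed), CN is used only when there is no SAN."""
    sans = peercert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    host = target.lower().rstrip(".")
    dns_names = [v.lower() for k, v in sans if k == "DNS"]
    if not sans:  # CN fallback only when the cert carries no SAN at all
        dns_names = [v.lower() for rdn in peercert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    for pattern in dns_names:
        if pattern.startswith("*."):
            if (host.count(".") == pattern.count(".")
                    and host.endswith(pattern[1:])):
                return True
        elif pattern == host:
            return True
    return False


def diagnose(host: str, port: int, trust_store_path: str) -> dict:
    """Run the two checks separately against a live endpoint so that a failure
    reports which step (chain of trust or name match) is the problem."""
    ctx = ssl.create_default_context(cafile=trust_store_path)
    ctx.check_hostname = False  # step 2 is evaluated explicitly below
    result = {"chain_of_trust": False, "name_match": False}
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["chain_of_trust"] = True
                result["name_match"] = names_match(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as err:  # step 1 failed
        result["error"] = err.verify_message
    return result
```

`diagnose("hono.example.test", 30883, "/tmp/hono-truststore.pem")` (placeholder values) returns `{"chain_of_trust": True, "name_match": False}` when the trust store is right but the name you connect with is not in the certificate, which is the situation behind the "no alternative certificate subject name matches target host name" error.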

sophokles73 commented 10 months ago

This might require #24 to be implemented.

Hariprasath-TE commented 9 months ago

In the create-config-hono.sh file I gave the configuration below to send data from the FMS forwarder to the locally installed Hono.

set -e

HONO_HOST="7.232.12.248"
HONO_REGISTRY_PORT="31443"
HONO_TENANT_ID=""
HONO_TENANT_CA=""
HONO_DEVICE_ID=""
HONO_DEVICE_PASSWORD=""
HONO_DEVICE_CERT=""
HONO_DEVICE_KEY=""
HONO_KAFKA_BROKERS=""
HONO_KAFKA_SECURE_PORT=9094
HONO_KAFKA_USER="ditto-c2e"
HONO_KAFKA_PASSWORD="verysecret"
TRUST_STORE_PATH="/etc/ssl/certs/ca-certificates.crt"
ENABLE_HOSTNAME_VALIDATION="false"
OUT_DIR="."
PROVISION_TO_HONO=""

Once these configurations were done I ran the create-config-hono.sh file and then ran the corresponding docker-compose file. Every container started, but when I checked the forwarder container logs it was giving an MQTT connection failed error. These are the forwarder logs I got:

[2023-11-21T06:55:01Z INFO fms_forwarder::mqtt_connection] using username and password for authenticating to MQTT endpoint
[2023-11-21T06:55:01Z INFO fms_forwarder::mqtt_connection] connecting to MQTT endpoint at mqtts://7.232.12.248:30883
[2023-11-21T06:55:01Z INFO fms_forwarder] starting FMS forwarder
[2023-11-21T06:55:01Z INFO fms_forwarder::vehicle_abstraction] creating client for kuksa.val Databroker at http://databroker:55556
[2023-11-21T06:55:01Z INFO fms_forwarder::vehicle_abstraction] driver two's working state has changed to status DRIVER_AVAILABLE
[2023-11-21T06:55:01Z INFO fms_forwarder::vehicle_abstraction] parking brake engaged: false
[2023-11-21T06:55:01Z INFO fms_forwarder::vehicle_abstraction] driver one's working state has changed to status DRIVE
[2023-11-21T06:55:01Z INFO fms_forwarder::vehicle_abstraction] driver two has logged out
[2023-11-21T06:55:01Z INFO fms_forwarder::vehicle_abstraction] driver one has logged out
[2023-11-21T06:55:02Z WARN fms_forwarder::mqtt_connection] attempt to connect to MQTT endpoint failed with error code -1, retrying ...
[2023-11-21T06:55:06Z INFO fms_forwarder::vehicle_abstraction] timer has fired

Where did I misconfigure it? I don't know why this error is occurring even after setting ENABLE_HOSTNAME_VALIDATION="false". Would you please help me sort out this error and give me the steps for the right configuration?

sophokles73 commented 9 months ago

Unless your local Hono instance uses "official" certificates, e.g. from Let's Encrypt, you will need to adapt the TRUST_STORE_PATH to point to a file with the root CA certs that have been used to sign your Hono instance's server certificates.

Hariprasath-TE commented 9 months ago

Instead of using Let's Encrypt or any other CA to generate the certificate, shall I use self signed own CA certificate to check it in local itself?

sophokles73 commented 9 months ago

If you have used the c2e package Helm chart to install Hono, then you should be able to retrieve the trusted certs store from k8s using something like:

export NS=cloud2edge
export RELEASE=c2e
export TRUSTSTORE_PATH=/tmp/hono-truststore.pem
kubectl get configmaps --namespace ${NS} ${RELEASE}-hono-example-trust-store --template="{{index .data \"ca.crt\"}}" > "${TRUSTSTORE_PATH}"

You then need to use the --trust-store-path option when running create-config-hono.sh

Hariprasath-TE commented 9 months ago

I installed the c2e package Helm chart.

ubuntu@ub:/tmp$ ls -a
. c2e_hono_truststore.pem

ubuntu@ub:~$ export NS=c2e
ubuntu@ub:~$ export RELEASE=c2e
ubuntu@ub:~$ export TRUSTSTORE_PATH=/tmp/c2e_hono_truststore.pem
ubuntu@ub:~$ microk8s kubectl get configmaps --namespace ${NS} ${RELEASE}-hono-example-trust-store --template="{{index .data \"ca.crt\"}}" > "${TRUSTSTORE_PATH}"

Once I had done this, I started configuring the ./create-config-hono.sh file:

HONO_HOST="6.10.524.41"
HONO_REGISTRY_PORT="31443"
HONO_TENANT_ID=""
HONO_TENANT_CA=""
HONO_DEVICE_ID=""
HONO_DEVICE_PASSWORD=""
HONO_DEVICE_CERT=""
HONO_DEVICE_KEY=""
HONO_KAFKA_BROKERS=""
HONO_KAFKA_SECURE_PORT=32094
HONO_KAFKA_USER="ditto-c2e"
HONO_KAFKA_PASSWORD="verysecret"
TRUST_STORE_PATH="/tmp/c2e_hono_truststore.pem"
ENABLE_HOSTNAME_VALIDATION="false"
OUT_DIR="."
PROVISION_TO_HONO=""

I made this configuration and ran this command on the terminal:

./create-config-hono.sh --tenant 5 --device-id 5 --device-pwd 5 --trust-store-path /tmp/c2e_hono_truststore.pem --provision

and then got an error like this:

curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

Still I was not able to connect the fms-forwarder with c2e Hono. Could you tell me how to configure this fms-forwarder with c2e Hono?

When I tried to troubleshoot this error by creating just a tenant on our server's Hono device registry, using the ca-cert flag and its path, by running the command below:

curl -i -X POST --cacert /tmp/c2e_hono_truststore.pem -H "content-type: application/json" --data-binary '{ "ext": { "messaging-type": "kafka" } }' https://6.10.524.41:31443/v1/tenants

I got:

curl: (60) SSL: no alternative certificate subject name matches target host name '3.109.154.59' More details here: https://curl.haxx.se/docs/sslcerts.html

Kindly tell a fix.

sophokles73 commented 9 months ago

Yes, this is kind of expected. Curl has the same problem as the MQTT client has: it cannot verify the Device Registry's server certificate. You should be able to fix this by means of adding the --insecure flag to the curl ... commands in the create-config-hono.sh script.

Hariprasath-TE commented 9 months ago

This is fine. I did that. Rather, I have to create a secure connection; how do I do that to bypass the error mentioned above? If possible, please do give the steps.

Say the device provisioning is done using the insecure method as you stated above. How do I proceed with connecting the FMS forwarder to c2e Hono via the insecure method, step by step? Please do so with a clear-cut answer.

It would be of great help... Thank you

sophokles73 commented 9 months ago

I believe that I have given you all the information necessary to do so. You might want to start educating yourself about the general principles of TLS and how to apply them here. I am sure you will be able to figure it out.