ibm-watson-iot / iot-nodejs

Client libraries and samples for connecting to IBM Watson IoT using nodejs
https://internetofthings.ibmcloud.com
Eclipse Public License 1.0
180 stars 100 forks

Trouble configuring Gateway device with IBM IoT platform #106

Closed pixelet closed 5 years ago

pixelet commented 6 years ago

Hello, has anyone had a similar issue to the one I am running into? I went through the recipe and am trying to connect a gateway device instead of a device. I have registered both a device and a gateway on IBM IoT: my Raspberry Pi as a gateway device and the Sense HAT as a device. I have imported all the certs and the key required for the client connection, but I am getting the following exception:

    fs.js:642
        return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
                       ^

    Error: ENOENT: no such file or directory, open 'path to custom server certificate'
        at Error (native)
        at Object.fs.openSync (fs.js:642:18)
        at Object.fs.readFileSync (fs.js:510:33)
        at initializeMqttConfig (/home/pi/iot-nodejs/dist/util/util.js:87:43)
        at DeviceClient.BaseClient (/home/pi/iot-nodejs/dist/clients/BaseClient.js:141:64)
        at new DeviceClient (/home/pi/iot-nodejs/dist/clients/DeviceClient.js:62:80)
        at Object.<anonymous> (/home/pi/iot-nodejs/samples/deviceSample.js:4:20)
        at Module._compile (module.js:570:32)
        at Object.Module._extensions..js (module.js:579:10)
        at Module.load (module.js:487:32)
        at tryModuleLoad (module.js:446:12)
        at Function.Module._load (module.js:438:3)
        at Module.runMain (module.js:604:10)
        at run (bootstrap_node.js:383:7)
        at startup (bootstrap_node.js:149:9)
        at bootstrap_node.js:496:3

// ----------------------------------------------------- config (cert-related keys)

    "server-ca": "path to custom server certificate",
    "client-ca": "/home/pi/certs/rootCA.pem",
    "client-cert": "/home/pi/certs/client.pem",
    "client-key": "/home/pi/certs/client.key",

// ---------------------------------------------------------------

Any help is appreciated

Regards

pixelet commented 6 years ago

Hello, I noticed that the error was complaining about the server-ca cert path, so I updated it to match the location where I have my certs, but I do not recall seeing steps in the recipe to generate server-side certs. Also, my device is connecting using my device.json file and not the gateway.json file. Ideally, I would like to connect my RPi as a gateway rather than a regular device. Once I made the above change to the server-ca path I get the following errors. It seems like it is trying to connect, but there are some TLS handshake issues.

    [BaseClient:connect] Connecting to IoTF with host : ssl://9ohyc3.messaging.internetofthings.ibmcloud.com:8883 and with client id : d:9ohyc3:senseHAT:senb827eb06bee4
    [BaseClient:onError] Connection Error :: Error: unable to get local issuer certificate
    { Error: unable to get local issuer certificate
        at Error (native)
        at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
        at emitNone (events.js:86:13)
        at TLSSocket.emit (events.js:185:7)
        at TLSSocket._finishInit (_tls_wrap.js:610:8)
        at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38)
      code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' }
    [BaseClient:connect] Iotfclient is offline. Retrying connection
    [BaseClient:connect] Retry in 3 sec. Count : 1
    [BaseClient:onClose] Connection was closed. Disconnected from IoTF
    [BaseClient:onError] Connection Error :: Error: unable to get local issuer certificate

Please suggest any steps I may have missed when trying to connect the RPi as a gateway device.

Regards

sathipal commented 6 years ago

@pixelet

Thank you for reaching out. There are a few things that we would like you to modify:

  1. Looking at the exception, you were trying to use DeviceClient to connect a Gateway, which is wrong. Please refer to the GatewaySample (https://github.com/ibm-watson-iot/iot-nodejs/blob/master/samples/gatewaySample.js) for an example.

  2. For the server certificate, the library uses the default one if the path for the server certificate is not provided, i.e. if the property "server-ca" is not defined then the library uses the default one. Please do not define "server-ca" in case you want to use the default one from WIoTP.

  3. In order to connect the Gateway device, the certificate generation requires some change compared to device connection.

For gateways, the CN field format is CN=g:typeId:deviceId, and the SubjectAltName field format is SubjectAltName=email:g:devtype:devid

more information can be found here - https://console.bluemix.net/docs/services/IoT/reference/security/set_up_certificates.html#set_up_certificates

pixelet commented 6 years ago

Thank you Sathipal,

  1. I will use the example for the Gateway - I should have generated my certs using the gateway example.
  2. I will keep the default certs from WIoTP.
  3. I should have used g:typeId:deviceId. Thanks for the links to additional information.

Regards

pixelet commented 6 years ago

Hi Sathish, I went through the steps you mentioned above but am running into TLS cert issues. I think IBM may have done away with TLS 1.1? Not sure; I saw some alert in an IBM Cloud maintenance email. Below is the error I am getting this time. I have also provided the steps I took to generate the certs again with the proper CN and gateway device configuration. Thanks

// --------------------------------------------------------------------------------------

    [BaseClient:onError] Connection Error :: Error: write EPROTO 1995468640:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/s3_pkt.c:1500:SSL alert number 48
    1995468640:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:659:

    { Error: write EPROTO 1995468640:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../deps/openssl/openssl/ssl/s3_pkt.c:1500:SSL alert number 48
    1995468640:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:659:
        at exports._errnoException (util.js:1020:11)
        at WriteWrap.afterWrite (net.js:800:14)
      code: 'EPROTO', errno: 'EPROTO', syscall: 'write' }

// ---------------- Error END -----------------------------------

// --------------- Steps to generate certs ----------------------

    # 1. Private key and self-signed root CA certificate
    openssl genrsa -out rootCA.key 2048
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
    # 2. Client key and CSR; the subject (CN) is entered at the interactive prompt
    openssl genrsa -out client.key 2048
    openssl req -new -key client.key -out client.csr
    # 3. Sign the CSR with the root CA (no SubjectAltName extension is added by this command)
    openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.pem -days 500 -sha256

// ----------------- Certs -------------------------------------

    -rw------- 1 pi pi 1679 Feb 23 08:45 rootCA.key
    -rw-r--r-- 1 pi pi 1460 Feb 23 08:47 rootCA.pem
    -rw------- 1 pi pi 1679 Feb 23 08:48 client.key
    -rw-r--r-- 1 pi pi 1106 Feb 23 08:50 client.csr
    -rw-r--r-- 1 pi pi   17 Feb 23 08:51 rootCA.srl
    -rw-r--r-- 1 pi pi 1338 Feb 23 08:51 client.pem

// -----------------------------------------------------------
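
Added example, not code from the iot-nodejs project or from either commenter: the openssl steps posted above prompt for the subject interactively and never add a SubjectAltName, while the earlier reply says a gateway certificate needs CN=g:typeId:deviceId and SubjectAltName=email:g:typeId:deviceId. The script below generalises those posted commands: it builds a throwaway root CA and a gateway client certificate with both fields set non-interactively, then checks that the certificate chains to the CA and carries the expected CN and SAN. The CA name (example-root-ca), the output directory and the typeId/deviceId values are placeholders; the script assumes an openssl binary on PATH, and because `openssl x509 -req` does not copy CSR extensions by default, the SAN is supplied at signing time through an -extfile. Registering the CA with the platform and the rest of the setup are as in the documentation linked above.

```shell
#!/bin/sh
# Added example (not the iot-nodejs project's code). Generates a gateway client
# certificate in the CN / SubjectAltName formats required for a WIoTP gateway.
set -eu

# make_gateway_cert DIR TYPE_ID DEVICE_ID
#   DIR        output directory (placeholder, e.g. /home/pi/certs)
#   TYPE_ID    registered gateway type id (placeholder)
#   DEVICE_ID  registered gateway device id (placeholder)
make_gateway_cert() {
    dir=$1; type_id=$2; device_id=$3
    mkdir -p "$dir"

    # 1. Self-signed root CA (example-root-ca is a placeholder name).
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "/CN=example-root-ca" -out "$dir/rootCA.pem"

    # 2. Gateway key and CSR. The CN is the gateway identity g:typeId:deviceId
    #    (a plain device would use d:typeId:deviceId). -subj avoids the prompt.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" \
        -subj "/CN=g:$type_id:$device_id" -out "$dir/client.csr"

    # 3. Sign with the CA. 'openssl x509 -req' does not copy CSR extensions, so the
    #    SubjectAltName (email:g:typeId:deviceId) is given in an extension file.
    printf 'subjectAltName=email:g:%s:%s\n' "$type_id" "$device_id" > "$dir/san.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 500 -sha256 -extfile "$dir/san.ext" \
        -out "$dir/client.pem" 2>/dev/null

    # Private keys must not be world-readable.
    chmod 600 "$dir/client.key" "$dir/rootCA.key"

    # The iot-nodejs config then points "client-ca" at rootCA.pem, "client-cert" at
    # client.pem and "client-key" at client.key, and leaves "server-ca" unset so the
    # library's default server certificate is used.
}

# check_gateway_cert DIR TYPE_ID DEVICE_ID
#   Returns 0 when client.pem chains to rootCA.pem and carries CN=g:TYPE_ID:DEVICE_ID
#   and SubjectAltName email:g:TYPE_ID:DEVICE_ID; returns 1 otherwise.
check_gateway_cert() {
    dir=$1; type_id=$2; device_id=$3
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/client.pem" >/dev/null 2>&1 || return 1
    # RFC2253 name format prints "subject=CN=g:type:id" without spaces around "=".
    subject=$(openssl x509 -in "$dir/client.pem" -noout -subject -nameopt RFC2253)
    text=$(openssl x509 -in "$dir/client.pem" -noout -text)
    case "$subject" in *"CN=g:$type_id:$device_id"*) ;; *) return 1 ;; esac
    case "$text" in *"email:g:$type_id:$device_id"*) ;; *) return 1 ;; esac
    return 0
}

# Usage: sh make_gateway_cert.sh /home/pi/certs myGatewayType gw001
if [ "$#" -eq 3 ]; then
    make_gateway_cert "$1" "$2" "$3"
    check_gateway_cert "$1" "$2" "$3" && echo "gateway certificate OK: $1/client.pem"
fi
```

The check function is the part worth keeping around: run it against any certificate you are about to hand to GatewayClient, since a wrong CN prefix (d: instead of g:) or a missing SAN is invisible in the file listing but will be rejected at the TLS handshake.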

durera commented 5 years ago

Closing this issue: the code has been rebuilt almost from scratch in the time this has been open. Happy to work through any issues using the new codebase if this is still relevant.