thin-edge / thin-edge.io

The open edge framework for lightweight IoT devices
https://thin-edge.io
Apache License 2.0

c8y-remote-access-plugin connect fails if c8y proxy is configured to use certificates #2802

Closed reubenmiller closed 6 months ago

reubenmiller commented 7 months ago

Describe the bug

When the c8y.proxy is configured to only accept secure local connections (e.g. cert based authentication), then the c8y-remote-access-proxy will not work, as this component does not use the configured client certificates.

To Reproduce

This is a bit tricky to set up as it requires a very long procedure, so until the c8y-tedge PR is merged, only the broad steps are listed:

  1. Configure thin-edge.io to use certificate based authentication for the c8y.proxy
  2. Try to connect to ssh via Cumulocity's Remote Access WebSSH in the Device Management UI

Expected behavior

The c8y remote access plugin should work when the c8y proxy is configured to use certificate based authentication.

Screenshots

Environment (please complete the following information):

| Property | Value |
| --- | --- |
| OS [incl. version] | Debian GNU/Linux 12 (bookworm) |
| Hardware [incl. revision] | Raspberry Pi 5 Model B Rev 1.0 |
| System-Architecture | Linux rpi5-d83addab8e9f 6.1.0-rpi7-rpi-2712 #1 SMP PREEMPT Debian 1:6.1.63-1+rpt1 (2023-11-24) aarch64 GNU/Linux |
| thin-edge.io version | tedge 1.0.1 |

Additional context

Below shows the c8y.proxy settings:

# tedge config list | grep c8y
c8y.proxy.bind.address=192.168.68.72
c8y.proxy.bind.port=8001
c8y.proxy.client.host=192.168.68.72
c8y.proxy.client.port=8001
c8y.proxy.cert_path=/etc/tedge/device-certs/local-certs/rpi5-d83addab8e9f-c8y-mapper.crt
c8y.proxy.key_path=/etc/tedge/device-certs/local-certs/rpi5-d83addab8e9f-c8y-mapper.key
c8y.proxy.ca_path=/etc/ssl/certs

The MQTT messages related to a c8y remote access operation are shown below along with the error message:

[c8y/s/ds] 530,rpi5-d83addab8e9f,rpizero2-d83add42f121,22,28c342e6-d8f6-431d-a580-7ac3987ab269
[c8y/s/us] 501,c8y_RemoteAccessConnect
[c8y/s/us] 502,c8y_RemoteAccessConnect,"note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value:   × Connecting to Websocket
  ├─▶ host wss://192.168.68.72:8001/c8y/service/remoteaccess/device/28c342e6-
  │   d8f6-431d-a580-7ac3987ab269
  ├─▶ IO error: received fatal alert: CertificateRequired
  ╰─▶ received fatal alert: CertificateRequired
', crates/core/tedge/src/main.rs:50:58
note: run with `RUST_BACKTRACE=1` environme"
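The `CertificateRequired` alert in the log above is the TLS server's way of saying that the handshake reached the point where the client must present a certificate and none was offered: the proxy is loaded with `c8y.proxy.cert_path`/`c8y.proxy.key_path` and trusts `c8y.proxy.ca_path`, but the connecting client never loads the same cert/key pair. The following is an added example, not thin-edge.io code, that reproduces exactly that failure on localhost and then shows the handshake succeeding once the client presents a certificate. It assumes the `openssl` CLI is on PATH (used only to mint throwaway self-signed certificates) and, as a simplification, lets the self-signed client certificate double as the server's trust anchor instead of a separate CA directory:

```python
"""Reproduce the CertificateRequired failure mode on localhost.

Added example, not thin-edge.io code. Assumes the `openssl` CLI is on PATH
(used only to mint throwaway self-signed certs). A local TLS listener stands
in for the c8y proxy; two clients stand in for a remote-access client without
and with the configured client certificate.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def mint_self_signed(directory, name, san=None):
    """Mint a throwaway self-signed key/cert pair (valid for one day)."""
    key = os.path.join(directory, f"{name}.key")
    crt = os.path.join(directory, f"{name}.crt")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
           "-days", "1", "-subj", f"/CN={name}", "-keyout", key, "-out", crt]
    if san:  # the server cert needs an IP SAN so the client can verify 127.0.0.1
        cmd += ["-addext", f"subjectAltName={san}"]
    subprocess.run(cmd, check=True, capture_output=True)
    return key, crt


def serve_mtls(cert, key, client_ca, ready, n_clients):
    """Stand-in for the proxy: a TLS listener that requires a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)          # like c8y.proxy.cert_path / key_path
    ctx.load_verify_locations(client_ca)    # like c8y.proxy.ca_path
    ctx.verify_mode = ssl.CERT_REQUIRED     # reject any client that presents no cert
    with socket.create_server(("127.0.0.1", 0)) as srv:
        srv.settimeout(10)
        ready["port"] = srv.getsockname()[1]
        ready["event"].set()
        for _ in range(n_clients):
            conn, _ = srv.accept()
            conn.settimeout(10)
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    subject = tls.getpeercert()["subject"]
                    cn = next(v for rdn in subject for k, v in rdn if k == "commonName")
                    tls.sendall(f"hello {cn}".encode())
            except ssl.SSLError:
                pass  # handshake aborted: the client sent no (acceptable) certificate


def connect(port, server_ca, client_cert=None, client_key=None):
    """Stand-in for the remote-access client. Returns the greeting or the TLS failure."""
    ctx = ssl.create_default_context(cafile=server_ca)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)  # the step the plugin was missing
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw, \
                ctx.wrap_socket(raw, server_hostname="127.0.0.1") as tls:
            data = tls.recv(64)
            return data.decode() if data else "error: connection closed"
    except ssl.SSLError as e:
        # TLS 1.3: the server's certificate_required alert arrives on the first read;
        # TLS 1.2: the handshake itself fails with a handshake_failure alert.
        return f"error: {e.reason}"
    except OSError as e:
        return f"error: {type(e).__name__}"


def run_demo():
    """Mint the certs, start the listener, try both clients; returns (without_cert, with_cert)."""
    with tempfile.TemporaryDirectory() as d:
        srv_key, srv_crt = mint_self_signed(d, "server", san="IP:127.0.0.1")
        cli_key, cli_crt = mint_self_signed(d, "client")
        ready = {"event": threading.Event()}
        # simplification: the self-signed client cert doubles as the trust anchor
        t = threading.Thread(target=serve_mtls,
                             args=(srv_crt, srv_key, cli_crt, ready, 2), daemon=True)
        t.start()
        ready["event"].wait(5)
        without = connect(ready["port"], srv_crt)
        with_cert = connect(ready["port"], srv_crt, cli_crt, cli_key)
        t.join(10)
        return without, with_cert


if __name__ == "__main__":
    no_cert, with_cert = run_demo()
    print("no client cert  :", no_cert)
    print("with client cert:", with_cert)
```

The same check can be run against a real proxy with `openssl s_client -connect 192.168.68.72:8001 -CApath /etc/ssl/certs`, once without and once with `-cert`/`-key` pointing at the files listed under `c8y.proxy.cert_path` and `c8y.proxy.key_path` in the config above; a handshake that only succeeds in the second case confirms the proxy is enforcing client-certificate authentication and that any client of it must load that pair.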

reubenmiller commented 6 months ago

I can confirm that thin-edge.io 1.0.2~175+g8df1b7d now works when using a secure mosquitto MQTT broker setup. The Cumulocity IoT Cloud Remote Access feature now works as expected, the following setups were checked:

  1. WebSSH and NativeSSH directly to the gateway device
  2. WebSSH and NativeSSH to a child device via the gateway device (see screenshot below)
[screenshot]