TLS Authentication issue with ModuleClient #7323
Comments
A little update on this issue. I created my own module and ended up in the same situation. It is clearly a chain validation issue, but it seems it is only happening with .NET (the blob storage module is written in .NET, as is the Temperature Sensor one). So, I crafted my own module and hooked a custom certificate chain validation using the MQTT settings:
In the validation method, I print out everything I can about the incoming server (edge gateway) certificate:
and I get this back:
Which in the end confirms the initial exception I had with the marketplace modules. However, when I use openssl directly from within the container and connect to the exact same endpoint, it doesn't reveal any problem:
Similarly, curl -v also doesn't have any problem:
So, I'm not sure how to fix this!
@stephaneey The edgehub server root certificate would be in the trust bundle that is provided to the modules, not in the os trusted roots, so it is surprising that the curl/openssl requests succeeded. This looks to be an issue with the modules not reading the trust bundle. Did you ever try simulated temperature sensor without any custom validation code? I don't think your custom validation logic is referencing it at all.
Here's some info on the trust bundle, and note in the example when openssl -connect is used it passes in the trust bundle file: https://learn.microsoft.com/en-us/azure/iot-edge/iot-edge-certs?view=iotedge-1.5#self-signed-root-ca-specificity
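The maintainer's point above is that a module-side validation callback has to consult the trust bundle IoT Edge hands to the module, not the OS root store. The following is an added example (not code from this thread or from the Azure IoT SDK samples) of a ModuleClient MQTT validation callback that builds the chain against that bundle; it assumes .NET 5 or later and that the EdgeModuleCACertificateFile variable points at the module's PEM trust bundle.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Client;
using Microsoft.Azure.Devices.Client.Transport.Mqtt;

static class TrustBundleValidation
{
    // IoT Edge sets this variable for every module; it names the PEM trust bundle
    // (assumed here, as the thread never shows the module's environment).
    static X509Certificate2Collection LoadTrustBundle()
    {
        string path = Environment.GetEnvironmentVariable("EdgeModuleCACertificateFile")
            ?? throw new InvalidOperationException("EdgeModuleCACertificateFile is not set");
        var roots = new X509Certificate2Collection();
        roots.ImportFromPemFile(path); // imports every certificate in the bundle, not just the first
        if (roots.Count == 0)
            throw new InvalidOperationException($"{path} contains no certificates");
        return roots;
    }

    // Re-evaluates the edgeHub server chain with the bundle as the only trusted root.
    static bool ValidateAgainstBundle(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert is null) return false;
        using var custom = new X509Chain();
        custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        custom.ChainPolicy.CustomTrustStore.AddRange(LoadTrustBundle());
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // edge devices are often offline
        if (chain != null)
            foreach (X509ChainElement el in chain.ChainElements)
                custom.ChainPolicy.ExtraStore.Add(el.Certificate); // intermediates sent by edgeHub
        bool trusted = custom.Build(new X509Certificate2(cert));
        foreach (X509ChainStatus s in custom.ChainStatus)
            Console.WriteLine($"chain status: {s.Status} {s.StatusInformation}");
        // Only the root-trust decision is taken over here; a hostname mismatch still fails.
        return trusted && (errors & SslPolicyErrors.RemoteCertificateNameMismatch) == 0;
    }

    public static async Task<ModuleClient> ConnectAsync()
    {
        var mqtt = new MqttTransportSettings(TransportType.Mqtt_Tcp_Only)
        {
            RemoteCertificateValidationCallback = ValidateAgainstBundle
        };
        var client = await ModuleClient.CreateFromEnvironmentAsync(new ITransportSettings[] { mqtt });
        await client.OpenAsync();
        return client;
    }
}
```

If the bundle configured in config.toml is a single certificate rather than the full chain, LoadTrustBundle still succeeds but Build reports UntrustedRoot or PartialChain, which is the symptom described in this issue.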
Hi @lfitchett, thanks for your answer, but let me clarify a few things:
So, the only real questions are:
Thanks
Hi @lfitchett, although the article you mentioned is talking about the device, not modules, you still pointed me in the right direction. I already tried to do what was done in the article, but there was an important flaw in my config: my trust bundle was not valid. So, in my
where I should have been doing this:
My bundle was actually not a bundle. I changed this in the config.toml, followed by sudo iotedge config apply, and voilà! So, long story short, no need to inject any cert or to pass any CA to the module container, just use the right bundle. I probably got confused by the fact that everything was working fine, where we could have expected that passing a bundle that is not actually a bundle would have caused the iotedge check to fail, or at least to warn about this. In any case, thanks! Cheers
Expected Behavior
ModuleClient should be able to connect to IoTHub without issue.
Current Behavior
A TLS exception is encountered with any module. Sending regular messages from child devices through the IoT Edge Runtime in Transparent Gateway mode works; only the module part does not.
Here is a sample exception from the Temperature Sensor module:
Steps to Reproduce
Provide a detailed set of steps to reproduce the bug.
Context (Environment)
Output of iotedge check
Output of iotedge system status
Device Information
Runtime Versions
docker version
Logs
Here is the entire support bundle zip for the past hour; it includes the above-mentioned exception, but I couldn't find anything else relevant.
https://seyiot.blob.core.windows.net/logs/support_bundle_2024_07_11_05_46_40_UTC.zip
Additional Information
Certificates are not expired. I've seen many issues similar to this one where the Edge CA renewal was not scheduled. I'm not in this situation (as visible in the attached support bundle).