nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

RE: nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

E_Kan — Thu, 30 Nov 2023 04:03:20 GMT

Yes, but baltimore cybertrust root CA did't work that i said.

RE: nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

Sigurd Hellesvik — Wed, 29 Nov 2023 12:01:06 GMT

Looking at our Azure IoT Hub docs, I now see the "IMPROTANT" note:

Does this explain what you need to know?

RE: nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

E_Kan — Wed, 29 Nov 2023 01:58:42 GMT

Plus

Please read this blog from MS. It seems like something has expired.

Blog Link : MicroSoft Blog :: Azure IoT TLS: Critical changes are almost here!

RE: nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

E_Kan — Wed, 29 Nov 2023 01:43:57 GMT

@Sigurd Hellesvik

Thanks for your reply.

I solved the problem, but I couldn't solve it with the Baltimore CA certificate you provided.

[00:00:07.931,915] <inf> mqtt_helper: innopia : certificates_provision() IN
[00:00:07.931,915] <inf> mqtt_helper: innopia : ca : 1262 private : 1705 / device : 1221 
[00:00:07.931,945] <inf> mqtt_helper: innopia : ca_cert.pem file check ...
[00:00:07.931,945] <inf> mqtt_helper: innopia : ca_certificate.pem PASS || return = 0
[00:00:07.931,976] <inf> mqtt_helper: innopia : private_key.pem file check ...
[00:00:07.931,976] <inf> mqtt_helper: innopia : private_key.pem PASS || return = 0
[00:00:07.932,006] <inf> mqtt_helper: innopia : device_certificate.pem file check ...
[00:00:07.932,006] <inf> mqtt_helper: innopia : device_certificate.pem PASS || return = 0
[00:00:07.932,006] <inf> mqtt_helper: innopia : tls_credential_add 1 successfully added.
[00:00:07.932,037] <inf> mqtt_helper: innopia : certificates_provision() OUT
[00:00:07.932,037] <inf> mqtt_helper: innopia : =============================



[00:00:07.991,760] <err> mqtt_helper: mqtt_connect, error: -2
[00:00:07.991,760] <inf> mqtt_helper: innopia : mqtt_connect, error: -2
[00:00:07.991,790] <err> azure_iot_hub: mqtt_helper_connect failed, error: -2
[00:00:07.991,790] <inf> azure_iot_hub: mqtt_helper_connect() error
[00:00:07.991,821] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_CONNECTING --> STATE_DISCONNECTED
[00:00:07.991,851] <err> azure_iot_hub_sample: azure_iot_hub_connect failed: -2
[00:00:07.991,851] <inf> azure_iot_hub_sample: azure_iot_hub_connect failed: -2

If you enter the Baltimore CyberTrust Root Certificate in ca-cert.pem and build it, the above error (-2) occurs.

...

CONFIG_MQTT_HELPER_SEC_TAG=10
CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=11

...

However, we confirmed that it worked normally if we added DigiCert Global Root G2 to ca-cert-2.pem and proceeded.

According to what you said, the Baltimore certificate is not still expired, so I'm curious why this is happening.

If you try to build and flash without MQTT_HELPER_SECONDARY_SEC_TAG=11 in the config value, 
an error (-113 Software caused connection abort) occurs.

I think it is mandatory to include the G2 certificate, is that correct? Please confirm.

I am curious as to why this is happening. I think it would be better to guide with G2 CA.
Thank you for your quick reply, and we look forward to your continued interest and replies! 😀👍

RE: nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

Sigurd Hellesvik — Tue, 28 Nov 2023 14:56:14 GMT

[quote user="E_Kan"]Can I enter the Baltimore CA key in the ca-cert.pem file here?[/quote]

Yes.

[quote user="E_Kan"]I need a detailed guide on how to add the Baltimore Key to the certificate section in the Azure IoT Hub portal and upload the client key.pem before verifying it.[/quote]

If I am not mistaken, you would not need to upload the Balitmore Key to the Azure IoT Hub. The Baltimore CA key is to verify the TLS for Azures MQTT, so that the device knows it is talking to a valid server.

I recommend the Understand how X.509 CA certificates are used in IoT guide.

RE: nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

E_Kan — Tue, 28 Nov 2023 01:17:47 GMT

I will add an additional reply. The link to the guide you mentioned is below. 👍✅

Nordic AzureIotHub Guide 1

Nordic AzureIotHub Guide 2

The guide focuses on guides related to nrf91.
I'm curious because nrf7002 seems to be different.

RE: nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

E_Kan — Tue, 28 Nov 2023 01:13:14 GMT

Thank you for quick response. 😀👍

If you look at the Azure IoT Hub guide source code, there are ca-cert.pem, client.pem, and private.pem in the certs folder.

Can I enter the Baltimore CA key in the ca-cert.pem file here?

I need a detailed guide on how to add the Baltimore Key to the certificate section in the Azure IoT Hub portal and upload the client key.pem before verifying it.

According to the Nordic guide, refer to Microsoft's CA creation guide.

However, there is no guide related to Baltimore CA in that guide, so I am confused as to whether I need to create a rootca or just a subca.

RE: nRF7002 Azure IoT Hub, CA authentication Fail or TLS Connect Fail Error (-22, -116)

Sigurd Hellesvik — Mon, 27 Nov 2023 12:07:03 GMT

Hi,

[quote user=""]Does this guide tell you to copy/paste the Baltimore CyberTrust Root Certificate file into the ca-cert.pem file in the certs folder of the "Azure IoT Hub" sample?[/quote]

Which guide? Do you have a link to it?

[quote user=""]

Does this guide tell you to copy/paste the Baltimore CyberTrust Root Certificate file into the ca-cert.pem file in the certs folder of the "Azure IoT Hub" sample?

So, what file should I upload to the Certificates section in Azure IoT Hub?

[/quote]

See nRF Cloud Access Provisioning . This is for nRF Cloud, but the certificate distribution should be the same for Azure as well.
Do you find what you look for here?

[quote user=""]Also, since the Baltimore CyberTrust Root Certificate certificate has expired, there is a guide to change it to a G2 certificate.[/quote]

When i download the Baltimore CuberTrust Root Certificate, it seems like it does not expire until 2025:

Regards,
Sigurd Hellesvik