NEED HELP WITH FOTA VIA DEVICE PROVISIONING ON MY NRF7002DK - AZURE FOTA - IOT HUB

Hi,

When you repeatedly edit the ticket, it makes it hard for us to follow the history and development of the issue.

In one of your previous images, it looked like you were able to download the new image. Has that changed, or do I remember the old image incorrectly?

113 is ECONNABORTED, with the explanation "Software caused connection abort". My first guess is that something is wrong with the credentials you have written to the device.

Best regards,

Didrik

Hi Didrik,

I hope this message finds you well. I'm reaching out to discuss the Azure IoT Hub + DPS + FOTA sample that your team provided. We appreciate your efforts in sharing this resource. However, we're encountering some challenges in implementing it effectively.

Our team has been diligently working to follow the sample, particularly regarding the use of DPS as the provisioning point and the FOTA for firmware updates. Unfortunately, the current documentation doesn't seem to provide the level of detail necessary for us to replicate the process successfully.

To enhance our understanding and expedite the deployment, it would be immensely helpful if you could confirm that someone from your team has successfully tested this sample. Could you try it yourself? Moreover, could you provide a step-by-step guide detailing the Azure configurations and processes your team followed? Specific areas where we require further clarity include:

1. The Kconfig settings necessary for integrating with DPS and FOTA.
2. The exact Azure certificates used in the setup, what certificate and rootCA were used where.
3. The configurations related to CONFIG_FOTA_SEC_TAG, CONFIG_MQTT_HELPER_SEC_TAG, and CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG.

Given the current state of the documentation, I'm concerned that others attempting to use your sample might face similar roadblocks. Comprehensive guidance would not only benefit our team but also enhance the overall utility of the sample for everyone involved.

If providing such detailed information is not feasible, we might consider developing a custom wrapper around the Azure library to meet our needs. However, I'm optimistic that with your team's expertise and support, we can effectively utilize the existing resources.

Thank you in advance for your attention to this matter. I look forward to your response and any additional insights your team can offer to facilitate a smoother implementation process on our end.

Best regards,
Actif

Hello Jan Tore,

Thank you for providing such a detailed answer to my query. As it turns out, it ended up being a separate ticket, and I have included the link to it in case you want to check it out.

Azure IoT Hub sample, integration of DPS and FOTA not working 

I wanted to bring to your attention the issue we often face while using the Nordic sample. There is a significant gap in explaining the steps involved, which can sometimes hinder our understanding of the product. While I understand that your team cannot support all external platforms and solutions, I believe that comprehensive documentation of your product's workings is essential for customers to keep up with your product and team.

A complete and thorough walkthrough of your sample would be highly beneficial for both Nordic and its customers. Your product would gain faster traction, and we, as customers, could experience the benefits of the Nordic platform without facing constant development delays and other problems.

For instance, your Azure IoT hub sample doesn't touch on the Azure platform usage, but your team did have to interact with it to validate your solution. How can we expect to replicate your solution architecture if it is not explicitly described and explained? Joining a solution diagram could also be beneficial.

Thank you for taking the time to read my message.

Regards,
Vincent

Thanks for your feedback, Vincent! It's valuable for us to understand how to make the documentation better.

In the Azure IoT Hub sample docs, there's a link to the Azure IoT Hub library documentation where Iot Hub setup is presented: https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/networking/azure_iot_hub.html#prereq-connect-to-azure-iot-hub

There, we link to Azure's own documentation on how to set up an account and IoT Hub, which is how we do it ourselves when testing: https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-create-through-portal

In addition, our own docs have some additional details on the credentials part and how to use Azure's portal and tools to add those. The challenge with this, is that it can get outdated and out of sync with Azure's side of things. We've tried to hit a good compromise here, between pointing to external sources that are always up to date and adding some guidance to Azure's docs, but we might have missed the target.

I tested the Azure Iot Hub sample today for nRF7002 DK on NCS v2.5.1, with DPS and FOTA. It worked accoring to the explanations in the sample docs. I did note some improvements that we will make to the docs for the next NCS release (v2.6.0), related to credentials and where we place the links mentioned above.

If you still have issues with Azure IoT Hub + DPS + FOTA, please raise a new ticket and I will follow up. If you do that, please enable the following Kconfig options to get some more logging and share the logs:

Best regards,

Jan Tore

Hello, Thank you for your nice explanation it is appreciated.

I use the same certificates for DPS and FOTA, it works with DPS, so I get the telemetry and for FOTA I get the error mentioned above.

I'm using blob storage to host my binary file that I need to flash later via FOTA, do I need to specify a certificate from the blob storage server, or is the DPS certificate used directly by blobstorage?

I hope to get an anwer as soon as possible :)

I can't guarantee that blob storage and DPS use the same certificates in all instances, but in the common case and today that is the case. Keep in mind, though, that this will not last for long. DPS will soon be transitioning to DigiCert Global Root G2, same as IoT Hub: https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169

That should not be a problem, as you already have that certificate in place in order to be able to connect to the IoT Hub at all.

When it comes to the error that you see, I think this is because CONFIG_AZURE_FOTA_SEC_TAG is pointing to the wrong sec tag. In this case, and provided that your blob storage instance indeed uses Baltimore CyberTrust root CA, it should be set to the sec tag where you have provisioned that certificate:

• If you have placed the Baltimore certificate in "ca-cert.pem", then you should set CONFIG_AZURE_FOTA_SEC_TAG to the same value as CONFIG_MQTT_HELPER_SEC_TAG.
• If the certificate is in "ca-cert-2.pem", CONFIG_AZURE_FOTA_SEC_TAG should be set to the value of CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG.

I can't guarantee that blob storage and DPS use the same certificates in all instances, but in the common case and today that is the case. Keep in mind, though, that this will not last for long. DPS will soon be transitioning to DigiCert Global Root G2, same as IoT Hub: https://techcommunity.microsoft.com/t5/internet-of-things-blog/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169

That should not be a problem, as you already have that certificate in place in order to be able to connect to the IoT Hub at all.

When it comes to the error that you see, I think this is because CONFIG_AZURE_FOTA_SEC_TAG is pointing to the wrong sec tag. In this case, and provided that your blob storage instance indeed uses Baltimore CyberTrust root CA, it should be set to the sec tag where you have provisioned that certificate:

• If you have placed the Baltimore certificate in "ca-cert.pem", then you should set CONFIG_AZURE_FOTA_SEC_TAG to the same value as CONFIG_MQTT_HELPER_SEC_TAG.
• If the certificate is in "ca-cert-2.pem", CONFIG_AZURE_FOTA_SEC_TAG should be set to the value of CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG.

Here's my configuration for FOTA and DPS

CONFIG_AZURE_IOT_HUB_DPS=y

# ID scope can be omitted and supplied at runtime
CONFIG_AZURE_IOT_HUB_DPS_ID_SCOPE=""
CONFIG_AZURE_IOT_HUB_HOSTNAME=""

#We use the device ID in our case
CONFIG_AZURE_IOT_HUB_SAMPLE_DEVICE_ID_USE_HW_ID=n
CONFIG_AZURE_IOT_HUB_DPS_REG_ID="device-0000002"

CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=y
CONFIG_MQTT_HELPER_SEC_TAG=10
CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=11
CONFIG_MQTT_HELPER_STACK_SIZE=16384
CONFIG_TLS_MAX_CREDENTIALS_NUMBER=6

# FOTA
CONFIG_AZURE_FOTA=y
CONFIG_AZURE_FOTA_TLS=y
CONFIG_AZURE_FOTA_APP_VERSION_AUTO=n
CONFIG_AZURE_FOTA_APP_VERSION="v0.0.0"

#FOTA TAG
CONFIG_AZURE_FOTA_SEC_TAG=10

# Change the security tag for the tag where certificates are provisioned
# for the server where the FOTA image is hosted
#
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_FOTA_DOWNLOAD=y
CONFIG_DFU_TARGET=y
CONFIG_MCUBOOT_IMG_MANAGER=y
CONFIG_IMG_MANAGER=y
CONFIG_STREAM_FLASH=y
CONFIG_FLASH_MAP=y
CONFIG_FLASH=y
CONFIG_IMG_ERASE_PROGRESSIVELY=y
CONFIG_DOWNLOAD_CLIENT=y
CONFIG_DOWNLOAD_CLIENT_STACK_SIZE=4096

This is how my certificate files are reported
ca-cert-2.pem
private-key.pem
ca-cert.pem
client-cert.pem

You can see the tags
CONFIG_MQTT_HELPER_SEC_TAG=10
CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=11

and my FOTA TAG
CONFIG_AZURE_FOTA_SEC_TAG=10
at 10 or 11, it doesn't work any more.

I feel like I'm missing something, I'm not sure what.

Do I need to do any configuration on  azure DPS and blobstorage, like a link or something? If so, which ones, as I don't know because I've just created a blobstorage as a resource and put its link  and the path of my .bin in my twin device.

I think we'll need some more information about your blob storage and device twin. You can create a new private ticket and share the content of the firmware object in the device twin, and then we can take it from there.

OK I'LL DO IT NOW!

I JUST CREATE A PRIVATE TICKET, I HOPE TO GET A REPLY AS SOON AS. 

THANKS!