Help Needed: Integrating Certificates with azure_iot_hub Sample on nRF7002DK for Azure Connection

I am an undergrad student who is working on an IoT project utilizing the nRF7002DK board. I am very new to the Nordic NRF SDK and I'm attempting to use the azure_iot_hub sample code to connect my board to my Azure IoT Hub using WiFi. However, I'm facing challenges with the integration of the necessary security certificates into the code. Specifically, I'm unsure about the steps required to add the CA certificate, client certificate, and private key to the project configuration.

I am using v2.5.0 SDK and Toolchains.

I attempted to upload the certificates onto the board utilizing the Nordic Cellular Monitor, only to discover that this approach is exclusively compatible with the nRF91 series, making it useless for the nRF7002DK.

After some research, I added these Kconfig options to my prj.conf: 

CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=y
CONFIG_MQTT_HELPER_CERTIFICATES_FILE="mqtt-certs.h"
CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=-1
I will include all files I am using in this code. (Note: I have replaced all my sensitive information such as passwords and certificates with a general name for security)
prj.conf:

#
# Copyright (c) 2020 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

# General config
CONFIG_REBOOT=y

# Logging
CONFIG_LOG=y
CONFIG_LOG_MODE_DEFERRED=y


# Network
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=y
CONFIG_NET_IPV4=y
CONFIG_NET_CONNECTION_MANAGER=y

# Azure IoT Hub library
CONFIG_AZURE_IOT_HUB=y
CONFIG_AZURE_IOT_HUB_DEVICE_ID="deviceid"
# Host name must be configured if DPS is not used
CONFIG_AZURE_IOT_HUB_HOSTNAME="hostname"
# Change the security tag to the tag where Azure IoT Hub certificates
# are provisioned
CONFIG_MQTT_HELPER_SEC_TAG=10
CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=-1
CONFIG_MQTT_HELPER_STACK_SIZE=8192
CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=y
CONFIG_MQTT_HELPER_CERTIFICATES_FILE="mqtt-certs.h"
# Uncomment to get more verbose logging when debugging
CONFIG_AZURE_IOT_HUB_LOG_LEVEL_DBG=y

# MQTT - Maximum MQTT keepalive timeout specified by Azure IoT Hub
CONFIG_MQTT_KEEPALIVE=1767

# cJSON
CONFIG_CJSON_LIB=y

# Settings, needed for Azure Device Provisioning Service
CONFIG_FLASH=y
CONFIG_FLASH_MAP=y
CONFIG_FCB=y
CONFIG_SETTINGS=y
CONFIG_SETTINGS_FCB=y
CONFIG_MPU_ALLOW_FLASH_WRITE=y

nrf7002dk_nrf5340_cpuapp.conf

#
# Copyright (c) 2023 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

# General
CONFIG_POSIX_CLOCK=y
CONFIG_HW_STACK_PROTECTION=y
CONFIG_HW_ID_LIBRARY=y
CONFIG_HW_ID_LIBRARY_SOURCE_NET_MAC=y
CONFIG_DK_LIBRARY=y

# Heap and stacks
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_HEAP_MEM_POOL_SIZE=153600
CONFIG_NET_RX_STACK_SIZE=2048

# Set newlib C to prevent build error complaining that string.h is not supported
CONFIG_NEWLIB_LIBC_FLOAT_PRINTF=y

# Wi-Fi
CONFIG_WIFI=y
CONFIG_WIFI_NRF700X=y
CONFIG_WIFI_LOG_LEVEL_ERR=y
CONFIG_WIFI_MGMT_EXT=y
CONFIG_WIFI_CREDENTIALS=y
CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS=y
CONFIG_WIFI_CREDENTIALS_STATIC=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y
CONFIG_SETTINGS_NVS=y

# WPA
CONFIG_WPA_SUPP=y
CONFIG_WPA_SUPP_LOG_LEVEL_ERR=y

# Zephyr NET Connection Manager connectivity layer
CONFIG_L2_WIFI_CONNECTIVITY=y
CONFIG_L2_WIFI_CONNECTIVITY_AUTO_DOWN=n

# DNS
CONFIG_DNS_RESOLVER=y

# Wi-Fi
CONFIG_WIFI_CREDENTIALS_STATIC_SSID="ssid"
CONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD="password"

# NET sockets
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_L2_ETHERNET=y
CONFIG_NET_IPV4=y
CONFIG_NET_TCP=y
CONFIG_NET_TCP_WORKQ_STACK_SIZE=2048
CONFIG_NET_UDP=y
CONFIG_NET_SOCKETS_OFFLOAD=n
CONFIG_NET_NATIVE=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_CONTEXT_SNDTIMEO=y
CONFIG_NET_CONTEXT_RCVTIMEO=y
CONFIG_NET_MGMT_EVENT_STACK_SIZE=4096

# TLS networking
CONFIG_POSIX_MAX_FDS=14
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_NET_SOCKETS_ENABLE_DTLS=n
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2

# nRF Security
CONFIG_NRF_SECURITY=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_CC3XX_BACKEND=y

# mbedTLS
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=120000
CONFIG_MBEDTLS_RSA_C=y

# FOTA
CONFIG_AZURE_FOTA=y
CONFIG_AZURE_FOTA_APP_VERSION_AUTO=n
CONFIG_AZURE_FOTA_TLS=y
# Change the security tag to the tag where the certificates are provisioned
# for the server where the FOTA image is hosted
CONFIG_AZURE_FOTA_SEC_TAG=11
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_FOTA_DOWNLOAD=y
CONFIG_DFU_TARGET=y
CONFIG_MCUBOOT_IMG_MANAGER=y
CONFIG_IMG_MANAGER=y
CONFIG_STREAM_FLASH=y
CONFIG_FLASH_MAP=y
CONFIG_FLASH=y
CONFIG_IMG_ERASE_PROGRESSIVELY=y
CONFIG_DOWNLOAD_CLIENT=y
CONFIG_DOWNLOAD_CLIENT_STACK_SIZE=4096

# Enable external flash to host MCUBoot secondary partition
CONFIG_SPI=y
CONFIG_SPI_NOR=y
CONFIG_SPI_NOR_SFDP_DEVICETREE=y
CONFIG_PM_OVERRIDE_EXTERNAL_DRIVER_CHECK=y

mqtt-certs.h: 

/*
 * Copyright (c) 2023 Nordic Semiconductor ASA
 *
 * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 */

/*
 *      "-----BEGIN CA CERTIFICATE-----\n"
 *      "-----CERTIFICATE-----\n"
 *      "-----END CA CERTIFICATE-----\n"
 */
static const unsigned char ca_certificate[] = {
#if __has_include("ca-cert.pem")
#include "ca-cert.pem"
#else
"-----BEGIN CERTIFICATE-----\n"
"-----CERTIFICATE-----\n"
"-----END CERTIFICATE-----\n"
#endif
};

/*
 *      "-----BEGIN PRIVATE KEY-----\n"
 *      "-----KEY-----\n"
 *      "-----END PRIVATE KEY-----\n"
 */
static const unsigned char private_key[] = {
#if __has_include("private-key.pem")
#include "private-key.pem"
#else
"-----BEGIN RSA PRIVATE KEY-----\n"
"-----CERTIFICATE-----\n"
"-----END RSA PRIVATE KEY-----\n"
#endif
};

/*
 *      "-----BEGIN CLIENT CERTIFICATE-----\n"
 *      "-----CERTIFICATE-----\n"
 *      "-----END CLIENT CERTIFICATE-----\n"
 */
static const unsigned char device_certificate[] = {
#if __has_include("client-cert.pem")
#include "client-cert.pem"
#else
"-----BEGIN CERTIFICATE-----\n"
"-----CERTIFICATE-----\n"
"-----END CERTIFICATE-----\n"
#endif
};

#if CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG != -1

/*
 *      "-----BEGIN CA CERTIFICATE-----\n"
 *      "-----CERTIFICATE-----\n"
 *      "-----END CA CERTIFICATE-----\n"
 */
static const unsigned char ca_certificate_2[] = {
#if __has_include("ca-cert-2.pem")
#include "ca-cert-2.pem"
#else
""
#endif
};

/*
 *      "-----BEGIN PRIVATE KEY-----\n"
 *      "-----KEY-----\n"
 *      "-----END PRIVATE KEY-----\n"
 */
static const unsigned char private_key_2[] = {
#if __has_include("private-key-2.pem")
#include "private-key-2.pem"
#else
""
#endif
};

/*
 *      "-----BEGIN CLIENT CERTIFICATE-----\n"
 *      "-----CERTIFICATE-----\n"
 *      "-----END CLIENT CERTIFICATE-----\n"
 */
static const unsigned char device_certificate_2[] = {
#if __has_include("client-cert-2.pem")
#include "client-cert-2.pem"
#else
""
#endif
};

#endif /* CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG != -1 */

nrf7002dk_nrf5340_cpuapp.overlay is the same as the sample.

main.c is the same as the sample.

 

This is how I build the application:

When I build and flash the application, this is the output I receive from my board:

*** Booting nRF Connect SDK v2.5.0 ***
OK
OK
OK
OK
OK
OK
[00:00:00.014,801] <inf> spi_nor: mx25r6435f@0: 8 MiBy flash
[00:00:00.224,029] <inf> fs_nvs: 2 Sectors of 4096 bytes
[00:00:00.224,029] <inf> fs_nvs: alloc wra: 0, fe8
[00:00:00.224,029] <inf> fs_nvs: data wra: 0, 0
*** Booting nRF Connect SDK v2.5.0 ***
[00:00:00.224,456] <inf> azure_iot_hub_sample: Azure IoT Hub sample started
[00:00:00.224,456] <inf> azure_iot_hub_sample: Bringing network interface up and connecting to the network
[00:00:01.595,947] <inf> azure_iot_hub_sample: Device ID: deviceid
[00:00:01.595,977] <inf> azure_iot_hub_sample: Host name: hostname
[00:00:06.848,693] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned
[00:00:06.849,456] <inf> azure_iot_hub_sample: Connected to network
[00:00:06.850,250] <inf> azure_fota: Current firmware version: 0.0.0-dev
[00:00:06.850,250] <dbg> azure_iot_hub: azure_iot_hub_init: Azure FOTA initialized
[00:00:06.850,280] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_UNINIT --> STATE_DISCONNECTED
[00:00:06.850,311] <inf> azure_iot_hub_sample: Azure IoT Hub library initialized
[00:00:06.850,341] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_DISCONNECTED --> STATE_CONNECTING
[00:00:06.850,372] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTING
[00:00:06.850,433] <dbg> azure_iot_hub: azure_iot_hub_connect: User name: hostname/deviceid/?api-version=2020-09-30&DeviceClientType=azsdk-c%2F1.4.0-beta.2
[00:00:06.850,433] <dbg> azure_iot_hub: azure_iot_hub_connect: User name buffer size is 160, actual user name size is: 106
[00:00:07.508,666] <err> mqtt_helper: mqtt_connect, error: -2
[00:00:07.508,697] <err> azure_iot_hub: mqtt_helper_connect failed, error: -2
[00:00:07.508,758] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_CONNECTING --> STATE_DISCONNECTED
[00:00:07.508,880] <err> azure_iot_hub_sample: azure_iot_hub_connect failed: -2


In terms of my CA certificate, I created it using SSL and had it signed. It was also correctly verified on my Azure IoT Hub:

If anyone could provide guidance on how to correctly fix this issue or point me towards relevant documentation or examples? Your help would be greatly appreciated! Thank you so much.

  • Hi Amanda,

    Thank you for replying! I looked into the doc before and this was the only thing I could find for provisioning certificates to the board:

    The issue is that I cannot do this with the nRF7002DK.

  • For DPS, you will need to configure the Kconfig options seen in the Kconfig fragment file overlay-dps.conf in the sample folder.

  • I already have the Kconfig file configured like this:

    #
    # Copyright (c) 2022 Nordic Semiconductor ASA
    #
    # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
    #

    CONFIG_AZURE_IOT_HUB_DPS=y

    # The ID scope can be omitted and provided at run time
    CONFIG_AZURE_IOT_HUB_DPS_ID_SCOPE="MY_ID_SCOPE"



    And I added the fragment file while building.
  • Hi, 

    Please check the format of the certs. The Azure IoT Hub library requires the provisioning of the following certificates and a private key for a successful TLS connection:

    1. Baltimore CyberTrust Root Certificate - Server certificate, used to verify the server’s certificate while connecting.

    2. Public device certificate - generated by the procedures described in Creating Azure IoT Hub certificates, used by Azure IoT Hub to authenticate the device.

    3. The private key of the device.

    It would be nice with a pcap trace and mbedtls logs. 

    -Amanda H.

  • Hey,

    I have decided to not use DPS and to just use the Hostname and Device ID of my IoT Hub for simplicity of solving the issue.

    1) This is how I formatted the Baltimore CyberTrust Root Certificate within the ca-cert-2.pem:

    "-----BEGIN CA CERTIFICATE-----\n"
    "MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ\n"
    "RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD\n"
    "VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX\n"
    "DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y\n"
    "ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy\n"
    "VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr\n"
    "mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr\n"
    "IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK\n"
    "mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu\n"
    "XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy\n"
    "dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye\n"
    "jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1\n"
    "BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3\n"
    "DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92\n"
    "9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx\n"
    "jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0\n"
    "Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz\n"
    "ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS\n"
    "R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp\n"
    "-----END CA CERTIFICATE-----\n"
    

    This is how I formatted the DigiCert Global Root G2 Certificate within the ca-cert.pem:

    "-----BEGIN CA CERTIFICATE-----\n"
    "MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\n"
    "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
    "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n"
    "MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\n"
    "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
    "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\n"
    "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\n"
    "2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\n"
    "1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\n"
    "q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\n"
    "tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\n"
    "vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\n"
    "BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\n"
    "5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\n"
    "1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\n"
    "NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\n"
    "Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\n"
    "8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\n"
    "pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\n"
    "MrY=\n"
    "-----END CA CERTIFICATE-----\n"

    I applied the same format to the client certificate and private key in the sample code.

    2) I followed the exact steps for generating a Root CA, Subordinate CA, Client Certificate, and Device private key. I uploaded the subordinate CA to the Azure IoT Hub and got it verified.

    3) I apologize for the simple questions in advance because I am still very new, how would I implement a pcap trace and mbedtls logs to the code in order to see more details in my logging?

    I appreciate all the help you are giving me!

    -Nick

  • I added 

    CONFIG_MBEDTLS_LOG_LEVEL_DBG=y

    to the nrf7002dk_nrf5340_cpuapp.conf. After building, the output terminal looks like it did not change anything from previous messages:

    *** Booting nRF Connect SDK v2.5.0 ***
    OK
    OK
    OK
    OK
    OK
    OK
    [00:00:00.014,801] <inf> spi_nor: mx25r6435f@0: 8 MiBy flash
    [00:00:00.224,029] <inf> fs_nvs: 2 Sectors of 4096 bytes
    [00:00:00.224,060] <inf> fs_nvs: alloc wra: 0, fe8
    [00:00:00.224,060] <inf> fs_nvs: data wra: 0, 0
    *** Booting nRF Connect SDK v2.5.0 ***
    [00:00:00.224,456] <inf> azure_iot_hub_sample: Azure IoT Hub sample started
    [00:00:00.224,487] <inf> azure_iot_hub_sample: Bringing network interface up and connecting to the network
    [00:00:01.609,466] <inf> azure_iot_hub_sample: Device ID: DEVICEID
    [00:00:01.609,497] <inf> azure_iot_hub_sample: Host name: HOSTNAME
    [00:00:05.871,582] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned
    [00:00:05.872,192] <inf> azure_iot_hub_sample: Connected to network
    [00:00:05.872,955] <inf> azure_fota: Current firmware version: 0.0.0-dev
    [00:00:05.872,955] <dbg> azure_iot_hub: azure_iot_hub_init: Azure FOTA initialized
    [00:00:05.873,016] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_UNINIT --> STATE_DISCONNECTED
    [00:00:05.873,016] <inf> azure_iot_hub_sample: Azure IoT Hub library initialized
    [00:00:05.873,077] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_DISCONNECTED --> STATE_CONNECTING
    [00:00:05.873,077] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTING
    [00:00:05.873,138] <dbg> azure_iot_hub: azure_iot_hub_connect: User name: HOSTNAME/DEVICEID/?api-version=2020-09-30&DeviceClientType=azsdk-c%2F1.4.0-beta.2
    [00:00:05.873,168] <dbg> azure_iot_hub: azure_iot_hub_connect: User name buffer size is 160, actual user name size is: 106
    [00:00:06.531,738] <err> mqtt_helper: mqtt_connect, error: -22
    [00:00:06.531,768] <err> azure_iot_hub: mqtt_helper_connect failed, error: -22
    [00:00:06.531,799] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_CONNECTING --> STATE_DISCONNECTED
    [00:00:06.531,829] <err> azure_iot_hub_sample: azure_iot_hub_connect failed: -22
    
  • For pcap trace, you can use your computer as a hotspot and have the device connect to it over Wi-Fi. Then, trace with Wireshark on that interface and isolate the TCP stream once captured.

  • Hey Amanda,

    Sorry for the late response, I got the code to output more errors without using a pcap trace. I reformatted the DigiCert Global Root G2 certificate to this:

    "-----BEGIN CERTIFICATE-----\n"
    "MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\n"
    "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
    "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n"
    "MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\n"
    "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
    "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\n"
    "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\n"
    "2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\n"
    "1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\n"
    "q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\n"
    "tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\n"
    "vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\n"
    "BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\n"
    "5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\n"
    "1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\n"
    "NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\n"
    "Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\n"
    "8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\n"
    "pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\n"
    "MrY=\n"
    "-----END CERTIFICATE-----\n"

    The main difference is the "-----BEGIN CA CERTIFICATE-----\n" and "-----END CA CERTIFICATE-----\n" changed to "-----BEGIN CERTIFICATE-----\n" and "-----END CERTIFICATE-----\n"

    Upon doing this, the errors started to change to this:

    *** Booting nRF Connect SDK v2.5.99-dev1 ***
    OK
    OK
    OK
    OK
    OK
    OK
    OK
    OK
    OK
    OK
    OK
    [00:00:00.014,923] <inf> spi_nor: mx25r6435f@0: 8 MiBy flash
    [00:00:00.228,942] <inf> fs_nvs: 2 Sectors of 4096 bytes
    [00:00:00.228,973] <inf> fs_nvs: alloc wra: 0, fe8
    [00:00:00.228,973] <inf> fs_nvs: data wra: 0, 0
    *** Booting nRF Connect SDK v2.5.99-dev1 ***
    [00:00:00.229,400] <inf> azure_iot_hub_sample: Azure IoT Hub sample started
    [00:00:00.229,431] <inf> azure_iot_hub_sample: Bringing network interface up and connecting to the network
    [00:00:00.234,191] <dbg> mqtt_helper: mqtt_helper_poll_loop: Waiting for connection_poll_sem
    [00:00:01.690,551] <inf> wifi_mgmt_ext: Connection requested
    
    [00:00:01.691,833] <inf> azure_iot_hub_sample: Device ID: nRF7002DK
    [00:00:01.691,864] <inf> azure_iot_hub_sample: Host name: ProjectEmilia1.azure-devices.net
    [00:00:07.493,011] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned
    [00:00:07.493,652] <inf> azure_iot_hub_sample: Connected to network
    [00:00:07.494,445] <inf> azure_fota: Current firmware version: 0.0.0-dev
    [00:00:07.494,445] <dbg> azure_iot_hub: azure_iot_hub_init: Azure FOTA initialized
    [00:00:07.494,506] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_UNINIT --> STATE_DISCONNECTED
    [00:00:07.494,506] <inf> azure_iot_hub_sample: Azure IoT Hub library initialized
    [00:00:07.494,567] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_DISCONNECTED --> STATE_CONNECTING
    [00:00:07.494,598] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTING
    [00:00:07.494,628] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_UNINIT --> MQTT_STATE_DISCONNECTED
    [00:00:07.494,720] <dbg> azure_iot_hub: azure_iot_hub_connect: User name: ProjectEmilia1.azure-devices.net/nRF7002DK/?api-version=2020-09-30&DeviceClientType=azsdk-c%2F1.4.0-beta.2
    [00:00:07.494,750] <dbg> azure_iot_hub: azure_iot_hub_connect: User name buffer size is 160, actual user name size is: 106
    [00:00:07.494,812] <dbg> mqtt_helper: broker_init: Resolving IP address for ProjectEmilia1.azure-devices.net
    [00:00:08.091,735] <dbg> mqtt_helper: broker_init: IPv4 Address found 40.71.14.133 (AF_INET)
    [00:00:08.091,827] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_DISCONNECTED --> MQTT_STATE_TRANSPORT_CONNECTING
    [00:00:08.585,327] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_TRANSPORT_CONNECTING --> MQTT_STATE_TRANSPORT_CONNECTED
    [00:00:08.585,388] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_TRANSPORT_CONNECTED --> MQTT_STATE_CONNECTING
    [00:00:08.585,418] <dbg> mqtt_helper: client_connect: Using send socket timeout of 60 seconds
    [00:00:08.585,418] <dbg> mqtt_helper: mqtt_helper_connect: MQTT connection request sent
    [00:00:08.585,449] <inf> azure_iot_hub_sample: Connection request sent to IoT Hub
    [00:00:08.586,181] <dbg> mqtt_helper: mqtt_helper_poll_loop: Took connection_poll_sem
    [00:00:08.586,883] <dbg> mqtt_helper: mqtt_helper_poll_loop: Starting to poll on socket, fd: 9
    [00:00:08.586,883] <dbg> mqtt_helper: mqtt_helper_poll_loop: Polling on socket fd: 9
    [00:00:08.744,903] <dbg> mqtt_helper: mqtt_evt_handler: MQTT mqtt_client connected
    [00:00:08.744,964] <dbg> mqtt_helper: mqtt_state_set: State transition: MQTT_STATE_CONNECTING --> MQTT_STATE_DISCONNECTED
    [00:00:08.744,964] <err> azure_iot_hub: Connection was rejected with return code 5
    [00:00:08.744,995] <wrn> azure_iot_hub: Is the device certificate valid?
    [00:00:08.745,025] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_CONNECTING --> STATE_DISCONNECTED
    [00:00:08.745,056] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTION_FAILED
    [00:00:08.745,056] <inf> azure_iot_hub_sample: Error code received from IoT Hub: 5
    [00:00:08.751,983] <dbg> mqtt_helper: mqtt_evt_handler: MQTT_EVT_DISCONNECT: result = -111
    [00:00:08.752,044] <dbg> mqtt_helper: mqtt_state_set: Skipping transition to the same state (MQTT_STATE_DISCONNECTED)
    [00:00:08.752,044] <wrn> azure_iot_hub: DISCONNECT, result: -111
    [00:00:08.752,105] <dbg> azure_iot_hub: iot_hub_state_set: Skipping transition to the same state (STATE_DISCONNECTED)
    [00:00:08.752,105] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_DISCONNECTED
    [00:00:08.752,136] <err> mqtt_helper: Cloud MQTT input error: -111
    [00:00:08.752,166] <dbg> mqtt_helper: mqtt_helper_poll_loop: Waiting for connection_poll_sem

    6177.azure_iot_hub.zip

    Immediately I started to check all my certificates and followed each step of the guide to creating them and would still receive the same error.

    I saw a post that suggested removing the Baltimore Cyber Trust Root completely because Azure IoT Hub is now migrated. However, after running I still had the same error.

    With my client certificate and private certificate, I have created a test CA and a corresponding key. I did not go into any more detail of creating subordinate CAs and Client certs because I do not care about the security of the device at the moment, I just want to get a simple message sent to my IoT Hub as the sample does.

    I verified this CA and used it as my client-cert.pem and used the key as my private-key.pem.

    I still received the same error and would appreciate more help!

    I will also link my entire project to this in a .zip file so that you could see if I am missing anything.

    Thank you so much,

    Nick

  • Hi Nick,

    Sorry for the delay. I was out of the office last week.  

    We just updated the Azure IoT docs to improve the onboarding/cert generation process. Please try the NCS v2.6.0 and have a look at that. We now provide CI commands + scripts to set up a device to Azure IoT hub, instead of the previous manual process.

    https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/networking/azure_iot_hub.html

    I would also recommend connecting with the "standard" unmodified sample in NCS first, before running your code if altered.

    The new docs just changed from using the Azure UI to using the command line. The script is only used to generate and sign certificates.

    Nickf_tw said:
    I verified this CA and used it as my client-cert.pem and used the key as my private-key.pem.


    It sounds like you use your test CA certificate as the dev certificate:
    That will not work. You need to sign the device certificate with the test CA, and you also mention modifying the PEM file tokens by hand. That’s definitely not recommended.

    -Amanda H.
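
The two pitfalls this thread ends on, hand-edited PEM boundary labels and a CA certificate used as the device certificate, can be caught before flashing. The following is an added example, not code from the thread or from the nRF Connect SDK: a Python lint for the quoted `.pem` files that `mqtt-certs.h` includes. The function names, the role names and the two DER stand-ins are constructed for illustration, it assumes one PEM block per file, and the CA check is a byte-scan heuristic rather than a full X.509 parse.

```python
import base64
import re

# PEM labels that mbedTLS's certificate and private-key parsers recognise.
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")  # DER of OID 2.5.29.19

LITERAL = re.compile(r'^\s*"(.*)\\n"\s*$')
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


def unquote(text):
    """Turn the C string literals of a quoted .pem file back into PEM lines."""
    lines = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            m = LITERAL.match(raw)
            if m is None:
                raise ValueError(f'line {n}: not a "...\\n" string literal')
            lines.append(m.group(1))
    return lines


def der_length_ok(der):
    """True if der is exactly one SEQUENCE whose length field fits the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                      # long form: n length bytes follow
    return n > 0 and 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def is_ca(der):
    """Heuristic byte scan: basicConstraints present with cA set to TRUE."""
    i = der.find(BASIC_CONSTRAINTS_OID)
    if i < 0:
        return False
    rest = der[i + len(BASIC_CONSTRAINTS_OID):]
    if rest[:3] == b"\x01\x01\xff":        # optional "critical" BOOLEAN
        rest = rest[3:]
    # OCTET STRING { SEQUENCE { BOOLEAN TRUE, ... } }
    return (len(rest) >= 7 and rest[0] == 0x04 and rest[2] == 0x30
            and rest[4:7] == b"\x01\x01\xff")


def check(text, role):
    """Problems found in one quoted PEM file; role is "ca", "device" or "key"."""
    try:
        lines = unquote(text)
    except ValueError as exc:
        return [str(exc)]
    begin = BOUNDARY.match(lines[0]) if len(lines) >= 3 else None
    end = BOUNDARY.match(lines[-1]) if begin else None
    if not begin or not end or (begin.group(1), end.group(1)) != ("BEGIN", "END"):
        return ["missing BEGIN/END boundary lines"]
    problems = []
    label = begin.group(2)
    if end.group(2) != label:
        problems.append("BEGIN and END labels differ")
    allowed = KEY_LABELS if role == "key" else CERT_LABELS
    if label not in allowed:
        problems.append(f"label {label!r} is not one of {sorted(allowed)}")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return problems + ["body is not valid base64"]
    if not der_length_ok(der):
        problems.append("body is not a single DER SEQUENCE")
    elif role == "device" and is_ca(der):
        problems.append("device certificate is a CA certificate (CA:TRUE)")
    return problems


def quote(label, der):
    """Build a quoted PEM file from DER bytes (used for the sample inputs)."""
    b64 = base64.b64encode(der).decode()
    rows = [f"-----BEGIN {label}-----", b64, f"-----END {label}-----"]
    return "".join(f'"{r}\\n"\n' for r in rows)


# Constructed DER stand-ins (not real certificates): a SEQUENCE holding only
# a basicConstraints extension, with CA:TRUE and with an empty value.
FAKE_CA = bytes.fromhex("3011300f0603551d130101ff040530030101ff")
FAKE_LEAF = bytes.fromhex("300b30090603551d1304023000")

if __name__ == "__main__":
    print(check(quote("CA CERTIFICATE", FAKE_CA), "ca"))
    print(check(quote("CERTIFICATE", FAKE_CA), "device"))
    print(check(quote("CERTIFICATE", FAKE_LEAF), "device"))
```

To use it on a project, read each `.pem` file as text and pass it to `check()` with the role that file plays in `mqtt-certs.h`.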

  • Hi Amanda,

    No worries about the delay, I have followed the link that you have sent me step by step using DPS. I deleted all of my old certificates and added the new ones to the code. I also am using the standard sample with no modifications and it finally worked!

    Thank you so much for all of your help,

    Nick
