Azure IoT hub Documentation/Sample not working on nRF9160

Hey folks,

I have to use the nRF9160 board to create a PoC for a project of our company. The main topic of the PoC is not important here because I can't even connect to an Azure IoT Hub.

I use the code of the nRF SDK sample with the toolchain version 2.9: sdk-nrf/samples/net/azure_iot_hub at main · nrfconnect/sdk-nrf

The code runs in a west workspace.

The LTE Connection works fine so far.

The board is able to build everything (it was hard to reach this point).

I use the Visual Studio extension to work with nrf.

I know that the problem is the certificate; I followed the documentation to generate and provision the certificates.

After everything is done I get this error:

************************************************************************************************************************************

*** Booting nRF Connect SDK v2.9.0-7787b2649840 ***
*** Using Zephyr OS v3.7.99-1f8f3dc29142 ***
[00:00:00.253,784] <inf> azure_iot_hub_sample: Azure IoT Hub sample started
[00:00:00.253,845] <inf> azure_iot_hub_sample: Bringing network interface up and connecting to the network
[00:00:00.525,634] <inf> azure_iot_hub_sample: Device ID: XXXXXXXXX
[00:00:00.525,695] <inf> azure_iot_hub_sample: Host name: XXXXXXXXXXXXXXXXX
+CEREG: 2,"67C0","01AA1300",7
+CSCON: 1
+CGEV: ME PDN ACT 0,0
+CNEC_ESM: 50,0
%MDMEV: SEARCH STATUS 2
+CEREG: 5,"67C0","01AA1300",7,,,"00001010","01011111"
[00:00:05.561,889] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned
[00:00:05.562,011] <inf> azure_iot_hub_sample: Connected to network
[00:00:05.562,805] <inf> azure_fota: Current firmware version: 0.0.0-dev
[00:00:05.562,835] <inf> azure_iot_hub_sample: Azure IoT Hub library initialized
[00:00:05.562,835] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTING
[00:00:07.714,813] <inf> azure_iot_hub_sample: Connection request sent to IoT Hub
[00:00:07.798,614] <err> azure_iot_hub: Connection was rejected with return code 5
[00:00:07.798,645] <wrn> azure_iot_hub: Is the device certificate valid?
[00:00:07.798,645] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTION_FAILED
[00:00:07.798,675] <inf> azure_iot_hub_sample: Error code received from IoT Hub: 5
[00:00:07.799,896] <wrn> azure_iot_hub: DISCONNECT, result: -111
[00:00:07.799,926] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_DISCONNECTED
[00:00:07.799,926] <err> mqtt_helper: Cloud MQTT input error: -111
+CEREG: 5,"67C0","01AA1302",7,,,"00001010","01011111"
********************************************************************************************************************************

I made sure to set

CONFIG_MQTT_HELPER_SEC_TAG
CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG

to the chosen values. This is the stuff I get from nrfcredstore COM11 list:
Secure tag Key type SHA
4242 ROOT_CA_CERT 0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C
4242 CLIENT_CERT 36AF6EF65D6EC7E800F407E7B7239301D3A359B81FC5475DED8851D87E5B6905
4242 CLIENT_KEY 2F38805AF55755FFEDFE71CC2D38C7AAA7AD20633BCA49E920796CEB768D5B8C
4343 ROOT_CA_CERT 44866CF6914A1AD1100147FA8432387FD5E63A5B5DFDD5A967A507AFEB78639B

The device I created in the IoT Hub uses x509_ca, as mentioned in the documentation.

I even tried the self-signed option or a connection string but nothing worked. I varied the creation of the certificate in some ways but nothing led to success.
Does somebody know how to fix it? I read some posts in this DevZone but nothing helped.
  • Hello, 

    I'm currently looking into this and hope to have more answers by end of tomorrow.

    Kind regards,
    Øyvind

  • Thank you. By the way, I think I should mention that I don't use the Device Provisioning from Azure.

  • Hello, no, I could not get further. I did everything according to the guide multiple times but I still get the error. Maybe I'll wipe the board and try it again.

  • Hello, sorry for the inconvenience this is causing. We are scratching our heads over this one. Could you please wipe the board, and then follow each step one more time, but this time please log everything in detail to share with us? Please generate a new device in Azure and start with a clean slate.

    I can convert this ticket to a private ticket in order to not share sensitive information outside.

  • Hello, no problem, I will do that, but I am on vacation right now. I will start next week and post everything I do step by step.

  • Hey! No worries! Enjoy your vacation.

    Kind regards,
    Øyvind

  • What I did:

    Device:

    • I opened up the Programmer via nRF Connect for Desktop.
    • Clicked on Reset.
    • Then I downloaded the latest firmware (nrf9160dk_mfw-1.3.7_sdk-2.8.0) and selected the zip in the unpacked folder.
    • I clicked write.
    • Then I moved on to start with the guide in the documentation.

    Documentation: Azure IoT Hub

    • I skipped setting up Azure IoT Hub because I already have one.
    • Due to the skip for the IoT Hub I also skip steps 2, 3, and 4 because I don't want to use Device Provisioning.
    • Starting now with step 5, generating certificates.
    • I generate the root CA with cert_tool.py root_ca
    • Then I generate the sub_ca with cert_tool.py sub_ca
    • Then I followed the steps designed for "without DPS".
    • I uploaded the root CA "az iot hub certificate create --hub-name <hub_name> --name RandomTest --path ca/root-ca-cert.pem"
    • This results in an output with Etag, Name, certificate and so on.
    • I use the etag for the next command to get the verification code: az iot hub certificate generate-verification-code --hub-name <hub_name> --name <cert_name> --etag "<etag_from_prev_command>"
    • This results in the same kind of JSON with other values; I wrote down the verification code.
    • I generate a new private key via cert_tool.py client_key
    • I create a CSR with the verification code as common name "cert_tool.py csr --common-name <verification_code>"
    • I sign the CSR with the root CA "cert_tool.py sign_root"
    • Then I upload the verification certificate "az iot hub certificate verify --hub-name <hub_name> --name <cert_name> --etag "<etag_from_generate_verification_code>" --path certs/client-cert.pem", which means for me I use the etag resulting from this command I used before.
    • I get a JSON as result but this will not be used anyway, so whatever.
    • I then followed the instructions for "nrf91: Modem generated private key" because why not.
    • So I gathered a list of keys with the "nrfcredstore com11 list" command resulting in the desired list:
    • The 4242 and 4343 secure tags are my creation so I delete them again just to be sure, resulting in this list:
    • I ignored the Nordic stuff.
    • Then I generate the whole stuff: "nrfcredstore <serial port> generate <sec tag> certs/client-csr.der"
    • Then I converted the CSR from DER to PEM format "openssl req -inform DER -in certs/client-csr.der -outform PEM -out certs/client-csr.pem"
    • Then I sign the CSR (I guess, because the command doesn't give it away) "Cert_tool.py sign"
    • While ignoring the useless note because it tells me that things may vary and I should see the documentation but no link is provided (could be improved).
    • Then I extract the CN (whatever it is) with "openssl x509 -in certs/client-cert.pem -noout -subject". As far as I know I don't need the CN at all so I don't know why I should take note of it or extract it at all.
    • With the CN I combine the device certificate and the sub CA with "cat certs/client-cert.pem ca/sub-ca-cert.pem > certs/client-cert-chain.pem"

    Azure:

    • I register a new device via CLI: "az iot hub device-identity create -n <iothub_name> -d <device_id> --am x509_ca"
    • Resulting in a JSON.
    • I provision the Baltimore and DigiCert CA via CLI: "nrfcredstore <serial port> write <sec tag> ROOT_CA_CERT DigiCertGlobalRootG2.crt.pem", "nrfcredstore <serial port> write <secondary sec tag> ROOT_CA_CERT BaltimoreCyberTrustRoot.crt.pem"
    • I used 130 and 129 for the security tag.
    • I use the tags for the prj.config
    • So I configured all variables.
    • I skipped every other following step because it seems useless to me.

    After building and flashing I get this error again.
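A pre-flight check for the sec-tag setup described in this thread, as an added example that is not part of the original posts or of Nordic's tooling: it parses `nrfcredstore <port> list` output and reports which credential types are missing from the tags named by CONFIG_MQTT_HELPER_SEC_TAG and CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG. The sample listing, its hashes and the function names are constructed; the example assumes the primary tag carries the root CA, client certificate and client key for mutual TLS and the secondary tag only a root CA.

```python
import re

# Assumption of this example: the primary tag is used for mutual TLS and so needs
# all three credential types; the secondary tag only adds a second root CA.
PRIMARY_NEEDS = {"ROOT_CA_CERT", "CLIENT_CERT", "CLIENT_KEY"}
SECONDARY_NEEDS = {"ROOT_CA_CERT"}
ROW = re.compile(r"^\s*(\d+)\s+([A-Z_]+)\s+([0-9A-Fa-f]{64})\s*$")
TAG = re.compile(r"^CONFIG_MQTT_HELPER_(SEC_TAG|SECONDARY_SEC_TAG)=(\d+)\s*$", re.M)

def parse_credstore_list(text):
    """Map sec tag -> {key type: SHA} from `nrfcredstore <port> list` output."""
    store = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # the header row and blank lines do not match
            store.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).upper()
    return store

def parse_sec_tags(kconfig_text):
    """Return (primary, secondary) sec tags; a tag that is not set is None."""
    found = {name: int(value) for name, value in TAG.findall(kconfig_text)}
    return found.get("SEC_TAG"), found.get("SECONDARY_SEC_TAG")

def preflight(kconfig_text, credstore_text):
    """List what the configured tags lack; an empty list means nothing is missing."""
    store = parse_credstore_list(credstore_text)
    primary, secondary = parse_sec_tags(kconfig_text)
    if primary is None:
        return ["CONFIG_MQTT_HELPER_SEC_TAG is not set"]
    problems = []
    for tag, needs in ((primary, PRIMARY_NEEDS), (secondary, SECONDARY_NEEDS)):
        if tag is not None:
            have = store.get(tag, {})
            problems += [f"sec tag {tag}: {t} missing" for t in sorted(needs.difference(have))]
    return problems

# Constructed sample input: the listing and its hashes are made up for this example.
SAMPLE_KCONFIG = "CONFIG_MQTT_HELPER_SEC_TAG=130\nCONFIG_MQTT_HELPER_SECONDARY_SEC_TAG=129\n"
SAMPLE_LIST = "\n".join([
    "Secure tag Key type SHA",
    "129 ROOT_CA_CERT " + "A" * 64,
    "130 ROOT_CA_CERT " + "B" * 64,
    "130 CLIENT_KEY " + "C" * 64,
])

if __name__ == "__main__":
    for problem in preflight(SAMPLE_KCONFIG, SAMPLE_LIST) or ["nothing missing"]:
        print(problem)
```

An empty result only rules out a missing credential; it says nothing about whether the certificate stored under the tag is the one the IoT Hub expects.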
