Azure IoT hub Documentation/Sample not working on nRF9160

Hello, 

I'm currently looking into this and hope to have more answers by end of tomorrow.

Kind regards,
Øyvind

Thank you, btw i think i should mention that i dont use the Device Provisioning from Azure.

What i did:

Device:

• I opened up the Programmer via nrf connect for Desktop.
• Clicked on Reset.
• Then i downloaded the latest firmware (nrf9160dk_mfw-1.3.7_sdk-2.8.0) and selected the zip in the unpacked folder.
• I clicked write.
• 
• Then i moved on to start with the guide in the Documentation.

   

  Documentation: Azure IoT Hub

   

  • I skipped setting up Azure IoT Hub because i already have one.
  • Due to the skip for the IoT Hub i also skip Step 2, 3, and 4 because i dont want to use Device Provisioning.
  • Starting now with step 5 generating certificates
  • I generate the root CA with  cert_tool.py root_ca
  • 
  • Then i generate the sub_ca with cert_tool.py sub_ca
  • 

   

  • Then i followed the steps designed for "without DPS"
  • I uploaded the root CA "az iot hub certificate create --hub-name <hub_name> --name RandomTest --path ca/root-ca-cert.pem"
  • This results in an output with Etag, Name, certificate and so on.
  • I use the etag for the next command to get the verification code : az iot hub certificate generate-verification-code --hub-name <hub_name> --name <cert_name> --etag "<etag_from_prev_command>"
  • This results in the same kind of json with other values, i wrote down the verificationcode.
  • I generate a new private key via cert_tool.py client_key
  • I create a CSR with the verification code as common name "cert_tool.py csr --common-name <verification_code>"
  • I sign the csr with the root ca "cert_tool.py sign_root"
  • 
  •  
    • Then i upload the verification certificate "az iot hub certificate verify --hub-name <hub_name> --name <cert_name> --etag "<etag_from_generate_verification_code>" --path certs/client-cert.pem" which means for me i use the etag resulting from this command i used before
    • 
      • I get a json as result but this will not be used anyway so what ever.
      • I then followed the instruction for "nrf91: Modem generated private key" because why not.

    •  

      • So i gathered a list of keys with the "nrfcredstore com11 list" command resulting in the desired list:
      • 
      • The 4242 and 4343 secure tags are my creation so i delete them again just to be sure resulting in this list :
      • 
      • I ignored the nordic stuff.
      • Then i generate the whole stuff :  "nrfcredstore <serial port> generate <sec tag> certs/client-csr.der"
      • 
      • Then i converted the CSR From DER to PEM format "openssl req -inform DER -in certs/client-csr.der -outform PEM -out certs/client-csr.pem"
      • 
      • Then i sign the CSR (i guess because the command doesnt give it away) "Cert_tool.py sign"
      • 
        • While ignoring the useless note because it tells me that things may vary and i should see the documentation but no link is provided (could be improved).
        • 
        • Then i extract the CN (Whatever it is) with "openssl x509 -in certs/client-cert.pem -noout -subject".As far as i know i dont need the CN at all so i dont know why i should take note of it.
        • With the CA i combine the device certificate and the sub ca with "cat certs/client-cert.pem ca/sub-ca-cert.pem > certs/client-cert-chain.pem"

      •  

        Azure:

        • I register a new device via CLI : "az iot hub device-identity create -n <iothub_name> -d <device_id> --am x509_ca"
        • Resulting in a json
        • I provision the Baltimore and Digicert CA via CLI: "nrfcredstore <serial port> write <sec tag> ROOT_CA_CERT DigiCertGlobalRootG2.crt.pem", "nrfcredstore <serial port> write <secondary sec tag> ROOT_CA_CERT BaltimoreCyberTrustRoot.crt.pem"
        • I used 130 and 129 for the security tag.
        • I use the tags for the prj.config
        • 

         

        

        • So i configured all variables
        • I skiped every other following step because it seems useless to me.

         

        After building and flashing i get this error again

        

Hello, and thank you for your valuable feedback. It is clear that some improvement can be done to the documentation. I will forward this internally.

Cedric A. said:

• Then i extract the CN (Whatever it is) with "openssl x509 -in certs/client-cert.pem -noout -subject". As far as i know i dont need the CN at all so i dont know why i should take note or extract it at all.
• With the CN i combine the device certificate and the sub ca with "cat certs/client-cert.pem ca/sub-ca-cert.pem > certs/client-cert-chain.pem"

As stated in step 6 Register a device in Azure IoT Hub, the device ID must match the Common Name (CN) of the certificate. The CN of the certificate is set to the device UUID, and the CN is read out by Azure to identify the device during the TLS handshake.

Cedric A. said:

Starting now with step 5 generating certificates

Just to clarify, you are following step 5 Generate and provision device certificates using nRF91: Script generated private key or nRF91: Modem generated private key?

Kind regards,
Øyvind

Øyvind said:

The CN of the certificate is set to the device UUID, and the CN is read out by Azure to identify the device during the TLS handshake.

From the output it is clear that you using modem generated and this is using a CN based on UUID

This means that the device ID must be the UUID in Azure IoT Hub.

Can you please test and verify?

Kind regards,
Øyvind

I used modem generated private key.
So do i get this right ? after the step for the CN i note down the CN and create a device in azure with the CN as Device id ?

i just tried to redo the step of Device creation but with the twist that i use the CN as DeviceID but it did not change the outcome

i just tried to redo the step of Device creation but with the twist that i use the CN as DeviceID but it did not change the outcome

Hello, are you seeing the same outcome as first reported? Could you please share full logs from the last try?

Thanks!

Kind regards,
Øyvind

It is the same output:

*** Booting MCUboot v2.1.0-dev-12e5ee106034 ***
*** Using nRF Connect SDK v2.9.0-7787b2649840 ***
*** Using Zephyr OS v3.7.99-1f8f3dc29142 ***
I: Starting bootloader
I: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
I: Secondary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
I: Boot source: none
I: Image index: 0, Swap type: none
I: Bootloader chainload address offset: 0x10000
*** Booting nRF Connect SDK v2.9.0-7787b2649840 ***
*** Using Zephyr OS v3.7.99-1f8f3dc29142 ***
[00:00:00.253,814] <inf> azure_iot_hub_sample: Azure IoT Hub sample started
[00:00:00.253,875] <inf> azure_iot_hub_sample: Bringing network interface up and connecting to the network
[00:00:00.525,787] <inf> azure_iot_hub_sample: Device ID: 504e5737-3230-4fa3-80cc-131febc1a6cb
[00:00:00.525,848] <inf> azure_iot_hub_sample: Host name: TestThisShitIAmOut.azure-devices.net
+CEREG: 2,"67C0","028A060A",7
+CSCON: 1
+CSCON: 0
+CEREG: 2,"67C0","01AA1300",7
+CSCON: 1
+CGEV: ME PDN ACT 0,0
+CNEC_ESM: 50,0
%MDMEV: SEARCH STATUS 2
+CEREG: 5,"67C0","01AA1300",7,,,"00001010","01011111"
[00:00:29.064,758] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned
[00:00:29.064,880] <inf> azure_iot_hub_sample: Connected to network
[00:00:29.065,673] <inf> azure_fota: Current firmware version: 0.0.0-dev
[00:00:29.065,704] <inf> azure_iot_hub_sample: Azure IoT Hub library initialized
[00:00:29.065,704] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTING
[00:00:31.142,822] <inf> azure_iot_hub_sample: Connection request sent to IoT Hub
[00:00:31.285,430] <err> azure_iot_hub: Connection was rejected with return code 5
[00:00:31.285,461] <wrn> azure_iot_hub: Is the device certificate valid?
[00:00:31.285,461] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTION_FAILED
[00:00:31.285,491] <inf> azure_iot_hub_sample: Error code received from IoT Hub: 5
[00:00:31.286,712] <wrn> azure_iot_hub: DISCONNECT, result: -111
[00:00:31.286,743] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_DISCONNECTED
[00:00:31.286,773] <err> mqtt_helper: Cloud MQTT input error: -111

Cedric A. said:

[00:00:31.285,461] <wrn> azure_iot_hub: Is the device certificate valid?

This still looks like an issue with the certificate, but our experts can't replicate it. There must be a misconfiguration in the certificates either on the server side or device side. 

Cedric A. said:

Device ID: 504e5737-3230-4fa3-80cc-131febc1a6cb

If the device has this device ID on both server and device, and has used the same CN, we are not able to see why it would fail. 

Cedric A. said:

dont use the Device Provisioning f

Did you retry using device provisioning just to see if that changes the outcom?

Kind regards,
Øyvind

What i did now with Deviceprovisioning:

• I deleted the IoT Hub to start from scratch
• Deleted the Certificates in the Project folder and cleared the credstore

Now following the Documentation:

• Creating a new IoT hub via "az iot hub create --resource-group <resource_name> --name <hub_name> --sku F1 --partition-count 2"
• Creating DPS via "az iot dps create --name <dps_name> --resource-group <resource_name>"
• Linking them both together via "az iot dps linked-hub create --dps-name <dps_name> --hub-name <hub_name> --resource-group <resource_name>"
• Starting Generating certificates now
• Generating root ca via "cert_tool.py root_ca"
• Generating sub CA via "cert_tool.py sub_ca"

• Next Steps now in the "With DPS" tab
• Upload the root ca to the dps instance via "az iot dps certificate generate-verification-code --dps-name <dps_name> --resource-group <resource_name> --certificate-name <cert_name> --etag "<etag_from_prev_command>" and i choose Root_CA as name because i am a verry creative person (not)
• Take note of the etag for the next command
• Getting the verification cote and etag of the verification code via "az iot dps certificate generate-verification-code --dps-name <dps_name> --resource-group <resource_name> --certificate-name <cert_name> --etag "<etag_from_prev_command>""
• Note down the verification code and the etag of the result i get from the command (dont know if the etag of the previous command should be used but i think i have to use one resulting from the verification code command)
• A
• Now generating the private key via "cert_tool.py client_key"
• Create CSR with the verification code as common name via "cert_tool.py csr --common-name <verification_code>"
• Sign the CSR with the root ca via "cert_tool.py sign_root" and in the output i can see that it says "signing the certificate with CN XXX" and the CN is correct.
• Upload the verification certificate via "az iot dps certificate verify --dps-name <dps_name> --resource-group <resource_name> --certificate-name <cert_name> --etag "<etag_from_generate_verification_code>" --path certs/client-cert.pem"
• Little Note from my side i allways used Root_CA as name if <cert_name> is requested because i dont know what i should use instead.
• Now generate and provisioning device Certificates in the Modem generated private key tab
• Generate a key pair and obtain a CSR using "nrfcredstore <serial port> generate <sec tag> certs/client-csr.der" where serial port = com11 and a random number as tag
• Convert CSR from DER to PEM format via "openssl req -inform DER -in certs/client-csr.der -outform PEM -out certs/client-csr.pem"
• Sign the CSR using subordinate CA via "cert_tool.py sign"
• Now comes the confusing part, step 6 gives me a command to get the CN frooooom where ? I checked the CN i get from the "openssl x509 -in certs/client-cert.pem -noout -subject" command and the CN from the Previous steps and they dont match so i am not sure which to use

Due to the fact that i use DPS it dont need it annyways

• Combine the device certificate and the sub CA via "cat certs/client-cert.pem ca/sub-ca-cert.pem > certs/client-cert-chain.pem"
• Provision the certificate to the modem via "nrfcredstore <serial port> write <sec tag> CLIENT_CERT certs/client-cert-chain.pem"
• Register a device via DPS
• Create an enrollment group using the sub CA via "az iot dps enrollment-group create --dps-name <dps_name> --resource-group <resource_name> --enrollment-id <enrollment_name> --certificate-path ca/sub-ca-cert.pem --provisioning-status enabled --iot-hubs <iothub_url> --allocation-policy static"
• Provision the server root CA DigiCert and Baltimore via nrfcredstore
• Setting the security and secondary security tag to the chosen values
• Setting

CONFIG_AZURE_IOT_HUB_DPS_ID_SCOPE to the IdScope

• Setting

CONFIG_MODEM_JWT=y

CONFIG_HW_ID_LIBRARY_SOURCE_UUID=y

Resulting in this output:

[00:00:06.048,034] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned

[00:00:06.048,156] <inf> azure_iot_hub_sample: Connected to network

[00:00:06.048,156] <inf> azure_iot_hub_sample: Starting DPS

[00:00:06.048,187] <err> azure_iot_hub_dps: Registration ID length is zero, DPS cannot proceed

[00:00:06.048,187] <err> azure_iot_hub_sample: azure_iot_hub_dps_init failed, error: -14

[00:00:06.048,217] <err> azure_iot_hub_sample: Failed to run DPS, error: -14, terminating connection attempt

+CSCON: 0

Some new error whohoo

Trying to fix this error

• It seems i forgot to set CONFIG_AZURE_IOT_HUB_DEVICE_ID=
• I try the CN as the Device Id
• SUCCESS  \O /

[00:02:55.002,471] <inf> azure_iot_hub_sample: Event was successfully sent

[00:02:55.002,471] <inf> azure_iot_hub_sample: Next event will be sent in 20 seconds

+CSCON: 1

+CSCON: 0

Cedric A. said:

SUCCESS  \O /

I would assume that we finally got you through the process, meaning that we can close this case?