Azure IoT hub Documentation/Sample not working on nRF9160

Hey folks,

I have to use the nRF9160 board to create a PoC for a project of our company. The main topic of the PoC is not important here because I can't even connect to an Azure IoT Hub.

I use the code of the nrf sdk sample with the Toolchain version 2.9 : sdk-nrf/samples/net/azure_iot_hub at main · nrfconnect/sdk-nrf

The code runs in a west workspace.

The LTE Connection works fine so far.

The board is able to build everything (it was hard to reach this point).

I use the Visual Studio extension to work with nrf.

I know that the problem is the certificate. I followed the documentation to generate and provision the certificates.

After everything is done I get this error:

************************************************************************************************************************************

*** Booting nRF Connect SDK v2.9.0-7787b2649840 ***
*** Using Zephyr OS v3.7.99-1f8f3dc29142 ***
[00:00:00.253,784] <inf> azure_iot_hub_sample: Azure IoT Hub sample started
[00:00:00.253,845] <inf> azure_iot_hub_sample: Bringing network interface up and connecting to the network
[00:00:00.525,634] <inf> azure_iot_hub_sample: Device ID: XXXXXXXXX
[00:00:00.525,695] <inf> azure_iot_hub_sample: Host name: XXXXXXXXXXXXXXXXX
+CEREG: 2,"67C0","01AA1300",7
+CSCON: 1
+CGEV: ME PDN ACT 0,0
+CNEC_ESM: 50,0
%MDMEV: SEARCH STATUS 2
+CEREG: 5,"67C0","01AA1300",7,,,"00001010","01011111"
[00:00:05.561,889] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned
[00:00:05.562,011] <inf> azure_iot_hub_sample: Connected to network
[00:00:05.562,805] <inf> azure_fota: Current firmware version: 0.0.0-dev
[00:00:05.562,835] <inf> azure_iot_hub_sample: Azure IoT Hub library initialized
[00:00:05.562,835] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTING
[00:00:07.714,813] <inf> azure_iot_hub_sample: Connection request sent to IoT Hub
[00:00:07.798,614] <err> azure_iot_hub: Connection was rejected with return code 5
[00:00:07.798,645] <wrn> azure_iot_hub: Is the device certificate valid?
[00:00:07.798,645] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTION_FAILED
[00:00:07.798,675] <inf> azure_iot_hub_sample: Error code received from IoT Hub: 5
[00:00:07.799,896] <wrn> azure_iot_hub: DISCONNECT, result: -111
[00:00:07.799,926] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_DISCONNECTED
[00:00:07.799,926] <err> mqtt_helper: Cloud MQTT input error: -111
+CEREG: 5,"67C0","01AA1302",7,,,"00001010","01011111"
********************************************************************************************************************************

I made sure to set

CONFIG_MQTT_HELPER_SEC_TAG
CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG

to the chosen values. This is the stuff I get from nrfcredstore COM11 list:
Secure tag Key type SHA
4242 ROOT_CA_CERT 0E0A61E2E78D28EEA66B15A9B10C1F4E5E8AD379FEA9131D02EC4A2473F9AB9C
4242 CLIENT_CERT 36AF6EF65D6EC7E800F407E7B7239301D3A359B81FC5475DED8851D87E5B6905
4242 CLIENT_KEY 2F38805AF55755FFEDFE71CC2D38C7AAA7AD20633BCA49E920796CEB768D5B8C
4343 ROOT_CA_CERT 44866CF6914A1AD1100147FA8432387FD5E63A5B5DFDD5A967A507AFEB78639B

The device I created in the IoT Hub uses x509_ca as mentioned in the documentation.

I even tried self-signed or connection string but nothing worked... I varied the creation of the certificate in some ways but nothing led to success.
Does somebody know how to fix it? I read some posts in this DevZone but nothing helped.
  • Hello, 

    I'm currently looking into this and hope to have more answers by end of tomorrow.

    Kind regards,
    Øyvind

  • Thank you, btw I think I should mention that I don't use the Device Provisioning from Azure.

  • I just tried to redo the step of device creation, but with the twist that I use the CN as DeviceID, but it did not change the outcome.

  • Hello, are you seeing the same outcome as first reported? Could you please share full logs from the last try?

    Thanks!

    Kind regards,
    Øyvind

  • It is the same output:

    *** Booting MCUboot v2.1.0-dev-12e5ee106034 ***
    *** Using nRF Connect SDK v2.9.0-7787b2649840 ***
    *** Using Zephyr OS v3.7.99-1f8f3dc29142 ***
    I: Starting bootloader
    I: Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
    I: Secondary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
    I: Boot source: none
    I: Image index: 0, Swap type: none
    I: Bootloader chainload address offset: 0x10000
    *** Booting nRF Connect SDK v2.9.0-7787b2649840 ***
    *** Using Zephyr OS v3.7.99-1f8f3dc29142 ***
    [00:00:00.253,814] <inf> azure_iot_hub_sample: Azure IoT Hub sample started
    [00:00:00.253,875] <inf> azure_iot_hub_sample: Bringing network interface up and connecting to the network
    [00:00:00.525,787] <inf> azure_iot_hub_sample: Device ID: 504e5737-3230-4fa3-80cc-131febc1a6cb
    [00:00:00.525,848] <inf> azure_iot_hub_sample: Host name: TestThisShitIAmOut.azure-devices.net
    +CEREG: 2,"67C0","028A060A",7
    +CSCON: 1
    +CSCON: 0
    +CEREG: 2,"67C0","01AA1300",7
    +CSCON: 1
    +CGEV: ME PDN ACT 0,0
    +CNEC_ESM: 50,0
    %MDMEV: SEARCH STATUS 2
    +CEREG: 5,"67C0","01AA1300",7,,,"00001010","01011111"
    [00:00:29.064,758] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned
    [00:00:29.064,880] <inf> azure_iot_hub_sample: Connected to network
    [00:00:29.065,673] <inf> azure_fota: Current firmware version: 0.0.0-dev
    [00:00:29.065,704] <inf> azure_iot_hub_sample: Azure IoT Hub library initialized
    [00:00:29.065,704] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTING
    [00:00:31.142,822] <inf> azure_iot_hub_sample: Connection request sent to IoT Hub
    [00:00:31.285,430] <err> azure_iot_hub: Connection was rejected with return code 5
    [00:00:31.285,461] <wrn> azure_iot_hub: Is the device certificate valid?
    [00:00:31.285,461] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTION_FAILED
    [00:00:31.285,491] <inf> azure_iot_hub_sample: Error code received from IoT Hub: 5
    [00:00:31.286,712] <wrn> azure_iot_hub: DISCONNECT, result: -111
    [00:00:31.286,743] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_DISCONNECTED
    [00:00:31.286,773] <err> mqtt_helper: Cloud MQTT input error: -111

  • Cedric A. said:
    [00:00:31.285,461] <wrn> azure_iot_hub: Is the device certificate valid?

    This still looks like an issue with the certificate, but our experts can't replicate it. There must be a misconfiguration in the certificates either on the server side or device side. 


    Cedric A. said:
    Device ID: 504e5737-3230-4fa3-80cc-131febc1a6cb

    If the device has this device ID on both server and device, and has used the same CN, we are not able to see why it would fail. 

    Cedric A. said:
    dont use the Device Provisioning f

    Did you retry using device provisioning just to see if that changes the outcome?

    Kind regards,
    Øyvind

  • What I did now with device provisioning:

     

    • I deleted the IoT Hub to start from scratch
    • Deleted the Certificates in the Project folder and cleared the credstore

     

    Now following the Documentation:

    • Creating a new IoT hub via "az iot hub create --resource-group <resource_name> --name <hub_name> --sku F1 --partition-count 2"
    • Creating DPS via "az iot dps create --name <dps_name> --resource-group <resource_name>"
    • Linking them both together via "az iot dps linked-hub create --dps-name <dps_name> --hub-name <hub_name> --resource-group <resource_name>"
    • Starting Generating certificates now
    • Generating root ca via "cert_tool.py root_ca"
    • Generating sub CA via "cert_tool.py sub_ca"

     

    • Next Steps now in the "With DPS" tab
    • Upload the root CA to the DPS instance via "az iot dps certificate generate-verification-code --dps-name <dps_name> --resource-group <resource_name> --certificate-name <cert_name> --etag "<etag_from_prev_command>"" and I chose Root_CA as name because I am a very creative person (not)
    • Take note of the etag for the next command
    • Getting the verification code and etag of the verification code via "az iot dps certificate generate-verification-code --dps-name <dps_name> --resource-group <resource_name> --certificate-name <cert_name> --etag "<etag_from_prev_command>""
    • Note down the verification code and the etag of the result I get from the command (don't know if the etag of the previous command should be used but I think I have to use one resulting from the verification code command)
    • A
    • Now generating the private key via "cert_tool.py client_key"
    • Create CSR with the verification code as common name via "cert_tool.py csr --common-name <verification_code>"
    • Sign the CSR with the root CA via "cert_tool.py sign_root" and in the output I can see that it says "signing the certificate with CN XXX" and the CN is correct.
    • Upload the verification certificate via "az iot dps certificate verify --dps-name <dps_name> --resource-group <resource_name> --certificate-name <cert_name> --etag "<etag_from_generate_verification_code>" --path certs/client-cert.pem"
    • Little note from my side: I always used Root_CA as name if <cert_name> is requested because I don't know what I should use instead.
    • Now generating and provisioning device certificates in the "Modem generated private key" tab
    • Generate a key pair and obtain a CSR using "nrfcredstore <serial port> generate <sec tag> certs/client-csr.der" where serial port = com11 and a random number as tag
    • Convert CSR from DER to PEM format via "openssl req -inform DER -in certs/client-csr.der -outform PEM -out certs/client-csr.pem"
    • Sign the CSR using subordinate CA via "cert_tool.py sign"
    • Now comes the confusing part: step 6 gives me a command to get the CN frooooom where? I checked the CN I get from the "openssl x509 -in certs/client-cert.pem -noout -subject" command and the CN from the previous steps and they don't match, so I am not sure which to use

    Due to the fact that I use DPS, it doesn't need it anyway

    • Combine the device certificate and the sub CA via "cat certs/client-cert.pem ca/sub-ca-cert.pem > certs/client-cert-chain.pem"
    • Provision the certificate to the modem via "nrfcredstore <serial port> write <sec tag> CLIENT_CERT certs/client-cert-chain.pem"
    • Register a device via DPS
    • Create an enrollment group using the sub CA via "az iot dps enrollment-group create --dps-name <dps_name> --resource-group <resource_name> --enrollment-id <enrollment_name> --certificate-path ca/sub-ca-cert.pem --provisioning-status enabled --iot-hubs <iothub_url> --allocation-policy static"
    • Provision the server root CA DigiCert and Baltimore via nrfcredstore
    • Setting the security and secondary security tag to the chosen values
    • Setting CONFIG_AZURE_IOT_HUB_DPS_ID_SCOPE to the IdScope
    • Setting CONFIG_MODEM_JWT=y and CONFIG_HW_ID_LIBRARY_SOURCE_UUID=y

     

    Resulting in this output:

    [00:00:06.048,034] <inf> azure_iot_hub_sample: Network connectivity established and IP address assigned
    [00:00:06.048,156] <inf> azure_iot_hub_sample: Connected to network
    [00:00:06.048,156] <inf> azure_iot_hub_sample: Starting DPS
    [00:00:06.048,187] <err> azure_iot_hub_dps: Registration ID length is zero, DPS cannot proceed
    [00:00:06.048,187] <err> azure_iot_hub_sample: azure_iot_hub_dps_init failed, error: -14
    [00:00:06.048,217] <err> azure_iot_hub_sample: Failed to run DPS, error: -14, terminating connection attempt
    +CSCON: 0

     

    Some new error whohoo

     

    Trying to fix this error

    • It seems I forgot to set CONFIG_AZURE_IOT_HUB_DEVICE_ID=
    • I try the CN as the Device ID
    • SUCCESS  \O /

     

    [00:02:55.002,471] <inf> azure_iot_hub_sample: Event was successfully sent
    [00:02:55.002,471] <inf> azure_iot_hub_sample: Next event will be sent in 20 seconds
    +CSCON: 1
    +CSCON: 0
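
A pre-flash check for the fix reported above (setting CONFIG_AZURE_IOT_HUB_DEVICE_ID to the certificate CN), added here as an example and not part of the thread or the nRF Connect SDK: it compares the CN of the first certificate in the chain file with the device ID in prj.conf. The function names and the constructed sample certificate are assumptions; file names follow the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify that the device
# certificate CN equals the device ID the firmware is configured with.

# Subject CN of the FIRST certificate in a PEM file. For a chain file this
# is the device (leaf) certificate, which must come before the sub CA.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Value of a Kconfig symbol in prj.conf, quotes and CRs stripped.
# The last assignment wins if the symbol is set more than once.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"\r'
}

# Exit status: 0 = CN matches device ID, 1 = mismatch,
# 2 = device ID unset or empty, 3 = certificate unreadable or has no CN.
check_device_identity() {
    cn=$(cert_cn "$1" 2>/dev/null)
    [ -n "$cn" ] || return 3
    id=$(conf_value "$2" CONFIG_AZURE_IOT_HUB_DEVICE_ID)
    if [ -z "$id" ]; then
        echo "CONFIG_AZURE_IOT_HUB_DEVICE_ID is empty; certificate CN is '$cn'" >&2
        return 2
    fi
    if [ "$cn" != "$id" ]; then
        echo "mismatch: certificate CN '$cn' vs device ID '$id'" >&2
        return 1
    fi
    echo "ok: device ID and certificate CN are both '$cn'"
}

# Constructed sample input: a throwaway self-signed certificate with the
# given CN, standing in for certs/client-cert-chain.pem.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}
```

Run `check_device_identity certs/client-cert-chain.pem prj.conf` before building. Exit status 2 flags an unset device ID, the state the poster was in when DPS reported a zero-length registration ID.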
