Azure IoT Hub authentication with DPS

RE: Azure IoT Hub authentication with DPS

Mariano Goluboff — Wed, 30 Apr 2025 17:19:32 GMT

To close the loop here (after a remote debug session):

The issue here is the use of Native TLS with the following config:

CONFIG_MQTT_HELPER_NATIVE_TLS=y

Removing that from prj.conf made it so that the MQTT connection is made. The reason is that to use the certificates stored in the nRF91's modem, TLS needs to be handled by the modem (offloaded, not native).

RE: Azure IoT Hub authentication with DPS

Mariano Goluboff — Wed, 30 Apr 2025 11:40:59 GMT

In step 8 in the instructions, it says that the combined device and subordinate certificates should be provisioned:

and <sec tag> is the previously chosen unused security tag.

This is the sec tag that was chosen in step 2:

Select a security tag that is not yet in use. This security tag must match the value set in the CONFIG_MQTT_HELPER_SEC_TAG Kconfig option.

And step 3 creates the key pair in that security tag. It sounds like you might have a new tag (15) which has the device certificate, but not the generated key or configured as the helper sec tag.

I think it might be helpful if you remove all the certificates in sec tags 10 through 15 and start the process again. Make sure to follow each step exactly as written.

RE: Azure IoT Hub authentication with DPS

Colibri — Tue, 29 Apr 2025 21:48:27 GMT

I added it under a new tag (15), changed the primary tag as 15 in prj.conf, but the error remains the same

RE: Azure IoT Hub authentication with DPS

Mariano Goluboff — Tue, 29 Apr 2025 20:32:05 GMT

I don't think the subordinate certificate needs to be loaded in a separate sec tag. It needs to be combined with the device certificate into a single file:

cat certs/client-cert.pem ca/sub-ca-cert.pem > certs/client-cert-chain.pem

And then the combined file uploaded as the client certificate

RE: Azure IoT Hub authentication with DPS

Colibri — Tue, 29 Apr 2025 19:41:49 GMT

Sorry I forgot to mention it but I had noticed this issue too and already corrected it, but the error remains the same (with or without DPS, with or without CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES).

Here are the current certificates:

# 10: root certificate
# 11: subordinate certificate (root)
# 13: Root CA certificate: DigiCert Global Root G2
# 14: Root CA certificate: Baltimore CyberTrust Root Certificate
# 11/13/14: client certificates for device XXXXX

Command "nrfcredstore COM6 list" returns:

Secure tag - Key type - SHA
10 ROOT_CA_CERT C6871D...
11 ROOT_CA_CERT 60A9DB...
11 CLIENT_CERT D96C03...
13 ROOT_CA_CERT 0E0A61...
13 CLIENT_CERT D96C03...
14 ROOT_CA_CERT 44866C...
14 CLIENT_CERT D96C03...
16842753 ROOT_CA_CERT 2C4395...
16842753 CLIENT_CERT 276934...
16842753 CLIENT_KEY 091305...
4294967292 NORDIC_PUB_KEY 672E2F...
4294967293 NORDIC_ID_ROOT_CA 2C4395...
4294967294 DEV_ID_PUB_KEY 4375EE...

RE: Azure IoT Hub authentication with DPS

Mariano Goluboff — Tue, 29 Apr 2025 18:16:00 GMT

According to step 7 of the instructions, the device certificate and the subordinate CA certificate chain should be combined into a single file and provisioned into the security tag in CONFIG_MQTT_HELPER_SEC_TAG. But it looks like the client and subordinate are stored in two different security tags.

Could you run through the instructions step by step, and then see what the output of nrfcredstore <serial port> list is? You should only need to use two of them.

Mariano

RE: Azure IoT Hub authentication with DPS

Colibri — Mon, 28 Apr 2025 13:43:18 GMT

I am still waiting for your feedback on this... I have tried adding CONFIG_MQTT_HELPER_PROVISION_CERTIFICATES=y in the prj.conf, with associated tag in Kconfig, but the error remains the same as it was both with or without DPS (error mqtt -107)

RE: Azure IoT Hub authentication with DPS

Colibri — Wed, 23 Apr 2025 22:26:22 GMT

The version seems to be mfw_nrf91x1_2.0.2 (response to AT+CGMR). I don't mind not using DPS if simpler, but in both cases I am stuck right now.

RE: Azure IoT Hub authentication with DPS

Michal — Wed, 23 Apr 2025 21:57:10 GMT

Hello,

Which Modem FW are you on?

I will check if we have some information on using DPS.

Best regards,

Michal

RE: Azure IoT Hub authentication with DPS

Colibri — Tue, 22 Apr 2025 16:29:13 GMT

I have tried to put my certificates on the same tag (add client certificate on tags 11, 13 & 14 then change CONFIG_MQTT_HELPER_SEC_TAG and CONFIG_MQTT_HELPER_SECONDARY_SEC_TAG accordingly), the error remains with using DPS. If I set CONFIG_AZURE_IOT_HUB_DPS=n, now the error is

[00:00:13.457,305] <inf> azure_iot_hub_sample: Azure IoT Hub library initialized
[00:00:13.457,366] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_DISCONNECTED --> STATE_CONNECTING
[00:00:13.457,397] <inf> azure_iot_hub_sample: AZURE_IOT_HUB_EVT_CONNECTING
[00:00:13.457,397] <err> azure_iot_hub: Failed to get user name, az error: 0x80010002
[00:00:13.457,458] <dbg> azure_iot_hub: iot_hub_state_set: State transition: STATE_CONNECTING --> STATE_DISCONNECTED
[00:00:13.457,458] <err> azure_iot_hub_sample: azure_iot_hub_connect failed: -14