weixin_39952800
2020-12-29 02:50

Edge device DPS X.509 group enrollment error

Expected Behavior

Edge device starts

Current Behavior

Edge device doesn't start

Steps to Reproduce


I use the following manual: https://github.com/Azure/iotedge/blob/master/doc/rc/how-to-auto-provision-x509-certificates.md

  1. ./certGen.sh create_root_and_intermediate
  2. dps->certificates->add->azure-iot-test-only.root.ca.cert.pem
  3. create verification cert: ./certGen.sh create_verification_certificate F80...
  4. dps->certificates->azure-iot-test-only.root.ca.cert->upload iot-device-verification-code.cert.pem
  5. Deploy-IoTEdge: . {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; ` Deploy-IoTEdge
  6. ./certGen.sh create_edge_device_identity_certificate edge-test-device
  7. Initialize-IoTEdge: . {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; `Initialize-IoTEdge -Dps -ScopeId XXXXXX -X509IdentityCertificate D:\tmp\certs\iot-edge-device-identity-edge-test-device.cert.pem -X509IdentityPrivateKey D:\tmp\private\iot-edge-device-identity-edge-test-device.key.pem

Context (Environment)

Output of iotedge check



PS C:\Users\EW_Build_adm\Desktop\IotEdge1.0.9-rc5> iotedge check --iothub-hostname XXXXXXXXXXX.azure-devices.net --verbose
Configuration checks
--------------------
√ config.yaml is well-formed - OK
√ config.yaml has well-formed connection string - OK
√ container engine is installed and functional - OK
√ Windows host version is supported - OK
√ config.yaml has correct hostname - OK
× config.yaml has correct URIs for daemon mgmt endpoint - Error
    Error: could not execute list-modules request: an error occurred trying to connect: No connection could be made because the target machine actively refused it. (os error 10061)
        caused by: docker returned exit code: 1, stderr = Error: could not execute list-modules request: an error occurred trying to connect: No connection could be made because the target machine actively refused it. (os error 10061)
‼ latest security daemon - Warning
    Installed IoT Edge daemon has version 1.0.9~rc5 but 1.0.8 is the latest stable version available.
    Please see https://aka.ms/iotedge-update-runtime for update instructions.
√ host time is close to real time - OK
√ container time is close to host time - OK
√ DNS server - OK
√ production readiness: identity certificates expiry - OK
‼ production readiness: certificates - Warning
    The Edge device is using self-signed automatically-generated development certificates.
    They will expire in 87 days (at 2020-05-26 09:18:42 UTC) causing module-to-module and downstream device communication to fail on an active deployment.
    After the certs have expired, restarting the IoT Edge daemon will trigger it to generate new development certs.
    Please consider using production certificates instead. See https://aka.ms/iotedge-prod-checklist-certs for best practices.
√ production readiness: container engine - OK
√ production readiness: logs policy - OK
× production readiness: Edge Agent's storage directory is persisted on the host filesystem - Error
    Could not check current state of edgeAgent container
        caused by: docker returned exit code: 1, stderr = Error: No such object: edgeAgent
× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error
    Could not check current state of edgeHub container
        caused by: docker returned exit code: 1, stderr = Error: No such object: edgeHub

Connectivity checks
-------------------
√ host can connect to and perform TLS handshake with DPS endpoint - OK
√ host can connect to and perform TLS handshake with IoT Hub AMQP port - OK
√ host can connect to and perform TLS handshake with IoT Hub HTTPS / WebSockets port - OK
√ host can connect to and perform TLS handshake with IoT Hub MQTT port - OK
√ container on the IoT Edge module network can connect to IoT Hub AMQP port - OK
√ container on the IoT Edge module network can connect to IoT Hub HTTPS / WebSockets port - OK
√ container on the IoT Edge module network can connect to IoT Hub MQTT port - OK

18 check(s) succeeded.
2 check(s) raised warnings.
3 check(s) raised errors.

Device Information

  • Host OS: Windows 10 1809
  • Architecture: amd64
  • Windows containers:

Runtime Versions

  • iotedged [run iotedge version]: iotedge 1.0.9~rc5 (97a4d2322f28e64dac2b214ce96bd65c5fa192c4)
  • Edge Agent [image tag (e.g. 1.0.0)]:
  • Edge Hub [image tag (e.g. 1.0.0)]:
  • Docker/Moby [run docker version]: Note: when using Windows containers on Windows, run docker -H npipe:////./pipe/iotedge_moby_engine version instead

Client:
 Version:           3.0.5
 API version:       1.40
 Go version:        go1.12.1
 Git commit:        ba9934d4
 Built:             Thu Apr 18 22:01:41 2019
 OS/Arch:           windows/amd64
 Experimental:      false

Server:
 Engine:
  Version:          3.0.5
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.12.1
  Git commit:       dbe4a30
  Built:            Thu Apr 18 22:07:58 2019
  OS/Arch:          windows/amd64
  Experimental:     false

Logs

iotedged logs

Get-IoTEdgeLog:
28.02.2020 11:28:39 info: iotedged -- Configuring certificates...
28.02.2020 11:28:39 info: iotedged -- Configuring C:\ProgramData\iotedge as the home directory.
28.02.2020 11:28:39 info: iotedged -- Transparent gateway certificates not found, operating in quick start mode...
28.02.2020 11:28:39 info: iotedged -- Initializing hsm...
28.02.2020 11:28:39 info: iotedged -- Finished configuring provisioning environment variables and certificates.
28.02.2020 11:28:39 info: iotedged::app -- Starting Azure IoT Edge Security Daemon
28.02.2020 11:28:39 info: iotedged::windows -- Initializing iotedged service.
28.02.2020 11:28:39 info: iotedged::app -- Version - 1.0.9~rc5 (97a4d2322f28e64dac2b214ce96bd65c5fa192c4)
28.02.2020 11:28:39 info: iotedged::windows -- Starting iotedged service.
28.02.2020 11:28:39 info: iotedged::app -- Using config file: C:\ProgramData\iotedge\config.yaml
28.02.2020 11:28:39 info: iotedged -- Initializing hsm X509 interface...
28.02.2020 11:28:39 info: iotedged -- Finished initializing hsm.
28.02.2020 11:28:39 info: iotedged -- Starting provisioning edge device via X509 provisioning...
28.02.2020 11:28:39 info: dps::registration -- Starting DPS registration with scope_id "0ne0002C19A", registration_id "edge-test-device"
28.02.2020 11:28:39 info: iotedged -- Finished initializing hsm X509 interface...
28.02.2020 11:28:39 info: iotedged -- Provisioning edge device...
28.02.2020 11:28:39 error: edgelet_utils::logging -- The daemon could not start up successfully: Could not initialize DPS provisioning client
28.02.2020 11:28:39 error: edgelet_utils::logging --    caused by: Could not restore previous provisioning result                                                                   
28.02.2020 11:28:39 error: edgelet_utils::logging --    caused by: The system cannot find the file specified. (os error 2)
28.02.2020 11:28:39 error: iotedged::windows -- Error while running service. Quitting.
28.02.2020 11:28:39 warn: edgelet_utils::logging -- Could not provision device
28.02.2020 11:28:39 warn: edgelet_utils::logging --     caused by: X509 certificate based registration failed                                                                       
28.02.2020 11:28:39 warn: edgelet_utils::logging --     caused by: HTTP request failed: [401 Unauthorized]                                                                          
                    {"errorCode":401002,"trackingId":"99be290e-0f48-4ad7-886b-b3ceb18ff005","message":"CA certificate not found.","timestampUtc":"2020-02-28T10:28:40.1015851Z"}


edge-agent logs


Doesn't run

edge-hub logs


Doesn't run

Additional Information

I also tried the iot-edge-device-identity-edge-test-device-full-chain.cert.pem certificate:

  1. Stop-Service iotedge
  2. Remove the config.yaml
  3. . {Invoke-WebRequest -useb https://aka.ms/iotedge-win} | Invoke-Expression; ` Initialize-IoTEdge -Dps -ScopeId XXXXX -X509IdentityCertificate D:\tmp\certs\iot-edge-device-identity-edge-test-device-full-chain.cert.pem -X509IdentityPrivateKey D:\tmp\private\iot-edge-device-identity-edge-test-device.key.pem
iotedged logs

Get-IoTEdgeLog:
28.02.2020 11:39:27 info: iotedged::app -- Version - 1.0.9~rc5 (97a4d2322f28e64dac2b214ce96bd65c5fa192c4)
28.02.2020 11:39:27 info: iotedged::app -- Using config file: C:\ProgramData\iotedge\config.yaml
28.02.2020 11:39:27 info: iotedged::windows -- Initializing iotedged service.
28.02.2020 11:39:27 info: iotedged::app -- Starting Azure IoT Edge Security Daemon
28.02.2020 11:39:27 info: iotedged -- Initializing hsm...
28.02.2020 11:39:27 info: iotedged -- Finished configuring provisioning environment variables and certificates.
28.02.2020 11:39:27 info: iotedged -- Initializing hsm X509 interface...
28.02.2020 11:39:27 info: iotedged -- Finished initializing hsm.
28.02.2020 11:39:27 info: iotedged -- Configuring C:\ProgramData\iotedge as the home directory.
28.02.2020 11:39:27 info: iotedged::windows -- Starting iotedged service.
28.02.2020 11:39:27 info: iotedged -- Transparent gateway certificates not found, operating in quick start mode...
28.02.2020 11:39:27 info: iotedged -- Configuring certificates...
28.02.2020 11:39:27 info: iotedged -- Starting provisioning edge device via X509 provisioning...
28.02.2020 11:39:27 info: dps::registration -- Starting DPS registration with scope_id "0ne0002C19A", registration_id "edge-test-device"
28.02.2020 11:39:27 info: iotedged -- Finished initializing hsm X509 interface...
28.02.2020 11:39:27 info: iotedged -- Provisioning edge device...
28.02.2020 11:39:27 error: edgelet_utils::logging -- The daemon could not start up successfully: Could not initialize DPS provisioning client
28.02.2020 11:39:27 error: edgelet_utils::logging --    caused by: Could not restore previous provisioning result                                                                   
28.02.2020 11:39:27 error: edgelet_utils::logging --    caused by: The system cannot find the file specified. (os error 2)
28.02.2020 11:39:27 error: iotedged::windows -- Error while running service. Quitting.
28.02.2020 11:39:27 warn: edgelet_utils::logging -- Could not provision device
28.02.2020 11:39:27 warn: edgelet_utils::logging --     caused by: X509 certificate based registration failed                                                                       
28.02.2020 11:39:27 warn: edgelet_utils::logging --     caused by: HTTP request failed: [401 Unauthorized]                                                                          
                    {"errorCode":401002,"trackingId":"f8ce15b3-85a2-45cd-8e6f-a75aafb1d600","message":"CA certificate not found.","timestampUtc":"2020-02-28T10:39:27.4490415Z"}

This question comes from the open-source project: Azure/iotedge
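In both log excerpts above the primary failure is the DPS response, HTTP 401 with errorCode 401002 "CA certificate not found"; the "Could not restore previous provisioning result ... (os error 2)" line that follows is the daemon failing to fall back to a cached provisioning result that never existed, so it is a consequence, not a second cause. Before attributing a 401002 to the tooling, it is worth confirming offline that the material handed to Initialize-IoTEdge is what the enrollment group expects: the identity certificate must chain to the root CA that was uploaded and proof-of-possession verified in DPS, and its subject CN must equal the registration ID, since DPS takes the X.509 registration ID from the CN. The following check is an added example, not code from the issue or from the Azure/iotedge project; the file paths, the intermediate CA file name and the registration ID are assumptions based on the certGen.sh names used in the report.

```powershell
function Test-DpsIdentityCert {
    <#
      Offline check of the X.509 material passed to Initialize-IoTEdge for a DPS group enrollment:
        1. the identity (leaf) certificate chains to the root CA uploaded to DPS, through the
           intermediates certGen.sh produced;
        2. the leaf's subject CN equals the registration ID (DPS derives the registration ID from it);
        3. the leaf is inside its validity period.
      Ok is $true only when all three hold.
    #>
    param(
        [Parameter(Mandatory)] [string]   $LeafPath,
        [Parameter(Mandatory)] [string]   $RootPath,
        [string[]] $IntermediatePaths = @(),
        [Parameter(Mandatory)] [string]   $RegistrationId
    )

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $leaf = New-Object "$x509.X509Certificate2" -ArgumentList $LeafPath
    $root = New-Object "$x509.X509Certificate2" -ArgumentList $RootPath

    $chain = New-Object "$x509.X509Chain"
    # The certGen.sh root is not in the Windows trust store, so supply the CA set ourselves,
    # tolerate the "unknown" root, and decide trust by comparing thumbprints below.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void] $chain.ChainPolicy.ExtraStore.Add($root)
    foreach ($p in $IntermediatePaths) {
        [void] $chain.ChainPolicy.ExtraStore.Add((New-Object "$x509.X509Certificate2" -ArgumentList $p))
    }

    [void] $chain.Build($leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # UntrustedRoot is expected for a self-signed test root; anything else is a real defect
    # (NotTimeValid, PartialChain, NotSignatureValid, ...).
    $defects = @($chain.ChainStatus |
        Where-Object { $_.Status -notin 'NoError', 'UntrustedRoot' } |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    $chainsToUploadedCa = ($defects.Count -eq 0) -and ($top.Thumbprint -eq $root.Thumbprint)
    $chain.Reset()

    $cn  = $leaf.GetNameInfo('SimpleName', $false)   # subject CN
    $now = Get-Date
    $cnMatches = ($cn -eq $RegistrationId)
    $timeValid = ($leaf.NotBefore -le $now) -and ($now -le $leaf.NotAfter)

    [pscustomobject]@{
        Ok                   = $chainsToUploadedCa -and $cnMatches -and $timeValid
        RegistrationId       = $RegistrationId
        LeafSubjectCN        = $cn
        CnMatchesRegId       = $cnMatches
        ChainsToUploadedCA   = $chainsToUploadedCa
        ChainDefects         = $defects
        ChainTopThumbprint   = $top.Thumbprint
        UploadedCaThumbprint = $root.Thumbprint
        LeafValidUntil       = $leaf.NotAfter
        LeafTimeValid        = $timeValid
    }
}

# Paths and names follow the report's certGen.sh layout (assumed; adjust to your own).
Test-DpsIdentityCert `
    -LeafPath          'D:\tmp\certs\iot-edge-device-identity-edge-test-device.cert.pem' `
    -RootPath          'D:\tmp\certs\azure-iot-test-only.root.ca.cert.pem' `
    -IntermediatePaths 'D:\tmp\certs\azure-iot-test-only.intermediate.cert.pem' `
    -RegistrationId    'edge-test-device' | Format-List
```

Pass the plain identity certificate, not the -full-chain file: the X509Certificate2 constructor reads only the first PEM block in a file, which is why the issuers go in through -IntermediatePaths. A result with ChainsToUploadedCA or CnMatchesRegId false explains a DPS 401 by itself; if the object reports Ok, the certificates are not the problem and, as this thread turned out, the daemon or the installer script is the next thing to suspect.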


4 replies

  • weixin_39915605, 3 months ago

    Hello,

    If you are using the 1.0.9-rc5 version of iot edge, you must use the 1.0.9-rc5 version of the windows installer scripts.

    So, instead of using https://aka.ms/iotedge-win, please substitute in https://raw.githubusercontent.com/Azure/iotedge/1.0.9-rc5/scripts/windows/setup/IotEdgeSecurityDaemon.ps1

    For example: . {Invoke-WebRequest -useb https://raw.githubusercontent.com/Azure/iotedge/1.0.9-rc5/scripts/windows/setup/IotEdgeSecurityDaemon.ps1} | Invoke-Expression; ` Initialize-IoTEdge -Dps -ScopeId 0ne0002C19A -X509IdentityCertificate D:\tmp\certs\iot-edge-device-identity-edge-test-device-full-chain.cert.pem -X509IdentityPrivateKey D:\tmp\private\iot-edge-device-identity-edge-test-device.key.pem

  • weixin_39726267, 3 months ago

    FYI, we updated the documentation recently to call this out:

    In a release candidate, the PowerShell script that lets you install and manage the IoT Edge security daemon on a Windows device may have different functionality than the latest generally available version. In addition to downloading the IoT Edge .cab file for the RC, also download the IotEdgeSecurityDaemon.ps1 script. Use dot sourcing to run the downloaded script in the current scope.

    Please re-open issue if this doesn't fix the problem.

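The two replies above make the same point: aka.ms/iotedge-win redirects to the generally available installer, so a 1.0.9-rc5 daemon must be installed and initialised with the script from the 1.0.9-rc5 tag, downloaded and dot-sourced rather than piped straight from the network into Invoke-Expression. The following is an added example of that procedure, not code from the replies or from the Azure/iotedge project; it also records the script's SHA-256 before running it and checks afterwards that the daemon reports the version the tag promises. The scope ID and certificate paths are the ones from the report, and the expected hash is a placeholder you fill in after reviewing the script once.

```powershell
function Install-PinnedIotEdgeRc {
    <#
      Install and DPS-provision an IoT Edge release candidate on Windows with the installer
      script pinned to the same tag as the daemon. The script is saved to disk, hash-checked
      against a value recorded at review time, and only then dot-sourced so that Deploy-IoTEdge
      and Initialize-IoTEdge are the RC versions, not the GA ones behind aka.ms/iotedge-win.
    #>
    param(
        [string] $Tag = '1.0.9-rc5',
        [Parameter(Mandatory)] [string] $ScopeId,
        [Parameter(Mandatory)] [string] $IdentityCert,
        [Parameter(Mandatory)] [string] $IdentityKey,
        # SHA-256 of the script as you reviewed it. Omit on the first run to have it printed.
        [string] $ExpectedSha256
    )

    $url  = "https://raw.githubusercontent.com/Azure/iotedge/$Tag/scripts/windows/setup/IotEdgeSecurityDaemon.ps1"
    $path = Join-Path $env:TEMP "IotEdgeSecurityDaemon-$Tag.ps1"
    Invoke-WebRequest -UseBasicParsing -Uri $url -OutFile $path

    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if (-not $ExpectedSha256) {
        Write-Warning "No expected hash given. Review $path, then rerun with -ExpectedSha256 $actual"
        return
    }
    if ($actual -ne $ExpectedSha256) {
        throw "Installer script hash mismatch for $url (expected $ExpectedSha256, got $actual); not executing it"
    }

    # Dot-source the pinned script into this scope (the doc's "dot sourcing" advice).
    . $path

    Deploy-IoTEdge
    Initialize-IoTEdge -Dps -ScopeId $ScopeId `
        -X509IdentityCertificate $IdentityCert `
        -X509IdentityPrivateKey  $IdentityKey

    # The tag reads "1.0.9-rc5" while `iotedge version` reports "1.0.9~rc5". Fail loudly on a
    # mismatch so a later provisioning failure cannot be blamed on script/daemon skew.
    $expectedVersion = $Tag.Replace('-', '~')
    $reported = (& iotedge version) -join ' '
    if ($reported -notlike "*$expectedVersion*") {
        throw "Installed daemon reports '$reported', expected $expectedVersion"
    }
    $reported
}

Install-PinnedIotEdgeRc -ScopeId '0ne0002C19A' `
    -IdentityCert 'D:\tmp\certs\iot-edge-device-identity-edge-test-device.cert.pem' `
    -IdentityKey  'D:\tmp\private\iot-edge-device-identity-edge-test-device.key.pem'
```

Run it once without -ExpectedSha256 to get the hash of the script you are about to read, review the script, then run it again with that hash. In this thread the pinned script alone did not clear the 401 (see the next reply), which is exactly why the final version check matters: once the installer and daemon are known to match, a remaining failure is either the certificates or, as it was here, the daemon itself.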
  • weixin_39952800, 3 months ago

    Hello, I removed the config.yaml and run Initialize-IoTEdge again with the 1.0.9-rc5 ps script. iotedged fails with the same error message.

  • weixin_39915605, 3 months ago

    Circling back to this - We did find (and fix) a bug! Stay tuned for a 1.0.9 update.

    Thanks for the report!
