I've been trying to set up an IoT Edge device as a transparent gateway to forward leaf telemetry to IoT Hub via IoT Edge. I've followed and read through the steps in the official Azure documentation. I'm going to just summarize what I did:
- Have a working IoT Edge device
- Download the IoT Edge tools (for testing purposes only, from the zip file)
- Copy the hostname from /etc/iotedge/config.yaml (on the host IoT Edge device) and create certificates with the certificate-generation tool/bash scripts provided for testing purposes
- Move the root cert, intermediate cert, and key to the IoT Edge device and set their absolute paths (/home/user/certs/xxx.pem) in config.yaml on the IoT Edge device (/etc/iotedge/)
- Restart IoT Edge with systemctl (because why not)
- Copy the root CA to the leaf device (a Raspberry Pi in my case)
- I know I had to do EITHER of the two, but I ended up doing both of these (points 8 and 9)
- Install the root CA in the OS (copying the rootCA.pem file into /usr/local/share/ca-certificates/), then run sudo update-ca-certificates. At this point the TLS handshake command (openssl s_client -connect) was giving "Verify return code: 0 (ok)", so I decided to not directly mention/link the root CA via the SDK, but I already had the authentication failure at this point.
- Use the root CA via the Python SDK (example Python program: https://github.com/Azure/azure-iot-sdk-python/blob/master/device/samples/edge_downstream_client.py). So at this point I have the working CA cert installed in my OS and I have it linked via the Python SDK too. Still it won't connect (PS: the test command via bash returns "Verified OK").
PS: the hostname in the connection string that I'm using on the leaf device is an IP address (DNS seems to be messing it up, and the name given in config.yaml's hostname doesn't seem to be resolvable here, even though we can ping it from another device on the network; so I just decided to use the IP address behind that hostname, which belongs to the IoT Edge device). Also, I had the IoT Edge device set as the parent device of the leaf while creating it in the portal, and I had chosen symmetric-key authentication to save myself all the manual X.509 mess for testing purposes.
The errors I'm getting from the edgeHub container logs are multiple. I am listing a few of them:
- Error authenticating token for hmspi because the audience hostname 192.168.100.14 does not match IoTHub hostname mps-hms.azure-devices.net or the EdgeHub hostname edgeuser-virtual-machine.
- Client hmspi in device scope not authenticated locally.
2019-07-19 05:29:13.979 +00:00 [WRN]
- 0x05 not Authorized
It should be mentioned here that the time in the Docker container (EdgeHub) is not the same as either that of the Edge device or the leaf device (these two time zones are the same, set to GMT+5, while the Docker container EdgeHub seems to have the UTC time zone; I think it's the same as where the IoT Edge Hub is located on Azure servers, but I doubt it creates the problem, since the bash test command with OpenSSL and the certificates returns "Verified OK"). Any input would be HIGHLY appreciated, as I seem to be stuck trying to fix this now.
Update: **So I changed the connection string from the shorter version**
HostName=myGatewayDevice;DeviceId=myDownstreamDevice;SharedAccessKey=xxxyyyzzz
to
HostName=myiothub.azure-devices.net;DeviceId=myDownstreamDevice;SharedAccessKey=xxxyyyzzz;GatewayHostName=myGatewayDevice
It does work now, but I'm confused why it wouldn't before, since I already have a parent/child relation between the Edge device and my leaf device (as mentioned here, https://learn.microsoft.com/en-us/azure/iot-edge/how-to-authenticate-downstream-device, you can use the shorter version of the connection string when a parent/child relation is set). I'm using the Python SDK. I did resolve my DNS too; however, there's no way of knowing whether the data is just going through the direct IoT Hub connection, ignoring the GatewayHostName parameter, or whether it's utilizing the GatewayHostName parameter and sending it via the gateway.
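The audience check behind the first log line, as an added example that is not code from the post or from the Azure SDK: it builds a standard device SAS token from each connection string and then applies the two checks a gateway performs before forwarding (signature valid, audience host equal to the hub or to the EdgeHub hostname). The demo key, the function names and the gateway-side check are assumptions; the hub and gateway names are the placeholders from the question, and the IP address is the one from the log.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Constructed demo values (not from the original post): a throwaway key and the
# placeholder names used in the question.
DEMO_KEY = base64.b64encode(b"constructed demo key, not a real one").decode()
HUB_HOST = "myiothub.azure-devices.net"
GATEWAY_HOST = "myGatewayDevice"


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict (values may themselves contain '=')."""
    return dict(field.partition("=")[::2] for field in cs.split(";") if field)


def sas_audience(cs):
    """Resource URI the device signs for: HostName/devices/DeviceId.
    GatewayHostName only selects where to connect; it is not part of the audience."""
    p = parse_connection_string(cs)
    return f"{p['HostName']}/devices/{p['DeviceId']}"


def generate_sas_token(cs, expiry):
    """Device SAS token: HMAC-SHA256 (base64 key) over 'urlencoded(sr)' + newline + se."""
    p = parse_connection_string(cs)
    sr = quote(sas_audience(cs), safe="")
    key = base64.b64decode(p["SharedAccessKey"])
    mac = hmac.new(key, f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = quote(base64.b64encode(mac).decode(), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"


def check_token_like_edgehub(token, key_b64, hub_host, edgehub_host):
    """Assumed gateway-side checks: the signature must verify against the device key,
    and the audience host must be the IoT Hub hostname or the EdgeHub's own hostname
    (the mismatch the question's log line reports for 192.168.100.14).
    Returns (signature_ok, audience_host_ok, audience_host)."""
    q = parse_qs(token.split(" ", 1)[1])  # parse_qs URL-decodes sr and sig
    sr, sig, se = q["sr"][0], q["sig"][0], q["se"][0]
    key = base64.b64decode(key_b64)
    signed = f"{quote(sr, safe='')}\n{se}".encode()
    expected = base64.b64encode(hmac.new(key, signed, hashlib.sha256).digest()).decode()
    audience_host = sr.split("/")[0]
    return hmac.compare_digest(expected, sig), audience_host in (hub_host, edgehub_host), audience_host


if __name__ == "__main__":
    short_ip = f"HostName=192.168.100.14;DeviceId=myDownstreamDevice;SharedAccessKey={DEMO_KEY}"
    full = (f"HostName={HUB_HOST};DeviceId=myDownstreamDevice;SharedAccessKey={DEMO_KEY};"
            f"GatewayHostName={GATEWAY_HOST}")
    for cs in (short_ip, full):  # first fails the audience check, second passes both
        print(check_token_like_edgehub(generate_sas_token(cs, 1563500000), DEMO_KEY, HUB_HOST, GATEWAY_HOST))
```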