
I'm facing an issue with my Azure IoT Edge device, where the aziot-identityd service fails to start.

  • Environment: Ubuntu 20.04
  • IoT Edge Runtime: aziot-identity-service=1.4.3-1 aziot-edge=1.4.9-1

I am using an X.509 device certificate to authenticate to the enrollment group of the Device Provisioning Service on Azure.

The error message suggests that user 994 is not authorized to modify the cert device-id. Here are the relevant logs:

Apr 20 10:42:50 M6ZZ2553 systemd[1]: Started Azure IoT Edge daemon.
Apr 20 10:42:50 M6ZZ2553 aziot-edged[19042]: 2023-04-20T10:42:50Z [INFO] - Starting Azure IoT Edge Daemon
Apr 20 10:42:50 M6ZZ2553 aziot-edged[19042]: 2023-04-20T10:42:50Z [INFO] - Version - 1.4.9
Apr 20 10:42:50 M6ZZ2553 aziot-edged[19042]: 2023-04-20T10:42:50Z [INFO] - Obtaining Edge device provisioning data...
Apr 20 10:42:50 M6ZZ2553 systemd[1]: Started Azure IoT Identity Service.
Apr 20 10:42:50 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:50Z [INFO] - Starting service...
Apr 20 10:42:50 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:50Z [INFO] - Version - dev build
Apr 20 10:42:50 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:50Z [INFO] - Provisioning starting. Reason: Startup
Apr 20 10:42:50 M6ZZ2553 systemd[1]: Started Azure IoT Certificates Service.
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - Starting service...
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - Version - dev build
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - Starting server...
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - <-- GET /certificates/device-id?api-version=2020-09-01 {"host": "certd.sock"}
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - !!! parameter "id" has an invalid value
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - !!! caused by: not found
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - --> 400 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 systemd[1]: Started Azure IoT Keys Service.
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - Starting service...
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - Version - dev build
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - Loaded libaziot-keys with version 0x02000000
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - Starting server...
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - <-- POST /keypair?api-version=2020-09-01 {"content-type": "application/json", "host": "keyd.sock", "content-length": "56"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - --> 200 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - <-- POST /parameters/algorithm?api-version=2020-09-01 {"content-length": "248", "content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - --> 200 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2020-09-01 {"content-length": "248", "content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - --> 200 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2020-09-01 {"content-length": "248", "content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - --> 200 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - <-- POST /parameters/algorithm?api-version=2020-09-01 {"content-length": "248", "content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - --> 200 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2020-09-01 {"content-length": "248", "content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - --> 200 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2020-09-01 {"content-length": "248", "content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - --> 200 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - <-- POST /encrypt?api-version=2020-09-01 {"content-length": "355", "content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-keyd[19057]: 2023-04-20T10:42:50Z [INFO] - --> 200 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - <-- POST /certificates?api-version=2020-09-01 {"content-type": "application/json", "host": "certd.sock", "content-length": "951"}
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - !!! user 994 is not authorized to modify the cert device-id
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - --> 401 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:50Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found: internal error
Apr 20 10:42:54 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:54Z [ERR!] - service encountered an error
Apr 20 10:42:54 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:54Z [ERR!] - caused by: internal error
Apr 20 10:42:54 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:54Z [ERR!] - caused by: could not create certificate
Apr 20 10:42:54 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:54Z [ERR!] - caused by: user 994 is not authorized to modify the cert device-id
Apr 20 10:42:54 M6ZZ2553 aziot-identityd[19046]: 2023-04-20T10:42:54Z [ERR!] -    0: <backtrace::capture::Backtrace as core::default::Default>::default
Apr 20 10:42:54 M6ZZ2553 aziot-identityd[19046]:              at root/.cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.56/src/capture.rs:401:9
Apr 20 10:42:54 M6ZZ2553 aziot-identityd[19046]:    1: <aziotd::error::Error as core::convert::From<aziotd::error::ErrorKind>>::from
Apr 20 10:42:54 M6ZZ2553 aziot-identityd[19046]:              at eve-tools/iot-identity-service/aziotd/src/error.rs:36:20
Apr 20 10:42:54 M6ZZ2553 systemd[1]: aziot-identityd.service: Main process exited, code=exited, status=1/FAILURE
Apr 20 10:42:54 M6ZZ2553 systemd[1]: aziot-identityd.service: Failed with result 'exit-code'.

Does anyone have any idea what I am missing?

I tried to play with the permissions all over the place but without success. To eliminate the possibility of a bad permission on a given file, I've run:

  • chmod 777 -R /etc/aziot/
  • chmod 777 -R /var/lib/aziot/

Side note: This edge device works perfectly when I use it with TPM-based provisioning on the DPS.

1 Answer

Solution:

The error message turned out to be misleading. The actual issue was a typo in the certificate name.

To resolve the issue, ensure that the "device-id" certificate in /etc/aziot/certd/config.d/00-super.toml has the correct path. However, keep in mind that this file is automatically generated by the iotedge config apply command based on the /etc/aziot/config.toml file.

In case someone else encounters the same error message, this information might help you understand that the error could be misleading and that you should check the certificate names and paths in the configuration files.
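
The aziot-certd lines in the question's journal show the sequence behind the misleading message: the lookup of device-id fails with "not found" before the create request is refused with 401. The following is an added example (not part of the original post and not IoT Edge project code) that groups those lines into exchanges and flags that pattern; the function names are hypothetical and the sample lines are copied from the question's log.

```python
import re

# Sample input: the aziot-certd lines copied from the journal excerpt in the question.
SAMPLE = """\
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - <-- GET /certificates/device-id?api-version=2020-09-01 {"host": "certd.sock"}
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - !!! parameter "id" has an invalid value
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - !!! caused by: not found
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - --> 400 {"content-type": "application/json"}
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - <-- POST /certificates?api-version=2020-09-01 {"content-type": "application/json", "host": "certd.sock", "content-length": "951"}
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - !!! user 994 is not authorized to modify the cert device-id
Apr 20 10:42:50 M6ZZ2553 aziot-certd[19050]: 2023-04-20T10:42:50Z [INFO] - --> 401 {"content-type": "application/json"}
"""

LINE = re.compile(r"aziot-certd\[\d+\]: \S+ \[\w+!?\] - (?P<msg>.*)$")
REQ = re.compile(r"<-- (?P<method>[A-Z]+) (?P<path>[^?\s]+)")
RESP = re.compile(r"--> (?P<status>\d{3})")
DENIED = re.compile(r"not authorized to modify the cert (?P<id>\S+)")

def certd_exchanges(journal):
    """Group aziot-certd log lines into request / error / response exchanges."""
    exchanges, current = [], None
    for raw in journal.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # line from another unit (keyd, identityd, systemd)
        msg = m["msg"]
        if (req := REQ.match(msg)):
            current = {"method": req["method"], "path": req["path"], "errors": [], "status": None}
            exchanges.append(current)
        elif current is not None and msg.startswith("!!! "):
            current["errors"].append(msg[4:])
        elif current is not None and (resp := RESP.match(msg)):
            current["status"] = int(resp["status"])
            current = None
    return exchanges

def missing_then_denied(journal):
    """Cert IDs whose lookup failed with 'not found' before a create was denied (401)."""
    missing, flagged = set(), []
    for ex in certd_exchanges(journal):
        if ex["method"] == "GET" and ex["path"].startswith("/certificates/"):
            if any("not found" in e for e in ex["errors"]):
                missing.add(ex["path"].rsplit("/", 1)[1])
        elif ex["method"] == "POST" and ex["path"] == "/certificates" and ex["status"] == 401:
            ids = [d["id"] for e in ex["errors"] if (d := DENIED.search(e))]
            flagged += [i for i in ids if i in missing]
    return flagged
```

A non-empty result from missing_then_denied points at the certificate ID to check in the configuration files before looking at file permissions.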
