Azure IoT Device Provisioning Service – Device Registrations C# SDK – “CA certificate not found”

08056996 15 Reputation points
2024-01-04T15:54:37.07+00:00

Hello Community,

Referring to the sample from the link - https://learn.microsoft.com/en-us/azure/iot-dps/tutorial-custom-hsm-enrollment-group-x509?tabs=windows&pivots=programming-language-csharp

 I am trying to create a restful service that does the following 3 things:

  1. Upload a root ca cert to the DPS instance – using the REST API : https://learn.microsoft.com/en-us/rest/api/iot-dps/dps-certificate/create-or-update?view=rest-iot-dps-2018-01-22&tabs=HTTP
  2. Create enrollment group with X509 attestation (intermediate cert from the chain) using the C#  SDK sample: https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/service/samples/getting%20started/EnrollmentGroupSample
  3. Register the device using the C# SDK sample : https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/device/samples/getting%20started/X509Sample

All the above steps are working fine from my local host (WSL - Ubuntu) instance where I am able to communicate to my DPS instance and perform all the 3 actions.

But when I try to deploy my service to azure app service (Linux) instance, steps 1 and 2 work fine but step #3 fails with the following error – “CA Certificate not found” Error code: 401002. Snap below:


Here is the code snippet I am using, which is largely taken from the SDK samples:

// leafCert: X509Certificate2 with private key; certChain: X509Certificate2Collection (intermediate(s) + root)
using var security = new SecurityProviderX509Certificate(leafCert, certChain);
using ProvisioningTransportHandler transport = CertificateHelper.GetTransportHandler(Microsoft.Azure.Devices.Client.TransportType.Mqtt_WebSocket_Only);
var deviceClient = ProvisioningDeviceClient.Create(globalDPSEndpoint, idScope, security, transport);
DeviceRegistrationResult regResult = await deviceClient.RegisterAsync();
if (regResult.Status != ProvisioningRegistrationStatusType.Assigned)
{
  return (false, $"Registration status did not assign a hub, so exiting...");
}
else
{
  return (true, $"Successfully registered Device:{regResult.DeviceId} to Hub: {regResult.AssignedHub}.");
}

The exception is generated from the line:

DeviceRegistrationResult regResult = await deviceClient.RegisterAsync();

After much googling, I found that for non-windows environments, the SDK ProvisioningDeviceClient class requires both the leaf cert with private key and the full certificate chain to perform the TLS handshake to register the device. Hence after passing both, it started working from my localhost environment but still failing when deployed to the app service instance.

But, If I try to register the device using the REST api as mentioned here, https://learn.microsoft.com/en-us/rest/api/iot-dps/device/runtime-registration/register-device?view=rest-iot-dps-device-2021-06-01,

via a CURL command and pass the full chain .pfx certificate with the password, the registration is successful. It just doesn’t work from code from inside the app service (linux) environment.

 Some additional things I have found and tried:

  1. https://github.com/Azure/azure-iot-sdk-csharp/issues/63
  2. https://github.com/Azure/azure-iot-sdk-csharp/issues/1040

I am wondering if there is any additional configuration I need to perform in the app service instance for the TLS handshake to be done correctly as the client is not able to find the CA cert to validate the leaf cert from the chain. But again, the same thing works fine from local machine.

Any help on this is much appreciated!

Thanks.


2 answers

  1. LeelaRajeshSayana-MSFT 13,471 Reputation points
    2024-01-06T01:26:10.0633333+00:00

    Hi @08056996 Just wanted to check if you have included the certificates in your Azure App Service app. Based on the error, it suggests that the certificates are not accessible within the App Service. Kindly go over the steps provided in the section Import an App Service certificate and try accessing the certificate from the code after you import them.

    Once you upload the certificates, in order to make them accessible in the App Service code, add its thumbprint to the WEBSITE_LOAD_CERTIFICATES app setting by running the following command from Cloud Shell:

    az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>

    You can then use the thumbprint to access the certificate from the code as shown in the example Load certificate in Linux/Windows containers

    Hope this helps. Please let us know in the comments below if you run into any additional issues or need further assistance.


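    The following is an added example, not code from the question, from this answer or from the Azure IoT SDK samples. It ties the three-step flow in the question to the WEBSITE_LOAD_CERTIFICATES setting described above: it reads the leaf and chain certificates from the file paths App Service exposes to Linux apps, checks that the leaf actually carries a private key and chains up to the uploaded CA using only those files (a pre-flight that catches a missing intermediate or root before RegisterAsync does), and then builds the same SecurityProviderX509Certificate and MQTT-over-WebSocket transport the question uses. Assumptions, labelled in the code: the App Service Linux layout of /var/ssl/private/<thumbprint>.p12 for private certificates and /var/ssl/certs/<thumbprint>.der for public ones, that the .p12 written by App Service has no password, and the thumbprint, endpoint and ID scope values, which are placeholders.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.Devices.Provisioning.Client;
using Microsoft.Azure.Devices.Provisioning.Client.Transport;
using Microsoft.Azure.Devices.Shared;

public static class AppServiceDpsRegistration
{
    // Assumption: with WEBSITE_LOAD_CERTIFICATES set, App Service (Linux) exposes
    // private certificates as /var/ssl/private/<THUMBPRINT>.p12 and public
    // certificates as /var/ssl/certs/<THUMBPRINT>.der. Adjust if your image differs.
    private const string PrivateDir = "/var/ssl/private";
    private const string PublicDir = "/var/ssl/certs";

    // Load the device leaf (with key) and the CA chain (intermediate + root) that
    // were uploaded to the App Service and listed in WEBSITE_LOAD_CERTIFICATES.
    public static (X509Certificate2 Leaf, X509Certificate2Collection Chain) LoadFromAppService(
        string leafThumbprint, params string[] chainThumbprints)
    {
        string leafPath = Path.Combine(PrivateDir, leafThumbprint.ToUpperInvariant() + ".p12");
        if (!File.Exists(leafPath))
            throw new FileNotFoundException(
                "Leaf certificate is not exposed to the app; check WEBSITE_LOAD_CERTIFICATES and the thumbprint.", leafPath);

        // Assumption: the .p12 App Service writes is not password protected.
        // EphemeralKeySet keeps the key out of the (possibly read-only) per-user key store.
        var leaf = new X509Certificate2(leafPath, (string)null, X509KeyStorageFlags.EphemeralKeySet);
        if (!leaf.HasPrivateKey)
            throw new InvalidOperationException("Leaf certificate loaded without a private key; TLS client auth cannot succeed.");

        var chain = new X509Certificate2Collection();
        foreach (string tp in chainThumbprints)
        {
            string p = Path.Combine(PublicDir, tp.ToUpperInvariant() + ".der");
            if (!File.Exists(p))
                throw new FileNotFoundException("Chain certificate is not exposed to the app.", p);
            chain.Add(new X509Certificate2(p));
        }
        return (leaf, chain);
    }

    // Pre-flight: build the chain from the leaf using ONLY the certificates we intend
    // to hand to the SDK. If this fails, DPS will not see a valid chain either.
    public static bool ChainBuilds(X509Certificate2 leaf, X509Certificate2Collection chain, out string report)
    {
        using var x509Chain = new X509Chain();
        x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private PKI, no CRL/OCSP
        x509Chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        x509Chain.ChainPolicy.CustomTrustStore.AddRange(chain); // self-signed entries become trusted roots
        x509Chain.ChainPolicy.ExtraStore.AddRange(chain);       // non-self-signed entries act as intermediates

        bool ok = x509Chain.Build(leaf);
        report = ok
            ? string.Join(" -> ", x509Chain.ChainElements.Cast<X509ChainElement>().Select(e => e.Certificate.Subject))
            : string.Join("; ", x509Chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
        return ok;
    }

    // Same registration call as the question, after the pre-flight has passed.
    public static async Task<DeviceRegistrationResult> RegisterAsync(
        string globalDeviceEndpoint, string idScope, X509Certificate2 leaf, X509Certificate2Collection chain)
    {
        if (!ChainBuilds(leaf, chain, out string report))
            throw new InvalidOperationException("Device certificate does not chain to the uploaded CA: " + report);

        using var security = new SecurityProviderX509Certificate(leaf, chain);
        using var transport = new ProvisioningTransportHandlerMqtt(TransportFallbackType.WebSocketOnly);
        var client = ProvisioningDeviceClient.Create(globalDeviceEndpoint, idScope, security, transport);
        return await client.RegisterAsync();
    }

    // Placeholder values; replace with your own thumbprints and ID scope.
    public static async Task Main()
    {
        var (leaf, chain) = LoadFromAppService(
            leafThumbprint: "LEAF_THUMBPRINT_PLACEHOLDER",
            "INTERMEDIATE_THUMBPRINT_PLACEHOLDER", "ROOT_THUMBPRINT_PLACEHOLDER");

        Console.WriteLine(ChainBuilds(leaf, chain, out string report) ? "chain OK: " + report : "chain FAILED: " + report);

        DeviceRegistrationResult result = await RegisterAsync(
            "global.azure-devices-provisioning.net", "0ne00000000", leaf, chain);
        Console.WriteLine($"{result.Status}: device {result.DeviceId} -> {result.AssignedHub}");
    }
}
```

    Running ChainBuilds first separates the two failure modes that both surface as a DPS 401 on Linux: a chain that cannot be built locally (wrong or missing intermediate, thumbprint not listed in WEBSITE_LOAD_CERTIFICATES) versus a chain that builds locally but is rejected by DPS (the CA uploaded to the DPS instance is not the one the leaf was issued under).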


  2. Caldera, Conie 0 Reputation points
    2024-01-06T01:33:51.06+00:00

    Hello @08056996,
    Here are some steps and suggestions I'd give you to troubleshoot and potentially resolve the problem you seem to be having with the TLS handshake and the inability to find the CA certificate when deploying the service to the Azure App Service (Linux):

    Check Certificate Paths: Ensure that the paths to the certificate files are correctly configured in your Azure App Service environment. Double-check the paths to the leaf certificate and the full certificate chain.

    Azure App Service Environment: Ensure that the Azure App Service environment has the necessary permissions to access and read the certificate files. This includes checking file permissions and making sure the application running in the App Service has the required privileges.

    Certificate Loading: Check if the certificates are being loaded correctly in the Linux environment of the Azure App Service. You may add logs or debug statements to print out the loaded certificates before the TLS handshake.

    CA Certificate Bundle: In some cases, you might need to provide the CA certificate bundle explicitly. Ensure that the CA certificate is included in the bundle and is accessible by the application.

    App Service Configuration: Verify that the Azure App Service environment is configured correctly for TLS. Check if there are any specific configurations or restrictions on the App Service that might affect the TLS handshake.

    Environment Variables: Check if there are any environment variables or configuration settings that need to be set in the Azure App Service environment for proper TLS handshake and certificate validation.

    Azure SDK Version: Ensure that you are using the correct version of the Azure IoT SDK in your application. Check for any updates or fixes related to TLS handshake issues in newer versions of the SDK.

    Azure Support: Consider reaching out to Azure Support for assistance. If the issue persists and you've exhausted all troubleshooting steps, Microsoft Azure Support can provide specific guidance based on your Azure subscription and services.

    Remember to log relevant information and errors to get more insights into the problem. Additionally, monitor any logs or diagnostic outputs from the Azure App Service to identify potential issues during the TLS handshake process.

    Wishing you the Best of Luck!