The remote certificate is invalid according to the validation procedure

Ali Akbar Qureshi 1 Reputation point
2021-09-09T13:53:26.463+00:00

Hi,

We are currently using a symmetric key to authenticate the devices, and these devices are working fine, but today on one of the devices we got the following exception:

Failed to connect: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Afterward, the connection was lost, and when we tried to re-connect it prompted for a new certificate after which we were able to re-connect.

Any idea what the reason for it could be, and how can we avoid it in the future?

Regards,
Ali Qureshi


2 answers

  1. Sander van de Velde 30,096 Reputation points MVP
    2021-09-10T13:50:58.723+00:00

    Hello @Ali Akbar Qureshi ,

    Is this issue related to an Edge device? Can this be related to this?

    Azure IoT Edge uses a separate certificate for securing inter-module communication (together with the edgehub module).

    A 'development' certificate is created by default. This certificate is only valid for 90 days. A restart of the device will generate a new certificate (again valid for 90 days only).

    You need to replace this certificate with a 'production' certificate.

    Please run

    sudo iotedge check

    for more information.

    1 person found this answer helpful.

  2. QuantumCache 20,106 Reputation points
    2021-09-13T21:16:17.847+00:00

    Hello @Ali Akbar Qureshi ,

    Adding a few more points to Sander's response.

    Recommended Steps

    • Run iotedge check. This tool has specific checks and recommendations for certificate settings.
    • Make sure the hostname setting in /etc/iotedge/config.yaml is a hostname and not an IP address.
    • Update the iotedge runtime to the latest version.

    Recommended Documents
    Understand how Azure IoT Edge uses certificates.

    Question: In case of certificate expiry, why do the edgeHub, runtime and other modules not stop working?
    "The Edge Hub does not proactively drop established connections when its certificate expires. Any client that successfully connected before the new certificate expired would continue to send data."

    Question: IoT Edge Runtime creates

    • Workload CA certificate with expiry of 1 year
    • Server Certificate with expiry of 90 days

    Now it is expected that after 90 days the Server Certificate should get regenerated or renewed by IoT Edge Runtime and IoT edgeHub?

    Yes, it should be automatic.

    Please comment in the below section so that we can help you further.

    1 person found this answer helpful.
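The checks both answers point at (a 90-day development server certificate, an expired or not-yet-valid window, and a device addressed by IP instead of the hostname in config.yaml) can be run offline against the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. This is an added example, not code from the page or from the Azure IoT SDK; `EDGE_DEV_CERT` is a constructed sample shaped like such a certificate, and the device name `myedgedevice` is made up.

```python
import ipaddress
import ssl
import time
from typing import List, Optional

# Constructed sample, shaped like getpeercert() output for an IoT Edge
# development server certificate: 90-day lifetime, DNS-only SAN.
EDGE_DEV_CERT = {
    "subject": ((("commonName", "myedgedevice"),),),
    "issuer": ((("commonName", "iotedged workload ca"),),),
    "notBefore": "Jun 11 13:53:26 2021 GMT",
    "notAfter": "Sep  9 13:53:26 2021 GMT",
    "subjectAltName": (("DNS", "myedgedevice"),),
}
NOT_BEFORE = ssl.cert_time_to_seconds(EDGE_DEV_CERT["notBefore"])
NOT_AFTER = ssl.cert_time_to_seconds(EDGE_DEV_CERT["notAfter"])

def _dns_match(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return p == h or (p[0] == "*" and len(p) == len(h) and p[1:] == h[1:])

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the dialled name is in the SAN list with the matching type."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:  # not an IP literal: compare against DNS SANs only
        return any(k == "DNS" and _dns_match(v, hostname) for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)

def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def diagnose(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Findings that explain a 'remote certificate is invalid' failure."""
    now = time.time() if now is None else now
    nb = ssl.cert_time_to_seconds(cert["notBefore"])
    na = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now < nb:
        findings.append("not yet valid: check the device clock")
    if now > na:
        findings.append("expired: restart iotedge or install a production cert")
    elif na - now < 7 * 86400:
        findings.append("expires within 7 days")
    if 89 <= (na - nb) / 86400 <= 91:
        findings.append("90-day lifetime: looks like the IoT Edge development server cert")
    if not hostname_matches(cert, hostname):
        kind = "an IP address" if hostname_matches({"subjectAltName": (("IP Address", hostname),)}, hostname) else "a name"
        findings.append(f"{hostname!r} is {kind} that is not in the SAN list; connect by the configured hostname")
    return findings
```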