problem connection device to Azure iot-hub

Question

problem connection device to Azure iot-hub

Eric F 1

Hello,

We are a designer and manufacturer of electronic devices for industrial customers.
Since 1 year we have one of our products that sends analysis datas to an endpoint Azure iot-hub via MQTT protocol.

The connection security is based on shared symmetrical keys.
Everything was going well until last week.

Since this date the connection is always refused, (error x10085 NXD_MQTT_ERROR_NOT_AUTHORIZED).
We are still using the only Root CA Baltimore certificate, as the migration campaign on the Azure side does not start until June 1, 2022...

When I simule device with Node.js with a computer the connection is OK and message are received by iot-hub.

I don't understand why my device connect anymore. The Hostname, Device Id and primary key are corrects and unchanged since 1 year... The horloge sytem of my device is k too.

Someone can help me?

Thanks in advance.
Eric

AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2022-03-30T06:41:15.793+00:00

@Eric F Welcome to Microsoft Q&A forum!

Could you please share the complete error logs? Is your device disconnects and connects automatically?

Did you check this post already?

Also, double check if your shared symmetric keys have set any expiration policy?

For MQTT, some SDKs rely on IoT Hub to issue the disconnect when the SAS token expires to know when to refresh it. So,

No action needed if using IoT SDK for connection using the device connection string. IoT SDK regenerates the new token to reconnect on SAS token expiration.

The default token lifespan is 60 minutes across SDKs; however, for some SDKs the token lifespan and the token renewal threshold is configurable. Additionally, the errors generated when a device disconnects and reconnects on token renewal differs for each SDK. To learn more, and for information about how to determine which SDK your device is using in logs, see MQTT device disconnect behavior with Azure IoT SDKs.
Eric F 1 Reputation point

2022-03-30T09:23:40.51+00:00

Hello,

Thank you for your answer and your welcome message.
The device is not connecting at all anymore, (it was still working before last week).
We are using Azure RTOS APIs on Renesas Synergy microcontroller.
The connection fails when calling the API function :

(the status return is indeed equal to NX_SUCCESS, but the error is returned in the variable mqtt_connack_packet_return_code which is equal to 5, which means unauthorized client connection...
I have seen the article about the migration of the Baltimore certificate to Digicert, but it is only planned for June 1st (we are preparing the updates during April).
I don't see any indication on a possible expiration date of the symmetric keys and when I use the virtual machine (javascript code or RasberryPI simulator), the connection is established correctly.
For information, our device does not connect to an SNTP server to synchronize the time, but to its own clock system programmed on UTC time.

Regards,
Eric

2 answers

Your answer

AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2022-03-30T06:41:15.793+00:00

@Eric F Welcome to Microsoft Q&A forum!

Could you please share the complete error logs? Is your device disconnects and connects automatically?

Did you check this post already?

Also, double check if your shared symmetric keys have set any expiration policy?

For MQTT, some SDKs rely on IoT Hub to issue the disconnect when the SAS token expires to know when to refresh it. So,

No action needed if using IoT SDK for connection using the device connection string. IoT SDK regenerates the new token to reconnect on SAS token expiration.

The default token lifespan is 60 minutes across SDKs; however, for some SDKs the token lifespan and the token renewal threshold is configurable. Additionally, the errors generated when a device disconnects and reconnects on token renewal differs for each SDK. To learn more, and for information about how to determine which SDK your device is using in logs, see MQTT device disconnect behavior with Azure IoT SDKs.
Eric F 1 Reputation point

2022-03-30T09:23:40.51+00:00

Hello,

Thank you for your answer and your welcome message.
The device is not connecting at all anymore, (it was still working before last week).
We are using Azure RTOS APIs on Renesas Synergy microcontroller.
The connection fails when calling the API function :

(the status return is indeed equal to NX_SUCCESS, but the error is returned in the variable mqtt_connack_packet_return_code which is equal to 5, which means unauthorized client connection...
I have seen the article about the migration of the Baltimore certificate to Digicert, but it is only planned for June 1st (we are preparing the updates during April).
I don't see any indication on a possible expiration date of the symmetric keys and when I use the virtual machine (javascript code or RasberryPI simulator), the connection is established correctly.
For information, our device does not connect to an SNTP server to synchronize the time, but to its own clock system programmed on UTC time.

Regards,
Eric

Answer 1

Eric F 1

Hello,

I managed to solve my problem by replacing the UTC clock of my system by a clock synchronized by an NTP server.

However our system was working for a year until last week...
Does anyone know if a change in the timestamp constraints for the TLS connection has been ported to Azure-iot-hub?

Thanks in advance!

Eric

AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2022-03-31T13:22:26.857+00:00

@Eric F Glad to hear you are unblocked with a work around. Appreciate for sharing it here.

Does anyone know if a change in the timestamp constraints for the TLS connection has been ported to Azure-iot-hub?

Not sure about this change. Let me check internally with our team and update you as earliest. Appreciate your time and patience.
LEELADHAR LADIA 1 Reputation point

2022-03-31T14:30:04.637+00:00

Correct, I also has same kind of issue and got resolved by changing clock to my system.
Eric F 1 Reputation point

2022-03-31T17:09:35.8+00:00

Thank you for your test.

If I understand correctly, you confirm that there was a change in the iot-hub timestamp?

Which clock did you use?

My workaround problem is only an intermediate solution, our client, for security reasons, does not want an internet connection other than the MQTT device-to-cloud connection. Cloud-to-device messages are even forbidden...
It is therefore not possible to synchronize the clock of our system via the NTP server...

Thanks again for your help,
Eric

Answer 2

AshokPeddakotla-MSFT 35,971 Moderator

@Eric F I further enquired about the change and below is the response from our team.

The error does not seem to be related to Baltimore certificate, which is still valid at this time. If the MQTT error is being thrown it implies the TLS handshake was already successful. Are you using our SDK or MQTT library? It could be related to token refresh

Additionally, security tokens are limited in time validity and scope.

// Set expiration in seconds
var expires = (Date.now() / 1000) + expiresInMins * 60;

Because the expiration is set by the device, the clock difference between IoT Hub and the device should be minimum. I think the default expiration time of Azure IoT SDK is about 1 hour. So wrong timezone / wrong clock setting causes the unauthorized error.

Please see Control access to IoT Hub using Shared Access Signatures and security tokens

Do let us know if you have any further queries.

Eric F 1 Reputation point

2022-04-01T15:54:35.207+00:00

Hi Ashok Peddakotla,

thank you very much for your help!

Effectivly, I had programmed (a year ago), a fixed date of expiration of the SaS in the code of the device...
I modified it, now this SaS expiration will be postponed at each connection.

Have a good day,

Eric
AshokPeddakotla-MSFT 35,971 Reputation points Moderator

2022-04-01T16:08:11.963+00:00
@Eric F Glad to hear you are unblocked now. Feel free to reach out to us if you have any other queries.

------------------------------------------

Please don't forget to click on 'Accept Answer' button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how

Want a reminder to come back and check responses? Here is how to subscribe to a notification

If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators

Share via

problem connection device to Azure iot-hub

2 answers

Your answer