IoT Edge 1.2 connectivity check debugging
I've installed Edge Runtime 1.2 on Debian 11. I realize it is not a Tier 1 system but there are packages provided for it.
My Edge device successfully provisions to IoT Central (not Hub, but Central).
I'm not able to use this device as a gateway, I get an "Error in the IoTHub Client due to TLS exchanges" from my downstream device. It can successfully connect to a gateway running Edge Runtime 1.1 though, so I don't think there is any error on the downstream device. Here is the error:
INFO:azure.iot.device.common.mqtt_transport:Creating client for connecting using MQTT over TCP
INFO:azure.iot.device.iothub.aio.async_clients:Connecting to Hub...
INFO:azure.iot.device.common.mqtt_transport:Connect using port 8883 (TCP)
INFO:azure.iot.device.common.mqtt_transport:Forcing paho disconnect to prevent it from automatically reconnecting
INFO:azure.iot.device.common.pipeline.pipeline_stages_mqtt:transport.connect raised error
INFO:azure.iot.device.common.pipeline.pipeline_stages_mqtt:Traceback (most recent call last):
  File "/Users/myuser/.venv/lib/python3.10/site-packages/azure/iot/device/common/mqtt_transport.py", line 390, in connect
    rc = self._mqtt_client.connect(
  File "/Users/myuser/.venv/lib/python3.10/site-packages/paho/mqtt/client.py", line 914, in connect
    return self.reconnect()
  File "/Users/myuser/.venv/lib/python3.10/site-packages/paho/mqtt/client.py", line 1073, in reconnect
    sock.do_handshake()
  File "/Users/myuser/.pyenv/versions/3.10.2/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'my.valid.hostname'. (_ssl.c:997)
Here's my 'sudo iotedge check --verbose'
Configuration checks (aziot-identity-service)
---------------------------------------------
√ keyd configuration is well-formed - OK
√ certd configuration is well-formed - OK
√ tpmd configuration is well-formed - OK
√ identityd configuration is well-formed - OK
√ daemon configurations up-to-date with config.toml - OK
√ identityd config toml file specifies a valid hostname - OK
√ aziot-identity-service package is up-to-date - OK
√ host time is close to reference time - OK
√ preloaded certificates are valid - OK
√ keyd is running - OK
√ certd is running - OK
√ identityd is running - OK
√ read all preloaded certificates from the Certificates Service - OK
√ read all preloaded key pairs from the Keys Service - OK
√ ensure all preloaded certificates match preloaded private keys with the same ID - OK
Connectivity checks (aziot-identity-service)
--------------------------------------------
‼ host can connect to and perform TLS handshake with iothub AMQP port - Warning
Could not retrieve iothub_hostname from provisioning file.
Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
Since no hostname is provided, all hub connectivity tests will be skipped.
‼ host can connect to and perform TLS handshake with iothub HTTPS / WebSockets port - Warning
Could not retrieve iothub_hostname from provisioning file.
Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
Since no hostname is provided, all hub connectivity tests will be skipped.
‼ host can connect to and perform TLS handshake with iothub MQTT port - Warning
Could not retrieve iothub_hostname from provisioning file.
Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
Since no hostname is provided, all hub connectivity tests will be skipped.
√ host can connect to and perform TLS handshake with DPS endpoint - OK
Configuration checks
--------------------
√ aziot-edged configuration is well-formed - OK
√ configuration up-to-date with config.toml - OK
√ container engine is installed and functional - OK
√ configuration has correct URIs for daemon mgmt endpoint - OK
√ aziot-edge package is up-to-date - OK
√ container time is close to host time - OK
‼ DNS server - Warning
Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub.
Please see https://aka.ms/iotedge-prod-checklist-dns for best practices.
You can ignore this warning if you are setting DNS server per module in the Edge deployment.
caused by: Could not open container engine config file /etc/docker/daemon.json
caused by: No such file or directory (os error 2)
‼ production readiness: logs policy - Warning
Container engine is not configured to rotate module logs which may cause it run out of disk space.
Please see https://aka.ms/iotedge-prod-checklist-logs for best practices.
You can ignore this warning if you are setting log policy per module in the Edge deployment.
caused by: Could not open container engine config file /etc/docker/daemon.json
caused by: No such file or directory (os error 2)
‼ production readiness: Edge Agent's storage directory is persisted on the host filesystem - Warning
The edgeAgent module is not configured to persist its /tmp/edgeAgent directory on the host filesystem.
Data might be lost if the module is deleted or updated.
Please see https://aka.ms/iotedge-storage-host for best practices.
‼ production readiness: Edge Hub's storage directory is persisted on the host filesystem - Warning
The edgeHub module is not configured to persist its /tmp/edgeHub directory on the host filesystem.
Data might be lost if the module is deleted or updated.
Please see https://aka.ms/iotedge-storage-host for best practices.
‼ Agent image is valid and can be pulled from upstream - Warning
skipping because of previous failures
√ proxy settings are consistent in aziot-edged, aziot-identityd, moby daemon and config.toml - OK
Connectivity checks
-------------------
‼ container on the default network can connect to upstream AMQP port - Warning
skipping because of previous failures
‼ container on the default network can connect to upstream HTTPS / WebSockets port - Warning
skipping because of previous failures
‼ container on the default network can connect to upstream MQTT port - Warning
skipping because of previous failures
‼ container on the IoT Edge module network can connect to upstream AMQP port - Warning
skipping because of previous failures
‼ container on the IoT Edge module network can connect to upstream HTTPS / WebSockets port - Warning
skipping because of previous failures
‼ container on the IoT Edge module network can connect to upstream MQTT port - Warning
skipping because of previous failures
How could I debug the "host can connect to and perform TLS handshake with iothub MQTT port" and "upstream MQTT port" issue, which I think is the culprit? Is the "Could not retrieve iothub_hostname from provisioning file." fine, since my gateway connects to IoT Central using symmetric key authentication?
Edit: The command
openssl s_client -connect mygateway.contoso.com:8883 -CAfile <CERTDIR>/certs/azure-iot-test-only.root.ca.cert.pem -showcerts
from https://learn.microsoft.com/en-us/azure/iot-edge/how-to-connect-downstream-device?view=iotedge-2020-11 seems to run fine from my downstream machine
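The downstream error above is a hostname-verification failure, not a chain failure: the gateway's server certificate chains to the test root CA, but its subjectAltName does not cover the name the downstream device dialled. The script below is an added diagnostic (not part of the original post or the Azure SDK): it verifies the chain against the downstream device's CA file while deliberately skipping the hostname check, so the gateway's certificate can be retrieved and its DNS SANs compared against the hostname the device uses. The gateway hostname, port 8883 and the CA file path are taken from the post; `hostname_matches` and `san_report` are helper names chosen here.

```python
"""Diagnose a "Hostname mismatch" TLS failure against an IoT Edge gateway on 8883.

hostname_matches()  - pure check of a hostname against the DNS subjectAltName
                      entries of a cert dict (the shape ssl.getpeercert() returns),
                      using the same leftmost-label wildcard rule as ssl.
fetch_gateway_cert() - connects to the gateway, verifies the chain against the
                      downstream device's CA file, but skips hostname checking so
                      the leaf cert can still be inspected when the name is wrong.
"""
import socket
import ssl


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True if `hostname` is covered by one of the cert's DNS SANs.

    Matching is case-insensitive; a leading '*.' matches exactly one label.
    """
    host = hostname.lower().rstrip(".")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for san in sans:
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # "*.contoso.com" -> ".contoso.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
    return False


def san_report(hostname: str, cert: dict) -> str:
    """One-line summary of whether the dialled hostname is covered by the cert."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    state = "matches" if hostname_matches(hostname, cert) else "does NOT match"
    return f"{hostname} {state} cert SANs: {sans or ['<none>']}"


def fetch_gateway_cert(host: str, port: int, cafile: str) -> dict:
    """Fetch the gateway's leaf cert with chain verification but no hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED by default
    ctx.check_hostname = False  # we want the cert even if the name is wrong
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # usage: python diag.py mygateway.contoso.com 8883 <CERTDIR>/certs/azure-iot-test-only.root.ca.cert.pem
    import sys
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(san_report(host, fetch_gateway_cert(host, port, cafile)))
```

If the report shows the SANs do not include the name the downstream device dials, the fix is on the gateway side (the hostname in its config.toml, from which the server cert is issued), not on the downstream device.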