IoT Edge 1.2 connectivity check debugging

randomrabbit 121 Reputation points
2022-04-28T10:52:21.717+00:00

I've installed Edge Runtime 1.2 on Debian 11. I realize it is not a Tier 1 system but there are packages provided for it.

My Edge device successfully provisions to IoT Central (not Hub, but Central).

I'm not able to use this device as a gateway, I get an "Error in the IoTHub Client due to TLS exchanges" from my downstream device. It can successfully connect to a gateway running Edge Runtime 1.1 though, so I don't think there is any error on the downstream device. Here is the error:

INFO:azure.iot.device.common.mqtt_transport:Creating client for connecting using MQTT over TCP  
INFO:azure.iot.device.iothub.aio.async_clients:Connecting to Hub...  
INFO:azure.iot.device.common.mqtt_transport:Connect using port 8883 (TCP)  
INFO:azure.iot.device.common.mqtt_transport:Forcing paho disconnect to prevent it from automatically reconnecting  
INFO:azure.iot.device.common.pipeline.pipeline_stages_mqtt:transport.connect raised error  
INFO:azure.iot.device.common.pipeline.pipeline_stages_mqtt:Traceback (most recent call last):  
  File "/Users/myuser/.venv/lib/python3.10/site-packages/azure/iot/device/common/mqtt_transport.py", line 390, i  
n connect  
    rc = self._mqtt_client.connect(  
  File "/Users/myuser/.venv/lib/python3.10/site-packages/paho/mqtt/client.py", line 914, in connect  
    return self.reconnect()  
  File "/Users/myuser/.venv/lib/python3.10/site-packages/paho/mqtt/client.py", line 1073, in reconnect  
    sock.do_handshake()  
  File "/Users/myuser/.pyenv/versions/3.10.2/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/ssl.py", line 1341,  
in do_handshake  
    self._sslobj.do_handshake()  
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not va  
lid for 'my.valid.hostname'. (_ssl.c:997)  

Here's my 'sudo iotedge check --verbose'

Configuration checks (aziot-identity-service)  
---------------------------------------------  
√ keyd configuration is well-formed - OK  
√ certd configuration is well-formed - OK  
√ tpmd configuration is well-formed - OK  
√ identityd configuration is well-formed - OK  
√ daemon configurations up-to-date with config.toml - OK  
√ identityd config toml file specifies a valid hostname - OK  
√ aziot-identity-service package is up-to-date - OK  
√ host time is close to reference time - OK  
√ preloaded certificates are valid - OK  
√ keyd is running - OK  
√ certd is running - OK  
√ identityd is running - OK  
√ read all preloaded certificates from the Certificates Service - OK  
√ read all preloaded key pairs from the Keys Service - OK  
√ ensure all preloaded certificates match preloaded private keys with the same ID - OK  
  
Connectivity checks (aziot-identity-service)  
--------------------------------------------  
‼ host can connect to and perform TLS handshake with iothub AMQP port - Warning  
    Could not retrieve iothub_hostname from provisioning file.  
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.  
    Since no hostname is provided, all hub connectivity tests will be skipped.  
‼ host can connect to and perform TLS handshake with iothub HTTPS / WebSockets port - Warning  
    Could not retrieve iothub_hostname from provisioning file.  
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.  
    Since no hostname is provided, all hub connectivity tests will be skipped.  
‼ host can connect to and perform TLS handshake with iothub MQTT port - Warning  
    Could not retrieve iothub_hostname from provisioning file.  
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.  
    Since no hostname is provided, all hub connectivity tests will be skipped.  
√ host can connect to and perform TLS handshake with DPS endpoint - OK  
  
Configuration checks  
--------------------  
√ aziot-edged configuration is well-formed - OK  
√ configuration up-to-date with config.toml - OK  
√ container engine is installed and functional - OK  
√ configuration has correct URIs for daemon mgmt endpoint - OK  
√ aziot-edge package is up-to-date - OK  
√ container time is close to host time - OK  
‼ DNS server - Warning  
    Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub.  
    Please see https://aka.ms/iotedge-prod-checklist-dns for best practices.  
    You can ignore this warning if you are setting DNS server per module in the Edge deployment.  
        caused by: Could not open container engine config file /etc/docker/daemon.json  
        caused by: No such file or directory (os error 2)  
‼ production readiness: logs policy - Warning  
    Container engine is not configured to rotate module logs which may cause it run out of disk space.  
    Please see https://aka.ms/iotedge-prod-checklist-logs for best practices.  
    You can ignore this warning if you are setting log policy per module in the Edge deployment.  
        caused by: Could not open container engine config file /etc/docker/daemon.json  
        caused by: No such file or directory (os error 2)  
‼ production readiness: Edge Agent's storage directory is persisted on the host filesystem - Warning  
    The edgeAgent module is not configured to persist its /tmp/edgeAgent directory on the host filesystem.  
    Data might be lost if the module is deleted or updated.  
    Please see https://aka.ms/iotedge-storage-host for best practices.  
‼ production readiness: Edge Hub's storage directory is persisted on the host filesystem - Warning  
    The edgeHub module is not configured to persist its /tmp/edgeHub directory on the host filesystem.  
    Data might be lost if the module is deleted or updated.  
    Please see https://aka.ms/iotedge-storage-host for best practices.  
‼ Agent image is valid and can be pulled from upstream - Warning  
    skipping because of previous failures  
√ proxy settings are consistent in aziot-edged, aziot-identityd, moby daemon and config.toml - OK  
  
Connectivity checks  
-------------------  
‼ container on the default network can connect to upstream  AMQP port - Warning  
    skipping because of previous failures  
‼ container on the default network can connect to upstream HTTPS / WebSockets port - Warning  
    skipping because of previous failures  
‼ container on the default network can connect to upstream MQTT port - Warning  
    skipping because of previous failures  
‼ container on the IoT Edge module network can connect to upstream AMQP port - Warning  
    skipping because of previous failures  
‼ container on the IoT Edge module network can connect to upstream HTTPS / WebSockets port - Warning  
    skipping because of previous failures  
‼ container on the IoT Edge module network can connect to upstream MQTT port - Warning  
    skipping because of previous failures  

How could I debug the "host can connect to and perform TLS handshake with iothub MQTT port" and "upstream MQTT port" issue, which I think is the culprint? Is the "Could not retrieve iothub_hostname from provisioning file." fine, since my gateway connects to IoT Central using symmetric key authentication?

Edit: The command

openssl s_client -connect mygateway.contoso.com:8883 -CAfile <CERTDIR>/certs/azure-iot-test-only.root.ca.cert.pem -showcerts  

from https://learn.microsoft.com/en-us/azure/iot-edge/how-to-connect-downstream-device?view=iotedge-2020-11 seems to run fine from my downstream machine

Azure IoT Edge
Azure IoT Edge
An Azure service that is used to deploy cloud workloads to run on internet of things (IoT) edge devices via standard containers.
580 questions
Azure IoT Central
Azure IoT Central
An Azure hosted internet of things (IoT) application platform.
365 questions
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.