
I'm trying to get the downstream device communication with Azure gateway scenario working. A Raspberry Pi is the IoT device and I am using a Jetson Nano as the Edge device. I have tried both the symmetric key method and self-signed, and both seem to fail. Please help me with this. I tried from this Azure tutorial https://learn.microsoft.com/en-us/azure/iot-edge/how-to-authenticate-downstream-device and I tried send_message.py and send_message_x509.py from here: https://github.com/Azure/azure-iot-sdk-python/tree/master/azure-iot-device/samples/async-hub-scenarios. And I'm using azure-iot-test-only.root.ca.cert.pem (root CA), iot-edge-device-downedge-full-chain.cert.pem (device cert), and iot-edge-device-downedge.key.pem (device key) as the credentials inside the .py script, and the hostname as the edge gateway hostname. But it's a failure. This command works fine and returns OK status:

    openssl s_client -connect mygateway.contoso.com:8883 -CAfile /certs/azure-iot-test-only.root.ca.cert.pem -showcerts

But still the .py script returns a TLS authentication error as follows:

TLS handshake failed., System.AggregateException: One or more errors occurred. (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
   --- End of inner exception stack trace ---
---> (Inner Exception #0) System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
   --- End of inner exception stack trace ---

Please let me know how to resolve this error, or any alternative code to achieve the same.


Did you modify send_message.py to add the edge device's trusted root CA certificate (azure-iot-test-only.root.ca.cert.pem) as a trusted cert? To use that Python SDK in a leaf device, you have to use an overload of the create_from_connection_string function that lets you pass in the edge device's root CA certificate (in order for the SDK to 'trust' it).

For example, I modified the first few lines of send_message.py to this and it works (after copying over the root CA cert to my leaf device):

import asyncio
from azure.iot.device.aio import IoTHubDeviceClient

async def main():
    # Connection string (the original sample reads it from an environment variable);
    # it must include GatewayHostName so the SDK connects via the edge gateway
    conn_str = "<your connection string, including GatewayHostName>"

    # change this path to YOUR cert -- just left mine in as an example...
    with open("/home/stevebus/edge/certs/azure-iot-test-only.root.ca.cert.pem") as certfile:
        root_ca_cert = certfile.read()

    # Create instance of the device client using the connection string,
    # passing the gateway's root CA so the SDK trusts the server certificate
    device_client = IoTHubDeviceClient.create_from_connection_string(
        connection_string=conn_str, server_verification_cert=root_ca_cert)

    await device_client.connect()
    await device_client.send_message("test message")
    await device_client.disconnect()

if __name__ == "__main__":
    asyncio.run(main())

This works for me...
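A preflight check, added here as an example and not part of the answer above: it reads the GatewayHostName out of the connection string (the host the SDK will actually open TLS to), sanity-checks the root CA PEM before handing it to the SDK, and performs the same chain and hostname verification as the openssl s_client command in the question, using Python's ssl module. The connection string and hostnames are constructed samples; make_client assumes the azure-iot-device package is installed.

```python
import ssl
import socket

# Constructed sample: a downstream-device connection string that routes
# through the gateway. GatewayHostName is what makes the SDK open TLS to
# the edge device instead of directly to IoT Hub.
SAMPLE_CONN_STR = (
    "HostName=myhub.azure-devices.net;DeviceId=downstream-pi;"
    "SharedAccessKey=c2FtcGxlLWtleS1ub3QtcmVhbA==;"
    "GatewayHostName=mygateway.contoso.com"
)

def parse_connection_string(conn_str):
    """Split 'k=v;k=v' into a dict; values (base64 keys) may contain '='."""
    parts = {}
    for field in conn_str.split(";"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        parts[key] = value
    return parts

def gateway_host(conn_str):
    """Host the SDK will connect to: the gateway if present, else the hub."""
    parts = parse_connection_string(conn_str)
    return parts.get("GatewayHostName") or parts["HostName"]

def load_root_ca(pem_text):
    """Reject empty or non-PEM input (a wrong path silently breaks trust)."""
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        raise ValueError("root CA is not a PEM certificate")
    return pem_text

def probe_gateway_tls(host, root_ca_pem, port=8883, timeout=5.0):
    """Same check as 'openssl s_client -CAfile ...': verify the gateway's
    chain against the root CA and that the hostname matches the cert."""
    ctx = ssl.create_default_context(cadata=load_root_ca(root_ca_pem))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]

def make_client(conn_str, root_ca_pem):
    """Build the SDK client so it trusts the gateway's root CA (lazy import)."""
    from azure.iot.device.aio import IoTHubDeviceClient
    return IoTHubDeviceClient.create_from_connection_string(
        conn_str, server_verification_cert=load_root_ca(root_ca_pem))
```

Run probe_gateway_tls(gateway_host(conn_str), root_ca_pem) before creating the client: if it raises ssl.SSLCertVerificationError, the CA file is not the one that signed the gateway's server certificate (or the hostname does not match), which is the same failure the SDK reports as "unknown ca".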


3 Comments

Quick correction... the sample that I modified was not "send_message.py", but rather "simple_send_message.py", here -> github.com/Azure/azure-iot-sdk-python/blob/master/…
Thank you for your response, I will try this and get back in some time.
@SteveBusby-MSFT any idea on this: github.com/Azure/azure-iot-sdk-python/issues/969? The only difference in this issue is that it's done using x509 and not a connection string.
