2
votes

I’m trying to get the downstream device communication with Azure gateway scenario working. A Raspberry Pi is the IoT device and I am using a Jetson Nano as the Edge device. I have tried both the symmetric key method and self-signed certificates, and both seem to fail. Please help me with this.

I tried this Azure tutorial: https://docs.microsoft.com/en-us/azure/iot-edge/how-to-authenticate-downstream-device

and I tried send_message.py and send_message_x509.py from here: https://github.com/Azure/azure-iot-sdk-python/tree/master/azure-iot-device/samples/async-hub-scenarios

I’m using azure-iot-test-only.root.ca.cert.pem (ROOTCA), iot-edge-device-downedge-full-chain.cert.pem (device cert), and iot-edge-device-downedge.key.pem (device key) as the credentials inside the .py script, and the edge gateway hostname as the hostname. But it’s a failure. This command works fine and returns OK status:

" openssl s_client -connect mygateway.contoso.com:8883 -CAfile /certs/azure-iot-test-only.root.ca.cert.pem -showcerts"

But the .py script still returns a TLS authentication error, as follows:

TLS handshake failed., System.AggregateException: One or more errors occurred. (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
   --- End of inner exception stack trace ---
---> (Inner Exception #0) System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
   --- End of inner exception stack trace ---

Please let me know how to resolve this error, or any alternative code to achieve the same.

1

1 Answers

0
votes

Did you modify send_message.py to add the edge device's trusted root CA certificate (azure-iot-test-only.root.ca.cert.pem) as a trusted cert? To use that Python SDK in a leaf device, you have to use an overload of the create_from_connection_string function that lets you pass in the edge device's root CA certificate (in order for the SDK to 'trust' it).

For example, I modified the first few lines of send_message.py to this and it works (after copying over the root CA cert to my leaf device):

from azure.iot.device.aio import IoTHubDeviceClient

async def main():
    # Connection string for the leaf device; it must include GatewayHostName
    conn_str = "<your connection string, including GatewayHostName>"

    # Change this path to YOUR cert -- just left mine in as an example...
    with open("/home/stevebus/edge/certs/azure-iot-test-only.root.ca.cert.pem") as certfile:
        root_ca_cert = certfile.read()

    # Create instance of the device client using the connection string,
    # passing the root CA cert so the SDK trusts the edge gateway's certificate
    device_client = IoTHubDeviceClient.create_from_connection_string(
        connection_string=conn_str, server_verification_cert=root_ca_cert
    )

this works for me...
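
Added example, not part of the original answer or of the Azure SDK samples: a leaf-device preflight using only the Python standard library. It checks that the connection string carries GatewayHostName, that the root CA text loads as a certificate, and (in check_gateway) repeats the openssl s_client test from the question with only that CA trusted. The function names, the sample connection string and the hub name in it are assumptions made for illustration.

```python
import socket
import ssl

# Constructed sample value; the key is a placeholder, not a real credential.
SAMPLE_CONN_STR = ("HostName=example-hub.azure-devices.net;DeviceId=leaf1;"
                   "SharedAccessKey=Y29uc3RydWN0ZWQ=;"
                   "GatewayHostName=mygateway.contoso.com")
REQUIRED_KEYS = ("HostName", "DeviceId", "GatewayHostName")

def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict (values may contain '=')."""
    parts = (item.split("=", 1) for item in conn_str.split(";") if item.strip())
    return {p[0].strip(): p[1].strip() for p in parts if len(p) == 2}

def build_trust_context(root_ca_pem):
    """TLS client context that trusts ONLY the supplied root CA (like -CAfile)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # cert and hostname checks on
    ctx.load_verify_locations(cadata=root_ca_pem)
    return ctx

def preflight(conn_str, root_ca_pem):
    """Return a list of problems found without touching the network."""
    problems = []
    fields = parse_connection_string(conn_str)
    for key in REQUIRED_KEYS:
        if not fields.get(key):
            problems.append("connection string is missing " + key)
    try:
        build_trust_context(root_ca_pem)
    except (ssl.SSLError, ValueError) as exc:
        problems.append("root CA is not a loadable PEM certificate: %s" % exc)
    return problems

def check_gateway(conn_str, root_ca_pem, port=8883, timeout=10):
    """Handshake with the gateway over MQTT/TLS port 8883.

    Raises ssl.SSLCertVerificationError if the gateway's chain does not lead
    to root_ca_pem or the certificate does not match GatewayHostName.
    """
    host = parse_connection_string(conn_str)["GatewayHostName"]
    ctx = build_trust_context(root_ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Run preflight() first, then check_gateway() from the leaf device with the contents of the same root CA file that is passed as server_verification_cert.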