Directly connect to Azure IoT Edge via MQTT as transparent gateway to Azure IoT Central - azure-iot-hub

I am trying to set up Azure IoT Edge as a transparent gateway to which I want to connect directly via MQTT (without any IoT SDKs).
###---Short Version---###
I want to connect directly to IoT Edge via MQTT like this to IoT Hub. What is the host, username and password for connection via symmetric keys to connect to the IoT Edge Gateway?
###---Long Version---###
The communication should work like this: Device (MQTT) -> Azure IoT Edge -> Azure IoT Central.
I started with provisioning the device to Azure IoT Central and was able to connect there directly. I used a .NET sample to provision the devices on Azure IoT Central and get the IoT Hub name. Then I created the SAS token to connect directly with an MQTT client to Azure IoT Central (assigned IoT Hub).
I used the following credentials:
"ClientID": "plc2"
"Host": "mqtts://iotc-x-x-x-x-x.azure-devices.net"
"Port": "8883"
"Username": "iotc-x-x-x-x-x.azure-devices.net/plc2/?api-version=2021-04-12"
"Password": "SharedAccessSignature sr=iotc-x-x-x-x-x.azure-devices.net%2Fdevices%2Fplc2&sig=P......D&se=1652037456"
I created the SAS Token following this documentation for MQTT direct device connection: SAS Token structure
As resourceUri for creating the SAS token I used the following: "iotc-x-x-x-x-x.azure-devices.net.azure-devices.net/devices/plc2"
For testing I used the MQTTX Windows client with the Azure Baltimore Root CA certificate and the credentials explained above, and everything was fine.
The problem
Now I want the communication to run via Azure IoT Edge as a transparent gateway. I followed the following documentation from Microsoft:
Created the demo certificates from Microsoft
Configured "config.toml" -> Set the hostname to: iotedge-prod1
Provisioned the device in Azure IoT Central -> Set its gateway to the Edge device
Used a sample Manifest file for edge where the ports are open and upstream is allowed
On my Windows PC created a hosts file entry with "192.168.0.100 iotedge-prod1"
Ping is ok for the new hostname of the edge device
Generated a .PKCS12 certificate from the .PEM certificate for the windows machine
But now I cannot connect via my MQTT Client -> It says Username or Password wrong
My big question
What does the MQTT connection data to the Edge device look like? I think I have not yet understood the structure with Edge Hub. I tried many combinations of credentials but I didn't get it.
"ClientID": "plc2" --> Should be ok
"Host": "mqtts://iotedge-prod1" --> In my opinion the IP address is important, right?
"Port": "8883" --> Same as before for TLS
"Username": "iotedge-prod1.iotc-x-x-x-x-x.azure-devices.net/plc2/?api-version=2021-04-12" or just "iotedge-prod1/plc2/?api-version=2021-04-12" --> What must the username be like?
"Password": "SharedAccessSignature sr=iotc...." --> Same thing for the password. Which information is necessary in the SAS token? Is the resourceUri for creation "iotedge-prod1.myHub.azure-devices.net/devices/plc2" or just "iotedge-prod1/devices/plc2" or anything different?
I hope I could explain my problem in a halfway understandable way.
Additional information (screenshots attached to the question): Edge-config_toml.jpg, Edge-IoTCentral.jpg, Edge-Manifest (MS Docs)

The username and password in case of direct connection to IoT Central or via IoT Edge as transparent gateway will be the same. This is because IoT Edge will pass through the token to IoTHub for attestation.
The only change required will be the Host, which should be mqtts://hostname or ip
Ensure in MQTTX client the Certificate is selected as Self signed and provide path of the Test Root CA, no need for client cert and key. The parent of the device also needs to be correctly set in IoT Central.
e.g. the deviceId here is mqttclient and iotedge gateway is raspi###
Check the edgeHub log with "iotedge logs -f edgeHub" to see if you are getting a connection attempt from the MQTTX client

One possible problem also was that the certificate hierarchy was not ok. If Azure IoT Edge is installed there are some certificates installed. After using the demo certificates from Azure the hierarchy should be mainly the same as in the documentation from Microsoft - starting with "Azure ... Test Only"
Demo Azure Certificate Hierarchy

Related

Connect to Azure IoT Hub using MQTT

I am trying to connect to an Azure IoT Hub directly using MQTT using this method:
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-mqtt-support#using-the-mqtt-protocol-directly-as-a-device
I am using MQTT explorer for windows: https://mqtt-explorer.com/
I enter the following details. My ioTHub is called IoTHub and my device is called device, so as per the documentation:
Protocol: mqtt://
Host: iothub.azure-devices.net/?api-version=2018-06-3430
Port: 8883
Validate Cert: Off
Encryption: Off
Username: iothub.azure-devices.net/device/?api-version=2018-06-30
Password: SharedAccessSignature sr=iothub.azure-devices.net&sig=XXXXXXXXXXXXXXXXXXXredactedXXXXXXXXXXXXXXXXXXXX&se=1642603375&skn=iothubowner
No ports are blocked from my location. The connection fails and says disconnected from server.
If I try with TLS encryption it says not authorised.
How can I access the IoTHub using MQTT?
You're on the right track! One small detail is missing, in the docs
Quote:
For the ClientId field, use the deviceId.
The client ID can be set using the advanced settings, as seen in the two screenshots below:
As for TLS Encryption, it's required. Switch it on and you should be able to connect.
Edit:
As you mentioned in the comment, the connection string was also wrong. You need the Shared Access Signature for a device. An easy way of generating one is by using the az cli. When you run the command below, you provide the connection string of your device (you can get it from the portal) and it will create the Shared Access Signature for you.
az iot hub generate-sas-token --connection-string "HostName=iot-Hub.azure-devices.net;DeviceId=deviceId;SharedAccessKey=foo"
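The two answers above (the transparent-gateway one, where only the host changes, and this one, where the ClientId must be the deviceId, TLS is mandatory and the password must be a device-scoped SAS rather than an iothubowner policy token) can be put side by side in code. The following is an added example, not code from the original posts or from Microsoft's SDKs: it implements the documented SAS signing scheme (HMAC-SHA256 over the URL-encoded resource URI and expiry, signed with the base64-decoded device key) using only the Python standard library, and every hub name, device id, gateway hostname, key and CA file name in it is a constructed placeholder.

```python
"""Added example: build and sanity-check MQTT credentials for an Azure IoT Hub
device, directly or through an IoT Edge transparent gateway. Standard library
only; all hub/device/gateway/key values below are constructed placeholders."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample values (assumptions, replace with your own).
HUB_NAME = "myhub"
DEVICE_ID = "plc2"
GATEWAY_HOSTNAME = "iotedge-prod1"   # must equal the CN in the Edge server cert
API_VERSION = "2021-04-12"
DEVICE_KEY = base64.b64encode(b"constructed-primary-key-for-plc2").decode()
OTHER_KEY = base64.b64encode(b"constructed-key-of-a-different-device").decode()
EXPIRY = 2_000_000_000               # fixed epoch so the output is reproducible

# The settings from the "Connect to Azure IoT Hub using MQTT" question above,
# reproduced as a constructed dict (signature redacted) for lint_mqtt_settings().
BROKEN_SETTINGS = {
    "host": "iothub.azure-devices.net/?api-version=2018-06-30",
    "port": 8883,
    "tls": False,
    "client_id": "",
    "username": "iothub.azure-devices.net/device/?api-version=2018-06-30",
    "password": "SharedAccessSignature sr=iothub.azure-devices.net"
                "&sig=REDACTED&se=1642603375&skn=iothubowner",
}


def _sign(resource_uri, expiry_epoch, device_key_b64):
    """base64(HMAC-SHA256(base64decode(key), urlencode(resourceUri) + "\\n" + expiry))."""
    string_to_sign = f"{quote_plus(resource_uri)}\n{int(expiry_epoch)}".encode("utf-8")
    digest = hmac.new(base64.b64decode(device_key_b64), string_to_sign,
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def generate_sas_token(resource_uri, device_key_b64, expiry_epoch):
    """Device-scoped token: resource_uri is '<hub>.azure-devices.net/devices/<id>'.
    No 'skn' field, because a device token is signed with the device key,
    not with a shared access policy such as iothubowner."""
    fields = {"sr": resource_uri,
              "sig": _sign(resource_uri, expiry_epoch, device_key_b64),
              "se": str(int(expiry_epoch))}
    return "SharedAccessSignature " + urlencode(fields)


def verify_sas_token(token, device_key_b64, now_epoch):
    """Recompute the signature and check expiry, which is what the hub does
    when Edge Hub passes the token upstream for attestation."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = parse_qs(token[len(prefix):], keep_blank_values=True)
    try:
        sr, sig, se = fields["sr"][0], fields["sig"][0], fields["se"][0]
    except (KeyError, IndexError):
        return False
    if not se.isdigit() or int(se) <= now_epoch:
        return False
    return hmac.compare_digest(_sign(sr, int(se), device_key_b64), sig)


def mqtt_connection_settings(hub_name, device_id, device_key_b64, expiry_epoch,
                             gateway_hostname=None):
    """Username and password are identical for a direct connection and for one
    through the transparent gateway; only host and trusted CA change."""
    hub_host = f"{hub_name}.azure-devices.net"
    return {
        "host": gateway_hostname or hub_host,   # bare hostname, no path
        "port": 8883,                           # TLS is mandatory
        "tls": True,
        "client_id": device_id,                 # ClientId must be the deviceId
        "username": f"{hub_host}/{device_id}/?api-version={API_VERSION}",
        "password": generate_sas_token(f"{hub_host}/devices/{device_id}",
                                       device_key_b64, expiry_epoch),
        # placeholder file names: public root CA for direct, Edge root CA
        # (the demo "Azure ... Test Only" root when using the test certs) via gateway
        "ca_cert": "edge-root-ca.pem" if gateway_hostname else "public-root-ca.pem",
    }


def lint_mqtt_settings(settings):
    """Return the misconfigurations seen in the posts above, as a list of strings."""
    problems = []
    if "/" in settings.get("host", "") or "?" in settings.get("host", ""):
        problems.append("host must be a bare hostname without path or api-version")
    if not settings.get("tls"):
        problems.append("TLS is required; unencrypted sessions are dropped")
    if settings.get("port") != 8883:
        problems.append("MQTT over TLS uses port 8883")
    parts = settings.get("username", "").split("/")
    if len(parts) < 2 or settings.get("client_id") != parts[1]:
        problems.append("ClientId must equal the deviceId used in the username")
    password = settings.get("password", "")
    if "skn=" in password:
        problems.append("password is a policy token (skn=); use a device-scoped SAS")
    if "%2Fdevices%2F" not in password:
        problems.append("SAS resource URI must be <hub>/devices/<deviceId>")
    return problems


if __name__ == "__main__":
    direct = mqtt_connection_settings(HUB_NAME, DEVICE_ID, DEVICE_KEY, EXPIRY)
    via_gw = mqtt_connection_settings(HUB_NAME, DEVICE_ID, DEVICE_KEY, EXPIRY,
                                      gateway_hostname=GATEWAY_HOSTNAME)
    print("direct host:     ", direct["host"])
    print("via gateway host:", via_gw["host"])
    print("same username/password:",
          direct["username"] == via_gw["username"] and direct["password"] == via_gw["password"])
    print("problems in the broken settings:", *lint_mqtt_settings(BROKEN_SETTINGS), sep="\n  ")
```

Against a real gateway the client additionally has to trust the Edge root CA and connect to the exact hostname in the Edge server certificate (the hosts-file entry in the question exists for that reason); the token itself is unchanged, which is why the gateway answer says only the Host differs.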

I want to use the same SSL certificate on multiple devices (ESP8266) for an MQTT connection, am I able to do that?

I am new to this, but I am using AWS IoT Core with an ESP8266. So, here I am connecting the ESP8266 to an MQTT broker which is on the AWS cloud and sending data to it. Which means my ESP8266 is a client which is connected to the broker AWS IoT Core.
So, my main question is that when I connect a single ESP8266 to AWS IoT Core then I need some certificates like CA, CERTI & private key etc. These files provide a secure TLS connection of the ESP8266 with the AWS IoT Core MQTT broker. But now I want to connect 2x ESP8266 to the same MQTT broker with the same topic but, most essentially, with the same TLS certificates that I generated earlier for ESP8266 (1). So is it possible to use those same certificates to provide a secure TLS connection to both ESP8266 at the same time?
Need an answer to that in a described manner. Do help me out here.
For reference I used this project to connect my ESP8266 with AWS IoT Core through MQTT
https://electronicsinnovation.com/how-to-connect-nodemcu-esp8266-with-aws-iot-core-using-arduino-ide-mqtt/
No, client certificates are used to uniquely identify each connecting client.
You need to use a separate certificate per device.

Azure IoT Hub MQTT failure

I'm attempting to connect a Quectel BG96 cellular modem to Azure IoT Hub using MQTT directly (no SDK), but keep getting disconnected immediately after attempting to connect.
I've tested:
Connecting to my IoT Hub using a python paho MQTT script.
Connecting from my cellular modem to a Mosquitto server using SSL encryption and username and password.
Both of which work.
When I try to connect to IoT Hub I can open the connection but when I try and connect to the MQTT server I immediately get disconnected.
Are there any caveats when using MQTT in IoT Hub? Also, is there an easy way to get access to the connection logs in IoT Hub?
I had the same problem here with BG96 and Azure IoTHub.
My solution with this modem is to force the MQTT version to "v4", according to the AT MQTT Manual. Try using AT+QMTCFG="version",<"yourtcpconnectionid">,4 then open the connection and authenticate.

Azure IoT Hub Java SDK, connecting X.509 Devices multiplexed over single AMQP Connection

I have auto provisioned a bunch of IoT devices via Azure IoT DPS. The devices are registered at my IoT hub. All devices have an X.509 certificate authentication.
What I now want to do is to send messages to the devices. All certificates are available and I can connect with the DeviceClient to the device at the hub. This is the method of the Azure IoT Java SDK I am using:
public static DeviceClient createFromSecurityProvider(String uri, String deviceId, SecurityProvider securityProvider, IotHubClientProtocol protocol) throws URISyntaxException, IOException
It takes SecurityProviderX509Cert as parameter.
However, each DeviceClient has its own physical connection. What I want is to use AMQP multiplexing by using this constructor:
public DeviceClient(String connString, TransportClient transportClient) throws URISyntaxException
This doesn't work with X.509 devices. In the connection string I've used the shared access key from my shared access policy from the hub but got an exception:
Unauthorized: Device 'xxx' at IotHub 'yyy' does not have PrimaryKey or SecondaryKey
I assume that will only work if I register the device with symmetric keys. However, those devices cannot be enrolled automatically via Azure DPS. I can only enroll devices with X.509 or TPM.
So how do I get the trick to connect multiple X.509 devices over a single AMQPS connection?
It seems that Azure IoT Hub SDK for Java does not support multiplexing for X.509 devices.
You can post a requirement for this feature on GitHub (https://github.com/Azure/azure-iot-sdk-java/issues).

Lua SSL certificate and Azure Iot hub

I am trying to connect my NodeMCU ESP-12N to Azure IoT hub.
I have created a client with code like this:
esp8266 = mqtt.Client(DEVICE, 240, USER, PASSWD)
and am receiving an error on calling esp8266:connect
PANIC: unprotected error in call to Lua API (init.lua:127: ssl not available)
When I previously connected my Arduino, it was important to flash the Wi-Fi with the SSL certificate. However I can't do it with NodeMCU (or, more correctly, I don't know how).
I can get certificates with:
openssl s_client -showcerts -connect ArduinoDemoHub.azure-devices.net:8883
When I added (thank you #MarcelStör for the hint, I had previously tried net.cert.verify)
tls.cert.verify([[
-----BEGIN CERTIFICATE-----
MIIGsTCCBJmgADJKJFdWgAIQF5Koy/50vI3cQAAAAhAXjANBgkqhkiG9w0BAQsF
......
lz3ZDUcyzRgG6TRtA3SjASEUlJMt3f7xuI2nNpt8p5gy9pXuRw==
-----END CERTIFICATE-----
]])
tls.cert.verify(true)
I've received another error:
Error Connecting: -5
UPDATE:
There is another similar topic, and I have set time, but still without result.
UPDATE 2:
Here are some links that I am trying to use:
Use Azure IoT Hub without client libraries (MQTT)
Sending Device-to-Cloud (D2C) Messages
sankarcheppali gitHub with samples
Here is official Link
Communicate with your IoT hub using the MQTT protocol
that tells:
To use the MQTT protocol directly, your client must connect over
TLS/SSL. Attempts to skip this will fail with connection errors.
This link also provides a username that is different from old code samples:
{iothubhostname}/{device_id}/api-version=2016-11-14
TLS/SSL by default is disabled in the firmware build configuration. CLIENT_SSL_ENABLE in user_config.h must be uncommented before compiling/building the firmware.
The easiest is to use the cloud builder at https://nodemcu-build.com (by yours truly) and check the TLS checkbox.
Also, all TLS/SSL related functions in the net module (you use net.cert.verify) were extracted into the tls module a while ago. Unless there's convincing arguments for not using a current firmware build I suggest you try the dev branch. When you enable "TLS/SSL support" in the builder you get the tls module automatically.
UPDATE: There is a nice article about Azure IoT hub and certificates: Certificate between IoT hub and devices connection
I have created a SAS with the help of Device Explorer, which looks like:
SharedAccessSignature sr={your hub name}.azure-devices.net%2Fdevices%2FMyDevice01%2Fapi-version%3D2016-11-14&sig=vSgHBMUG.....Ntg%3d&se=1456481802
This value is set to the PASSWD variable. Have changed the USER variable to:
USER = "MyAzureIoTHub.azure-devices.net/MyDeviceID/api-version=2016-11-14"
And have set tls.cert.verify to false:
tls.cert.verify(false)
Works now :)
You can refer to the following two libraries to connect the NodeMCU ESP-12N to Azure IoT hub; these two libraries can be found in the Library Manager:
AzureIoTHubMQTTClient
AzureIoTProtocol_MQTT
After installation, you can refer to the samples.