Connect to Azure IoT Hub using MQTT - azure-iot-hub

I am trying to connect to an Azure IoT Hub directly using MQTT using this method:
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-mqtt-support#using-the-mqtt-protocol-directly-as-a-device
I am using MQTT explorer for windows: https://mqtt-explorer.com/
I enter the following details. My ioTHub is called IoTHub and my device is called device, so as per the documentation:
Protocol: mqtt://
Host: iothub.azure-devices.net/?api-version=2018-06-3430
Port: 8883
Validate Cert: Off
Encryption: Off
Username: iothub.azure-devices.net/device/?api-version=2018-06-30
Password: SharedAccessSignature sr=iothub.azure-devices.net&sig=XXXXXXXXXXXXXXXXXXXredactedXXXXXXXXXXXXXXXXXXXX&se=1642603375&skn=iothubowner
No ports are blocked from my location. The connection fails and says disconnected from server.
If I try with TLS encryption it says not authorised.
How can I access the IoTHub using MQTT?

You're on the right track! One small detail is missing. In the docs:
For the ClientId field, use the deviceId.
The client ID can be set using the advanced settings, as seen in the two screenshots below:
As for TLS Encryption, it's required. Switch it on and you should be able to connect.
Edit:
As you mentioned in the comment, the connection string was also wrong. You need the Shared Access Signature for a device. An easy way of generating one is by using the az cli. When you run the command below, you provide the connection string of your device (you can get it from the portal) and it will create the Shared Access Signature for you.
az iot hub generate-sas-token --connection-string "HostName=iot-Hub.azure-devices.net;DeviceId=deviceId;SharedAccessKey=foo"
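The same device-scoped token the az cli command produces can be built and checked by hand, which makes the three points in this answer concrete: the resource URI is `{host}/devices/{deviceId}` (not the bare hub name with an `skn=iothubowner` policy, as in the question), the clientId is the deviceId, and TLS on 8883 is mandatory. This is an added example, not code from the answer or from Azure; the key and hostnames are constructed, and `SAMPLE_KEY`, `parse_connection_string`, `verify_sas_token` and `mqtt_connect_params` are names chosen here.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed sample key; a real device key comes from the portal or az cli.
SAMPLE_KEY = base64.b64encode(b"constructed-sample-key-32-bytes!").decode()
API_VERSION = "2018-06-30"  # the api-version used in the question's username

def parse_connection_string(cs):
    """Split 'HostName=...;DeviceId=...;SharedAccessKey=...' into a dict."""
    return dict(kv.split("=", 1) for kv in cs.split(";") if kv)

def generate_device_sas_token(hostname, device_id, shared_access_key, ttl_seconds=3600, now=None):
    """Device-scoped token: sr is {host}/devices/{deviceId}; the signature is
    HMAC-SHA256 over '<url-encoded sr>\\n<expiry>' keyed with the decoded key.
    No skn field: the token is bound to one device, not to a hub-level policy."""
    expiry = int(time.time() if now is None else now) + ttl_seconds
    sr = quote(f"{hostname}/devices/{device_id}", safe="")
    key = base64.b64decode(shared_access_key)
    digest = hmac.new(key, f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = quote(base64.b64encode(digest).decode(), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"

def verify_sas_token(token, shared_access_key, now=None):
    """Recompute the signature and check expiry, as the hub does on CONNECT."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    try:
        fields = dict(kv.split("=", 1) for kv in token[len(prefix):].split("&"))
        expiry, sr, sig = int(fields["se"]), fields["sr"], unquote(fields["sig"])
    except (KeyError, ValueError):
        return False
    if expiry <= int(time.time() if now is None else now):
        return False
    key = base64.b64decode(shared_access_key)
    digest = hmac.new(key, f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, base64.b64encode(digest).decode())

def mqtt_connect_params(hostname, device_id, token):
    """CONNECT fields from the answer: clientId = deviceId, TLS on port 8883,
    username = {host}/{deviceId}/?api-version=..., password = the SAS token."""
    return {"host": hostname, "port": 8883, "tls": True, "client_id": device_id,
            "username": f"{hostname}/{device_id}/?api-version={API_VERSION}",
            "password": token}
```

Keep `ttl_seconds` short and regenerate on reconnect; a long-lived token, like the hub-policy token in the question, is a credential that outlives the session it was issued for.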

Related

Directly connect to Azure IoT Edge via MQTT as transparent gateway to Azure IoT Central

I am trying to setup Azure IoT Edge as transparent gateway to which I want to connect directly via MQTT (without any IoT SDKs).
###---Short Version---###
I want to connect directly to IoT Edge via MQTT like this to IoT Hub. What is the host, username and password for connection via symmetric keys to connect to the IoT Edge Gateway?
###---Long Version---###
The communication should work like this: Device (MQTT) -> Azure IoT Edge -> Azure IoT Central.
I started with provisioning the Device to Azure IoT Central and was able to connect there directly. I used a .NET sample to provision the devices on Azure IoT Central and get the Iot-Hub name. Then I created the SAS Token to connect directly with a MQTT client to Azure IoT Central (assigned IoT-Hub)
I used the following credentials:
"ClientID": "plc2"
"Host": "mqtts://iotc-x-x-x-x-x.azure-devices.net"
"Port": "8883"
"Username": "iotc-x-x-x-x-x.azure-devices.net/plc2/?api-version=2021-04-12"
"Password": "SharedAccessSignature sr=iotc-x-x-x-x-x.azure-devices.net%2Fdevices%2Fplc2&sig=P......D&se=1652037456"
I created the SAS Token following this documentation for MQTT direct device connection: SAS Token structure
As resourceUri for creating the SAS Token I used the following: "iotc-x-x-x-x-x.azure-devices.net.azure-devices.net/devices/plc2"
For testing I used MQTTX windows client with the Azure Baltimore Root CA Certificate and the credentials explained and everything was fine.
The problem
Now I want the communication to run via the Azure IoT Edge as transparent gateway. I followed following documentation from Microsoft:
Created the demo certificates from Microsoft
Configured "config.toml" -> Set the hostname to: iotedge-prod1
Provisioned the device in Azure IoT Central -> Set its gateway to the Edge device
Used a sample Manifest file for edge where the ports are open and upstream is allowed
On my windows pc created a host file entry with "192.168.0.100 iotedge-prod1"
Ping is ok for the new hostname of the edge device
Generated a .PKCS12 certificate from the .PEM certificate for the windows machine
But now I cannot connect via my MQTT Client -> It says Username or Password wrong
My big question
What does the MQTT connection data to the Edge device look like? The structure with Edge Hub I have not yet understood I think. I tried many combinations of credentials but I didn't get it
"ClientID": "plc2" --> Should be ok
"Host": "mqtts://iotedge-prod1" --> In my opinion the IP address is important, right?
"Port": "8883" --> Same like before for TLS
"Username": "iotedge-prod1.iotc-x-x-x-x-x.azure-devices.net/plc2/?api-version=2021-04-12" or just "iotedge-prod1/plc2/?api-version=2021-04-12" --> What must the username be like?
"Password": "SharedAccessSignature sr=iotc...." --> Same thing for the password. Which information is necessary in the SAS Token? Is the resourceUri for creation "iotedge-prod1.myHub.azure-devices.net/devices/plc2" or just "iotedge-prod1/devices/plc2" or anything different?
I hope I have explained my problem in a halfway understandable way.
Additional information:
Edge-Manifest (MS Docs)
The username and password in case of direct connection to IoT Central or via IoT Edge as transparent gateway will be the same. This is because IoT Edge will pass through the token to IoTHub for attestation.
Only change required will be the Host, which should be mqtts://hostname or ip
Ensure in MQTTX client the Certificate is selected as Self signed and provide path of the Test Root CA, no need for client cert and key. The parent of the device also needs to be correctly set in IoT Central.
e.g. the deviceId here is mqttclient and iotedge gateway is raspi###
Check the edgeHub log with "iotedge logs -f edgeHub" to see whether you are getting a connection attempt from the MQTTX client.
One possible problem also was that the certificate hierarchy was not ok. If Azure IoT Edge is installed there are some certificates installed. After using the demo certificates from Azure the hierarchy should be mainly the same as in the documentation from Microsoft, starting with "Azure ... Test Only":
Demo Azure Certificate Hierarchy

I want to use the same SSL certificate on multiple devices (esp8266) for an MQTT connection; am I able to do that?

I am new to this, but I am using AWS IoT Core with an esp8266. So, here I am connecting the esp8266 to an MQTT broker which is on the AWS cloud and sending data to it. Which means my esp8266 is a client which is connected to the broker AWS IoT Core.
So, my main question is that when I connect a single esp8266 to AWS IoT Core I need some certificates like CA, CERT and private key etc. These files provide a secure TLS connection of the esp8266 with the AWS MQTT IoT Core. But now I want to connect 2x esp8266 to the same MQTT broker with the same topic but, most essentially, with the same TLS certificates that I generated earlier for esp8266 (1). So is it possible to use those same certificates to provide a secure TLS connection to both esp8266 at the same time?
Need an answer to that in a described manner. Do help me out here.
For reference I used this project to connect my esp8266 with AWS IoT Core through MQTT:
https://electronicsinnovation.com/how-to-connect-nodemcu-esp8266-with-aws-iot-core-using-arduino-ide-mqtt/
No, client certificates are used to uniquely identify each connecting client.
You need to use a separate certificate per device.

Azure IoT Hub MQTT failure

I'm attempting to connect a Quectel BG96 cellular modem to Azure IoT Hub using MQTT directly (no SDK), but keep getting disconnected immediately after attempting to connect.
I've tested:
Connecting to my IoT Hub using a python paho MQTT script.
Connecting from my cellular modem to a Mosquitto server using SSL encryption and username and password.
Both of which work.
When I try to connect to IoT Hub I can open the connection but when I try and connect to the MQTT server I immediately get disconnected.
Are there any caveats when using MQTT in IoT Hub? Also, is there an easy way to get access to the connection logs in IoT Hub?
I had the same problem here with BG96 and Azure IoTHub.
My solution with this modem is to force the MQTT version to "v4", according to the AT MQTT Manual. Try using AT+QMTCFG="version",<"yourtcpconnectionid">,4 then open the connection and authenticate.

Lua SSL certificate and Azure Iot hub

I am trying to connect my NodeMCU ESP-12N to Azure IoT hub.
I have created the client with code like this:
esp8266 = mqtt.Client(DEVICE, 240, USER, PASSWD)
and I receive an error on calling esp8266:connect:
PANIC: unprotected error in call to Lua API (init.lua:127: ssl not available)
When I previously connected my Arduino, it was important to flash the Wi-Fi module with the SSL certificate. However, I can't do that with NodeMCU (or, more correctly, I don't know how).
I can get the certificates with:
openssl s_client -showcerts -connect ArduinoDemoHub.azure-devices.net:8883
When I have added (thank you #MarcelStör for the hint; I had previously tried net.cert.verify)
tls.cert.verify([[
-----BEGIN CERTIFICATE-----
MIIGsTCCBJmgADJKJFdWgAIQF5Koy/50vI3cQAAAAhAXjANBgkqhkiG9w0BAQsF
......
lz3ZDUcyzRgG6TRtA3SjASEUlJMt3f7xuI2nNpt8p5gy9pXuRw==
-----END CERTIFICATE-----
]])
tls.cert.verify(true)
I've received another error:
Error Connecting: -5
UPDATE:
There is another similar topic, and I have set the time, but still without result.
UPDATE 2:
Here are some links that I am trying to use:
Use Azure IoT Hub without client libraries (MQTT)
Sending Device-to-Cloud (D2C) Messages
sankarcheppali gitHub with samples
Here is official Link
Communicate with your IoT hub using the MQTT protocol
that tells:
To use the MQTT protocol directly, your client must connect over
TLS/SSL. Attempts to skip this will fail with connection errors.
This link also provides username that is different from old code samples:
{iothubhostname}/{device_id}/api-version=2016-11-14
TLS/SSL by default is disabled in the firmware build configuration. CLIENT_SSL_ENABLE in user_config.h must be uncommented before compiling/building the firmware.
The easiest is to use the cloud builder at https://nodemcu-build.com (by yours truly) and check the TLS checkbox.
Also, all TLS/SSL related functions in the net module (you use net.cert.verify) were extracted into the tls module a while ago. Unless there's convincing arguments for not using a current firmware build I suggest you try the dev branch. When you enable "TLS/SSL support" in the builder you get the tls module automatically.
UPDATE: There is nice article about Azure IoT hub and certificates: Certificate between IoT hub and devices connection
I have created a SAS with the help of Device Explorer; it looks like:
SharedAccessSignature sr={your hub name}.azure-devices.net%2Fdevices%2FMyDevice01%2Fapi-version%3D2016-11-14&sig=vSgHBMUG.....Ntg%3d&se=1456481802
This value is set to the PASSWD variable. I have changed the USER variable to:
USER = "MyAzureIoTHub.azure-devices.net/MyDeviceID/api-version=2016-11-14"
And have set tls.cert.verify to false:
tls.cert.verify(false)
Works now :)
You can refer to the following two libraries to connect NodeMCU ESP-12N to Azure IoT hub, these two libraries could be searched in Library Manager:
AzureIoTHubMQTTClient
AzureIoTProtocol_MQTT
After installation, you can refer to the samples.

noVNC connecting to VNCServer on private LAN using HTTPS only

Not sure if I'm really up to date, but I'm looking for a way to convert my existing project to use HTML5 websockets.
Here's my situation:
- Client runs a modified Java VNC applet with an extra parameter (CONNECT).
- Modified stunnel listening on the webserver (with both public and private IP) on port 443
- Client connects to 443 and sends (prior to RFB) an HTTP packet like:
'CONNECT 10.0.0.1:4001'
- Stunnel opens a new stream to 10.0.0.1:4001 using the SSL wrapper
- VNC Server (#10.0.0.1:4001) responds, connection is established.
Now I want to get rid of the Java Applet and switch to Websocket using NoVNC.
I want to be able to :
- Open a single port on the webserver (HTTPS preferably)
- Have client connect using HTML5 only (no more java applet)
I cannot change:
- VNCServer will still be listening on the private LAN only.
- VNCServer will still listen on a bunch of ports, each corresponding to a virtual server
Questions are:
- How to give NoVNC the notion of target HOST:PORT?
- Is stunnel still usable? Or should I change to a websocket proxy?
If anyone has a starting point, I'd really appreciate it!
Disclaimer: I created noVNC so my answer may be heavily biased ;-)
I'll answer your second question first:
stunnel cannot be used directly by noVNC. The issue is that the WebSockets protocol has an HTTP-like initial handshake and the messages are framed. In addition, until binary payload support is added to WebSockets, the payload is base64 encoded by the websockets proxy (websockify). Adding the necessary support to stunnel would be non-trivial but certainly doable. In fact noVNC issue #37 is an aspirational feature to add this support to stunnel.
First question:
noVNC already has a concept of HOST:PORT via the RFB.connect(host, port, password) method. The file vnc_auto.html at the top level shows how to get noVNC to automatically connect on page load based on the host, port and password specified as URL query string parameters.
However, I think what you are really asking is how do you get noVNC to connect to alternate VNC server ports on the backend. This problem is not directly addressed by noVNC and websockify. There are several ways to solve this and it usually involves an out-of-band setup/authorization mechanism so that the proxy can't be used to launch attacks by arbitrary hosts. For example, at my company we have a web based management framework that integrates noVNC and when the user wants to connect to the console, an authenticated AJAX call is used to configure the proxy for that particular user and the system they want to connect to. Our web management interface is internal only.
Ganeti Web Manager uses a similar model and the source is available. They have a fork of VNCAuthProxy that has WebSockets support. They use a control channel from the web interface to the VNCAuthProxy to setup a temporary password associated with a specific VNC server host:port.
Also OpenStack (Nova) integrates noVNC and uses a similar out-of-band token based model to allow access with their nova-vncproxy.
Some links:
Ganeti Web Manager
Wiki page about how noVNC works in Ganeti Web Manager
Ganeti Web Manager sources
Ganeti Web Manager VNCAuthProxy sources
Using noVNC in Nova/OpenStack
OpenStack fork of noVNC
Old nova-vnc-proxy code
Current nova vnc proxy code
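The out-of-band model the answer describes (Ganeti's temporary password, Nova's token) boils down to one small piece of state: the authenticated web app registers a short-lived, single-use token bound to one host:port, and the WebSocket proxy resolves the token on connect instead of ever accepting a target from the browser. The sketch below is an added example, not noVNC, websockify, Ganeti or Nova code; the LAN, port range and the `TargetRegistry` / `is_allowed_target` names are assumptions chosen here.

```python
import ipaddress
import secrets
import time

# Constructed policy: the VNC servers live on the private LAN from the
# question, one port per virtual server; nothing else may be proxied.
ALLOWED_NET = ipaddress.ip_network("10.0.0.0/24")
ALLOWED_PORTS = range(4001, 4011)

def is_allowed_target(host, port):
    """Allow-list check applied when a target is registered, never trusting
    a host:port supplied by the browser side."""
    try:
        return ipaddress.ip_address(host) in ALLOWED_NET and port in ALLOWED_PORTS
    except ValueError:  # not an IP literal
        return False

class TargetRegistry:
    """Maps short-lived, single-use tokens to one VNC host:port each."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._tokens = {}

    def issue(self, user, host, port, now=None):
        """Out-of-band step: the authenticated web app chooses the target for
        this user and receives a token to hand to the noVNC page."""
        if not is_allowed_target(host, port):
            raise ValueError(f"target {host}:{port} is not an allowed VNC server")
        token = secrets.token_urlsafe(24)
        expires = (time.time() if now is None else now) + self.ttl
        self._tokens[token] = (user, host, port, expires)
        return token

    def resolve(self, token, now=None):
        """Proxy-side step on WebSocket connect: (host, port) for a valid
        token, None otherwise. The token is consumed either way, so neither
        a replay nor an expired token can open a second stream."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        _user, host, port, expires = entry
        if (time.time() if now is None else now) > expires:
            return None
        return host, port
```

In a real deployment the registry lives in the proxy process (or a shared store) and `issue` is only reachable through the authenticated management interface, which is the point the answer makes about keeping that interface internal.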