Azure IoT Hub MQTT failure - ssl

I'm attempting to connect a Quectel BG96 cellular modem to Azure IoT Hub using MQTT directly (no SDK), but keep getting disconnected immediately after attempting to connect.
I've tested:
Connecting to my IoT Hub using a python paho MQTT script.
Connecting from my cellular modem to a Mosquitto server using SSL encryption and username and password.
Both of which work.
When I try to connect to IoT Hub I can open the connection, but when I try to connect to the MQTT server I immediately get disconnected.
Are there any caveats when using MQTT with IoT Hub? Also, is there an easy way to get access to the connection logs in IoT Hub?

I had the same problem here with the BG96 and Azure IoT Hub.
My solution with this modem is to force the MQTT version to "v4", according to the AT MQTT manual. Try using AT+QMTCFG="version",<yourtcpconnectionid>,4, then open the connection and authenticate.
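The following is an added example, not code from the question or the answer above: it builds the BG96 AT command sequence for an MQTT-over-TLS connection to IoT Hub with the MQTT version forced to 3.1.1 as the answer recommends, and decodes the +QMTOPEN / +QMTCONN result lines so that a rejected CONNECT shows its CONNACK reason instead of looking like an unexplained disconnect. The command names, parameter order and the SSL context / TCP connection IDs are assumptions taken from the Quectel BG96 SSL and MQTT application notes and should be checked against the manual revision for your firmware; the hub name, device ID and CA file path are placeholders.

```python
# Added example (not from the original post): BG96 AT script for IoT Hub MQTT
# plus a decoder for the modem's result URCs.
import re
from typing import Dict, List, Optional

# CONNACK return codes from MQTT 3.1.1 (section 3.2.2.3).  Assumption: the
# BG96 passes the broker's code through unchanged as the third field of
# +QMTCONN, as the Quectel MQTT application note describes.
CONNACK_CODES = {
    0: "connection accepted",
    1: 'unacceptable protocol version (force 3.1.1 with AT+QMTCFG="version",<id>,4)',
    2: "identifier rejected (ClientId must equal the deviceId)",
    3: "server unavailable",
    4: "bad user name or password (check SAS token and username format)",
    5: "not authorized",
}


def bg96_connect_script(hub: str, device_id: str, sas_token: str,
                        ca_path: str = "cacert.pem", conn_id: int = 0,
                        ssl_ctx: int = 2) -> List[str]:
    """Return the AT commands to send, in order.  Command names and parameter
    order follow the Quectel BG96 application notes (assumption)."""
    username = f"{hub}/{device_id}/?api-version=2018-06-30"
    return [
        # TLS context: CA certificate for chain validation, and verify the
        # server certificate (seclevel 1) so the hub cannot be impersonated.
        f'AT+QSSLCFG="cacert",{ssl_ctx},"{ca_path}"',
        f'AT+QSSLCFG="seclevel",{ssl_ctx},1',
        # Force MQTT 3.1.1 (vsn=4), the version IoT Hub documents support.
        f'AT+QMTCFG="version",{conn_id},4',
        # Bind the MQTT client to the TLS context configured above.
        f'AT+QMTCFG="ssl",{conn_id},1,{ssl_ctx}',
        f'AT+QMTOPEN={conn_id},"{hub}",8883',
        # ClientId is the deviceId; username is <hub>/<deviceId>/?api-version=...
        f'AT+QMTCONN={conn_id},"{device_id}","{username}","{sas_token}"',
    ]


_URC = re.compile(r"^\+(QMTOPEN|QMTCONN):\s*(\d+)(?:,(-?\d+))?(?:,(\d+))?$")


def explain_urc(line: str) -> Optional[Dict[str, object]]:
    """Decode a +QMTOPEN or +QMTCONN result line into a verdict; None for
    anything else (OK, ERROR, other URCs)."""
    m = _URC.match(line.strip())
    if not m:
        return None
    urc, conn_id = m.group(1), int(m.group(2))
    result = int(m.group(3)) if m.group(3) is not None else None
    ret = int(m.group(4)) if m.group(4) is not None else None
    if urc == "QMTOPEN":
        ok = result == 0
        reason = ("network/TLS connection opened" if ok
                  else f"open failed, result={result} (see the QMTOPEN result table)")
    elif result != 0:
        # The CONNECT packet never got a CONNACK; nothing about auth is known yet.
        ok, reason = False, f"CONNECT not acknowledged, result={result}"
    else:
        ok = ret == 0
        reason = CONNACK_CODES.get(ret, f"unknown CONNACK code {ret}")
    return {"urc": urc, "conn_id": conn_id, "ok": ok, "reason": reason}


if __name__ == "__main__":
    # Placeholder names; the token would come from a SAS generator.
    for cmd in bg96_connect_script("myhub.azure-devices.net", "dev1",
                                   "SharedAccessSignature sr=...&sig=...&se=..."):
        print(cmd)
    for line in ("+QMTOPEN: 0,0", "+QMTCONN: 0,0,1", "+QMTCONN: 0,0,0"):
        print(line, "->", explain_urc(line))
```

Reading the +QMTCONN line is the practical check here: a third field of 1 means the broker refused the protocol version, which is exactly the symptom the version setting fixes, while 4 or 5 point at the username or token rather than the modem.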

Related

Directly connect to Azure IoT Edge via MQTT as transparent gateway to Azure IoT Central

I am trying to set up Azure IoT Edge as a transparent gateway to which I want to connect directly via MQTT (without any IoT SDKs).
###---Short Version---###
I want to connect directly to IoT Edge via MQTT, like this, to IoT Hub. What are the host, username and password for a connection via symmetric keys to connect to the IoT Edge gateway?
###---Long Version---###
The communication should work like this: Device (MQTT) -> Azure IoT Edge -> Azure IoT Central.
I started with provisioning the device to Azure IoT Central and was able to connect there directly. I used a .NET sample to provision the devices on Azure IoT Central and get the IoT Hub name. Then I created the SAS token to connect directly with an MQTT client to Azure IoT Central (assigned IoT Hub).
I used the following credentials:
"ClientID": "plc2"
"Host": "mqtts://iotc-x-x-x-x-x.azure-devices.net"
"Port": "8883"
"Username": "iotc-x-x-x-x-x.azure-devices.net/plc2/?api-version=2021-04-12"
"Password": "SharedAccessSignature sr=iotc-x-x-x-x-x.azure-devices.net%2Fdevices%2Fplc2&sig=P......D&se=1652037456"
I created the SAS token following this documentation for MQTT direct device connection: SAS Token structure
As resourceUri for creating the SAS token I used the following: "iotc-x-x-x-x-x.azure-devices.net.azure-devices.net/devices/plc2"
For testing I used MQTTX windows client with the Azure Baltimore Root CA Certificate and the credentials explained and everything was fine.
The problem
Now I want the communication to run via Azure IoT Edge as a transparent gateway. I followed the following documentation from Microsoft:
Created the demo certificates from Microsoft
Configured "config.toml" -> set the hostname to: iotedge-prod1
Provisioned the device in Azure IoT Central -> Set its gateway to the Edge device
Used a sample Manifest file for edge where the ports are open and upstream is allowed
On my Windows PC, created a hosts file entry with "192.168.0.100 iotedge-prod1"
Ping is ok for the new hostname of the edge device
Generated a .PKCS12 certificate from the .PEM certificate for the Windows machine
But now I cannot connect via my MQTT client -> it says username or password wrong
My big question
What does the MQTT connection data to the Edge device look like? I think I have not yet understood the structure with Edge Hub. I tried many combinations of credentials but I didn't get it.
"ClientID": "plc2" --> Should be ok
"Host": "mqtts://iotedge-prod1" --> In my opinion the IP address is important, right?
"Port": "8883" --> Same like before for TLS
"Username": "iotedge-prod1.iotc-x-x-x-x-x.azure-devices.net/plc2/?api-version=2021-04-12" or just "iotedge-prod1/plc2/?api-version=2021-04-12" --> What must the username be like?
"Password": "SharedAccessSignature sr=iotc...." --> Same thing for the password. Which information is necessary in the SAS token? Is the resourceUri for creation "iotedge-prod1.myHub.azure-devices.net/devices/plc2" or just "iotedge-prod1/devices/plc2" or anything different?
I hope I have explained my problem in a halfway understandable way.
Additional information:
Edge-config_toml.jpg
Edge-IoTCentral.jpg
Edge-Manifest (MS Docs)
The username and password in the case of a direct connection to IoT Central or via IoT Edge as a transparent gateway will be the same. This is because IoT Edge will pass the token through to IoT Hub for attestation.
The only change required will be the Host, which should be mqtts://hostname or IP.
Ensure that in the MQTTX client the certificate is selected as Self signed and provide the path of the Test Root CA; there is no need for a client cert and key. The parent of the device also needs to be correctly set in IoT Central.
e.g. the deviceId here is mqttclient and the iotedge gateway is raspi###
Check the edgeHub log with "iotedge logs -f edgeHub" to see if you are getting a connection attempt from the MQTTX client.
One possible problem was also that the certificate hierarchy was not OK. If Azure IoT Edge is installed, some certificates are installed. After using the demo certificates from Azure, the hierarchy should be mainly the same as in the documentation from Microsoft, starting with "Azure ... Test Only".
Demo Azure Certificate Hierarchy

Connect to Azure IoT Hub using MQTT

I am trying to connect to an Azure IoT Hub directly using MQTT, using this method:
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-mqtt-support#using-the-mqtt-protocol-directly-as-a-device
I am using MQTT explorer for windows: https://mqtt-explorer.com/
I enter the following details. My IoT Hub is called IoTHub and my device is called device, so as per the documentation:
Protocol: mqtt://
Host: iothub.azure-devices.net/?api-version=2018-06-3430
Port: 8883
Validate Cert: Off
Encryption: Off
Username: iothub.azure-devices.net/device/?api-version=2018-06-30
Password: SharedAccessSignature sr=iothub.azure-devices.net&sig=XXXXXXXXXXXXXXXXXXXredactedXXXXXXXXXXXXXXXXXXXX&se=1642603375&skn=iothubowner
No ports are blocked from my location. The connection fails and says disconnected from server.
If I try with TLS encryption it says not authorised.
How can I access the IoTHub using MQTT?
You're on the right track! One small detail is missing. In the docs:
Quote:
For the ClientId field, use the deviceId.
The client ID can be set using the advanced settings, as seen in the two screenshots below:
As for TLS Encryption, it's required. Switch it on and you should be able to connect.
Edit:
As you mentioned in the comment, the connection string was also wrong. You need the Shared Access Signature for a device. An easy way of generating one is by using the az CLI. When you run the command below, you provide the connection string of your device (you can get it from the portal) and it will create the Shared Access Signature for you.
az iot hub generate-sas-token --connection-string "HostName=iot-Hub.azure-devices.net;DeviceId=deviceId;SharedAccessKey=foo"
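The following is an added example, not code from any of the posts above. It does in plain Python what the az command does, following the "SAS token structure" documentation referenced in the transparent-gateway question: build a device-scoped token (sr = <hub>/devices/<deviceId>, signed with the device's own symmetric key), assemble the MQTT CONNECT parameters IoT Hub expects (ClientId = deviceId, TLS on 8883, username = <hub>/<deviceId>/?api-version=...), and verify a token offline so the mistakes in this question (hub-scoped sr, no ClientId) are caught before connecting. It also carries the point from the gateway answer that only the host changes when going through IoT Edge. The hub name, device IDs, keys and timestamps are constructed sample values.

```python
# Added example (not from the original posts): device SAS token generation,
# MQTT connect parameters for IoT Hub, and an offline token check.
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed sample keys (base64, like the device keys shown in the portal).
SAMPLE_DEVICE_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()
SAMPLE_WRONG_KEY = base64.b64encode(b"fedcba9876543210fedcba9876543210").decode()


def generate_device_sas_token(hub: str, device_id: str, device_key_b64: str,
                              ttl_seconds: int = 3600,
                              now: Optional[int] = None) -> str:
    """Device-scoped token: sr is <hub>/devices/<deviceId> (URL-encoded),
    signature is HMAC-SHA256 over "<encoded sr>\n<expiry>" with the device key."""
    expiry = int(now if now is not None else time.time()) + ttl_seconds
    encoded_uri = quote(f"{hub}/devices/{device_id}", safe="")   # '/' -> %2F
    to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    key = base64.b64decode(device_key_b64)
    sig = base64.b64encode(hmac.new(key, to_sign, hashlib.sha256).digest()).decode()
    return f"SharedAccessSignature sr={encoded_uri}&sig={quote(sig, safe='')}&se={expiry}"


def mqtt_connect_params(hub: str, device_id: str, device_key_b64: str,
                        gateway_host: Optional[str] = None,
                        api_version: str = "2021-04-12", **token_kw) -> Dict[str, object]:
    """Everything the MQTT client needs.  Through an IoT Edge transparent
    gateway only the host changes; username and token still name the hub,
    because edgeHub forwards the token to IoT Hub for validation."""
    return {
        "host": gateway_host or hub,
        "port": 8883,                    # TLS is mandatory; plain 1883 is refused
        "client_id": device_id,          # must equal the deviceId
        "username": f"{hub}/{device_id}/?api-version={api_version}",
        "password": generate_device_sas_token(hub, device_id, device_key_b64, **token_kw),
    }


def parse_sas_token(token: str) -> Dict[str, str]:
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature")
    return dict(part.split("=", 1) for part in token[len(prefix):].split("&"))


def verify_device_sas_token(token: str, hub: str, device_id: str,
                            device_key_b64: str,
                            now: Optional[int] = None) -> Tuple[bool, str]:
    """Offline check mirroring what the hub does for a device: sr must be the
    device resource, the token must be unexpired, and the HMAC must match."""
    try:
        f = parse_sas_token(token)
    except ValueError as e:
        return False, str(e)
    expected_uri = f"{hub}/devices/{device_id}"
    if unquote(f.get("sr", "")) != expected_uri:
        return False, f"sr must be {expected_uri}"
    expiry = int(f.get("se", "0"))
    if expiry <= int(now if now is not None else time.time()):
        return False, "token expired"
    to_sign = f"{f['sr']}\n{expiry}".encode("utf-8")
    expected_sig = base64.b64encode(
        hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(unquote(f.get("sig", "")), expected_sig):
        return False, "signature mismatch (wrong key?)"
    return True, "ok"


if __name__ == "__main__":
    params = mqtt_connect_params("myhub.azure-devices.net", "plc2", SAMPLE_DEVICE_KEY,
                                 gateway_host="iotedge-prod1")
    for k, v in params.items():
        print(f"{k}: {v}")
    print(verify_device_sas_token(params["password"], "myhub.azure-devices.net",
                                  "plc2", SAMPLE_DEVICE_KEY))
```

Running verify_device_sas_token on the token from this question fails at the sr check: "sr=iothub.azure-devices.net" is the hub-level resource of the iothubowner policy, not "iothub.azure-devices.net/devices/device", which is why the hub answered "not authorised" once TLS was on.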

How do I make VPN connection working from Azure VM?

I have created a Virtual Network Connection.
I have created a Connection for Site-to-Site (IPsec) which connects to VMware NSX.
The connection status is "Connecting" (also the connection from the VMware NSX side).
I have a VM in a subnet. The VNet is the same as the one with the Gateway Subnet.
I try to ping or RDP to a VM on the VMware side, but I do not have a connection.
Did I understand correctly that I should automatically have a connection from all subnets in the VNet?
Is no routing needed between the Gateway Subnet and the others?
Is there any way to troubleshoot whether the ping passed the Azure VPN?
https://vzerotohero.com/2017/03/step-by-step-deploy-vmware-nsx-with-microsoft-azure-ipsec-vpn-site-to-site/
If the VPN connection is set up well, the connection status should be "Connected". Please follow the step by step in the article, especially the notes:
NSX VPN as of now only supports the Policy-Based VPN type.
PFS: Disable Perfect Forward Secrecy since it's not supported with Azure static policy-based VPN.

I want to use the same SSL certificate on multiple devices (ESP8266) for an MQTT connection, am I able to do that?

I am new to this, but I am using AWS IoT Core with an ESP8266. So, here I am connecting the ESP8266 to an MQTT broker which is on the AWS cloud and sending data to it. Which means my ESP8266 is a client which is connected to a broker, AWS IoT Core.
So, my main question is that when I connect a single ESP8266 to AWS IoT Core I need some certificates like CA, certificate and private key etc. These files provide a secure TLS connection of the ESP8266 with the AWS IoT Core MQTT broker. But now I want to connect 2x ESP8266 to the same MQTT broker with the same topic, but most essentially with the same TLS certificates that I generated earlier for ESP8266 (1). So is it possible to use those same certificates to provide a secure TLS connection to both ESP8266 at the same time?
I need an answer to that in a described manner. Do help me out here.
For reference, I used this project to connect my ESP8266 with AWS IoT Core through MQTT:
https://electronicsinnovation.com/how-to-connect-nodemcu-esp8266-with-aws-iot-core-using-arduino-ide-mqtt/
No, client certificates are used to uniquely identify each connecting client.
You need to use a separate certificate per device.

Azure IoT Hub Java SDK, connecting X.509 Devices multiplexed over single AMQP Connection

I have auto-provisioned a bunch of IoT devices via Azure IoT DPS. The devices are registered at my IoT hub. All devices use X.509 certificate authentication.
What I now want to do is to send messages to the devices. All certificates are available and I can connect with the DeviceClient to the device at the hub. This is the method of the Azure IoT Java SDK I am using:
public static DeviceClient createFromSecurityProvider(String uri, String deviceId, SecurityProvider securityProvider, IotHubClientProtocol protocol) throws URISyntaxException, IOException
It takes SecurityProviderX509Cert as parameter.
However, each DeviceClient has its own physical connection. What I want is to use AMQP multiplexing by using this constructor:
public DeviceClient(String connString, TransportClient transportClient) throws URISyntaxException
This doesn't work with X.509 devices. In the connection string I used the shared access key from my shared access policy on the hub, but got an exception:
Unauthorized: Device 'xxx' at IotHub 'yyy' does not have PrimaryKey or SecondaryKey
I assume that will only work if I register the device with symmetric keys. However, those devices cannot be enrolled automatically via Azure DPS. I can only enroll devices with X.509 or TPM.
So what is the trick to connect multiple X.509 devices over a single AMQPS connection?
It seems that Azure IoT Hub SDK for Java does not support multiplexing for X.509 devices.
You can post a request for this feature on GitHub (https://github.com/Azure/azure-iot-sdk-java/issues).