Lua SSL certificate and Azure Iot hub - ssl

I am trying to connect my NodeMCU ESP-12N to Azure IoT hub.
I have created a client with code like this:
esp8266 = mqtt.Client(DEVICE, 240, USER, PASSWD)
and I receive an error on calling esp8266:connect:
PANIC: unprotected error in call to Lua API (init.lua:127: ssl not available)
When I previously connected my Arduino, it was important to flash the Wi-Fi module with the SSL certificate. However, I can't do it with NodeMCU (or, more accurately, I don't know how).
I can get certificates with:
openssl s_client -showcerts -connect ArduinoDemoHub.azure-devices.net:8883
When I add (thank you @MarcelStör for the hint; I previously tried net.cert.verify)
tls.cert.verify([[
-----BEGIN CERTIFICATE-----
MIIGsTCCBJmgADJKJFdWgAIQF5Koy/50vI3cQAAAAhAXjANBgkqhkiG9w0BAQsF
......
lz3ZDUcyzRgG6TRtA3SjASEUlJMt3f7xuI2nNpt8p5gy9pXuRw==
-----END CERTIFICATE-----
]])
tls.cert.verify(true)
I've received another error:
Error Connecting: -5
UPDATE:
There is another similar topic, and I have set the time, but still without result.
UPDATE 2:
Here are some links that I am trying to use:
Use Azure IoT Hub without client libraries (MQTT)
Sending Device-to-Cloud (D2C) Messages
sankarcheppali's GitHub with samples
Here is the official link:
Communicate with your IoT hub using the MQTT protocol
which says:
To use the MQTT protocol directly, your client must connect over
TLS/SSL. Attempts to skip this will fail with connection errors.
This link also provides a username that is different from the old code samples:
{iothubhostname}/{device_id}/api-version=2016-11-14

TLS/SSL by default is disabled in the firmware build configuration. CLIENT_SSL_ENABLE in user_config.h must be uncommented before compiling/building the firmware.
The easiest way is to use the cloud builder at https://nodemcu-build.com (by yours truly) and check the TLS checkbox.
Also, all TLS/SSL related functions in the net module (you use net.cert.verify) were extracted into the tls module a while ago. Unless there are convincing arguments for not using a current firmware build, I suggest you try the dev branch. When you enable "TLS/SSL support" in the builder you get the tls module automatically.
UPDATE: There is a nice article about Azure IoT hub and certificates: Certificate between IoT hub and devices connection

I have created a SAS with the help of Device Explorer, which looks like:
SharedAccessSignature sr={your hub name}.azure-devices.net%2Fdevices%2FMyDevice01%2Fapi-version%3D2016-11-14&sig=vSgHBMUG.....Ntg%3d&se=1456481802
This value is set as the PASSWD variable. I have changed the USER variable to:
USER = "MyAzureIoTHub.azure-devices.net/MyDeviceID/api-version=2016-11-14"
And I have set tls.cert.verify to false:
tls.cert.verify(false)
Works now :)

You can refer to the following two libraries to connect NodeMCU ESP-12N to Azure IoT hub; both can be found in the Library Manager:
AzureIoTHubMQTTClient
AzureIoTProtocol_MQTT
After installation, you can refer to the samples.

How to configure certificates for Grafana MQTT plugin to connect to HiveMQ cloud broker

I'm running Grafana 9.3.6 installed via apt-get on Ubuntu 20.04.5
I have a HiveMQ cloud broker I'm trying to connect to.
Previously I succeeded in connecting via the mosquitto command line tool and the mosquittopp C++ interface. These required me to provide a certificate or certificate path.
I used the .pem file provided by HiveMQ with the command line tool.
I provided the /etc/ssl/certs/ path for the C++ interface (the first option did not work out).
Now I'm trying to connect via the Grafana MQTT plugin. I installed it using
grafana-cli plugins install grafana-mqtt-datasource.
When trying to add it in the web gui, I get the following error:
error connecting to MQTT broker: network Error : EOF
I can see some messages going back and forth in Wireshark so I assume the problem is with the certificates.
I tried editing the grafana.ini file without success. It's not completely clear which file/path I should add where and what other options I need to set.
Edit: the grafana.ini file had nothing to do with this.
As @hardillb pointed out, I had to pay attention to the URL scheme. After putting tls:// in front of the broker URL as described in grafana-mqtt-datasource, everything worked.

Could anyone connect Cloud SQL with cloud sql proxy pod

I'm trying to setup a very basic wordpress setup as explained in this document: https://cloud.google.com/kubernetes-engine/docs/tutorials/persistent-disk
And cloud sql proxy is giving me certificate errors:
esonika@cloudshell:~ (esonika)$ k logs wordpress-8d7998ccd-xnfn9 -c cloudsql-proxy
2022/12/30 10:43:38 using credential file for authentication; email=cloudsql-proxy@esonika.iam.gserviceaccount.com
2022/12/30 10:43:38 Listening on 127.0.0.1:3306 for esonika:europe-west9:mysql-wordpress-instance
2022/12/30 10:43:38 Ready for new connections
2022/12/30 10:44:01 New connection for "esonika:europe-west9:mysql-wordpress-instance"
2022/12/30 10:44:02 couldn't connect to "esonika:europe-west9:mysql-wordpress-instance": x509: certificate is valid for 38-968d77ed-a928-4b25-97d3-5451b5f3c670.europe-west9.sql.goog, not esonika:mysql-wordpress-instance
I don't know why a certificate such as "38-968d77ed-a928-4b25-97d3-5451b5f3c670.europe-west9.sql.goog" is created and where.
Tried resetting ssl configurations and it didn't work.
Usually, if you don't explicitly set up an SSL connection on your Cloud SQL instance, the communication with the database is in plain text.
EXCEPT when you create a tunnel with Cloud SQL proxy. In that case, a secure connection is created, with encrypted data. The encryption is ensured by this automatically created, ephemeral certificate generated by the proxy.
Here is a doc which might help you in connecting to Cloud SQL from GKE using sidecar pods.
Thanks. The document doesn't list anything that I haven't tried. I think there is an internal issue with cloud_sql_proxy, which is why I decided to switch Cloud SQL to a private network only, and the wordpress pod is directly connecting to the Cloud SQL private IP.
I was running into the same issue around the time you posted this question. I also reset SSL configuration on the DB like you did. My solution was upgrading from the version 1.11 to 1.33.2. It resolved all of the x509 errors. No clue why it suddenly stopped working.

Connect to Azure IoT Hub using MQTT

I am trying to connect to an Azure IoT Hub directly using MQTT using this method:
https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-mqtt-support#using-the-mqtt-protocol-directly-as-a-device
I am using MQTT explorer for windows: https://mqtt-explorer.com/
I enter the following details. My IoTHub is called IoTHub and my device is called device, so as per the documentation:
Protocol: mqtt://
Host: iothub.azure-devices.net/?api-version=2018-06-3430
Port: 8883
Validate Cert: Off
Encryption: Off
Username: iothub.azure-devices.net/device/?api-version=2018-06-30
Password: SharedAccessSignature sr=iothub.azure-devices.net&sig=XXXXXXXXXXXXXXXXXXXredactedXXXXXXXXXXXXXXXXXXXX&se=1642603375&skn=iothubowner
No ports are blocked from my location. The connection fails and says disconnected from server.
If I try with TLS encryption it says not authorised.
How can I access the IoTHub using MQTT?
You're on the right track! One small detail is missing; in the docs:
Quote:
For the ClientId field, use the deviceId.
The client ID can be set using the advanced settings, as seen in the two screenshots below:
As for TLS Encryption, it's required. Switch it on and you should be able to connect.
Edit:
As you mentioned in the comment, the connection string was also wrong. You need the Shared Access Signature for a device. An easy way of generating one is by using the az cli. When you run the command below, you provide the connection string of your device (you can get it from the portal) and it will create the Shared Access Signature for you.
az iot hub generate-sas-token --connection-string "HostName=iot-Hub.azure-devices.net;DeviceId=deviceId;SharedAccessKey=foo"
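The two answers above (the Device Explorer SAS set as PASSWD in the first question, and the device-scoped token the az cli produces here) rely on the same construction: sig = base64(HMAC-SHA256(base64decode(key), urlencode(sr) + "\n" + se)). The following is an added example, not code from either answer; the hub name, device id and key are constructed sample values, and verify_sas_token / is_device_scoped are helper names chosen here to show how a defender can check a token's scope and expiry before it is used as an MQTT password.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed sample key; a real device key comes from the IoT Hub portal.
DEVICE_KEY_B64 = base64.b64encode(b"constructed-sample-device-key").decode()


def generate_sas_token(resource_uri, key_b64, expiry_epoch, key_name=None):
    """sig = base64(HMAC-SHA256(base64decode(key), urlencode(sr) + newline + se)).
    Device token: sr = "{hub}/devices/{deviceId}", no skn.
    Hub-level token: sr = "{hub}", skn = policy name (e.g. iothubowner)."""
    encoded_uri = quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign, hashlib.sha256).digest()
    signature = quote(base64.b64encode(digest).decode(), safe="")
    token = f"SharedAccessSignature sr={encoded_uri}&sig={signature}&se={expiry_epoch}"
    return token + (f"&skn={key_name}" if key_name else "")


def parse_sas_token(token):
    """Split a token into its fields; values are URL-decoded ('+' is kept)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SharedAccessSignature token")
    fields = dict(part.partition("=")[::2] for part in token[len(prefix):].split("&"))
    return {"sr": unquote(fields["sr"]), "sig": unquote(fields["sig"]),
            "se": int(fields["se"]), "skn": fields.get("skn")}


def verify_sas_token(token, key_b64, now_epoch):
    """Recompute the signature with the known key and reject expired tokens."""
    f = parse_sas_token(token)
    regenerated = generate_sas_token(f["sr"], key_b64, f["se"], f["skn"])
    expected_sig = parse_sas_token(regenerated)["sig"]
    return hmac.compare_digest(expected_sig, f["sig"]) and now_epoch < f["se"]


def is_device_scoped(token):
    """A device must present sr = hub/devices/<id> with no skn; a hub-level
    policy token (skn=iothubowner, as in the question above) is not a device SAS."""
    f = parse_sas_token(token)
    return "/devices/" in f["sr"] and f["skn"] is None


def mqtt_username(hub_host, device_id, api_version="2018-06-30"):
    """CONNECT username; the client id must separately be set to the device id."""
    return f"{hub_host}/{device_id}/?api-version={api_version}"
```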

How can SSL be turned on on SIM868E?

We are using the SIM868E module for connection via GSM, with internal communication over UART.
We need the SIM868E module to communicate with an HTTPS server (using SSL); however, after sending the commands AT+HTTPSSL=?, AT+HTTPSSL=1 or AT+CIPSSL=? the SIM868E module responds:
+CME Error: unknown
(with CMEE level 2).
The specs note that SSL/TLS are supported by this module: (https://simcom.ee/modules/gsm-gprs-gnss/sim868e/).
The firmware on the chip (requested using AT+CGMR) is Revision:1418B02SIM868E32_BLE_EAT.
How can we fix this problem?
According to the 2019 SIMCom products catalogue, it seems that for the SIM868E device there is no support for the TLS feature (TLS is the standard name for the SSL protocol).
Just in case the link becomes unreachable, I attach a screenshot of the relevant page of the document:
As you can see, the TLS dot is "empty".
Nevertheless, I have to say that SIMCom documents are sometimes contradictory and confusing: in fact, the SIM868E flyer claims that the SSL SW feature is supported, but in the SIM800 series AT command manual there's no mention of SSL AT commands.
I will update in case I find any new piece of information about it.
I would honestly avoid trying strange things like flashing the SW of another module. It would be like searching for trouble. And in your case you would lose your positioning capabilities (GPS/GNSS).
Talking about your issue in particular, you'll probably have to compile an SSL library on your host processor (for SSL handshake and data encryption) using the TCP/HTTP commands of your device to transport data to the server. It's not a simple job.

Connect to on premises DB2 server using Bluemix secure gateway and TLS

I have been trying to connect my Node.js Public Bluemix app to a DB2 server which is behind a firewall using the secure gateway service of Bluemix. When I try that by just using TCP everything works fine. I am now trying to use the TLS:Mutual Auth option and I can't make it work.
I followed this tutorial (https://developer.ibm.com/bluemix/2015/04/17/securing-destinations-tls-bluemix-secure-gateway/) and the tunnel seems to be created (I can see that at logs of the gateway client) but no data is coming through.
In the object Options which is a parameter of tls.connect, if I set rejectUnauthorized: true then I get "UNABLE_TO_GET_ISSUER_CERT" while I am using the generated certificates of the destination. If I set rejectUnauthorized: false, then it seems to work and the connection opens but nothing comes through, it just hangs. In both cases, I am using the same code that works when TLS is not set up and is based on the ibm_db node driver for DB2.
Does anyone have experience with this? I have been struggling with it for some days now and any help would be much appreciated.
After some discussion, we determined that part of the problem was explicitly stating a piece of the cert chain in the CA, causing the UNABLE_TO_GET_ISSUER_CERT error to be emitted. This can be resolved by either adding the full chain to the CA or not explicitly adding anything to the CA (as the cert is publicly signed).
An underlying issue that was identified is that the ibm_db node driver for DB2 does not appear to work as expected for TLS connections.