I am trying to send telemetry messages to Azure IoT Hub using the npm mqtt library, instead of using Azure Nodejs SDK/Library.
I am using X509 certificate authentication. The device connection is working fine when I use azure Nodejs SDK/Library and I am able to send telemetry messages.
When trying to use the MQTT library, it is saying unauthorized.
const mqtt = require("mqtt");
const fs = require('fs');
let options = {
cert: fs.readFileSync("device-cert.pem", "utf-8").toString(),
key: fs.readFileSync("device-cert.key", "utf-8").toString(),
passphrase: '1234',
clientId: "device-003",
username: "ih-iot-sample-001.azure-devices.net/device-003/?api-version=2021-04-12",
}
let client = mqtt.connect(
"mqtts://ih-iot-sample-001.azure-devices.net:8883",
options
);
client.on("connect", function () {
console.log("connected");
});
client.on("error", (err) => {
console.log(err);
process.exit(0)
});
Error :
Connection refused: Not authorized
The clientid and the deviceId in the username were wrong. That's why I got this error
Related
I have a service A and B. I am running up keycloak service in the same container with service A.
So, configs for service A are the following:
[app]
PageSize = 10
JwtSecret = 233
PrefixUrl = http://127.0.0.1:8000
[sso]
Host = http://127.0.0.1:8080
AdminLogin = some_admin
AdminPassword = some_password
Realm = master
ClientID = my_client
ClientSecret = XXX
I set up a middleware that validates JWT (gotten by keycloak) in service A and it successfully works out.
I run service B in another container with this config:
[app]
PageSize = 10
JwtSecret = 233
PrefixUrl = http://127.0.0.1:8002
[sso]
Host = http://172.18.0.1:8080
AdminLogin = some_admin
AdminPassword = some_password
Realm = master
ClientID = my_client
ClientSecret = XXX
You have noticed that I couldn't use 127.0.0.1 in B's config because it cannot dial this address (because keycloak is running with A in the same container).
I use the same JWT in the request header for service B. After that it goes to keycloak and gets:
{
"code": "ERROR_AUTH_CHECK_TOKEN_FAIL",
"context": {
"code": 401,
"message": "401 Unauthorized: invalid_token: Token verification failed",
"type": "unknown"
}
}
Am I right that keycloak detects the proxing somehow and the error is thrown because of that?
Should I use separate clients for keycloak for both services? And if it is so, how do I verify JWT gotten from service A in the B service?
I solved my problem. Ticket that I got from A had the issuer host http://127.0.0.1:8080 and B sent a header with the host http://172.18.0.1:8080 that failed token validation. Briefly, these hosts must be the same
I am trying to instantiate a PaymentIntent on the server-side (using Go) just like this example but met with this error Request failed with error: Post "https://api.stripe.com/v1/payment_intents": x509: certificate signed by unknown authority. I have made sure to assign the test secret key like below, but the error still persists. Does it have something to do with SSL certificate? I am testing my app locally using Docker (localhost).
My code:
import (
"github.com/stripe/stripe-go"
"github.com/stripe/stripe-go/paymentintent"
)
func CreateStripePaymentIntent(subtotal float32) (string, error) {
// Create a PaymentIntent with amount and currency
stripe.Key = os.Getenv("STRIPE_SECRET_KEY")
fmt.Println(stripe.Key)
params := &stripe.PaymentIntentParams{
Amount: stripe.Int64(int64(subtotal)),
Currency: stripe.String(string(stripe.CurrencyUSD)),
}
pi, err := paymentintent.New(params)
if err != nil {
return "", fmt.Errorf("pi.New: %v", err) // =======> ERROR HERE WHEN CALLING STRIPE API
}
return pi.ClientSecret, nil
}
Since I run the server using scratch Docker image, there is no SSL certificate to use. Just need to copy the certs from first stage (Mine is a multi-staged build) COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
I have created an RSA certification using a generated private/public key using this library-
https://github.com/cbaker6/CertificateSigningRequest
thanks to this library I now have a certificate in a PEM string format.
now I want to create an ssl socket that can use this certificate to connect to a remote server that requires an ssl connection.
so for example this is a pseudo code in node.js:
let options = {
key : this.certs.key,
cert: this.certs.cert,
port: this.port,
host : this.host,
rejectUnauthorized: false,
}
console.debug("Start Connect");
this.client = tls.connect(options, () => {
console.debug(this.host + " connected")
});
where the key and the cert are both a PEM string
I tried BlueSSLService lib, but they only support connecting with cert files, no strings.
I am creating an asp.net core web app and within Visual studio I don't have any issue on below code while I am trying to fetch azure key vault using managed identity.
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((context, config) =>
{
config.AddAzureKeyVault(new AzureKeyVaultConfigurationOptions
{
Vault = "https://testvaultXYZ.vault.azure.net/",
Client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback)),
});
})
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.UseStartup<Startup>();
});
Now I make this application to run in docker/container now when I am running this application in local container I am getting below error for above code,
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: 'Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxxx. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxx. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxx. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxxxx. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory
I understand that user is different while running in docker container. What's the solution here?
I saw some solution to get access token using below command,
$Env:ACCESS_TOKEN=(az account get-access-token --resource=https://testvaultXYZ.vault.azure.net | ConvertFrom-Json).accessToken
but here also getting error like,
Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://testvaultXYZ.vault.azure.net was not found in the tenant named XXXXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
It should be: az account get-access-token --resource=https://vault.azure.net. Then you get the access token you can use :) This is working for me.
To use the workaround with get-access-token:
be sure that you're signed in to azure cli, just run the command az account get-access-token ... in terminal and check whether you're able to get the token; do you use correct tenant and subscription?
save the result to environment variable in terminal session
pass this variable to docker run --env KVTOKEN=$Env ... command as an environment variable
don't forget to read this variable in application and pass it to KeyVaultClient constructor:
var token = Environment.GetEnvironmentVariable("KVTOKEN");
KeyVaultClient kvclient = string.IsNullOrEmpty(token) ? new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback)) : new KeyVaultClient((authority, resource, scope) => token);
Having node https setup
const server = require('https').createServer(
{
key: fs.readFileSync('ssl/some.key'),
cert: fs.readFileSync('ssl/some.crt')
}, handler);
iOS app performs good with xcode debug, but misses connectivity when app distributed via .ipa file.
Node https setup must include intermediate CA certificate (provided by Certificate Authority):
const server = require('https').createServer(
{
// this line is required.
ca: fs.readFileSync('ssl/intermediate.crt'),
key: fs.readFileSync('ssl/some.key'),
cert: fs.readFileSync('ssl/some.crt')
}, handler);