error connecting device to IoT Edge gateway - azure-iot-edge

While connecting to edge gateway from simulated device code, facing connection timeout with below exceptions:
'Microsoft.Azure.Devices.Client.Exceptions.IotHubClientException' in Microsoft.Azure.Devices.Client.dll
Exception thrown: 'Microsoft.Azure.Devices.Client.Exceptions.IotHubClientException' in mscorlib.dll
Exception thrown: 'System.AggregateException' in Microsoft.Azure.Devices.Client.dll
Exception thrown: 'System.AggregateException' in mscorlib.dll
'Microsoft.Azure.Devices.Client.Exceptions.IotHubClientException' in Microsoft.Azure.Devices.Client.dll
Exception thrown: 'Microsoft.Azure.Devices.Client.Exceptions.IotHubClientException' in mscorlib.dll
Exception thrown: 'Microsoft.Azure.Devices.Client.Exceptions.IotHubClientTransientException' in Microsoft.Azure.Devices.Client.dll
Exception thrown: 'Microsoft.Azure.Devices.Client.Exceptions.IotHubClientTransientException' in mscorlib.dll
Exception thrown: 'Microsoft.Azure.Devices.Client.Exceptions.IotHubClientTransientException' in Microsoft.Azure.Devices.Client.dll
I am adding the ConnectionString in the correct format and have also included the GatewayHostName configured per https://learn.microsoft.com/en-us/azure/iot-edge/how-to-create-transparent-gateway

The article Create an IoT Edge device that acts as a transparent gateway - preview does work fine. The key to make it work is to set the right certificates.
The following scenario is for when both the client and the edge are on the same machine.
Following that doc, I got the following cert files:
Please note I used New-CACertsEdgeDevice myEdgeDevice to create the device certificate.
Then run the following command to set up the edge runtime.
iotedgectl setup --connection-string HostName=jierong-iothub.azure-devices.net;DeviceId=jierong-iotedge-device1;SharedAccessKey=XXXXXXX --edge-hostname localhost --device-ca-cert-file myEdgeDevice-public.pem --device-ca-chain-cert-file myEdgeDevice-all.pem --device-ca-private-key-file myEdgeDevice-private.pem --owner-ca-cert-file RootCA.pem
Then run iotedgectl start to start the runtime, and run docker ps to check everything is good.
Remove all the certificates you installed and install the myEdgeDevice.pfx file directly by double-clicking it. After that, you can see the following certs in your cert manager:
Then construct your device connection string like the following if you are using localhost; don't use the machine name:
private const string DeviceConnectionString = "HostName=jierong-iothub.azure-devices.net;DeviceId=jierong-iothub-device;SharedAccessKey=XXXXXXXX;GatewayHostName=localhost";
I modified the app cloned from the following:
git clone https://github.com/Azure-Samples/iot-hub-dotnet-simulated-device-client-app.git
I can run the app successfully.
It is similar when the edge server and client are on two different Win 10 machines, but you should install the cert first, for example with the following code:
If it's still not working, do check whether you are running into any certificate validation issues; this is how it works:
The Edge runtime in the docker container will send the left one (device certificate) during the TLS handshake.
The client (Win 10 machine in this case) will have to validate this certificate; to validate it as trusted, it will have to look at the issuer of this certificate and go up the chain to see whether the issuer is in the Trusted Root CA store.
Please note that IoT Edge is still in Preview mode, so some things may not be fleshed out. If you still get some issues, I suggest you create a support ticket to do further troubleshooting.
Thanks,
Jie
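The two steps the answer above describes (get the gateway's root CA into the client's Trusted Root store, then connect with a connection string that carries GatewayHostName) as an added example; this is not code from the answer or from the Azure sample repository. It assumes the Microsoft.Azure.Devices.Client NuGet package, a Windows client, a RootCA.pem produced by the transparent-gateway certificate scripts in the current directory, and placeholder hub, device and key values that you replace with your own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Client;

// Added example (not from the original answer). The connection string values are placeholders.
class GatewayClientExample
{
    // GatewayHostName must match the --edge-hostname the runtime was set up with (here: localhost)
    // and the name on the certificate the edge presents, otherwise the TLS hostname check fails.
    const string DeviceConnectionString =
        "HostName=<your-hub>.azure-devices.net;DeviceId=<your-device>;SharedAccessKey=<key>;GatewayHostName=localhost";

    // Installs the gateway's root CA into the current user's Trusted Root store so the chain the
    // edgeHub container presents (device CA cert -> root CA) validates. Windows shows a confirmation
    // prompt the first time a root is added this way. Only do this for a CA you generated yourself.
    static void TrustGatewayRootCa(string rootCaPemPath)
    {
        var rootCa = new X509Certificate2(rootCaPemPath);  // PEM with a single certificate is accepted
        using var store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        // Skip the add if the same root is already present, so the program can be re-run safely.
        var existing = store.Certificates.Find(X509FindType.FindByThumbprint, rootCa.Thumbprint, validOnly: false);
        if (existing.Count == 0)
            store.Add(rootCa);
        Console.WriteLine($"Trusted root: {rootCa.Subject} ({rootCa.Thumbprint})");
    }

    static async Task Main()
    {
        TrustGatewayRootCa("RootCA.pem");

        // MQTT over TLS to the gateway (port 8883). The SDK validates the edge certificate against
        // the Windows trust stores, which now contain the root installed above.
        var client = DeviceClient.CreateFromConnectionString(DeviceConnectionString, TransportType.Mqtt);
        await client.OpenAsync();
        Console.WriteLine("Connected through the gateway");

        var payload = Encoding.UTF8.GetBytes("{\"temperature\": 21.5}");  // constructed sample telemetry
        await client.SendEventAsync(new Message(payload));
        Console.WriteLine("Telemetry sent");

        await client.CloseAsync();
    }
}
```

If OpenAsync still fails after the root is trusted, compare the GatewayHostName in the connection string with the subject or SAN of the certificate the gateway presents; a chain that validates but a name that does not match produces the same kind of transient exception as a missing root.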

Related

Error in Azure IoT Edge runtime - A module runtime error occurred

iotedge list command error
Hi,
On running the iotedge list command it is throwing "A module runtime error occurred". Is there something missing? It was working fine until yesterday.
If you are still blocked, you can check the below information.
There could be multiple reasons for the module runtime error on IoT Edge.
Was it working earlier and stopped suddenly? As Matthijs mentioned in the comments, collect complete logs to know more about the issue. Refer to Gather debug information with 'support-bundle' command.
Also, check the Azure IoT Edge security manager logs. The IoT Edge security manager is responsible for operations like initializing the IoT Edge system at startup and provisioning devices. If IoT Edge isn't starting, the security manager logs may provide useful information.
Make sure that the module is properly configured and all required environment variables are set.
If the issue still persists, you can try restarting the module or the entire IoT Edge device to see if that resolves the issue.
You can also check Solutions to common issues for Azure IoT Edge for the most common errors and solutions.

How to set up SSL certificates for containerized EventHubs message processors?

I've been writing an EventHubs message processor that just connects to EventHubs and processes messages on the EventHub. I've been developing in Visual Studio on Windows using .NET 6. Things work as expected on Windows; I can:
Connect to EventHubs
Receive messages
Do the message processing I want
Great. I then wanted to scale my message processor horizontally and decided that I would Dockerize it, and since .NET 6 runs on Linux, I would cross-compile it for Linux and eventually deploy multiple instances of my message processor on Docker Desktop as a next step. I eventually want to stick it on Kubernetes to scale up by an order of magnitude or two.
It was easy to Dockerize my Project in Visual Studio. I simply right-clicked the Project and selected Add -> Docker Support. Visual Studio detected I had Docker Desktop installed and generated all the config files I needed, and added an appropriate build configuration so that I could compile a binary, build a Docker image with it, and automatically deploy it to my local Docker Desktop instance.
.NET 6 also compiled without errors, which was great. However, when my container spins up, I get hit with the following runtime error:
System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
and there is a stack trace (omitted here for brevity) stemming from something in the EventHubs processor library:
<...many layers...> at Azure.Messaging.EventHubs.Primitives.EventProcessor-1.RunProcessingAsync(CancellationToken cancellationToken)
I am correctly passing my EventHubs connection string to my container, but what I surmise is that my container is missing an SSL certificate or has a misconfigured SSL certificate. I suppose Visual Studio has helpfully silently gone ahead and installed a development certificate when I developed my message processor on Windows so that EventHubs connections "just work" in my development environment, but that SSL certificate is not available to my container, since it isn't part of the build output.
I know I probably should be using Azure key vault or whatever secret management service they provide, but how else can I resolve this SSL certificate issue as quickly or painlessly as possible? It would be nice if I can just keep my connection string in my appsettings.json (It's fine. Toy project, only using Azure free credits anyway.)
The easiest way forward would be to register a handler that participates in certificate validation and can, if desired, override normal handling and force acceptance. This, of course, comes with the warning that you're bypassing standard security checks and may be putting your network and host in danger.
You don't mention which client you're using, but each takes a set of options in their constructor. The options for each type have a member named ConnectionOptions which returns an EventHubsConnectionOptions instance that allows you to register a CertificateValidationCallback.
The Event Hubs Influencing SSL certificate validation sample demonstrates how to use it. More information is also available in the .NET documentation for RemoteCertificateValidationCallback.
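The mechanism the answer points at, as an added example that is not the Azure SDK sample and not the asker's code: a CertificateValidationCallback registered through ConnectionOptions that, instead of forcing acceptance, logs the chain status behind the PartialChain error and retries validation against a CA bundle supplied to the container. It assumes the Azure.Messaging.EventHubs package on .NET 5 or later (X509ChainTrustMode.CustomRootTrust and ImportFromPemFile need that), and an EXTRA_CA_PEM environment variable naming the PEM file with the missing issuer(s); both the variable name and the use of EventHubConsumerClient rather than the processor are my choices.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Azure.Messaging.EventHubs.Consumer;

// Added example (not from the original question or the SDK samples).
static class EventHubsCertValidation
{
    // Placeholder: path to a PEM file holding the root (and any intermediates) the container lacks.
    static readonly string ExtraCaPath = Environment.GetEnvironmentVariable("EXTRA_CA_PEM");

    public static RemoteCertificateValidationCallback Callback => (sender, certificate, chain, errors) =>
    {
        // The runtime already validated the chain and the hostname: nothing to do.
        if (errors == SslPolicyErrors.None)
            return true;

        // Log the exact status flags (PartialChain, UntrustedRoot, ...) and the issuers seen,
        // so the missing certificate can be identified rather than the check being disabled.
        var statuses = chain?.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}")
                       ?? Enumerable.Empty<string>();
        Console.Error.WriteLine($"TLS validation failed ({errors}): {string.Join("; ", statuses)}");
        foreach (var element in chain?.ChainElements.Cast<X509ChainElement>() ?? Enumerable.Empty<X509ChainElement>())
            Console.Error.WriteLine($"  {element.Certificate.Subject}  issued by  {element.Certificate.Issuer}");

        // Only a pure chain problem is retried. A name mismatch or a missing certificate is
        // always rejected, and without an extra CA there is nothing to retry with.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || ExtraCaPath == null || certificate == null)
            return false;

        // Rebuild the chain anchored solely at the supplied CA bundle. Revocation is NoCheck here,
        // which matches SslStream's default; use Online if CRL/OCSP endpoints are reachable.
        using var rebuilt = new X509Chain();
        rebuilt.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        rebuilt.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        rebuilt.ChainPolicy.CustomTrustStore.ImportFromPemFile(ExtraCaPath);
        bool ok = rebuilt.Build(new X509Certificate2(certificate));
        if (!ok)
            Console.Error.WriteLine("Still invalid with extra CA: " +
                string.Join("; ", rebuilt.ChainStatus.Select(s => s.Status.ToString())));
        return ok;
    };

    // Wires the callback into the client options; the same ConnectionOptions member exists on
    // the producer and processor option types.
    public static EventHubConsumerClient CreateConsumer(string connectionString, string eventHubName)
    {
        var options = new EventHubConsumerClientOptions();
        options.ConnectionOptions.CertificateValidationCallback = Callback;
        return new EventHubConsumerClient(
            EventHubConsumerClient.DefaultConsumerGroupName, connectionString, eventHubName, options);
    }
}
```

The logged issuer names tell you which certificate the container's trust store is missing; once that CA is added to the image (or an inspecting proxy between the container and Event Hubs is removed), the callback's fast path is taken and the retry branch is never reached.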

Azure Hybrid Connection SSPI handshake failed

I have an instance of Azure Hybrid Connections running on a server where SQL Server is installed.
I hosted a WebApp on Azure, set up the hybrid connection and I'm consistently getting the same SSPI handshake error:
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The logon attempt failed [CLIENT: 1x.xx.xx.xxx]
As described here, I added the client's IP in the local security policy.
I also tried adding the DisableLoopbackCheck=1 in HKLM\System\CurrentControlSet\Control\LSA, but it didn't help either.
Do I have to fix it on a database level perhaps?
As per https://github.com/Huachao/azure-content/blob/master/articles/app-service-web/web-sites-hybrid-connection-connect-on-premises-sql-server.md
[AZURE.NOTE] To ensure that your application uses the database that you created in SQL Server Express, and not the one in Visual Studio's default LocalDB, it is important that you complete this step before running your project.
Edit the connectionStrings section to point to the SQL Server database on your local machine, following the syntax in the following example:
I added user credentials to my connection string in appsettings.json and it now works.

Error when trying to get token using Managed Service Identity in a multi-container azure web app service

We have the following scenario:
Current working setup
Web API project using a single DockerFile
A release pipeline with an 'Azure App Service deploy' task.
Proposed new setup
Web API project using multi container Docker Compose file
A release pipeline with an 'Azure Web App for Containers' task.
Upon deploying the new setup we receive the below error message:
ERROR - multi-container unit was not started successfully
Unhandled exception. System.AggregateException: One or more errors occurred.
(Parameters: Connection String: XXX, Resource: https://vault.azure.net, Authority:
https://login.windows.net/xxxxx. Exception Message:
Tried to get token using Managed Service Identity.
Access token could not be acquired. Connection refused)
The exception thrown is because it can't connect to Azure MSI (Managed Service Identity). It does this to obtain a token before connecting to key vault.
I have tried the following based upon some research and solutions others have found:
Connecting with "RunAs=App" (this seems to be the default parameter-less constructor anyway)
Building up the connection string myself manually by pulling the "MSI_SECRET" environment variable from the machine. This is always blank.
Restarting MSI.
Upgrading and downgrading AppAuthentication package
MSI appears to be configured correctly as it works perfectly with our current working setup so we can rule that out.
It's worth noting that this is System assigned identity not a user assigned one.
The documentation that states which services support managed identities only mentions 'Azure Container Instances', not 'Azure Managed Container Instances', and that is for Linux/Preview too, so it could be unsupported.
Services that support managed identities for Azure resources
We've spent a considerable amount of time getting to this point with the configuration and deployment and it would be great if we could resolve this last issue.
Any help appreciated.
Unfortunately, there currently is no multi-container support for managed identities. The multi-container feature is in preview and so does not have all its functionality working yet.
However, the documentation you linked to is also not as clear about the supported scenarios, so I am working on getting this documentation updated to better clarify this. I can update this answer once that's done.

Identity Server Host into IIS localhost and call from Client

Server Error in '/' Application.
IDX10803: Unable to create to obtain configuration from:
https://identityserver:444/identity/.well-known/openid-configuration'.
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.
Exception Details: System.InvalidOperationException: IDX10803: Unable
to create to obtain configuration from:
'https://identityserver:444/identity/.well-known/openid-configuration'.
All certificates are installed into the local machine using MMC.
The Identity Server application is hosted in IIS and called from a client application; that is when I face this issue.
Your port looks wrong in your authority. Please double-check your port; port 444 is for Simple Network Paging Protocol (SNPP).
In your API's authorization middleware, check whether the correct port is on the authority option.