Master/slave IoT Edge topology problem (certificates and configuration)

Problem description (votes: 0, answers: 1)

I am trying to configure a pair of master/slave IoT Edge nodes running on two Raspberry Pis with Debian 11 armhf (32-bit), but I cannot get it to work because of a certificate problem (that much is certain) and possibly also a configuration problem (which is what I need to confirm).

What I have done so far on the master node is:

  • Set the master's hostname to iot-edge-gateway.local in /etc/hostname and updated /etc/hosts so that this name resolves to the node's static IP address (on the local network).
  • Configured IoT Edge with iotedge config mp --connection-string 'CONNECTION STRING'. When I run this command I get a warning saying that this configuration is not valid for a gateway, but I assume that is normal, since some additional fields need to be added to the configuration file.
  • Created the certificates with certGen.sh:
./certGen.sh create_root_and_intermediate
./certGen.sh create_edge_device_identity_certificate "my-edge-device-1"
./certGen.sh create_edge_device_ca_certificate "root"
  • Moved all the files to the right locations (/var/aziot/certs and /var/aziot/secrets) and set the permissions.
  • Updated /etc/aziot/config.toml to add the missing properties:
auto_reprovisioning_mode = "OnErrorOnly"
prefer_module_identity_cache = false

trust_bundle_cert = "file:///var/aziot/certs/azure-iot-test-only.root.ca.cert.pem"

[edge_ca]
cert = "file:///var/aziot/certs/iot-edge-device-ca-root.cert.pem"

pk = "file:///var/aziot/secrets/iot-edge-device-identity-my-edge-device-1.key.pem"

[provisioning]
source = "manual"
connection_string = "HostName=XXXX;DeviceId=my-edge-device-1;SharedAccessKey=XXXX"

[aziot_keys]

[preloaded_keys]

[cert_issuance]

[preloaded_certs]

[tpm]

[agent]
name = "edgeAgent"
type = "docker"
imagePullPolicy = "on-create"

[agent.config]
image = "mcr.microsoft.com/azureiotedge-agent:1.5"

[agent.config.createOptions]

[agent.env]

[connect]
workload_uri = "unix:///var/run/iotedge/workload.sock"
management_uri = "unix:///var/run/iotedge/mgmt.sock"

[listen]
workload_uri = "fd://aziot-edged.workload.socket"
management_uri = "fd://aziot-edged.mgmt.socket"

[watchdog]
max_retries = "infinite"

[moby_runtime]
uri = "unix:///var/run/docker.sock"
network = "azure-iot-edge"
  • Restarted the whole system (including recreating the containers) with:
iotedge system stop && docker rm -f $(docker ps -aq -f "label=net.azure-devices.edge.owner=Microsoft.Azure.Devices.Edge.Agent") && iotedge config apply

With this, both edgeHub and edgeAgent start correctly, as shown here:

CONTAINER ID   IMAGE                                      COMMAND                   CREATED          STATUS          PORTS                                                                                                                                   NAMES
9cc2e76a01c4   mcr.microsoft.com/azureiotedge-hub:1.5     "/bin/sh -c 'echo \"$…"   17 minutes ago   Up 17 minutes   0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:5671->5671/tcp, :::5671->5671/tcp, 0.0.0.0:8883->8883/tcp, :::8883->8883/tcp, 1883/tcp   edgeHub
83c870270863   mcr.microsoft.com/azureiotedge-agent:1.5   "/bin/sh -c 'exec /a…"    17 minutes ago   Up 17 minutes                                                                                                                                           edgeAgent

On the slave side, what I did was extend the connection string to include the GatewayHostName property, and also add the parent_hostname property. As a result I get this:

auto_reprovisioning_mode = "OnErrorOnly"
prefer_module_identity_cache = false

parent_hostname = "iot-edge-gateway.local"

[provisioning]
source = "manual"
connection_string = "HostName=YYYY;DeviceId=my-edge-device-2;SharedAccessKey=YYYY;GatewayHostName=iot-edge-gateway.local"

[aziot_keys]

[preloaded_keys]

[cert_issuance]

[preloaded_certs]

[tpm]

[agent]
name = "edgeAgent"
type = "docker"
imagePullPolicy = "on-create"

[agent.config]
image = "mcr.microsoft.com/azureiotedge-agent:1.5"

[agent.config.createOptions]

[agent.env]

[connect]
workload_uri = "unix:///var/run/iotedge/workload.sock"
management_uri = "unix:///var/run/iotedge/mgmt.sock"

[listen]
workload_uri = "fd://aziot-edged.workload.socket"
management_uri = "fd://aziot-edged.mgmt.socket"

[watchdog]
max_retries = "infinite"

[moby_runtime]
uri = "unix:///var/run/docker.sock"
network = "azure-iot-edge"

Obviously, I added an entry in /etc/hosts to make sure that hostname can be resolved. At this point I confirmed that the slave is trying to talk to the master, and this is where I found the certificate problem.

What I did (these are the steps documented in the portal, one by one) was:

  • Copy the CA certificate to the slave's default CA location:
sudo cp azure-iot-test-only.root.ca.cert.pem /usr/local/share/ca-certificates/azure-iot-test-only.root.ca.cert.pem.crt
sudo update-ca-certificates

1 certificate was added, as expected.

However, although the slave does try to establish a connection with the master (if you do not include the parent_hostname property in /etc/aziot/config.toml it bypasses the master, even if you extend the connection string and include GatewayHostName), which I confirmed with tcpdump, there is a problem with the signature.

The way to test whether the certificate is valid is also documented:

openssl s_client -connect iot-edge-gateway.local:8883 -CAfile ./azure-iot-test-only.root.ca.cert.pem -showcerts

The output is here:

CONNECTED(00000003)
depth=1 CN = root.ca
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = iot-edge-gateway.local
verify error:num=7:certificate signature failure
verify return:1
depth=0 CN = iot-edge-gateway.local
verify return:1
---
Certificate chain
 0 s:CN = iot-edge-gateway.local
   i:CN = root.ca
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:CN = root.ca
   i:CN = Azure_IoT_Hub_Intermediate_Cert_Test_Only
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = iot-edge-gateway.local

issuer=CN = root.ca

---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2826 bytes and written 424 bytes
Verification error: certificate signature failure
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 7 (certificate signature failure)
---

As you can see, there is a problem with the signature. My questions are:

  • Have I configured the master and the slave correctly so that they work together?
  • Is there a problem with the CA name used in ./certGen.sh create_edge_device_ca_certificate "root"? I do not know whether any name can be used, or whether that name has to be referenced in some configuration file.

What I do not understand is why it fails, given that I have followed the documentation step by step.

Regards

azure azure-iot-edge
1 answer (0 votes)

The problem you are running into is that the slave device cannot verify the signature of the device certificate, because the issuer is the intermediate CA, not the root CA.

The client has to be able to verify the full chain back to a trusted root. You added the root CA, but not the intermediate CA.

To fix this, you should import the intermediate's public certificate on the slave device.

You can also append the intermediate certificate to the device certificate, which allows chained cryptographic verification back to the root CA. Just append the contents of the intermediate PEM to the end of the device PEM. As long as the client can see that the root CA you imported signed the intermediate, and that the intermediate signed the device, this will pass X.509 verification.
