EdgeX509AuthDownstreamDevice sample gives error "Authentication failed because the platform does not support ephemeral keys" #7388

Open
scout208 opened this issue Oct 29, 2024 · 11 comments
@scout208

scout208 commented Oct 29, 2024

I'm trying to run the EdgeX509AuthDownstreamDevice but when I do I get this error output:

Image

This is the contents of my launchSettings.json file:

{
    "profiles": {
        "EdgeDownstreamDeviceX509": {
            "commandName": "Project",
            "environmentVariables": {
                "IOTHUB_HOSTNAME": "iotc-6319eecd-e8ee-46b9-98fd-704c79d7a6bb.azure-devices.net",
                "IOTEDGE_GATEWAY_HOSTNAME": "VM1-EFLOW",
                "DEVICE_ID": "vm1leaf",
                "DEVICE_IDENTITY_X509_CERTIFICATE_PEM_PATH": "C:\\Users\\Admin\\wrkdir\\certs\\iot-device-vm1leaf.cert.pem",
                "DEVICE_IDENTITY_X509_CERTIFICATE_KEY_PEM_PATH": "C:\\Users\\Admin\\wrkdir\\private\\iot-device-vm1leaf.key.pem",
                "IOTEDGE_TRUSTED_CA_CERTIFICATE_PEM_PATH": "C:\\Users\\Admin\\wrkdir\\certs\\azure-iot-test-only.root.ca.cert.pem",
                "MESSAGE_COUNT": "10",
                "DEVICE_CLIENT_PROTOCOL": "Mqtt"
            }
        }
    }
}

How do I resolve this error?

@nyanzebra
Contributor

@scout208 would you mind trying to run openssl s_client -connect with device certificates to see if you can reach with those. It appears there is likely something wrong with certs being used for the tls connection so let's confirm those are correct. Would you mind providing what instructions you followed for creating the test certificates?

@scout208
Author

@nyanzebra I created the test certificates using the instructions on this page here: https://learn.microsoft.com/en-us/azure/iot-edge/how-to-create-test-certificates?view=iotedge-1.5&tabs=windows#create-downstream-device-certificates

When I run openssl s_client -connect VM1-EFLOW:8883 -CAfile "C:\Users\Admin\wrkdir\certs\iot-device-vm1leaf-full-chain.cert.pem" -showcerts this is the output. It appears to be ok to me:

Image

I did notice that if I don't run it with the full-chain certificate it gives an error, so I changed my launchSettings.json to use the full-chain instead, but I still get the same output when I run the program.

Output of openssl s_client -connect VM1-EFLOW:8883 -CAfile "C:\Users\Admin\wrkdir\certs\iot-device-vm1leaf.cert.pem" -showcerts

Image

My new launchSettings.json

{
    "profiles": {
        "EdgeDownstreamDeviceX509": {
            "commandName": "Project",
            "environmentVariables": {
                "IOTHUB_HOSTNAME": "iotc-6319eecd-e8ee-46b9-98fd-704c79d7a6bb.azure-devices.net",
                "IOTEDGE_GATEWAY_HOSTNAME": "VM1-EFLOW",
                "DEVICE_ID": "vm1leaf",
                "DEVICE_IDENTITY_X509_CERTIFICATE_PEM_PATH": "C:\\Users\\Admin\\wrkdir\\certs\\iot-device-vm1leaf-full-chain.cert.pem",
                "DEVICE_IDENTITY_X509_CERTIFICATE_KEY_PEM_PATH": "C:\\Users\\Admin\\wrkdir\\private\\iot-device-vm1leaf.key.pem",
                "IOTEDGE_TRUSTED_CA_CERTIFICATE_PEM_PATH": "C:\\Users\\Admin\\wrkdir\\certs\\azure-iot-test-only.root.ca.cert.pem",
                "MESSAGE_COUNT": "10",
                "DEVICE_CLIENT_PROTOCOL": "Mqtt"
            }
        }
    }
}

Same output from dotnet run:

Image

@jlian
Member

jlian commented Nov 7, 2024

I see in the comments of this sample

// Reading the private key to see if the import was successful. On Windows it fails sometimes,
// the root cause is unknown.

Any chance you could try this for Linux?

@jlian
Member

jlian commented Nov 12, 2024

@scout208 any updates?

@scout208
Author

@jlian Sorry I haven't had time to test it on Linux yet. Ultimately if it only works on Linux that won't work for me as I need my client to be running Windows.

@jlian
Member

jlian commented Nov 14, 2024

@jlian
Member

jlian commented Nov 21, 2024

@scout208 any updates

@scout208
Author

@jlian I did decide to try it on Linux to see if it worked. I'm now getting this error:

Image

And the same error actually happens on Windows after trying to convert the .pem to a .pfx like you suggested.

Image

It seems there's some problem with how I'm using the certificate but I can't figure it out.

@jlian
Member

jlian commented Nov 26, 2024

Ok so we're at least past the ephemeral key issue that seems to be solved with the .pfx conversion. It looks like the connection is rejected by IoT Edge because your child device isn't authorized.

Are you following a tutorial on this? Did you register the device identities? https://learn.microsoft.com/en-us/azure/iot-edge/how-to-authenticate-downstream-device?view=iotedge-1.5
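The two failure points discussed in this thread (the ephemeral-key error that the .pfx conversion works around, and the sample's "read the private key back to confirm the import" check) in one place. This is an added example, not the EdgeX509AuthDownstreamDevice sample's own code; it assumes the test certificates are RSA and reuses the environment variable names from the launchSettings.json above.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class DeviceCertLoader
{
    // Returns a certificate whose private key lives in a key container, which is what
    // SslStream/SChannel on Windows requires for TLS client authentication.
    public static X509Certificate2 LoadForTls(string certPemPath, string keyPemPath)
    {
        // CreateFromPemFile pairs the first certificate in the file with the key. On
        // Windows the resulting key is ephemeral (not stored in a CNG key container),
        // and TLS client auth then fails with "Authentication failed because the
        // platform does not support ephemeral keys".
        using X509Certificate2 pemCert = X509Certificate2.CreateFromPemFile(certPemPath, keyPemPath);

        // Round-tripping through PKCS#12 re-imports the key into a key container; this
        // is the in-process equivalent of converting the .pem files to a .pfx first.
        // (On .NET 9+ X509CertificateLoader.LoadPkcs12 replaces this constructor.)
        byte[] pfx = pemCert.Export(X509ContentType.Pfx);
        var tlsCert = new X509Certificate2(pfx, (string?)null, X509KeyStorageFlags.Exportable);

        // Same sanity check the sample performs: read the key back after import.
        using RSA? rsa = tlsCert.GetRSAPrivateKey(); // null if the key is not RSA or missing
        if (!tlsCert.HasPrivateKey || rsa == null)
            throw new CryptographicException("Private key was not imported with the certificate.");
        return tlsCert;
    }

    // Offline check that the device cert chains to the test root, with the
    // intermediates from the full-chain file supplied explicitly (as the thread found
    // was necessary). The test CA publishes no CRL, so revocation is not checked.
    public static bool ChainsToRoot(X509Certificate2 leaf, string rootCaPemPath, string fullChainPemPath)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.ImportFromPemFile(rootCaPemPath);
        chain.ChainPolicy.ExtraStore.ImportFromPemFile(fullChainPemPath);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(leaf);
    }

    static void Main()
    {
        string Env(string n) => Environment.GetEnvironmentVariable(n) ?? throw new Exception(n + " not set");
        using X509Certificate2 cert = LoadForTls(Env("DEVICE_IDENTITY_X509_CERTIFICATE_PEM_PATH"),
                                                 Env("DEVICE_IDENTITY_X509_CERTIFICATE_KEY_PEM_PATH"));
        // FULL_CHAIN_PEM_PATH is a hypothetical variable added for this check only.
        bool ok = ChainsToRoot(cert, Env("IOTEDGE_TRUSTED_CA_CERTIFICATE_PEM_PATH"), Env("FULL_CHAIN_PEM_PATH"));
        Console.WriteLine($"Key in container: {cert.HasPrivateKey}, chains to root: {ok}");
    }
}
```

A `false` from ChainsToRoot with a passing openssl s_client run usually means the intermediate (the edge CA) is missing from what the device presents, not that the leaf itself is bad.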

@scout208
Author

scout208 commented Dec 2, 2024

@jlian Yes, I followed the tutorials starting here https://learn.microsoft.com/en-us/azure/iot-edge/how-to-create-transparent-gateway?view=iotedge-1.5&tabs=eflow. I think the issue is my devices are in Azure IoT Central. I tried following the tutorial with a device created in IoT Hub and it worked. Do you know if anyone has tried following this sample using IoT Central?

@nyanzebra
Contributor

@jlian & @scout208 I just tried with our test certs https://learn.microsoft.com/en-us/azure/iot-edge/how-to-create-test-certificates?view=iotedge-1.5&tabs=linux#create-edge-ca-certificates which for provisioning work fine, but for this, where certs are checked (more than just thumbprint verification), they don't work. Will try with some manual certs in a bit and see if I can get this working.
