我正在尝试使用Azure IoT Hub迁移现有解决方案,以使用Azure IoT Hub设备配置服务(DPS(。
设备使用X.509自签名证书进行自我身份验证。
出于测试目的,我可以使用生成证书
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
- 公用名设置为
mything1
- 所有其他字段为空
然后我可以使用将这些文件合并为一个文件
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
选择password
作为密码。
然后我有3个文件。
certificate.p12
同时包含证书和私钥- 包含证书的
certificate.pem
- 包含私钥的
key.pem
然后我可以使用直接在物联网集线器中注册此设备
string ThingId = "mything1";
// Register device directly in IoT hub.
{
var certificate = new X509Certificate2(File.ReadAllBytes("certificate.pem"));
string thumb1 = certificate.Thumbprint;
using (var hasher = SHA256.Create())
{
using (var registryManager = RegistryManager.CreateFromConnectionString(iotHubConnectionString))
{
await registryManager.AddDeviceAsync(new Device(ThingId)
{
Authentication = new AuthenticationMechanism()
{
X509Thumbprint = new X509Thumbprint()
{
PrimaryThumbprint = thumb1,
SecondaryThumbprint = thumb1,
}
},
});
}
}
}
然后,在设备注册后,我可以使用证书作为设备身份验证,作为设备连接到IoT集线器。
// Vertifying that certificate is ok etc
// by connecting to an IoT Hub
{
var auth = new DeviceAuthenticationWithX509Certificate(ThingId, new X509Certificate2(File.ReadAllBytes("certificate.p12"), "password"));
var client = DeviceClient.Create(iotHubHostname, auth,
new ITransportSettings[] { new AmqpTransportSettings(Microsoft.Azure.Devices.Client.TransportType.Amqp_WebSocket_Only) });
// Report a value just to make sure it works.
TwinCollection props = new TwinCollection();
props["Hello"] = "World";
await client.UpdateReportedPropertiesAsync(props, new CancellationTokenSource(1000 * 30).Token);
}
这是有效的,也是我今天的解决方案。现在尝试做同样的事情,但使用DPS。
首先为设备创建一个单独的注册:
// Create an individual enrollment for device
using (var provisioningServiceClient =
ProvisioningServiceClient.CreateFromConnectionString(provisioningServiceConnectionString))
{
var attestation = X509Attestation.CreateFromClientCertificates(new X509Certificate2(File.ReadAllBytes("certificate.pem")));
IndividualEnrollment individualEnrollment =
new IndividualEnrollment(
ThingId,
attestation);
IndividualEnrollment individualEnrollmentResult =
await provisioningServiceClient.CreateOrUpdateIndividualEnrollmentAsync(individualEnrollment);
}
然后在创建注册后,我应该能够将自己作为一个设备。
string globalDeviceEndpoint = "global.azure-devices-provisioning.net";
using (var security = new SecurityProviderX509Certificate(new X509Certificate2(File.ReadAllBytes("certificate.p12"), "password")))
{
ProvisioningDeviceClient provClient = ProvisioningDeviceClient.Create(globalDeviceEndpoint,
s_idScope,
security,
new ProvisioningTransportHandlerHttp());
DeviceRegistrationResult result = await provClient.RegisterAsync(); // Throws exception
Console.WriteLine($"ProvisioningClient AssignedHub: {result.AssignedHub}; DeviceId: {result.DeviceId}");
}
但这引发了一个未经授权的异常:
Unhandled exception. Microsoft.Azure.Devices.Provisioning.Client.ProvisioningTransportException: {"errorCode":401002,"trackingId":"f7ec27c8-dbad-4600-8b47-f46aaa0160de","message":"Unauthorized","timestampUtc":"2021-05-20T14:09:00.8491407Z"}
---> Microsoft.Rest.HttpOperationException: Operation returned an invalid status code 'Unauthorized'
at Microsoft.Azure.Devices.Provisioning.Client.Transport.RuntimeRegistration.RegisterDeviceWithHttpMessagesAsync(String registrationId, String idScope, DeviceRegistration deviceRegistration, Nullable`1 forceRegistration, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at Microsoft.Azure.Devices.Provisioning.Client.Transport.RuntimeRegistrationExtensions.RegisterDeviceAsync(IRuntimeRegistration operations, String registrationId, String idScope, DeviceRegistration deviceRegistration, Nullable`1 forceRegistration, CancellationToken cancellationToken)
at Microsoft.Azure.Devices.Provisioning.Client.Transport.ProvisioningTransportHandlerHttp.RegisterAsync(ProvisioningTransportRegisterMessage message, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
at Microsoft.Azure.Devices.Provisioning.Client.Transport.ProvisioningTransportHandlerHttp.RegisterAsync(ProvisioningTransportRegisterMessage message, CancellationToken cancellationToken)
at DPSWorkShop.Program.Main(String[] args) in C:WorkEluxDPSWorkShopDPSWorkShopProgram.cs:line 91
at DPSWorkShop.Program.<Main>(String[] args)
我在这里做错了什么?
编辑:正如Rajeev在这里回答的那样:https://stackoverflow.com/a/67641996/6877590问题是基本的约束条件:CA:true。
为了解决这个问题(用于测试(
- 编辑文件
/usr/lib/ssl/openssl.cnf
- 查找
[ v3_ca ]
- 将CA:true更改为CA:false
设备提供的叶证书不应包含"CA"基本约束。参见RFC 5280。这就是DPS抛出"未授权"异常的原因。