iotedgedev
Add ability to easily set up leaf node devices via the tool, with certs and provisioning taken care of.
For what it's worth, my team would benefit from this feature. Are there any updates to where this feature stands on your project roadmap?
@jackt-moran We have a tool iotedgehubdev which has the ability to create certs for an IoT Edge transparent gateway. You can use the generated certs to configure your IoT Edge device as a transparent gateway and connect your leaf device to it. Just pip install -U iotedgehubdev and then run iotedgehubdev generatedeviceca in your working folder.
In the meantime, can you share the problems you met when setting up/connecting leaf devices to an IoT Edge transparent gateway?
@blackchoey sorry for the delay.
I haven't had any problems actually. I've been reading through your documentation because it seems like the perfect dev environment tool, minus the fact that I haven't seen support to create leaf devices with it. If this is indeed a feature then it would be great if you point me to the associated docs.
To elaborate, our solution has a transparent gateway and a single leaf device, and the leaf device runs on a separate machine. It would be great if your tool allowed for the easy initialization of the leaf device just as it allows for easy initialization of the IoT Edge device.
@jackt-moran Thanks for the information. iotedgedev hasn't provided a leaf device related feature yet. You can use the iotedgehubdev tool mentioned above to create certs for IoT Edge transparent gateway and leaf device initialization. It's easy to generate the certs used for initialization:
- Run iotedgehubdev generatedeviceca in your working folder to generate certs:
  - Device CA certificate: iot-edge-device-ca-chain.cert.pem
  - Device CA private key: iot-edge-device-ca.key.pem
  - Root CA: azure-iot-test-only.root.ca.cert.pem
- Use the 3 certs generated above to set up your IoT Edge transparent gateway.
- Use the root CA generated above to connect your leaf device to your IoT Edge transparent gateway.
Hope this can help you set up your IoT Edge transparent gateway and leaf device quickly.
@blackchoey I am trying to write a script to set up a dev environment, which uses the iotedgedev container and its corresponding toolset. Overall the tool is working well, however I am trying to bootstrap leaf devices as a part of my wrapper script and getting the transparent gateway SSL authentication to work is proving to be a puzzle.
FYI, I have set up transparent gateways in production so understanding how it works in general is not my problem.
Here is what I'm doing at a high level:
- iotedgedev build then iotedgedev start to get the dev containers started up (this works fine, I can share all of my CLI args if needed but I don't think there is a problem with this step).
- Copy the Device CA Cert from /var/lib/iotedgehubdev/certs/edge-device-ca/cert/edge-device-ca-root.cert.pem to my leaf device so it has the CA's root.
- Build and run my leaf device container on the azure-iot-edge-dev network, with the root from the above step set as a trusted CA, the "GatewayHostname" parameter of the connection string set to "edgehubdev", and explicitly using the trusted CA when connecting.
Step 3 does not succeed, and there is no obvious reason why this should be the case. The main error message that the Python azure-iot-device SDK outputs is:
azure.iot.device.common.transport_exceptions.TlsExchangeAuthError: TlsExchangeAuthError(None) caused by SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'edgehubdev'. (_ssl.c:1091)")
In production the code works just fine so I'm confident the Python SDK isn't the problem. I could still be missing something though, right? However, I also tried this on my leaf device, which conflicts with that thought:
openssl s_client -connect edgehubdev:8883 -CAfile /usr/local/share/ca-certificates/edge-device-ca.cert.pem -showcerts
and this command succeeds without issue (I can share the output if needed).
I also inspected /etc/iotedgehubdev/edgeHub.json and noticed the property gatewayhostname. This is simply the container ID of the iotedgedev container. This was promising, and something I hadn't tried, so I tried running my leaf device on the default bridge network (where iotedgedev runs by default) and connecting through the gatewayhostname value in edgeHub.json. This did not work - neither my Python code nor the basic openssl test worked - so this does not seem to be the way.
Is what I'm trying to do even possible, or is what I'm trying to do specifically what this feature is meant to cover? If it is the latter, then I want to reiterate this is a must have feature. Without it there is currently no way to develop leaf device code in an inner dev loop - sure I can set up some staging devices but that is a much longer loop and not really acceptable for development purposes.
If what I'm trying to do is possible, but I'm just missing something, adding a little documentation explaining how iotedgedev sets up certificates and correspondingly how one could connect a leaf device in this environment would be very helpful, since the dev tool doesn't seem to follow the patterns a production edge device would (e.g. there is no /etc/iotedge/config.yml). If it is possible, here is the information I need:
- What do I need to set the GatewayHostname parameter to in my leaf device's connection string?
- What docker network does my leaf device container need to be on?
- Which certificate should I use as the root CA of the device CA?
- Am I correct that iotedgedev sets up its own certificates, so there is no need to use iotedgehubdev generatedeviceca for my use case?
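Added example, not code from the iotedgedev or iotedgehubdev projects and not a description of how either tool generates its certificates. It covers both the root CA / device CA / gateway chain that @blackchoey describes above and the hostname mismatch reported in the comment just above: it builds a throwaway root CA, an intermediate device CA and a gateway server certificate with openssl, then runs the two checks a TLS client performs separately, chain trust against the root alone, and chain trust plus a match against the hostname that was dialled. The container-ID-like subject name and the edgehubdev hostname are assumed values for illustration. Worth knowing when reproducing with openssl s_client: it validates the chain against -CAfile but does not check the hostname unless -verify_hostname is also passed, so a clean s_client run and a CERTIFICATE_VERIFY_FAILED "Hostname mismatch" from an SDK's TLS stack are consistent with each other; the last helper prints the DNS names a certificate is actually valid for, which is what GatewayHostname has to match.

```shell
#!/bin/sh
# Added example, not code from iotedgedev or iotedgehubdev.
# Builds root CA -> device CA -> gateway cert with openssl, then separates the
# two checks a TLS client performs: is the chain trusted, and does the cert
# name the host that was dialled? GATEWAY_CN and LEAF_TARGET are assumed values.
set -eu

WORK="$(mktemp -d)"
GATEWAY_CN="abc123containerid"   # assumed: the name the gateway cert was issued for
LEAF_TARGET="edgehubdev"         # assumed: the hostname the leaf device connects to

# Issue one certificate: fresh key + CSR, signed by the given CA with the given
# extensions. With an empty CA the CSR is self-signed (used for the root).
issue_cert() {
  name="$1"; subj="$2"; ext="$3"; ca_cert="$4"; ca_key="$5"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf '%b' "$ext" > "$WORK/$name.ext"
  if [ -z "$ca_cert" ]; then
    openssl x509 -req -sha256 -days 1 -in "$WORK/$name.csr" \
      -signkey "$WORK/$name.key" -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -sha256 -days 1 -in "$WORK/$name.csr" \
      -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
  fi
}

# Root CA, device (intermediate) CA, and the gateway server cert.
# The gateway cert carries only GATEWAY_CN in its SAN, nothing for LEAF_TARGET.
make_chain() {
  issue_cert root "/CN=Test Root CA" \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' "" ""
  issue_cert deviceca "/CN=Test Device CA" \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    "$WORK/root.pem" "$WORK/root.key"
  issue_cert gw "/CN=$GATEWAY_CN" \
    "subjectAltName=DNS:$GATEWAY_CN\nextendedKeyUsage=serverAuth\n" \
    "$WORK/deviceca.pem" "$WORK/deviceca.key"
}

# Chain trust only: root as anchor, device CA supplied as an untrusted
# intermediate (as a server would send it). This is all that
# "openssl s_client -CAfile root.pem" checks by default.
verify_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/deviceca.pem" \
       "$WORK/gw.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Chain trust plus hostname check against the name the client dialled,
# which is what an SDK's TLS stack does on connect.
verify_as_host() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/deviceca.pem" \
       -verify_hostname "$1" "$WORK/gw.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# DNS names a certificate is valid for: the set GatewayHostname must fall into.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//'
}

make_chain
echo "chain trusted via root:       $(verify_chain)"
echo "valid for $GATEWAY_CN:  $(verify_as_host "$GATEWAY_CN")"
echo "valid for $LEAF_TARGET:         $(verify_as_host "$LEAF_TARGET")"
echo "DNS names in gateway cert:    $(cert_dns_names "$WORK/gw.pem")"
```

Requires openssl on PATH (1.0.2 or later for -verify_hostname). To apply the same check to a real gateway, save the certificate s_client prints with -showcerts and run cert_dns_names on it; if the name you put in GatewayHostname is not in that list, no choice of docker network or trust store will make the SDK accept the connection.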
@jackt-moran thanks for your question. We have added it to our backlog and will get back to you as soon as we have updates to share.
@marianan thank you.