thin-edge.io
Improve certificate related error messages
In discussion with Didier following an error connecting to c8y, this error message was shown:
pi@raspberrypi:~ $ sudo tedge config set c8y.url qaenvironment.eu-latest.cumulocity.com
pi@raspberrypi:~ $ sudo tedge connect c8y
The system config file '/etc/tedge/system.toml' doesn't exist. Use '/bin/systemctl' as a service manager.
Checking if systemd is available.
Checking if configuration for requested bridge already exists.
Validating the bridge certificates.
Creating the device in Cumulocity cloud.
ERROR: Io(Custom { kind: InvalidData, error: AlertReceived(CertificateUnknown) })
Error: failed to connect Cumulocity cloud.
Caused by:
Connection check failed
pi@raspberrypi:~ $ tedge config list --all
device.id=ST22092022172148
device.type=thin-edge.io
device.key.path=/etc/tedge/device-certs/tedge-private-key.pem
device.cert.path=/etc/tedge/device-certs/tedge-certificate.pem
c8y.url=qaenvironment.eu-latest.cumulocity.com
c8y.root.cert.path=/etc/ssl/certs
c8y.smartrest.templates=[]
az.root.cert.path=/etc/ssl/certs
az.mapper.timestamp=true
mqtt.bind_address=127.0.0.1
mqtt.port=1883
tmp.path=/tmp
logs.path=/var/log
run.path=/run
az.url=
mqtt.external.port=
mqtt.external.bind_address=
mqtt.external.bind_interface=
mqtt.external.capath=
mqtt.external.certfile=
mqtt.external.keyfile=
software.plugin.default=
Because the error is certificate related and there are two points of interest concerning the certificate, device and cloud, the error message should be more specific.
Adding some precisions. The error message needs to be improved by telling explicitly which peer cannot be authenticated:
- Does the server reject the client certificate (device.cert.path=/etc/tedge/device-certs/tedge-certificate.pem)?
- Does the client reject the server certificate (c8y.root.cert.path=/etc/ssl/certs)?
To reproduce the issue (Cumulocity doesn't trust the device),
- don't upload the certificate to Cumulocity
- try tedge connect c8y.
To reproduce the issue (device doesn't trust Cumulocity),
- change c8y.root.cert.path=/etc/ssl/certs to some random directory
- try tedge connect c8y.
Let's focus on the two patterns of error and improve the error message output so that the user can recognize what the actual error is.
I think there are even more patterns in which tedge connect c8y gets certificate errors.
- If the certificate is not uploaded to Cumulocity,
[crates/core/tedge/src/cli/connect/c8y_direct_connection.rs:67] &err = Io(
    Custom {
        kind: InvalidData,
        error: AlertReceived(
            CertificateUnknown,
        ),
    },
)
- If no valid certificate is provided to device.key.path,
[crates/core/tedge/src/cli/connect/c8y_direct_connection.rs:67] &err = Io(
    Custom {
        kind: InvalidData,
        error: AlertReceived(
            HandshakeFailure,
        ),
    },
)
- If an invalid root certificate is provided to c8y.root.cert.path,
[crates/core/tedge/src/cli/connect/c8y_direct_connection.rs:67] &err = Tls(
    Io(
        Custom {
            kind: InvalidData,
            error: InvalidCertificateData(
                "invalid peer certificate: UnknownIssuer",
            ),
        },
    ),
)
I think there can be even more patterns, but the current way of error display is too rough. I will fix this part.
pub fn create_device_with_direct_connection(
    bridge_config: &BridgeConfig,
    device_type: &str,
) -> Result<(), ConnectError> {
    // skip many lines
        Err(err) => {
            eprintln!("ERROR: {:?}", err);
            return Err(ConnectError::ConnectionCheckError);
        }
}
Indeed, the priority is to improve the errors displayed by create_device_with_direct_connection.
Coming back with a better understanding of @rina23q 's comment.
The 3 identified error cases cover the large majority of errors experienced in practice:
- The device certificate is not trusted by Cumulocity
- The path points to a file that is not a valid certificate.
- The cloud end-point certificate is not trusted by the device.
So making these 3 cases explicit and keeping the generic error just in case will be already a nice improvement.
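One way to turn the three TLS failures quoted earlier in the thread into the three explicit cases listed above, with the generic fallback kept. This is an added illustration, not thin-edge's own code or the fix in #1589: TlsFailure, Alert, CertPaths and the message wording are assumptions standing in for the rustls / std::io error values and the tedge config keys.

```rust
use std::fmt;

/// Stand-in for the TLS errors quoted in the thread (a hypothetical simplification;
/// thin-edge itself sees rustls / std::io error values).
#[derive(Debug, PartialEq)]
pub enum TlsFailure {
    AlertReceived(Alert),           // the peer sent a TLS alert
    InvalidCertificateData(String), // we rejected the peer's certificate
    Other(String),                  // not certificate related
}
#[derive(Debug, PartialEq)]
pub enum Alert { CertificateUnknown, HandshakeFailure, Unexpected }
/// Hypothetical holder for the paths shown by `tedge config list --all`.
pub struct CertPaths { pub device_cert: String, pub device_key: String, pub root_cert: String }

/// One explicit variant per case identified in the thread, plus the generic fallback.
#[derive(Debug, PartialEq)]
pub enum ConnectError {
    DeviceCertNotTrusted { cert_path: String },
    DeviceCertInvalid { cert_path: String, key_path: String },
    CloudCertNotTrusted { root_cert_path: String },
    ConnectionCheckError(String),
}

impl fmt::Display for ConnectError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::DeviceCertNotTrusted { cert_path } => write!(f,
                "Cumulocity does not trust the device certificate {cert_path}: upload it to the tenant"),
            Self::DeviceCertInvalid { cert_path, key_path } => write!(f,
                "TLS handshake failed: check that {cert_path} and {key_path} are a valid certificate and key"),
            Self::CloudCertNotTrusted { root_cert_path } => write!(f,
                "the device does not trust the Cumulocity server certificate: no matching root CA under {root_cert_path}"),
            Self::ConnectionCheckError(detail) => write!(f, "Connection check failed: {detail}"),
        }
    }
}

/// Name the peer that refused the other, and the config key the user must fix.
pub fn classify(err: &TlsFailure, paths: &CertPaths) -> ConnectError {
    match err {
        TlsFailure::AlertReceived(Alert::CertificateUnknown) => // server rejected our cert
            ConnectError::DeviceCertNotTrusted { cert_path: paths.device_cert.clone() },
        TlsFailure::AlertReceived(Alert::HandshakeFailure) => // our cert/key unusable
            ConnectError::DeviceCertInvalid { cert_path: paths.device_cert.clone(), key_path: paths.device_key.clone() },
        TlsFailure::InvalidCertificateData(msg) if msg.contains("UnknownIssuer") => // we rejected server
            ConnectError::CloudCertNotTrusted { root_cert_path: paths.root_cert.clone() },
        other => ConnectError::ConnectionCheckError(format!("{other:?}")),
    }
}
```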
The error message has improved by #1589, and the build is https://github.com/thin-edge/thin-edge.io/actions/runs/3473197877
The state is ready for delivery, hence I would close the issue.