TLS Azure IoT Service Root CA certificate migration in progress (Action needed)

[danewalton]

Please see the blog post here for details on why this is important:
https://techcommunity.microsoft.com/t5/internet-of-things/azure-iot-tls-critical-changes-are-almost-here-and-why-you/ba-p/2393169

[khilscher]

I see the G2 root cert was recently pushed in #1971. When are we planning a new SDK release/tag that we can point everyone to use, which includes the new G2 root?

[ericwolz]

I see the G2 root cert was recently pushed in #1971. When are we planning a new SDK release/tag that we can point everyone to use, which includes the new G2 root?

Yes, that will happen in 1-2 weeks

[coffeeaddict19]

Is the connection string in the validation section of the blog post supposed to work? It does not for me.

I receive an error when I run the iothub_ll_telemetry_sample and compile with the connection string in the blog post hard coded:
jlaird@AUTOSOL1195:~/azure-iot-sdk-c/cmake2/iothub_client/samples/iothub_ll_telemetry_sample$ ./iothub_ll_telemetry_sample

Creating IoTHub Device handle Sending message 1 to IoTHub Sending message 2 to IoTHub Sending message 3 to IoTHub Sending message 4 to IoTHub Sending message 5 to IoTHub

-> 13:56:38 CONNECT | VER: 4 | KEEPALIVE: 240 | FLAGS: 192 | USERNAME: g2cert.azure-devices.net/TestDevice1/?api-version=2020-09-30&DeviceClientType=iothubclient%2f1.7.0%20(native%3b%20Linux%3b%20x86_64) | PWD: XXXX | CLEAN: 0

<- 13:56:38 CONNACK | SESSION_PRESENT: false | RETURN_CODE: 0x5 The device client has been disconnected Error: Time:Tue Aug 31 13:56:38 2021 File:/home/jlaird/azure-iot-sdk-c/iothub_client/src/iothubtransport_mqtt_common.c Func:mqttOperationCompleteCallback Line:2075 Connection Not Accepted: 0x5: Not Authorized The device client has been disconnected

-> 13:56:38 CONNECT | VER: 4 | KEEPALIVE: 240 | FLAGS: 192 | USERNAME: g2cert.azure-devices.net/TestDevice1/?api-version=2020-09-30&DeviceClientType=iothubclient%2f1.7.0%20(native%3b%20Linux%3b%20x86_64) | PWD: XXXX | CLEAN: 0

<- 13:56:39 CONNACK | SESSION_PRESENT: false | RETURN_CODE: 0x5 The device client has been disconnected Error: Time:Tue Aug 31 13:56:39 2021 File:/home/jlaird/azure-iot-sdk-c/iothub_client/src/iothubtransport_mqtt_common.c Func:mqttOperationCompleteCallback Line:2075 Connection Not Accepted: 0x5: Not Authorized The device client has been disconnected

Steps:
GIT clone branch LTS_07_2021_Ref01
cd azure-iot-sdk-c
mkdir cmake2
cd cmake2
edit connection string in iothub_ll_telemetry_sample.c to reflect blog post
cmake -Duse_amqp=OFF -Duse_http=OFF -Duse_sample_trusted_cert=ON ..
cmake --build .
./iothub_ll_telemetry_sample

*edit error in order of steps

[ericwolz]

@coffeeaddict19 Yes, it's failing for me also. Investigating.

[RamIoTMalhotra]

@coffeeaddict19 Yes this is by design. As written in the blog, the key in the connection string is invalid. The only test to be done is to ensure a successful TLS handshake. The connection will fail authentication since there's no need to test beyond the TLS handshake. Does that make sense? As long as you're able to validate the server certificate after Server Hello, you should be good!

[danewalton]

For anyone that hits this in the future and would like further information on how to check that it is working properly, here is a link to a walkthrough dissecting a TLS connection using Wireshark.
https://www.catchpoint.com/blog/wireshark-tls-handshake

[coffeeaddict19]

Thank you for the clarification. This helps a lot now I know exactly what to look for.
Without the 'DigiCert Global Root G2' CA Certificate available or specified I see IOTHUB_CLIENT_CONNECTION_UNAUTHENTICATED and IOTHUB_CLIENT_CONNECTION_NO_NETWORK with the trace message:

Error: Time:Thu Sep 2 10:01:50 2021 File:/home/jlaird/azure-iot-sdk-c/c-utility/adapters/tlsio_openssl.c Func:send_handshake_bytes Line:734 error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Error: Time:Thu Sep 2 10:01:50 2021 File:/home/jlaird/azure-iot-sdk-c/umqtt/src/mqtt_client.c Func:onOpenComplete Line:454

Error: failure opening connection to endpoint

With the 'DigiCert Global Root G2' CA Certificate available or specified I see:
IOTHUB_CLIENT_CONNECTION_UNAUTHENTICATED and IOTHUB_CLIENT_CONNECTION_NO_NETWORK with trace message:
Error: Time:Thu Sep 2 10:02:32 2021 File:/home/jlaird/azure-iot-sdk-c/iothub_client/src/iothubtransport_mqtt_common.c Func:mqttOperationCompleteCallback Line:2075 Connection Not Accepted: 0x5: Not Authorized

openssl s_client -connect g2cert.azure-devices.net:8883 was a good tool as well.

[ericwolz]

@RamIoTMalhotra can we update the blob post to clarify this better?

[ewertons]

It has been now two and half years since this notice has been in place, and given the stage we are in the TLS certificate migration we will go ahead and close it.
If you have any TLS issues related to the Azure CA certificate migration, please file a new issue for assistance.
Much appreciated,
Azure IoT SDK Team