IoT Edge certificate management

Makowiecki Adrian 0

I want to find a way to renew IoT Edge certificates manually, to prevent automatic edge reboots.

I set up a test EST server as described on here and confirmed it is working by running openssl s_client -showcerts -connect localhost:8085 and getting a certificate in response.

When I tried to remove certificates to renew them new certificate files are not created and there are errors in iotedge system logs:

Mar 04 16:15:54 device-name aziot-certd[807771]: 2025-03-04T16:15:54Z [ERR!] - !!! internal error
Mar 04 16:15:54 device-name aziot-certd[807771]: 2025-03-04T16:15:54Z [ERR!] - !!! caused by: could not create cert
Mar 04 16:15:54 device-name aziot-certd[807771]: 2025-03-04T16:15:54Z [ERR!] - !!! caused by: EST endpoint did not return successful response: 401 Unauthorized b"Error 401: Unauthorized\nThe server was unable to authorize the request.\n"
Mar 04 16:15:54 device-name aziot-certd[807771]: 2025-03-04T16:15:54Z [INFO] - --> 500 {"content-type": "application/json"}
Mar 04 16:15:54 device-name aziot-identityd[810605]: 2025-03-04T16:15:54Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found: internal error
Mar 04 16:15:54 device-name aziot-identityd[810605]: 2025-03-04T16:15:54Z [ERR!] - service encountered an error
Mar 04 16:15:54 device-name aziot-identityd[810605]: 2025-03-04T16:15:54Z [ERR!] - caused by: internal error
Mar 04 16:15:54 device-name aziot-identityd[810605]: 2025-03-04T16:15:54Z [ERR!] - caused by: could not create certificate
Mar 04 16:15:54 device-name aziot-identityd[810605]: 2025-03-04T16:15:54Z [ERR!] - caused by: internal error

My main goal is to avoid automatic restarts of the iotedge modules, I will appreciate help. Here is my config.toml

VSawhney 110 Reputation points Microsoft External Staff

2025-03-06T08:37:17.42+00:00
Hello Makowiecki Adrian,

The error logs mentioned suggests that the EST server does not recognize or trust the device’s credentials. You can follow the below steps to check and proceed:

Confirm EST Server Authentication:    - Double-check the cert_issuance.est.auth section:    - Ensure the username and password fields are correct and match the credentials configured on your EST server.      - Verify that the EST server's access control lists (ACLs) allow the device to authenticate successfully.

Certificate Chain Validation:    - The trusted_certs field points to cacert.crt.pem. Ensure that this file contains the correct root CA certificate for the EST server.    - Confirm the certificate chain is intact and the IoT Edge device can validate it.

Test EST Endpoint:    - Use the curl command or openssl to test the EST URL manually and verify that the server responds correctly. Example:      bash      curl -u [username]:[password] [https://localhost:8085/.well-known/est/cert](https://localhost:8085/.well-known/est/cert"https://localhost:8085/.well-known/est/cert")         - Ensure the response does not show authentication errors.

Verify Common Name:    - The common_name set to "device-name" should match the expected identity on the EST server. Check if there is a mismatch between the device registration and the EST server's settings.

Adjust EST URL:    - The default URL for EST is set to [https://localhost:8085/.well-known/est.](https://localhost:8085/.well-known/est%60."https://localhost:8085/.well-known/est%60.") If the EST server is hosted on a different machine, replace localhost with its IP address or DNS name.

Network Connectivity:    - Ensure the device can connect to the EST server (firewall and network rules might block communication).    - Confirm the port 8085 is open and accessible.

Edge Runtime Restart:    - After making adjustments to the configuration, restart the Azure IoT Edge runtime:      bash      sudo iotedge system restart

Please go through this document for detailed information on how to manage trusted root certificates : https://learn.microsoft.com/en-us/azure/iot-edge/how-to-manage-device-certificates?form=MG0AV3&tabs=windows#manage-trusted-root-ca-trust-bundle

If you have any further query do let us know.

Thank you!
VSawhney 110 Reputation points Microsoft External Staff

2025-03-07T12:35:46.26+00:00

Hello Makowiecki Adrian,

Just checking in to see if the answer helped. If you have any further query do let us know.

Thank you!
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Makowiecki Adrian 0 Reputation points

2025-03-07T16:55:20.9966667+00:00
Hello VSawhney, thank you for your answer.I am using the default EST image from the tutorial, and the username and password are estuser and estpw, as those are the default. I also use a different device name. I edited it in config out of habit. The EST server is running on the same machine as the iotedge for now.

Going through the checks you recommended after I run curl -u estuser:estpw https://localhost:8085/.well-known/est/cert I got a message about a problem with self-signed certificate, so I added it to system's trusted certificate store by running

sudo cp /var/aziot/certs/cacert.crt.pem /usr/local/share/ca-certificates/custom_ca.crt sudo update-ca-certificates

Now executing curl -u estuser:estpw https://localhost:8085/.well-known/est/cert returns Error 404: Not Found instead of a certificate error, but after restarting iotedge the problem stays the same, with the same error messages in the logs.

Is there another way of manually renewing/resetting the certificates?

Share via

IoT Edge certificate management

Your answer