Issue Adding OPC UA Server Certificate to Trusted List – DNS Error

MohdFhG 55 Reputation points
2025-02-16T22:10:30.0466667+00:00

I'm trying to add the OPC UA server's application instance certificate to the trusted certificates list, following the steps in the Microsoft documentation: Configure the Trusted Certificates List.

When I run the following command:


az iot ops connector opcua trust add --instance azure-iotop-clus-ops-instance --resource-group ADT-IOTOP --certificate-file TestCSharpServer413CB6FECAF183566786F8413B694CA52715245A.der --secret-name TestOpcUaApp --overwrite-secret true 

I get the following error:


Command group 'iot ops connector' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus

<urllib3.connection.HTTPSConnection object at 0x00000128349D4C20>: Failed to establish a new connection: [Errno 11001] getaddrinfo failed

Context:

  • I have the Key Vault Secrets Officer role at the resource level of the Key Vault.
  • I'm logged into the correct Azure subscription.
  • Azure IoT Operations is running on a virtual machine with K3s on Ubuntu 24.04.
  • I suspect this is a DNS/network issue, but I haven't found a solution yet. However, I found a similar issue related to Azure Key Vault: https://github.com/Azure/azure-cli/issues/28772

Has anyone encountered this issue before? What steps can I take to debug or resolve this DNS connection problem?

Thanks in advance for your help!


2 answers

  1. Manas Mohanty 745 Reputation points Microsoft Vendor
    2025-02-18T10:17:05.1033333+00:00

    Hi MohdFhG

    We are suggesting checking DNS resolution for Key Vault on the assumption that you have secured your dependent Key Vault with a virtual network and created private endpoints.

    Below are commands to check what they are resolving to:

    #DNS resolution test
    nslookup your-key-vault-name.vault.azure.net
    dig your-key-vault-name.vault.azure.net
    
    #connectivity test from your VM
    ping your-key-vault-name.vault.azure.net
    

    If DNS is not resolving to the private IPs from your private endpoint's DNS configuration, you should check and modify your proxy settings or the local /etc/resolv.conf file to add the hostnames and their respective IPs.

    Thank you.

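A small diagnostic, added here as an example and not part of either answer, that resolves the Key Vault hostname with the same socket.getaddrinfo call that fails inside urllib3 when the CLI reports "getaddrinfo failed", then reports whether the returned addresses are private (RFC 1918, meaning the private endpoint's DNS zone is in effect) or public. The hostname is a placeholder; the classification helpers run offline.

```python
import ipaddress
import socket

# Constructed placeholder hostname: replace with your own Key Vault's DNS name.
KEY_VAULT_HOST = "your-key-vault-name.vault.azure.net"


def classify_address(addr: str) -> str:
    """Classify one resolved address as 'private' (RFC 1918, link-local, etc.),
    'public', or 'invalid' when the string is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "private" if ip.is_private else "public"


def resolve_host(host: str) -> list:
    """Resolve host:443 with socket.getaddrinfo, the call that raises inside
    urllib3 when the CLI prints 'getaddrinfo failed'. Returns a sorted list of
    unique addresses, or an empty list when resolution fails."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def diagnose(addrs: list) -> str:
    """Summarise what the resolver returned for a Key Vault hostname:
    - 'unresolved'       -> DNS itself fails (the situation in the question)
    - 'private-endpoint' -> only private IPs, so the private DNS zone is in effect
    - 'public'           -> only public IPs; a private endpoint, if any, is bypassed
    - 'mixed'            -> a mix, which usually means inconsistent DNS configuration"""
    if not addrs:
        return "unresolved"
    kinds = {classify_address(a) for a in addrs}
    if kinds == {"private"}:
        return "private-endpoint"
    if kinds == {"public"}:
        return "public"
    return "mixed"


if __name__ == "__main__":
    resolved = resolve_host(KEY_VAULT_HOST)
    print(KEY_VAULT_HOST, resolved, diagnose(resolved))
```

Run it on the machine where the az command fails: "unresolved" points at the resolver or proxy, while "public" with a private endpoint configured points at the private DNS zone not being linked to that network.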

  2. Alex Burlachenko 1,190 Reputation points
    2025-02-18T14:15:20.86+00:00

    Hey! :) Looks like you're running into a DNS or network issue. What can you try?

    follow me :)

    Check VM Internet: run ping google.com. If it fails, there’s a network issue.

    Allow Key Vault Access: make sure your VM can reach the Key Vault. Check the Key Vault’s network settings in Azure.

    Update Azure CLI: run az upgrade to get the latest version.

    Test DNS: try nslookup vault.azure.net. If it doesn’t resolve, DNS is the problem.

    Check Proxy: if you’re using a proxy, make sure Azure CLI is configured to use it.

    Enable Debug Logs: run your command with --debug for more details.

    Check Azure Status: peek at Azure Status—it might be an Azure-side issue.

    If nothing works, reach out to Azure Support—they’ll help sort it out! Good luck!

    Alex
