0 Votes
AliAkbarQureshi-6990 asked AliAkbarQureshi-6990 commented

The remote certificate is invalid according to the validation procedure

Hi,

We are currently using a symmetric key to authenticate the devices and these devices are working fine, but today on one of the devices we got the following exception:

Failed to connect: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.


Afterward, the connection was lost, and when we tried to re-connect it prompted for a new certificate after which we were able to re-connect.

Any idea what the reason for it could be and how we can avoid it in the future?

Regards,
Ali Qureshi

azure-iot-hub

1 Vote
SandervandeVelde42 answered

Hello @AliAkbarQureshi-6990 ,

Is this issue related to an Edge device? Can this be related to this?

Azure IoT Edge uses a separate certificate for securing inter-module communication (together with the edgehub module).

A 'development' certificate is created by default. This certificate is only valid for 90 days. A restart of the device will generate a new certificate (again valid for 90 days only).

You need to replace this certificate with a 'production' certificate.

Please run

 sudo iotedge check

for more information.
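As an added example (not part of the original answers and not Azure IoT Edge's own tooling): a short-lived certificate like the 90-day one described above can be watched with `openssl x509 -checkend`, so that it is flagged before clients start rejecting it. The function names, the file paths and the `constructed-device.example` subject are assumptions made for this sketch, and the certificate it checks is a throwaway one generated on the spot.

```shell
#!/bin/sh
# Added example (constructed data): classify a PEM certificate by how close it
# is to expiry, using only `openssl x509 -checkend`.

# cert_status FILE WARN_DAYS
# Prints one word and returns a matching exit code:
#   ok (0)          valid for longer than WARN_DAYS
#   expiring (1)    still valid, but expires within WARN_DAYS
#   expired (2)     notAfter is already in the past
#   unreadable (3)  FILE is missing or not a PEM certificate
cert_status() {
    cert=$1
    warn_secs=$(( $2 * 86400 ))
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok
}

# make_demo_cert FILE DAYS
# Writes a throwaway self-signed certificate valid for DAYS days (constructed
# test input, standing in for a 90-day development certificate).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-device.example" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: a 90-day certificate checked against two warning windows.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/dev.pem" 90
echo "30-day window:  $(cert_status "$demo_dir/dev.pem" 30)"
echo "120-day window: $(cert_status "$demo_dir/dev.pem" 120)"
```

The exit codes let a scheduled job or monitoring agent alert on `expiring` before the certificate reaches `expired`.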


1 Vote
SatishBoddu-MSFT answered AliAkbarQureshi-6990 commented

Hello @AliAkbarQureshi-6990,

Adding a few more points to Sander's response.

Recommended Steps

  • Run iotedge check. This tool has specific checks and recommendations for certificate settings.

  • Make sure the hostname setting in /etc/iotedge/config.yaml is a hostname and not an IP address.

  • Update the iotedge runtime to the latest version.

Recommended Documents
Understand how Azure IoT Edge uses certificates.

Question: In case of certificate expiry, why do the edgeHub, runtime and other modules not stop working?
"The Edge Hub does not proactively drop established connections when its certificate expires. Any client that successfully connected before the new certificate expired would continue to send data."

Question: IoT Edge Runtime creates

  • Workload CA certificate with expiry of 1 year

  • Server Certificate with expiry of 90 days

Now it is expected that after 90 days the Server Certificate should get regenerated or renewed by IoT Edge Runtime and IoT edgeHub?

Yes, it should be automatic.

Please comment in the below section so that we can help you further.



We are not using IoT Edge. We have a separate device (called Iba controller) that sends the data to IoTHub using the MQTT protocol. As mentioned in my original thread, we are using a symmetric key for authentication and not an X.509 certificate.

I am assuming that the only certificate in play is the Azure root certificate used to access the IoT Hub Host.


Regards,
Ali Qureshi
