Create IoT Hub DPS Enrollment Group does not properly send certificate data
Describe the bug
When trying to create a DPS enrollment group, the certificate data is not properly sent, which causes the error “TPM or X509 attestation is required.” to be returned.
To Reproduce
- Be logged in and have a DPS instance created
- Have a file on your current directory called cert.crt
File will look like this: (cert.crt)
-----BEGIN CERTIFICATE-----
MIIEfDCCA2SgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMxETAPBgNVBAgM
CFZpcmdpbmlhMRgwFgYDVQQKDA9Ib21lVmFsZXQsIEluYy4xLDAqBgNVBAMMI0hvbWVWYWxldCBU
... etc ...
htgh2w8U4Ezyr41n
-----END CERTIFICATE-----
- Run the command
az iot dps enrollment-group create --dps-name $DPS_NAME -g $RESOURCE_GROUP_NAME --enrollment-id $NAME --cp ./cert.crt --debug
Expected behavior
Certificate is sent to IoT hub and enrollment group is created
Actual Behavior
Certificate doesn’t seem to be read, or not sent properly. Can’t tell which. Note how the "x509": {"signingCertificates": {"primary": {"certificate": ""}}}} is empty. Here’s a sample of the debug output:
msrest.http_logger: Request URL: 'https://***.azure-devices-provisioning.net/enrollmentGroups/mfg-hub?api-version=2019-03-31'
msrest.http_logger: Request method: 'PUT'
msrest.http_logger: Request headers:
msrest.http_logger: 'Accept': 'application/json'
msrest.http_logger: 'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger: 'x-ms-client-request-id': 'f9fe1d38-fae2-11eb-b542-00155d3a3834'
msrest.http_logger: 'accept-language': 'en-US'
msrest.http_logger: 'Content-Length': '307'
msrest.http_logger: 'User-Agent': 'python/3.6.10 (Linux-5.10.16.3-microsoft-standard-WSL2-x86_64-with-debian-bullseye-sid) msrest/0.6.21 msrest_azure/0.6.3 provisioningserviceclient/2019-03-31 IoTPlatformCliExtension/0.10.14'
msrest.http_logger: Request body:
msrest.http_logger: {"enrollmentGroupId": "mfg-hub", "attestation": {"type": "x509", "x509": {"signingCertificates": {"primary": {"certificate": ""}}}}, "capabilities": {"iotEdge": false}, "initialTwin": {"tags": {}, "properties": {"desired": {}}}, "reprovisionPolicy": {"updateHubAssignment": true, "migrateDeviceData": true}}
msrest.universal_http: Configuring redirects: allow=True, max=30
msrest.universal_http: Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http: Configuring proxies: ''
msrest.universal_http: Evaluate proxies against ENV settings: True
urllib3.connectionpool: Starting new HTTPS connection (1): ***.azure-devices-provisioning.net:443
urllib3.connectionpool: https://***.azure-devices-provisioning.net:443 "PUT /enrollmentGroups/mfg-hub?api-version=2019-03-31 HTTP/1.1" 400 None
msrest.http_logger: Response status: 400
msrest.http_logger: Response headers:
msrest.http_logger: 'Date': 'Wed, 11 Aug 2021 20:30:20 GMT'
msrest.http_logger: 'Content-Type': 'application/json; charset=utf-8'
msrest.http_logger: 'Transfer-Encoding': 'chunked'
msrest.http_logger: 'x-ms-request-id': '5f84cf7c-0d79-4067-b0e4-794ad5d6066c'
msrest.http_logger: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger: Response content:
msrest.http_logger: {"errorCode":400004,"trackingId":"5f84cf7c-0d79-4067-b0e4-794ad5d6066c","message":"TPM or X509 attestation is required.","timestampUtc":"2021-08-11T20:30:21.7460401Z"}
msrest.exceptions: TPM or X509 attestation is required.
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
File "/home/ksykora/.azure/cliextensions/azure-iot/azext_iot/operations/dps.py", line 419, in iot_dps_device_enrollment_group_create
return sdk.create_or_update_enrollment_group(enrollment_id, group_enrollment)
File "/home/ksykora/.azure/cliextensions/azure-iot/azext_iot/sdk/dps/service/provisioning_service_client.py", line 368, in create_or_update_enrollment_group
raise models.ProvisioningServiceErrorDetailsException(self._deserialize, response)
azext_iot.sdk.dps.service.models.provisioning_service_error_details_py3.ProvisioningServiceErrorDetailsException: TPM or X509 attestation is required.
Environment summary
WSL2 Ubuntu 20.04, installed via apt
azure-cli 2.27.1
core 2.27.1
telemetry 1.0.6
Extensions:
storage-preview 0.7.4
azure-iot 0.10.14
Additional context
Issue Analytics
- State:
- Created 2 years ago
- Comments:7 (2 by maintainers)
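The failure in this report is a request body whose certificate field is an empty string. As an added example (not code from the azure-iot extension or from the reporter), here is a pre-flight check that loads the certificate whatever the file extension and refuses to build an attestation object with an empty value. The function names are hypothetical, the payload shape is copied from the debug log above, and sending PEM text in the certificate field is an assumption.

```python
import base64
import os
import re
import tempfile
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def load_certificate_pem(path):
    """Return one PEM certificate from path, whatever the file extension."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if not raw.strip():
        raise ValueError(f"{path}: file is empty")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        der = raw  # binary content: treat as DER
    else:
        match = PEM_RE.search(text)
        if not match:
            raise ValueError(f"{path}: no PEM certificate block found")
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except ValueError as exc:  # binascii.Error subclasses ValueError
            raise ValueError(f"{path}: PEM body is not valid base64") from exc
    # Structural check only (not full X.509 parsing): DER starts with SEQUENCE, 0x30.
    if not der or der[0] != 0x30:
        raise ValueError(f"{path}: content is not a DER-encoded certificate")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

def build_x509_attestation(primary_pem):
    """Attestation object in the shape of the request body in the debug log."""
    if not primary_pem.strip():
        raise ValueError("empty certificate: refusing to build the attestation")
    # Assumption: the certificate field carries the PEM text.
    return {"type": "x509", "x509": {
        "signingCertificates": {"primary": {"certificate": primary_pem}}}}

if __name__ == "__main__":
    # Constructed placeholder bytes with a DER-style header, not a real certificate.
    sample = base64.b64encode(bytes.fromhex("30820004020200ff")).decode()
    path = os.path.join(tempfile.mkdtemp(), "cert.crt")
    with open(path, "w") as fh:
        fh.write(f"-----BEGIN CERTIFICATE-----\n{sample}\n-----END CERTIFICATE-----\n")
    print(build_x509_attestation(load_certificate_pem(path)))
```

Running a check like this before the PUT turns the service-side 400 into a local error that names the file and the reason.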
Thanks for the feedback. It doesn’t make a lot of sense to me to require a specific file extension, but I’ll leave that decision up to you.
Close the issue since it was fixed in PR and it will be available in the next release (0.18.4), thanks