Solved: Re: SSL configuration for Azure IoT Hub connector ...

vi1 · ‎Apr 12, 2021

Hi,

I have enabled https configuration in server.xml in Tomcat folder. What are steps to follow in Azure IoT Hub configuration to enable the https? I am using Thingworx 8.5.1 version and IoT Hub 3.0.2.

I have added below configuration in environment variable. azre-iot service is not running if set below configuration. Azure IoTHub connector was working correctly without enable https and also receiving the data correctly from Azure IoT Hub to Thingworx. I have followed Thingworx help document.

"AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=
C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\cacerts-customized -Djavax.net.ssl.trustStorePassword=xxxxxxx"

Also, I have updated in conf. "platforms = "wss://localhost:443/Thingworx/WS"

Regards,

Latha

vi1 · ‎Apr 19, 2021

Hi,

This issue resolved through support ticket. We have added SSL certificate into Java trust store. After that, its established connection between thingworx and azure IoT Hub.

Thank you

Latha

View solution in original post

SachinSharma · ‎Apr 12, 2021

Hi @vi1

What is the error you are getting in cxserver.log file located at Azure-IoT-Hub-Connector-<ver>\connector\bin\ when you are trying to connect using SSL?

Regards,

Sachin

vi1 · ‎Apr 12, 2021

Hi,

Thank you for replay.

I am getting below error in cxserver log. what is the configuration in environment variable for ssl. Below is the configuartion in environment variable.

AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\conf\\cerificatename.pfx -Djavax.net.ssl.trustStorePassword=xxxxx

2021-04-12T01:52:01.779 [NettyClient-NIO-1] ERROR c.t.s.i.t.netty.NettyChannelHandler - [ClientHandler: b17106b7] WebSocket error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, closing connection!
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1510)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1524)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1408)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
... 16 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:275)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
... 31 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 37 common frames omitted

Regards,

Latha

SachinSharma · ‎Apr 12, 2021

@vi

Refer following help center guide, navigate to section When Using SSL/TLS and set the environment variable as mentioned there. Make sure that you do NOT use double quotation marks when setting the environment variable on Windows. If you use them, the Connector will fail to start.

Regards,

Sachin

vi1 · ‎Apr 12, 2021

Hi,

I have followed same as mentioned in document. Here 'cacerts-customized' means is it certification name?

set AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=
<your-connector-path-to-certs>cacerts-customized
-Djavax.net.ssl.trustStorePassword=new-password

below is my configuration:

AZURE_IOT_OPTS=-Djavax.net.ssl.trustStore=C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\conf\\cerificatename.pfx -Djavax.net.ssl.trustStorePassword=xxxxx

Regards,

Latha

vi1 · ‎Apr 12, 2021

Hi,

I have copied same certification which it is available in Tomcat conf folder into IoT Hbb connector conf folder. After placed the certification into IoT Hub conf folder, updated path in environment variable.

Azure connector service is started but its not connected connection server and getting below errors in cxserver.

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:219)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:441)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:422)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:282)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
... 31 common frames omitted
2021-04-12T02:50:46.579 [NettyClient-NIO-4] ERROR c.t.s.i.t.netty.NettyChannelHandler - [ClientHandler: 0abe5beb] WebSocket error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found., closing connection!
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:983)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:970)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:917)
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1510)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1524)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1408)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
... 16 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:219)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:441)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:422)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:282)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:630)
... 31 common frames omitted

Regards,

Latha

nmilleson · ‎Apr 12, 2021

Assuming you're using a self-signed cert, I ran into this same issue. You'll need to recreate your cert and make sure you include a SAN.

When you create the cert using keytool, include

-ext "SAN=IP:<your twx ip>"

OR

-ext "SAN=DNS:<twx dns>"

vi1 · ‎Apr 12, 2021

Hi,

Thank you for response.

I have added domain name. Connection server is established but IoT Hub connector thing is not connected. I am using same certification for Thingwox and IoT Hub connector.

Regards,

Latha

nmilleson · ‎Apr 12, 2021

Can you share the log output again?

vi1 · ‎Apr 19, 2021

Hi,

This issue resolved through support ticket. We have added SSL certificate into Java trust store. After that, its established connection between thingworx and azure IoT Hub.

Thank you

Latha

SSL configuration for Azure IoT Hub connector configuration

SSL configuration for Azure IoT Hub connector configuration