iotedge: Identity provisioning fails to add subject DN to CSR using EST and x509 authentication when using identity certificate

Expected Behavior

The configured Distinguished Name (DN) in the “subject” configuration should be added to the Certificate Signing Request (CSR) using Enrollment over Secure Transport (EST) when using X509 (client) authentication with an identity certificate.

Current Behavior

Only the common name of the subject is included in the CSR of the identity certificate. Other fields such as “organization_unit” (OU) are omitted. The subject configuration is included for the EST bootstrap identity (“bootstrap_identity”), but not for the EST device identity (“identity”).

Intercepted EST network traffic (aziot-certd) for “identity_cert”:

POST https://<...>/.well-known/est/<...>/simpleenroll HTTP/1.1
content-type: application/pkcs10
content-transfer-encoding: base64
host: <...>
content-length: 825

Decoded Payload (openssl req -in csr -inform der -noout -text):
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = GW-01-OP-001
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus: <...>
                Exponent: <...>
        Attributes:
            <...>
    Signature Algorithm: sha256WithRSAEncryption
         <...>

Intercepted network traffic for "bootstrap_identity":

POST https://<...>/.well-known/est/<...>/simpleenroll HTTP/1.1
content-type: application/pkcs10
content-transfer-encoding: base64
host: <...>
content-length: 825

Decoded Payload (openssl req -in csr -inform der -noout -text):
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = GW-01-OP-001, OU = GW-01
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    <...>
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
    Signature Algorithm: ecdsa-with-SHA256
         <...>

The EST server is configured to only accept CSRs that contain an “organization_unit”. This results in the error: {"errors":[{"code":"invalid_input","message":"Please provide value for subject.organization_unit"}]}. This field is a constraint for an operational certificate by the PKI / EST server provider “DigiCert IoT Manager” (referenced in the documentation, see https://docs.microsoft.com/en-us/azure/iot-edge/tutorial-configure-est-server?view=iotedge-2020-11#est-server)

Steps to Reproduce

  1. Install IoT Edge according to the documentation (see https://docs.microsoft.com/en-us/azure/iot-edge/how-to-provision-single-device-linux-symmetric?view=iotedge-2020-11&tabs=azure-portal%2Cubuntu#install-iot-edge)
  2. Configure DPS provisioning with EST (see configuration in Context (Environment)) using “subject” instead of “common_name” for the “identity” (see template.toml#L180, #5742).

Context (Environment)

Configuration:

hostname = "ubuntu"
trust_bundle_cert = "file:///<...>/root.pem"

[cert_issuance.est]
trusted_certs = [
     "file:///<...>/cacerts.pem",
]

[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net/"
id_scope = "<...>"

[provisioning.attestation]
method = "x509"
registration_id = "GW-01-OP-001"

[provisioning.attestation.identity_cert]
method = "est"
subject = { CN = "GW-01-OP-001", OU = "GW-01" }
url = "https://<...>/.well-known/est/<...>"
identity_cert = "file:///<...>/identity_cert.pem"
identity_pk = "file:///<...>/identity_key.pem"

Output of iotedge check

Configuration checks (aziot-identity-service)
---------------------------------------------
√ keyd configuration is well-formed - OK
√ certd configuration is well-formed - OK
√ tpmd configuration is well-formed - OK
√ identityd configuration is well-formed - OK
√ daemon configurations up-to-date with config.toml - OK
√ identityd config toml file specifies a valid hostname - OK
√ aziot-identity-service package is up-to-date - OK
√ host time is close to reference time - OK
√ production readiness: identity certificates expiry - OK
√ production readiness: EST identity and bootstrap certificates expiry - OK
√ preloaded certificates are valid - OK
√ keyd is running - OK
√ certd is running - OK
√ identityd is running - OK
√ read all preloaded certificates from the Certificates Service - OK
√ read all preloaded key pairs from the Keys Service - OK
√ ensure all preloaded certificates match preloaded private keys with the same ID - OK

Connectivity checks (aziot-identity-service)
--------------------------------------------
‼ host can connect to and perform TLS handshake with iothub AMQP port - Warning
    Could not retrieve iothub_hostname from provisioning file.
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
    Since no hostname is provided, all hub connectivity tests will be skipped.
‼ host can connect to and perform TLS handshake with iothub HTTPS / WebSockets port - Warning
    Could not retrieve iothub_hostname from provisioning file.
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
    Since no hostname is provided, all hub connectivity tests will be skipped.
‼ host can connect to and perform TLS handshake with iothub MQTT port - Warning
    Could not retrieve iothub_hostname from provisioning file.
    Please specify the backing IoT Hub name using --iothub-hostname switch if you have that information.
    Since no hostname is provided, all hub connectivity tests will be skipped.
√ host can connect to and perform TLS handshake with DPS endpoint - OK

Configuration checks
--------------------
√ aziot-edged configuration is well-formed - OK
√ configuration up-to-date with config.toml - OK
√ container engine is installed and functional - OK
× configuration has correct URIs for daemon mgmt endpoint - Error
    SocketError - SocketErrorCode (TimedOut) : Operation timed out
    One or more errors occurred. (Got bad response: )
√ aziot-edge package is up-to-date - OK
√ container time is close to host time - OK
‼ DNS server - Warning
    Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub.
    Please see https://aka.ms/iotedge-prod-checklist-dns for best practices.
    You can ignore this warning if you are setting DNS server per module in the Edge deployment.
‼ production readiness: logs policy - Warning
    Container engine is not configured to rotate module logs which may cause it run out of disk space.
    Please see https://aka.ms/iotedge-prod-checklist-logs for best practices.
    You can ignore this warning if you are setting log policy per module in the Edge deployment.
‼ production readiness: Edge Agent's storage directory is persisted on the host filesystem - Warning
    The edgeAgent module is not configured to persist its /tmp/edgeAgent directory on the host filesystem.
    Data might be lost if the module is deleted or updated.
    Please see https://aka.ms/iotedge-storage-host for best practices.
‼ production readiness: Edge Hub's storage directory is persisted on the host filesystem - Warning
    The edgeHub module is not configured to persist its /tmp/edgeHub directory on the host filesystem.
    Data might be lost if the module is deleted or updated.
    Please see https://aka.ms/iotedge-storage-host for best practices.
√ proxy settings are consistent in aziot-edged, aziot-identityd, moby daemon and config.toml - OK

Connectivity checks
-------------------
24 check(s) succeeded.
7 check(s) raised warnings. Re-run with --verbose for more details.
1 check(s) raised errors. Re-run with --verbose for more details.
7 check(s) were skipped due to errors from other checks. Re-run with --verbose for more details.

Device Information

  • Host OS: Ubuntu 20.04.04 LTS
  • Architecture: amd64

Runtime Versions

  • aziot-edged: 1.3.0
  • Edge Agent: 1.3.0
  • Edge Hub: 1.3.0
  • Docker/Moby: 20.10.17+azure-1

Logs

aziot-edged logs
Aug 09 01:07:57 ubuntu systemd[1]: Started Azure IoT Identity Service.
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [INFO] - Starting service...
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [INFO] - Version - 1.3.0
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [INFO] - Provisioning starting. Reason: Startup
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 1 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is empty
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- GET /keypair/device-id?api-version=2021-05-01 {"host": "keyd.sock"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 357 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 1 headers
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is empty
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [INFO] - <-- GET /certificates/device-id?api-version=2020-09-01 {"host": "certd.sock"}
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [INFO] - !!! parameter "id" has an invalid value
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [INFO] - !!! caused by: not found
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [INFO] - --> 400 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 190 bytes
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (73 bytes)
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 369 bytes
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is empty
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- DELETE /keypair?api-version=2021-05-01 {"content-type": "application/json", "host": "keyd.sock", "content-length": "248"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 204 {}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 83 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (56 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /keypair?api-version=2021-05-01 {"content-type": "application/json", "host": "keyd.sock", "content-length": "56"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 174 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 357 bytes
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 123 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 465 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 124 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 123 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 465 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "248", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 124 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (355 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /encrypt?api-version=2021-05-01 {"content-length": "355", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 470 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 1080 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 1 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is empty
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- GET /keypair/est-id-device-id?api-version=2021-05-01 {"host": "keyd.sock"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 365 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (256 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/algorithm?api-version=2021-05-01 {"content-length": "256", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 123 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (955 bytes)
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [INFO] - <-- POST /certificates?api-version=2020-09-01 {"content-type": "application/json", "host": "certd.sock", "content-length": "955"}
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 82 bytes
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (256 bytes)
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", keyd.sock)
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::connect::http] connecting to 192.168.117.1:8888
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::connect::http] connecting to 192.168.117.1:8888
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (256 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/rsa-modulus?api-version=2021-05-01 {"content-length": "256", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 465 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (256 bytes)
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - <-- POST /parameters/rsa-exponent?api-version=2021-05-01 {"content-length": "256", "content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [INFO] - --> 200 {"content-type": "application/json"}
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::io] flushed 124 bytes
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-keyd[15506]: 2022-08-09T08:07:57Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::connect::http] connected to 192.168.117.1:8888
Aug 09 01:07:57 ubuntu aziot-certd[15512]: 2022-08-09T08:07:57Z [DBUG] - [hyper::client::connect::http] connected to 192.168.117.1:8888
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::io] flushed 1043 bytes
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::io] flushed 122 bytes
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::io] parsed 12 headers
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::conn] incoming body is chunked encoding
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::decode] incoming chunked header: 0x64 (100 bytes)
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::client::pool] pooling idle connection for ("https", clientauth.demo.one.digicert.com)
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [ERR!] - !!! internal error
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [ERR!] - !!! caused by: could not create cert
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [ERR!] - !!! caused by: EST endpoint did not return successful response: 400 Bad Request b"{\"errors\":[{\"code\":\"invalid_input\",\"message\":\"Please provide value for subject.organization_unit\"}]}"
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [INFO] - --> 500 {"content-type": "application/json"}
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::io] flushed 155 bytes
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (28 bytes)
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [DBUG] - [hyper::client::pool] pooling idle connection for ("http", certd.sock)
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found: internal error
Aug 09 01:07:58 ubuntu aziot-certd[15512]: 2022-08-09T08:07:58Z [DBUG] - [hyper::proto::h1::conn] read eof
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [ERR!] - service encountered an error
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [ERR!] - caused by: internal error
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [ERR!] - caused by: could not create certificate
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [ERR!] - caused by: internal error
Aug 09 01:07:58 ubuntu aziot-identityd[15898]: 2022-08-09T08:07:58Z [ERR!] -    0: <unknown>
Aug 09 01:07:58 ubuntu aziot-identityd[15898]:    1: <unknown>
Aug 09 01:07:58 ubuntu systemd[1]: aziot-identityd.service: Main process exited, code=exited, status=1/FAILURE
Aug 09 01:07:58 ubuntu systemd[1]: aziot-identityd.service: Failed with result 'exit-code'.

Additional Information

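The two captures above differ only in the subject DN that aziot-certd put into the PKCS#10 request, and the EST server rejects the request before any certificate is issued. The following preflight script is an added editor's example, not code from iotedge or aziot-identity-service: it builds a CSR with the full subject from [provisioning.attestation.identity_cert] (a P-256 key, as in the bootstrap CSR), decodes the subject with the same openssl req tooling used above, and refuses to proceed when a required RDN such as OU is missing. The function names make_csr, csr_subject and csr_has_rdns are this example's own; it assumes an openssl CLI (1.1.1 or 3.x) is on the path.

```shell
#!/bin/sh
# Added example (not iotedge/aziot-identity-service code): build the identity
# CSR with the full subject DN from the config and verify that every RDN the
# EST server requires is present before submitting it to /simpleenroll.
set -eu

# make_csr KEY CSR SUBJECT
# Generates a P-256 key and a DER-encoded CSR with SUBJECT given in openssl's
# "/CN=.../OU=..." form, i.e. the shape of the bootstrap_identity CSR above.
make_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1"
  openssl req -new -key "$1" -subj "$3" -outform DER -out "$2"
}

# csr_subject CSR
# Prints the subject DN of a DER CSR in RFC 2253 form, e.g. "OU=GW-01,CN=GW-01-OP-001".
csr_subject() {
  openssl req -in "$1" -inform DER -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# csr_has_rdns CSR ATTR [ATTR...]
# Returns 0 only when every ATTR (CN, OU, O, ...) appears in the CSR subject.
# Each missing attribute is reported on stderr, mirroring the EST server's
# "Please provide value for subject.<attr>" rejection seen in the logs above.
csr_has_rdns() {
  csr=$1; shift
  subj=$(csr_subject "$csr")
  rc=0
  for attr in "$@"; do
    # RFC 2253 output is comma separated, so an RDN is either first or follows a comma.
    if ! printf '%s\n' "$subj" | grep -Eq "(^|,)$attr="; then
      echo "$csr: missing subject.$attr (subject is '$subj')" >&2
      rc=1
    fi
  done
  return $rc
}

# Demo: the CN-only CSR certd sent for "identity" versus the CN+OU CSR the
# config asks for. Subjects are constructed from the values in this report.
workdir=$(mktemp -d)
make_csr "$workdir/cn-only.key" "$workdir/cn-only.der" "/CN=GW-01-OP-001"
make_csr "$workdir/full.key"    "$workdir/full.der"    "/CN=GW-01-OP-001/OU=GW-01"
csr_has_rdns "$workdir/cn-only.der" CN OU || echo "cn-only CSR would be rejected by the EST server"
csr_has_rdns "$workdir/full.der" CN OU && echo "full CSR carries CN and OU: $(csr_subject "$workdir/full.der")"
```

Run it against the DER payload pulled from the /simpleenroll request (csr_has_rdns captured.der CN OU) to confirm what the device actually sent, independent of what config.toml says; the required attribute list is whatever the EST server's certificate profile enforces.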

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 21 (12 by maintainers)

Most upvoted comments

We’ve triaged the bug and are looking into a fix, but not too sure that it’ll make the next release (1.4.2) which needs to go out in time to take the latest .NET security patch and dependency updates. My guess would be that it’ll take about a month for this fix to be released as part of 1.4.3. Do you need it sooner?

IoT Edge 1.4.8 is released and includes this fix (which is part of identity service 1.4.2)

Still targeting late Oct to release in 1.4.3.

CC https://github.com/Azure/iot-identity-service/issues/455

We’ve picked up the work and are currently forecasting late Oct to release this in 1.4.3.

Hi @jlian, I’m working on the same project as @cookieofcode. If we can have a fix in November, this would still be ok for us. We are not in production yet but want to advance with our prototype.