iotedge: Unable to connect MxChip DevKit as leaf device to IoT Edge

Configuring an MxChip devkit device as leaf device for IoT Edge I am unable to make a successful connection. I am following this guide:

As a datapoint, after making the (undesirable) firmware change to disable verification in mbedtls, the connection works successfully: mbedtls_ssl_conf_authmode(&tls_io_instance->config, MBEDTLS_SSL_VERIFY_NONE);

Expected Behavior

Device should connect as leaf deviceto IoT Edge. I have been successful with the same steps using Windows (using .NET SDK) and Ubuntu 18.04 (using C SDK as well as .NET SDK) as leaf devices.

Current Behavior

Device attempts to connect to the Edge gateway, but it appears the TLS handshake is failing.

Steps to Reproduce

  1. Create a Azure IoT Edge on Ubuntu VM in Azure
  2. Open all the required ports needed for a gateway scenario
  3. Generate certificates as described in the docs
  4. Using VSCode, create a new “Getting Started” project for MxChip using the Azure IoT Tools extension
  5. Append “GatewayHostName=<gateway dns name>” to the connection string
  6. Add the certification from step 3 to the project
  7. Deploy and run on the MxChipdevice

Result: device attempts to connect to the gateway, but the TLS handshake fails

Context (Environment)

MxChip devkit with “Ubuntu Server 16.04 LTS + Azure IoT Edge runtime” VM in Azure

Device (Host) Operating System

Ubuntu 16.04 LTS



Container Operating System


Runtime Versions



Edge Agent


Edge Hub



3.0.3, build 48bd4c6d


from iotedge logs edgeHub -f:

2019-02-17 19:33:09.246 +00:00 [WRN] - TLS handshake failed., System.IO.IOException: Channel is closed, 5bd3d2a6

Additional Information

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 29 (16 by maintainers)

Most upvoted comments

This is my cert chain. Does this look correct?

depth=3 CN = Azure IoT CA TestOnly Intermediate CA
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/CN=
   i:/CN=iotedged workload ca
 1 s:/CN=iotedged workload ca
 2 s:/
   i:/CN=Azure IoT CA TestOnly Intermediate CA
 3 s:/CN=Azure IoT CA TestOnly Intermediate CA
   i:/CN=Azure IoT CA TestOnly Root CA

@myagley look above, he used openssl s_client -connect