ThinEdge Client can't connect to Cumulocity

Product/components used and version/fix level:

production

Detailed explanation of the problem:

I tried following the guide Getting started with thin-edge.io on a RevPi from Kunbus with my RevolutionPi, but the ThinEdge Client can’t connect to Cumulocity.

Error messages / full error message screenshot / log file:

pi@RevPi11242:~ $ sudo tedge connect c8y
The system config file ‘/etc/tedge/system.toml’ doesn’t exist. Use ‘/bin/systemc tl’ as a service manager.

Checking if systemd is available.

Checking if configuration for requested bridge already exists.

Validating the bridge certificates.

Creating the device in Cumulocity cloud.

2023-07-20T13:29:30.068126589Z WARN rustls::conn: Sending fatal alert BadCertif icate
ERROR: Custom { kind: InvalidData, error: InvalidCertificateData(“invalid peer c ertificate: CertNotValidForName”) }
Error: failed to connect Cumulocity cloud.

Caused by:
Connection check failed

Question related to a free trial, or to a production (customer) instance?

Thanks in advance!!!

Some more information about your setup might be useful:

The error suggests that the SSL Certificate used by the Cumulocity IoT’s tenant url is not trusted by the certificate store on your device.

WARN rustls::conn: Sending fatal alert BadCertificate
ERROR: Custom { kind: InvalidData, error: InvalidCertificateData(“invalid peer certificate: CertNotValidForName”) }

You can try and troubleshoot using the following steps:

1. Check if curl can connect to your Cumulocity tenant (curl uses the OS Certificate truststore by default, so it usually an easy way to test if it is trusted or not)

   For example assuming your tenant is called thin-edge-io.eu-latest.cumulocity.com, you can do a curl against the tenant, below uses the tenant/loginOptions as this returns some json instead of html on the console (which more readable)

   curl https://thin-edge-io.eu-latest.cumulocity.com/tenant/loginOptions
   

   If curl fails, then you will need to follow general instructions on how to add a certificate to the truststore, e.g. entrusted-certificates-installation

2. If curl works then it most likely that you are using an older version of thin-edge which does not use the OS truststore by default. If you can upgrade thin-edge, then upgrading to 0.11.0 will fix the issue.

   You can verify which thin-edge version you have using:

   tedge --version
   

3. If you can’t upgrade thin-edge for whatever reason, then you can should be able to set the Cumulocity root certificate setting.

   Assuming your OS stores the certs under /etc/ssl/certs/ca-certificates.crt, then update the config settings to:

   sudo tedge config set c8y.root.cert.path /etc/ssl/certs/ca-certificates.crt
   # Try connecting again
   sudo tedge connect c8y
   

   Though generally upgrading would be the better option as you will also get all of the nice features that come along with every new release

Thanks Reuben,

1. curl https://"custom-domain"/tenant/loginOptions
   works fine

2. tedge version 0.11.0 is installed

The problem seems to be related to our custom domain. I tried a test instance we still use, that one works fine. Are there any known issues with that? Probably our certificate?

Ah, yes the custom Cumulocity IoT domain feature will be causing the error. The custom domain is only specific to the http communication (not mqtt).

Support for using separate http and mqtt endpoints for Cumulocity was added in 0.11.0. You can read a bit of background on the topic in the original issue #1931.

But you can set the Cumulocity IoT http and mqtt endpoints as follows:

sudo tedge config set c8y.http "mycustom.domain.com:443"
sudo tedge config set c8y.mqtt "mytenant.cumulocity.c8y.io:8883"

Then try connecting again:

sudo tedge connect c8y

Works like a charm! Thank you!

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.