3 years, 1 month ago.
Microsoft Azure IoT Hub cert is rejected during the handshake
I am using MBED TLS with MQTT to connect to the Azure IoT Hub. During the first handshake itself, the CA cert from Microsoft is rejected. I am using a K64F.
Mbed to Azure IoT Hub: version is 0.10
Opening network interface...
Connected to the network successfully.
IP address: 10.1.10.65
Time is now Fri Aug 23 15:30:14 2019
Connecting to host hublora.azure-devices.net:8883 ...
[DBG ][TLSW]: mbedtls_ssl_conf_ca_chain()
[INFO][TLSW]: Starting TLS handshake with hublora.azure-devices.net
[DBG ][TLSW]: mbedtls_ssl_setup()
[DBG ][TLSW]: Verifying certificate at depth 1:
[DBG ][TLSW]: cert. version : 3
serial number : 0F:2C:10:C9:5B:06:C0:93:7F:B8:D4:49:F8:3E:85:69
issuer name : C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
subject name : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2
issued on : 2016-05-20 12:51:57
expires on : 2024-05-20 12:51:57
signed using : RSA with SHA-256
RSA key size : 4096 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication, OCSP Signing
[INFO][TLSW]: ! The certificate is not correctly signed by the trusted CA
[DBG ][TLSW]: Verifying certificate at depth 0:
[DBG ][TLSW]: cert. version : 3
serial number : 20:00:05:DD:5F:F5:41:2A:B7:FB:B1:05:62:00:00:00:05:DD:5F
issuer name : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2
subject name : CN=*.azure-devices.net
issued on : 2019-04-12 22:59:46
expires on : 2020-04-12 22:59:46
signed using : RSA with SHA-256
RSA key size : 2048 bits
subject alt name : *.azure-devices.net, *.amqpws.azure-devices.net, *.su.management-azure-devices.net
key usage : Digital Signature, Key Encipherment, Data Encipherment
ext key usage : TLS Web Client Authentication, TLS Web Server Authentication
[INFO][TLSW]: No verification issue for this certificate
[DBG ][TLSW]: ssl_tls.c:5920: |1| x509_verify_cert() returned -9984 (-0x2700)
[ERR ][TLSW]: mbedtls_ssl_handshake() failed: -0x2700 (-9984): X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
ERROR from MQTTNetwork connect is -3011
3 years, 1 month ago.
I believe you haven't set the root CA with subject "Microsoft IT TLS CA 2" in your client as a trusted root CA, using the mbedtls_ssl_conf_ca_chain() API.
Is this the case?
Mbed OS Support
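
A log-triage helper for the TLSW debug trace in the question, added here as an example and not part of the original thread or of Mbed TLS: it splits the trace by chain depth and reports which certificate carries a "!" verification flag and which issuer that certificate names. The function names and the abbreviated sample log are constructed for illustration; the parser accepts the fields either one per line or run together on one line.

```python
import re

# Constructed sample: abbreviated from the TLSW debug trace format in the question.
SAMPLE_LOG = """\
[DBG ][TLSW]: Verifying certificate at depth 1:
[DBG ][TLSW]: cert. version     : 3
issuer name       : C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
subject name      : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2
[INFO][TLSW]: ! The certificate is not correctly signed by the trusted CA
[DBG ][TLSW]: Verifying certificate at depth 0:
[DBG ][TLSW]: cert. version     : 3
issuer name       : C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2
subject name      : CN=*.azure-devices.net
[INFO][TLSW]: No verification issue for this certificate
"""

DEPTH_RE = re.compile(r"Verifying certificate at depth (\d+):")
# The subject value ends at the next field ("issued on"), a newline, or end of input.
NAMES_RE = re.compile(
    r"issuer name\s*:\s*(.*?)\s*subject name\s*:\s*(.*?)(?=\s+issued on|\n|$)")
FLAG_RE = re.compile(r"\[INFO\]\[TLSW\]: !\s*(.+)")

def parse_chain(log):
    """Return one dict per certificate the verify callback logged, in log order."""
    parts = DEPTH_RE.split(log)  # [preamble, depth, body, depth, body, ...]
    chain = []
    for depth, body in zip(parts[1::2], parts[2::2]):
        names = NAMES_RE.search(body)
        chain.append({"depth": int(depth), "problems": FLAG_RE.findall(body),
                      "issuer": names.group(1) if names else None,
                      "subject": names.group(2) if names else None})
    return chain

def cn(dn):
    m = re.search(r"CN=([^,]+)", dn or "")
    return m.group(1).strip() if m else dn

def diagnose(log):
    """List every flagged certificate together with the issuer it names."""
    findings = []
    for cert in parse_chain(log):
        for problem in cert["problems"]:
            findings.append(f"depth {cert['depth']}: '{cn(cert['subject'])}' issued by "
                            f"'{cn(cert['issuer'])}': {problem}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG)))
```

On the sample it reports the depth 1 certificate, so the chain handed to mbedtls_ssl_conf_ca_chain() has to let that certificate chain to a trusted one.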