Azure IoT Edge 1.0.2 update issues

During Microsoft Ignite, Azure IoT Edge version 1.0.2 was released with some important improvements, such as proxy support.

-> https://azure.microsoft.com/en-us/updates/iot-edge1-0-2/

Today I updated my two Raspberry Pis running Raspbian to the new IoT Edge version.

-> https://docs.microsoft.com/en-us/azure/iot-edge/how-to-install-iot-edge-linux-arm#install-the-container-runtime

After the update to version 1.0.2 the Azure IoT Edge daemon fails to start. So, I used the following command to get the daemon logs.

journalctl -u iotedge --no-pager --no-full

But this did not provide me with the necessary information I was looking for. I changed the command to journalctl --no-pager and got the information to troubleshoot the issue.


Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [INFO] - Initializing hsm...
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] - An hsm error occurred.
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] -         caused by: HSM failure
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] -         caused by: HSM Init failure: 44
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] (/project/hsm-sys/azure-iot-hsm-c/src/edge_pki_openssl.c:validate_certificate_expiration:655) Certificate has expired
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] (/project/hsm-sys/azure-iot-hsm-c/src/edge_pki_openssl.c:check_certificates:1366) Certificate file has expired /var/lib/iotedge/hsm/certs/edge_owner_cav0cQJsrFHjxosiOJDer2oKf-O45ZXKVJrO5WFWtFKe0_.cert.pem
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] (/project/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_store.c:load_if_cert_and_key_exist_by_alias:1531) Failure when verifying certificate for alias edge_owner_ca
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] (/project/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_store.c:generate_edge_hsm_certificates_if_needed:1638) Could not check and load owner CA certificate and key
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] (/project/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_store.c:hsm_provision_edge_certificates:1804) Failure generating required HSM certificates
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] (/project/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_crypto.c:hsm_client_crypto_init:43) Could not create store. Error code 1915

As you can see in the screenshot and the log output, the edge_owner certificate has expired, which causes an HSM initialization error. This error causes the Azure IoT Edge daemon to fail at startup.

The current workaround is to delete the edge_owner certificate under the path /var/lib/iotedge/hsm/certs/ and restart the Azure IoT Edge daemon.

sudo systemctl restart iotedge
systemctl status iotedge

Afterwards the IoT Edge daemon should start without any issues and you can continue operating your IoT Edge device.
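
Before deleting anything, it is worth confirming which file the daemon rejected and that it really is past its expiry date. The script below is an added example, not part of the original post or of the Azure IoT Edge project: it pulls the certificate path out of the "Certificate file has expired" log line shown above and checks it with openssl. The function names and the SAMPLE_LOG variable are assumptions made for this example; the sample lines are copied from the log output above.

```shell
#!/bin/sh
# Added example: locate the certificate iotedged reports as expired and
# confirm its expiry with openssl before applying the workaround.
# On the device, feed it the real journal instead of the sample:
#   sudo journalctl --no-pager | report_expired

# Two lines copied from the log above: only the second one names a file.
SAMPLE_LOG='Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] (/project/hsm-sys/azure-iot-hsm-c/src/edge_pki_openssl.c:validate_certificate_expiration:655) Certificate has expired
Oct 08 16:54:49 rp3-01 iotedged[748]: 2018-10-08T14:54:49Z [ERR!] (/project/hsm-sys/azure-iot-hsm-c/src/edge_pki_openssl.c:check_certificates:1366) Certificate file has expired /var/lib/iotedge/hsm/certs/edge_owner_cav0cQJsrFHjxosiOJDer2oKf-O45ZXKVJrO5WFWtFKe0_.cert.pem'

# Read log lines on stdin and print each distinct certificate path that a
# "Certificate file has expired" message names. Only absolute paths ending
# in .pem are accepted, so nothing else from the log reaches openssl.
expired_paths_from_log() {
    sed -n 's|.*Certificate file has expired \(/[^ ]*\.pem\).*|\1|p' | sort -u
}

# For every path found in the log on stdin, print one status line:
#   UNREADABLE  file missing, not accessible, or not an X.509 certificate
#   VALID       certificate parses and has not expired (log may be stale)
#   EXPIRED     certificate is past notAfter; the date is printed as well
report_expired() {
    expired_paths_from_log | while IFS= read -r path; do
        if ! openssl x509 -in "$path" -noout >/dev/null 2>&1; then
            echo "UNREADABLE $path"
        elif openssl x509 -in "$path" -noout -checkend 0 >/dev/null 2>&1; then
            # -checkend 0 exits 0 while the certificate is still valid now.
            echo "VALID $path"
        else
            echo "EXPIRED $path $(openssl x509 -in "$path" -noout -enddate)"
        fi
    done
}

# Demonstration on the sample lines. Off the device the file does not
# exist, so the status is UNREADABLE; on the affected device it is EXPIRED.
printf '%s\n' "$SAMPLE_LOG" | report_expired
```

A VALID result means the log entry is older than the certificate currently on disk, so the file has already been regenerated and should be left alone.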

There is also an open GitHub issue where I posted the workaround and just today the Microsoft PG confirmed that this will be fixed in the next release of Azure IoT Edge.

-> https://github.com/Azure/iotedge/issues/378#issuecomment-427877673
