Nested edge: unable to get local issuer certificate

Problem description

I am setting up a nested edge following the documentation described here: Tutorial: Create a hierarchy of IoT Edge devices (Preview)

I am getting an "unable to get local issuer certificate" error in the journalctl logs on the lower-layer device. I followed a similar certificate pattern on the upper-layer device but do not see a similar error there.

Feb 27 23:31:22 TMnestEdge01 systemd[1]: Started Azure IoT Edge daemon.
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Starting Azure IoT Edge Security Daemon
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Version - 1.2.0~rc1
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Using config file: /etc/iotedge/config.yaml
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Configuring /var/lib/iotedge as the home directory.
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Configuring certificates...
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Transparent gateway certificates not found, operating in quick start mode...
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Finished configuring provisioning environment variables and certificates.
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Initializing hsm...
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Finished initializing hsm.
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Provisioning edge device...
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Starting provisioning edge device via manual mode using a device connection string...
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Manually provisioning device "nestedEdge01" in hub "TMIoTHub.azure-devices.net"
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Finished provisioning edge device.
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Initializing the module runtime...
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Initializing module runtime...
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Notary Content Trust is disabled
Feb 27 23:31:22 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:22Z [INFO] - Using runtime network id azure-iot-edge
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Successfully initialized module runtime
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Finished initializing the module runtime.
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Stopping all modules...
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Finished stopping modules.
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Detecting if configuration file has changed...
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - No change to configuration file detected.
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Edge issuer CA expiration date: 2021-05-28T00:12:14Z
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Obtaining workload CA succeeded.
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Starting management API...
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Starting workload API...
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Starting watchdog with 60 second frequency...
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Listening on fd://iotedge.mgmt.socket/ with 1 thread for management API.
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Listening on fd://iotedge.socket/ with 1 thread for workload API.
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Checking edge runtime status
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [INFO] - Creating and starting edge runtime module edgeAgent
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [WARN] - Error in watchdog when checking for edge runtime status:
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [WARN] - A module runtime error occurred.
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [WARN] -         caused by: Could not get identity $edgeAgent
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [WARN] -         caused by: Could not get module $edgeAgent
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [WARN] -         caused by: Could not perform HTTP request
Feb 27 23:31:23 TMnestEdge01 iotedged[31876]: 2021-02-27T23:31:23Z [WARN] -         caused by: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1924: (unable to get local issuer certificate)

This is the certificates section of my config.yaml:

certificates:
  device_ca_cert: "file:///certs/iot-edge-device-ca-TMnestEdge01-full-chain.cert.pem"
  device_ca_pk: "file:///certs/iot-edge-device-ca-TMnestEdge01.key.pem"
  trusted_ca_cert: "file:///certs/azure-iot-test-only.root.ca.cert.pem"

The upper- and lower-layer devices have the same inbound network rules. Below is a screenshot from the upper-layer device.

[screenshot of the upper-layer device's inbound network rules; image not preserved]

Below is the Azure IoT Edge check on the lower-layer device. I masked the IP addresses with x.x.x.x.

root@TMnestEdge01:/home/tmandin/cmds# sudo iotedge check --diagnostics-image-name x.x.x.x:8000/azureiotedge-diagnostics:1.2.0-rc2
Configuration checks
--------------------
√ config.yaml is well-formed - OK
√ config.yaml has well-formed connection string - OK
√ container engine is installed and functional - OK
√ config.yaml has correct hostname - OK
√ config.yaml has correct parent_hostname - OK
× config.yaml has correct URIs for daemon mgmt endpoint - Error
    Unable to find image 'x.x.x.x:8000/azureiotedge-diagnostics:1.2.0-rc2' locally
    docker: Error response from daemon: Get https://x.x.x.x:8000/v2/: x509: certificate signed by unknown authority.
    See 'docker run --help'.
‼ latest security daemon - Warning
    Installed IoT Edge daemon has version 1.2.0~rc1 but 1.1.0 is the latest stable version available.
    Please see https://aka.ms/iotedge-update-runtime for update instructions.
× host time is close to reference time - Error
    error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1924: (unable to get local issuer certificate)
× container time is close to host time - Error
    Could not query local time inside container
‼ DNS server - Warning
    Container engine is not configured with DNS server setting, which may impact connectivity to IoT Hub.
    Please see https://aka.ms/iotedge-prod-checklist-dns for best practices.
    You can ignore this warning if you are setting DNS server per module in the Edge deployment.
‼ production readiness: certificates - Warning
    The Edge device is using self-signed automatically-generated development certificates.
    They will expire in 89 days (at 2021-05-28 00:12:14 UTC) causing module-to-module and downstream device communication to fail on an active deployment.
    After the certs have expired, restarting the IoT Edge daemon will trigger it to generate new development certs.
    Please consider using production certificates instead. See https://aka.ms/iotedge-prod-checklist-certs for best practices.
√ production readiness: container engine - OK
‼ production readiness: logs policy - Warning
    Container engine is not configured to rotate module logs which may cause it run out of disk space.
    Please see https://aka.ms/iotedge-prod-checklist-logs for best practices.
    You can ignore this warning if you are setting log policy per module in the Edge deployment.
× production readiness: Edge Agent's storage directory is persisted on the host filesystem - Error
    Could not check current state of edgeAgent container
× production readiness: Edge Hub's storage directory is persisted on the host filesystem - Error
    Could not check current state of edgeHub container
× EdgeAgent module can be pulled from upstream - Error
    Failed to get edge Agent image

Connectivity checks
-------------------
× host can connect to and perform TLS handshake with upstream AMQP port - Error
    Could not connect to x.x.x.x:5671 : Could not complete TLS handshake
× host can connect to and perform TLS handshake with upstream HTTPS / WebSockets port - Error
    Could not connect to x.x.x.x:443 : Could not complete TLS handshake
× host can connect to and perform TLS handshake with upstream MQTT port - Error
    Could not connect to x.x.x.x:8883 : Could not complete TLS handshake
× container on the default network can connect to upstream  AMQP port - Error
    Container on the default network Could not connect to x.x.x.x:5671
× container on the default network can connect to upstream HTTPS / WebSockets port - Error
    Container on the default network Could not connect to x.x.x.x:443
× container on the default network can connect to upstream MQTT port - Error
    Container on the default network Could not connect to x.x.x.x:8883
× container on the IoT Edge module network can connect to upstream AMQP port - Error
    Container on the azure-iot-edge network Could not connect to x.x.x.x:5671
× container on the IoT Edge module network can connect to upstream HTTPS / WebSockets port - Error
    Container on the azure-iot-edge network Could not connect to x.x.x.x:443
× container on the IoT Edge module network can connect to upstream MQTT port - Error
    Container on the azure-iot-edge network Could not connect to x.x.x.x:8883

6 check(s) succeeded.
4 check(s) raised warnings. Re-run with --verbose for more details.
15 check(s) raised errors. Re-run with --verbose for more details.

I have tried the following:

  1. Regenerated the device certificates, making sure to use the device name when creating the device certificate, e.g. create_edge_device_ca_certificate.
  2. Used both the FQDN and the IP in /etc/iotedge/config.yaml. I am currently using the IP on both the lower and upper devices.
  3. Put all certificates in the root directory and granted full permissions, e.g. chmod 777 /certs and chmod 777 /certs/*. I know this is not a good idea; I am just trying to get it working and will clean it up once it does.
  4. Redid the whole tutorial on a fresh virtual machine. Ran into the same problem.
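As an added example (not part of the original question, the tutorial, or the IoT Edge project), the script below builds a constructed root CA / device CA / leaf hierarchy with openssl and reproduces the exact OpenSSL condition in the journal above, error 20 "unable to get local issuer certificate": the leaf verifies against the root only when the intermediate device CA is supplied, which is what the device_ca_cert "full chain" file is for. It also walks a PEM bundle certificate by certificate to confirm that each issuer is the next subject and that the bundle ends at a self-signed root, which is the first thing to check on a file named full-chain.cert.pem. All names, paths and helper functions are constructed for the demo; the same two checks apply to the certificate served by the local registry on port 8000, which docker rejected above with "certificate signed by unknown authority".

```shell
#!/bin/sh
# Added example, not from the original question: reproduce and diagnose OpenSSL's
# "unable to get local issuer certificate" with a constructed three-tier PKI
# (root CA -> device CA -> leaf). All key material lives in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Generate a key and CSR for file stem $1 with CN $2.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/demo.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Sign CSR $1 with CA stem $2, using extension section $3 from demo.cnf.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/demo.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_test_pki() {
  # Self-signed root (constructed stand-in for a test-only root CA).
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/demo.cnf" -extensions ca_ext -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate "device CA" issued by the root, then a leaf issued by the device CA.
  new_csr device-ca "Demo Device CA"; sign_csr device-ca root ca_ext
  new_csr leaf "edgehub.demo.test";   sign_csr leaf device-ca leaf_ext
  # The "full chain" layout: device CA certificate followed by the root.
  cat "$WORK/device-ca.pem" "$WORK/root.pem" > "$WORK/device-ca-full-chain.pem"
}

# Verify leaf $2 against trust anchor $1, with optional untrusted intermediates $3.
# Prints openssl's output (both streams) and returns openssl's exit status.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$3" "$WORK/$2" 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/$2" 2>&1
  fi
}

# Split PEM bundle $1 into one file per certificate under directory $2.
split_pem() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
                   f != "" { print > f }' "$1"
}

# Walk PEM bundle $1 and check it is a complete chain: every certificate's issuer is the
# subject of the next one, and the last one is self-signed. Prints "subject <- issuer"
# per certificate; returns 1 on a broken link or a missing root.
chain_is_complete() {
  d=$(mktemp -d "$WORK/chain.XXXXXX")
  split_pem "$1" "$d"
  expect=""
  for c in "$d"/cert*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
    printf '%s <- %s\n' "$subj" "$iss"
    if [ -n "$expect" ] && [ "$subj" != "$expect" ]; then
      echo "broken link: expected next certificate to be '$expect'"; return 1
    fi
    expect=$iss
  done
  [ "$subj" = "$iss" ] || { echo "chain does not end at a self-signed root"; return 1; }
}

make_test_pki
echo "== walking device-ca-full-chain.pem =="
chain_is_complete "$WORK/device-ca-full-chain.pem"
echo "== leaf against root only (intermediate missing): expect error 20 =="
verify_leaf root.pem leaf.pem || true
echo "== leaf against root with the device CA chain supplied =="
verify_leaf root.pem leaf.pem device-ca-full-chain.pem
```

Run it with sh; it needs only openssl, awk and sed on PATH. The second verify_leaf call is the case in the journal above: the peer presents a certificate whose issuer is not in the trust store and no intermediate is supplied, so OpenSSL stops at depth 0. Pointing -untrusted (or, in the IoT Edge layout, device_ca_cert) at a bundle that chain_is_complete accepts turns the same verification into OK.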
