Failed to connect to Cumulocity cloud

Product/components used and version/fix level:

thin-edge v1.0.1 with a custom Cumulocity tenant

Detailed explanation of the problem:

I followed the tutorial instructions for getting started with thin-edge at thin-edge dot github dot io. I’m doing this on a Debian buster virtual machine rather than Raspberry Pi. All of the steps go without error until I run
sudo tedge connect c8y

On that step I get the output as shown below.

I’ve searched for answers and found the instructions for setting configuration for a custom tenant, that is setting c8y.mqtt and c8y.http rather than c8y.url. I have also set c8y.root.cert.path.

Error messages / full error message screenshot / log file:

$ sudo tedge connect c8y
The system config file ‘/etc/tedge/system.toml’ doesn’t exist. Use ‘/bin/systemctl’ as a service manager.

Detected mosquitto version < 2.0.0
Checking if systemd is available.

Checking if configuration for requested bridge already exists.

Validating the bridge certificates.

Creating the device in Cumulocity cloud.

The device certificate is not trusted by Cumulocity.
Error: failed to connect Cumulocity cloud.

Caused by:
Connection check failed

Question related to a free trial, or to a production (customer) instance?

This sounds like you’ve missed the “Make the device trusted by Cumulocity” step. Are you sure that you have performed this step?

Yes, I had done that step and got no warnings or errors. I executed the command again after reading your response, and got “Certificate already exists in the cloud.”

I would check in the Cumulocity IoT Device Management application under “Trusted Certificates” to make sure the certificate is enabled and the “auto registration” option is also set (just to be sure).

But that looks ok, I would try the following:

  1. Disable the Trusted Certificate (related to your device), wait 5 seconds, then re-enable it

  2. On the device try to connect again

    sudo tedge reconnect c8y
    

    You can increase the log level using (this will give very detailed/but technical information about the certs being used etc.)

    sudo RUST_LOG=trace tedge reconnect c8y
    

If that still fails, then check your Cumulocity IoT HTTP and MQTT URLs. You mentioned that you are using a custom domain, so maybe the configured c8y.http endpoint is not pointing to the same underlying Cumulocity tenant where the c8y.mqtt is pointing to. You can list the settings using the following:

tedge config get c8y.http
tedge config get c8y.mqtt

In your case I would expect the settings to be something like (note: I just added the property names below to make it easier to see what value is assigned to what property):

c8y.http    my.custom.domain.com
c8y.mqtt    t12345.eu-latest.cumulocity.com

Thank you for the pointers. When I looked at the Trusted Certificates I found my device certificate was marked as Proof of Possession incomplete. I found the instructions for completing it, performed that. Now the certificate shows Proof of Possession complete. I disabled it for 5 seconds, re-enabled it, and tried again to connect. Again, I get “The device certificate is not trusted in Cumulocity.”

Can you print out all of the thin-edge.io settings using (that will also show the c8y.http and c8y.mqtt values from before):

tedge config list

Also are you using a certificate that was created via tedge cert create or are you creating your own?

I used tedge cert create to make my certificate. Here are the settings:

$ tedge config list
device.id=debianWTF_rlc
device.key_path=/etc/tedge/device-certs/tedge-private-key.pem
device.cert_path=/etc/tedge/device-certs/tedge-certificate.pem
device.type=thin-edge.io
c8y.root_cert_path=/etc/ssl/certs/ca-certificates.crt
c8y.smartrest.templates=[]
c8y.http=dashboard.hennypenny.com:443
c8y.mqtt=t517788845.eu-latest.cumulocity.com:8883
c8y.topics=["te/+/+/+/+", "te/+/+/+/+/twin/+", "te/+/+/+/+/m/+", "te/+/+/+/+/e/+", "te/+/+/+/+/a/+", "te/+/+/+/+/status/health"]
c8y.enable.log_upload=true
c8y.enable.config_snapshot=true
c8y.enable.config_update=true
c8y.enable.firmware_update=false
c8y.proxy.bind.address=127.0.0.1
c8y.proxy.bind.port=8001
c8y.proxy.client.host=127.0.0.1
c8y.proxy.client.port=8001
c8y.bridge.include.local_cleansession=auto
c8y.entity_store.auto_register=true
c8y.entity_store.clean_start=true
az.root_cert_path=/etc/ssl/certs
az.mapper.timestamp=true
az.mapper.timestamp_format=unix
az.topics=["te/+/+/+/+/m/+", "te/+/+/+/+/e/+", "te/+/+/+/+/a/+", "te/+/+/+/+/status/health"]
aws.root_cert_path=/etc/ssl/certs
aws.mapper.timestamp=true
aws.mapper.timestamp_format=unix
aws.topics=["te/+/+/+/+/m/+", "te/+/+/+/+/e/+", "te/+/+/+/+/a/+", "te/+/+/+/+/status/health"]
mqtt.topic_root=te
mqtt.device_topic_id=device/main//
mqtt.bind.address=127.0.0.1
mqtt.bind.port=1883
mqtt.client.host=localhost
mqtt.client.port=1883
http.bind.port=8000
http.bind.address=127.0.0.1
http.client.port=8000
http.client.host=127.0.0.1
agent.state.path=/data/tedge/agent
agent.enable.config_update=true
agent.enable.config_snapshot=true
agent.enable.log_upload=true
software.plugin.max_packages=1000
run.path=/run
run.lock_files=true
run.log_memory_interval=0
logs.path=/var/log/tedge
tmp.path=/tmp
data.path=/var/tedge
firmware.child.update.timeout=3600
service.type=service
service.timestamp_format=unix
apt.dpk.options.config=keepold
sudo.enable=true

Thanks that explains everything. You are using the wrong value for the c8y.mqtt setting. So essentially you have the http and mqtt pointing to two different Cumulocity IoT instances.

I checked the custom domain, and it is pointing to t517788845.us.cumulocity.com (not on eu-latest).

So you should be able to fix it using:

sudo tedge config set c8y.mqtt "t517788845.us.cumulocity.com:8883"
sudo tedge reconnect c8y

I was able to find the underlying Cumulocity IoT tenant by opening up your custom domain (used for HTTP traffic), and just looked at the browser network calls, and found the real tenant URL (which is used for MQTT traffic). Or if you would prefer using some CLI commands, you can get the MQTT endpoint using curl, jq and cut:

curl https://dashboard.hennypenny.com/tenant/loginOptions | jq -r .self | cut -d/ -f3
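
The mismatch diagnosed in this thread can be checked mechanically. The following is an added example, not part of the original posts and not thin-edge.io code: it compares the `c8y.mqtt` host from `tedge config list` output with the host in the `self` URL of the `/tenant/loginOptions` response. The function names and both sample inputs are constructed for illustration from the values quoted in the thread.

```python
import json
from urllib.parse import urlsplit

MQTT_TLS_PORT = 8883  # port used by c8y.mqtt in the thread's configuration


def parse_tedge_config(text):
    """Parse `tedge config list` output (one key=value per line) into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key] = value
    return settings


def tenant_host(login_options_body):
    """Host of the `self` URL, i.e. what `jq -r .self | cut -d/ -f3` prints."""
    self_url = json.loads(login_options_body)["self"]
    host = urlsplit(self_url).hostname
    if not host:
        raise ValueError(f"no host in self URL: {self_url!r}")
    return host.lower()


def check_endpoints(config_text, login_options_body):
    """Return (ok, message): does c8y.mqtt target the tenant behind c8y.http?"""
    mqtt = parse_tedge_config(config_text).get("c8y.mqtt", "")
    if not mqtt:
        return False, "c8y.mqtt is not set"
    mqtt_host = mqtt.rsplit(":", 1)[0].lower()  # drop the :port suffix
    expected = tenant_host(login_options_body)
    if mqtt_host == expected:
        return True, f"c8y.mqtt matches tenant {expected}"
    # Mismatch: report the corrective command in the form used in the thread.
    return False, f'sudo tedge config set c8y.mqtt "{expected}:{MQTT_TLS_PORT}"'


# Constructed sample inputs, built from the values quoted in the thread.
SAMPLE_CONFIG = """\
c8y.http=dashboard.hennypenny.com:443
c8y.mqtt=t517788845.eu-latest.cumulocity.com:8883
"""
SAMPLE_LOGIN_OPTIONS = (
    '{"loginOptions": [], '
    '"self": "https://t517788845.us.cumulocity.com/tenant/loginOptions"}'
)

if __name__ == "__main__":
    print(check_endpoints(SAMPLE_CONFIG, SAMPLE_LOGIN_OPTIONS))
```

On a real device, the two inputs would be the output of `tedge config list` and the body returned by the `curl` command above.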