SSL routines:tls_process_server_certificate:certificate verify failed (cross-compile) #435

Closed
github-easyway opened this issue Mar 28, 2018 · 8 comments

Comments

@github-easyway

I ported AZURE-IOT-SDK to my MX26 platform and cross compiled it, but it runs abnormally. I use iothub_ll_telemetry_sample, and the error message is as follows:
Creating IoTHub handle
Sending message 1 to IoTHub
Sending message 2 to IoTHub
Sending message 3 to IoTHub
Sending message 4 to IoTHub
Sending message 5 to IoTHub
Info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Info: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
What is the cause of this?

@github-easyway
Author

INCLUDE(CMakeForceCompiler)

SET(CMAKE_SYSTEM_NAME Linux) # this one is important
SET(CMAKE_SYSTEM_VERSION 1) # this one not so much
SET(CMAKE_SYSTEM_PROCESSOR arm)
#SET(OPENSSL_USE_STATIC_LIBS TRUE)
#set(CMAKE_C_FLAGS "-static -L/home/ubuntu/chenwei/lib/openssl/openssl_lib/lib -lssl -lcrypto -ldl")

# this is the location of the amd64 toolchain targeting the Raspberry Pi
SET(CMAKE_C_COMPILER /home/ubuntu/chenwei/ioT-6G2C-L/gcc-linaro-arm-linux-gnueabihf-4.9-2014.09_linux/bin/arm-linux-gnueabihf-gcc)
SET(CMAKE_CXX_COMPILER /home/ubuntu/chenwei/ioT-6G2C-L/gcc-linaro-arm-linux-gnueabihf-4.9-2014.09_linux/bin/arm-linux-gnueabihf-g++)

# this is the file system root of the target
#SET(CMAKE_FIND_ROOT_PATH $ENV{RPI_ROOT})

# search for programs in the build host directories
SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)

# for libraries and headers in the target directories
SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)

set(OPENSSL_ROOT_DIR /home/ubuntu/chenwei/lib/openssl/openssl-1.1.1-pre3)
set(OPENSSL_CRYPTO_LIBRARIES /home/ubuntu/chenwei/lib/openssl/openssl_lib/lib)
set(OPENSSL_SSL_LIBRARY /home/ubuntu/chenwei/lib/openssl/openssl_lib/lib/libssl.a)
set(OPENSSL_LIBRARIES /home/ubuntu/chenwei/lib/openssl/openssl_lib/lib)
set(OPENSSL_INCLUDE_DIR /home/ubuntu/chenwei/lib/openssl/openssl_lib/include)

set(CURL_INCLUDE_DIR /home/ubuntu/chenwei/lib/curl/curl_lib/include)
set(CURL_LIBRARY /home/ubuntu/chenwei/lib/curl/curl_lib/lib/libcurl.a)
set(CURL_LIBRARYS /home/ubuntu/chenwei/lib/curl/curl_lib/lib)

@jebrando jebrando self-assigned this Mar 28, 2018
@jebrando
Contributor

@github-easyway Ensure that you call the function IoTHubClient_LL_SetOption(iothub_ll_handle, OPTION_TRUSTED_CERT, certificates); with the trusted server certificate found here. Let us know if this fixes your issue.

@github-easyway
Author

I use iothub_ll_telemetry_sample, and the code is as follows:

IOTHUB_CLIENT_LL_HANDLE iothub_ll_handle;

// Used to initialize IoTHub SDK subsystem
(void)platform_init();

(void)printf("Creating IoTHub handle\r\n");
// Create the iothub handle here
iothub_ll_handle = IoTHubClient_LL_CreateFromConnectionString(connectionString, protocol);

// Set any options that are necessary.
// For available options please see the iothub_sdk_options.md documentation
//bool traceOn = true;
//IoTHubClient_LL_SetOption(iothub_ll_handle, OPTION_LOG_TRACE, &traceOn);
// Setting the Trusted Certificate.  This is only necessary on systems without
// built-in certificate stores.
IoTHubClient_LL_SetOption(iothub_ll_handle, OPTION_TRUSTED_CERT, certificates);

@lakshmisivareddy

lakshmisivareddy commented Mar 29, 2018

Hi,
in IoTHubClient_LL_SetOption(iothub_ll_handle, OPTION_TRUSTED_CERT, certificates);
if the chain in "certificates" was not set properly, then the error below will occur:
1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

To resolve the issue,
provide certificates[] in your "iothub_client_sample_x509.c" file,
or
#define the SET_TRUSTED_CERT_IN_SAMPLES macro and provide the correct location of the certs.h file in your "iothub_client_sample_x509.c".

@github-easyway
Author

@lakshmisivareddy
Thanks.
I have defined SET_TRUSTED_CERT_IN_SAMPLES when I cross compile the SDK.
The command is as follows:
./build.sh --toolchain-file toolchain-rpi.cmake -cl -DSET_TRUSTED_CERT_IN_SAMPLES

but the problem is the same.

@lakshmisivareddy

@github-easyway
Try this one:
provide certificates[] in your "iothub_client_sample_x509.c" file;
create const char certificates[] = "all certificates from the cert.c file" in the "iothub_client_sample_x509.c" file.

@markrad
Member

markrad commented Mar 30, 2018

@github-easyway
If you are running the code on a Raspberry Pi then you should not need to use the trusted certs option. The Raspberry Pi running Raspbian has full support for a trusted certificates root store. I don't know about the MX26 platform though (searched for it, couldn't find it). Assuming it is running Linux then these instructions should work for your platform too. However, some platforms I have encountered appear to ignore the trusted certificates root even though OpenSSL says it's there.
You can find out where OpenSSL is expecting to find the trusted certificates root by running:

openssl version -d

This will return the directory OpenSSL is using as its root. It will look in a subdirectory of that directory called certs for the certificates. This is typically symlinked to another location. You need to check and see if the Baltimore Cybertrust certificate is present in that directory. Here is the certificate on my Raspberry Pi. I don't remember if I had to add it. I have had to do so on some platforms:

markrad@RR-OHMAIN:~ $ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
markrad@RR-OHMAIN:~ $ ls -al /usr/lib/ssl/certs
lrwxrwxrwx 1 root root 14 Jun  5  2017 /usr/lib/ssl/certs -> /etc/ssl/certs
markrad@RR-OHMAIN:~ $ ls -al /etc/ssl/certs | grep -i baltimore
lrwxrwxrwx 1 root root     29 Sep  7  2017 3ad48a91.0 -> Baltimore_CyberTrust_Root.pem
lrwxrwxrwx 1 root root     29 Sep  7  2017 653b494a.0 -> Baltimore_CyberTrust_Root.pem
lrwxrwxrwx 1 root root     64 Sep  7  2017 Baltimore_CyberTrust_Root.pem -> /usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
markrad@RR-OHMAIN:~ $

Note the certificate is another symlink to another location.

If the certificate is missing then you can download it from https://ssl-tools.net/subjects/c12f4576ed1559ecb05dba89bf9d8078e523d413. You will need the pem version of the certificate. Also notice that there are two symlinks to the certificate. You will also need to create these. You can generate the hash values for the file names using OpenSSL but they will be exactly the same on any platform so just create the two shown above on your own system. Once that is done it should all work. If you already have the certificate though then there must be something else going on.

Alternatively, you can use the trusted certs option. That should work too.

Mark Radbourne MSFT
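The check described in the comment above, written out as an added shell script (not code from the thread or the SDK): it reads the compiled-in OPENSSLDIR that openssl version -d reports, derives the two hashed link names OpenSSL looks up for a PEM file, reports whether they are present in the certs directory, and can create them. The PEM path and the certs directory are script arguments; for a cross-compiled OpenSSL the reported OPENSSLDIR is whatever was configured at build time, which is why it is worth running on the target itself.

```shell
#!/bin/sh
# Added example for this thread, not code from the SDK or from the comment above.
# Checks whether a CA certificate (PEM) is installed under the hashed names
# OpenSSL looks up: <subject_hash>.0 and, for older OpenSSL, <subject_hash_old>.0.

# Print the certs directory under the compiled-in OPENSSLDIR, as reported by
# "openssl version -d" (output looks like: OPENSSLDIR: "/usr/lib/ssl").
openssl_certs_dir() {
    dir=$(openssl version -d | sed -e 's/^OPENSSLDIR: "//' -e 's/"$//')
    printf '%s/certs\n' "$dir"
}

# Print the two hashed file names OpenSSL expects for the given PEM file.
hashed_names() {
    new_hash=$(openssl x509 -in "$1" -noout -subject_hash)
    old_hash=$(openssl x509 -in "$1" -noout -subject_hash_old)
    printf '%s.0 %s.0\n' "$new_hash" "$old_hash"
}

# Return 0 if both hashed names resolve to a readable file in DIR, else 1.
check_ca_installed() {
    pem=$1
    dir=$2
    status=0
    for name in $(hashed_names "$pem"); do
        if [ -r "$dir/$name" ]; then
            echo "present: $dir/$name"
        else
            echo "missing: $dir/$name"
            status=1
        fi
    done
    return $status
}

# Copy PEM into DIR and create both hashed symlinks (needs write access to DIR).
install_ca() {
    pem=$1
    dir=$2
    base=$(basename "$pem")
    cp "$pem" "$dir/$base"
    for name in $(hashed_names "$pem"); do
        ln -sf "$base" "$dir/$name"
    done
}

# Usage: sh check_ca.sh /path/to/Baltimore_CyberTrust_Root.pem [certs_dir]
if [ -n "$1" ]; then
    check_ca_installed "$1" "${2:-$(openssl_certs_dir)}"
fi
```

Run it on the target with the downloaded Baltimore PEM; a "missing" line for either name means OpenSSL's hashed lookup will not find the root even if the file itself is in the directory.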

@ewertons
Contributor

ewertons commented Jul 9, 2018

Hi @github-easyway ,
we will close this issue for now, but if you would like to follow up on top of @markrad 's comment please feel free to reopen it.
Thanks,
Ewerton
