latest tedge cert renew fails when using a hsm and an older tedge-p11-server 1.6.1 #3832
Description
Describe the bug
When using a private key stored in an HSM, the tedge cert renew c8y command fails when using tedge 1.6.2~275+g7689e03 and an older tedge-p11-server 1.6.1.
These versions
Below shows the error reason when trying to renew the Cumulocity CA issued device certificate.
```
$ tedge cert renew
Error: failed to renew the device certificate via Cumulocity HTTP proxy http://127.0.0.1:8001
Caused by:
    0: Failed to parse the received frame
    1: Hit the end of buffer, expected more data
```

The tedge client must be able to successfully communicate with older tedge-p11-server versions to allow great flexibility to users who are using tedge from a container, and the container is communicating to the tedge-p11-server on the host where the version will not be updated as frequently as the version of tedge in the container.
Updating tedge-p11-server package on the host to match the latest tedge package resolves the problem, but this may not be feasible for some users.
```
# apt-get install tedge-p11-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  dc dos2unix
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
  tedge-p11-server
1 upgraded, 0 newly installed, 0 to remove and 184 not upgraded.
Need to get 875 kB of archives.
After this operation, 321 kB disk space will be freed.
Get:1 https://dl.cloudsmith.io/public/thinedge/tedge-main/deb/debian bookworm/main arm64 tedge-p11-server arm64 1.6.2~275+g7689e03 [875 kB]
Fetched 875 kB in 1s (1249 kB/s)
Reading changelogs... Done
(Reading database ... 59642 files and directories currently installed.)
Preparing to unpack .../tedge-p11-server_1.6.2~275+g7689e03_arm64.deb ...
Unpacking tedge-p11-server (1.6.2~275+g7689e03) over (1.6.1) ...
Setting up tedge-p11-server (1.6.2~275+g7689e03) ...
root@rpi4-d83add90fe56 ~ # tedge cert renew
Certificate renewed successfully
For an un-interrupted service:
=> the device has to be reconnected to the cloud
```

To Reproduce
- Install tedge 1.6.1 and tedge-p11-server 1.6.1
- Initialize the HSM (softhsm2 is fine) and register the device with the Cumulocity CA
- Connect to Cumulocity
- Update to tedge >= 1.6.2~275+g7689e03

  ```
  wget -O - thin-edge.io/install.sh | sh -s -- --channel main
  ```
- Try to renew the certificate

  ```
  tedge cert renew c8y
  ```

Expected behavior
tedge should be able to communicate with older tedge-p11-server versions successfully. If the tedge-p11-server adds new API calls, then it should add them in a non-breaking manner, e.g. add a new API rather than modifying an existing one (or something to that effect).
Screenshots
Environment (please complete the following information):
| Property | Value |
|---|---|
| OS [incl. version] | Debian GNU/Linux 12 (bookworm) |
| Hardware [incl. revision] | Raspberry Pi 4 Model B Rev 1.5 |
| System-Architecture | Linux rpi4-d83add90fe56 6.6.51+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.51-1+rpt3 (2024-10-08) aarch64 GNU/Linux |
| thin-edge.io version | tedge 1.6.2~275+g7689e03 |

Additional context
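
Added illustration, not part of the original issue and not thin-edge.io code: one way an "end of buffer" parse error can arise between mismatched client and server versions, next to the additive change the expected behavior asks for. The frame layout, tag numbers and function names are hypothetical; the real tedge-p11-server protocol is not shown on this page.

```rust
// Hypothetical wire format (assumption, NOT the real tedge-p11-server protocol):
//   tag 1: [1][len: u8][signature bytes]              (original response)
//   tag 2: [2][len: u8][signature bytes][scheme: u8]  (response added later)
#[derive(Debug, PartialEq)]
enum DecodeError { EndOfBuffer, UnknownTag(u8) }

#[derive(Debug, PartialEq)]
struct SignResponse { signature: Vec<u8>, scheme: Option<u8> }

struct Reader<'a> { buf: &'a [u8], pos: usize }

impl<'a> Reader<'a> {
    // Bounds-checked reads: a short frame yields an error, never a panic.
    fn byte(&mut self) -> Result<u8, DecodeError> {
        let b = *self.buf.get(self.pos).ok_or(DecodeError::EndOfBuffer)?;
        self.pos += 1;
        Ok(b)
    }
    fn bytes(&mut self) -> Result<Vec<u8>, DecodeError> {
        let end = self.pos + self.byte()? as usize + 1;
        let out = self.buf.get(self.pos..end).ok_or(DecodeError::EndOfBuffer)?;
        self.pos = end;
        Ok(out.to_vec())
    }
}

// Breaking change: the layout of tag 1 itself was modified to carry a new field.
fn decode_modified_in_place(frame: &[u8]) -> Result<SignResponse, DecodeError> {
    let mut r = Reader { buf: frame, pos: 0 };
    match r.byte()? {
        1 => Ok(SignResponse { signature: r.bytes()?, scheme: Some(r.byte()?) }),
        t => Err(DecodeError::UnknownTag(t)),
    }
}

// Non-breaking change: tag 1 keeps its layout, the new field lives under tag 2.
fn decode_additive(frame: &[u8]) -> Result<SignResponse, DecodeError> {
    let mut r = Reader { buf: frame, pos: 0 };
    match r.byte()? {
        1 => Ok(SignResponse { signature: r.bytes()?, scheme: None }),
        2 => Ok(SignResponse { signature: r.bytes()?, scheme: Some(r.byte()?) }),
        t => Err(DecodeError::UnknownTag(t)),
    }
}

// Constructed sample: what an older server would send for a 3-byte signature.
fn old_server_frame() -> Vec<u8> { vec![1, 3, 0xAA, 0xBB, 0xCC] }

fn main() {
    println!("modified in place: {:?}", decode_modified_in_place(&old_server_frame()));
    println!("additive:          {:?}", decode_additive(&old_server_frame()));
}
```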