Updating 200x Ewon Flexy205 and MQTT settings

Hello

I currently have the problem that Azure IoT Hub is changing its root certificate.
This is the message from Azure:

If I understand correctly, the old and new certificate need to be in the “trusted root store” of the device since they can’t determine an exact time on which they will be switching their CA.

At the moment, we have approximately 200 Ewon Flexy205 with a configuration with the old CA.

Now I have 2 questions:

  1. Is there any possibility to trust 2 CAs at the same time? Looking at the Programming Reference Guide of the Ewon, MQTT “setparam”, “cafile” “path” only allows one path. If this is the case, do you have any idea how to fix this problem?
  2. Since we have 200 Ewons, is there any way to make bulk configuration updates? Updating them one by one seems a bit… cumbersome.

Since our company is depending on the MQTT function between Ewon and Azure IoT-Hub, this looks like a huge problem we are running into. Any advice is deeply appreciated.

Best regards
pstark

Did you get a solution to this issue?

Unfortunately, I’m still trying to find a solution for this.

We have developed an Azure IoT Connector that automates the provisioning process by using the SAS Token Provisioning Mode. Have you spoken with anyone about that yet?

I talked to Simon about this today and he said he has updated the thread here: MQTT- Easy connection to Microsoft AZURE IOT Hub/ IOT Central using SAS tokens

That is awesome that he has done that.

Nowhere in that post does he refer to the needed CA cert that needs to be installed onto the Flexy unit.

pstark is asking about the CA cert and the changes that are coming from Azure.

I think what he is saying is that you won’t be impacted if you are using the new script. Unfortunately, he’s on vacation now, but this change doesn’t go into effect until later next year. He also mentioned a tool for automating this, but it hasn’t yet been released. I will follow up when I can confirm this.

I would recommend considering our Azure Connector still, as it makes this process completely automated. I’m not sure how it’s distributed in the EU as it was developed by the Americas Solution Center, but I could find out if you were interested.

The script is calling the CA certificate that needs to be installed in the USR folder on the Flexy unit. If you look at the script you can see during the call to connect to MQTT there is a reference to the CA cert that is on the unit.

I would be interested in knowing more about the Azure Connector.

This is Ted with Sweeney, right? I can have the manager of the Solutions Center give you a call if you want to share a phone number. I’ll make sure that it won’t be posted on the forum.

Same Ted, different company as of June. Could not sign up with the same user name…

Thanks Ted! I gave your info to Tom McKinney, who is our Director of Engineering Services & Partnerships and manages our Solutions Center. He should be reaching out soon.

Sorry, was not able to reply until now.

If I’m seeing it correctly, I have to integrate the function below (from the provided script) into my own code, as both certificates will be in a single file?
Then use the generated file for MQTT "SETPARAM", "CAFILE","/usr/AzureCA.crt"?

Now is there any way to update multiple Ewons at the same time?

FUNCTION Generate_Azure_CA_Certificates()

  // Generate DigiCert Global Root G2 CA cert (the new Azure IoT Hub root).
  // Each line is one 64-character base64 row of the PEM, terminated with CRLF.
  $CACRT$ =           "-----BEGIN CERTIFICATE-----" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "************************************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "***************************************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "*****************************************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "**************************************************************************/RrohCgiN9RlUyfuI" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "2/*********************************************+4FR1IAWsULecYxpsMNzaHxmx" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "1x7e/dfgy5SDN67sH0NO3Xss0r0upS/*********************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "q2EGnI/yuum06ZIya7XzV+***************************/tJS7SsVQepj5Wz" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "******************************************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/*******************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "5uNu5g/6+*********************************************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "MrY=" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "-----END CERTIFICATE-----"
  $CACRT$ = $CACRT$ + CHR$(13) + CHR$(10)

  // Generate Baltimore CyberTrust Root CA cert (the current root), appended
  // to the same string so the single cafile holds both roots.
  $CACRT$ = $CACRT$ + "-----BEGIN CERTIFICATE-----" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "MIIDdzCCAl+************************************************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "***********************************************************************************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "mpYcqWe4PwzV9/lSEy/**********************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "XmD+tqYF/***************************************/xXtabz5OTZy" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "*****************************************************************************v/ye" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "*******************************************************************************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "BE3wMBIGA1UdEwEB/*******************************/BAQDAgEGMA0GCSqGSIb3" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "***********************************/szKN+OMY3EU/t3Wgx" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "jkzSswF07r51XgdIGn9w/*******************/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "***************************************************+3zvDyny67G7fyUIhz" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/******************" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp" + CHR$(13) + CHR$(10)
  $CACRT$ = $CACRT$ + "-----END CERTIFICATE-----"

  // Write the combined bundle to /usr; this is the path passed to
  // MQTT "SETPARAM", "CAFILE", "/usr/AzureCA.crt"
  OPEN "file:/usr/AzureCA.crt" FOR BINARY OUTPUT AS 1
  PUT 1, $CACRT$
  CLOSE 1

ENDFN
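The question above (one cafile, two roots) is answered in the thread by concatenating both PEM blocks into a single file. The following is an added example, not Ewon, HMS or Azure code, showing how to build and sanity-check such a rollover bundle on a workstation before pushing it to a fleet: it splits PEM blocks, rejects blocks that are not valid base64 or do not decode to a DER SEQUENCE, de-duplicates by SHA-256 fingerprint, re-wraps at 64 columns with CRLF line endings (matching the CHR$(13) + CHR$(10) the Ewon script emits), and confirms that every expected root is present. It assumes, as the reply in this thread confirms, that the Ewon treats the cafile as a plain PEM bundle. The two "root" blobs are constructed minimal DER stand-ins so the example runs offline; a real bundle holds the actual root PEMs from the CA.

```python
"""Build and verify a multi-root CA bundle for a device cafile (added example)."""
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)
CRLF = "\r\n"  # same line ending as CHR$(13) + CHR$(10) in the Ewon script


def split_pem(text):
    """Return the DER bytes of every certificate block in a PEM text.

    Raises ValueError for a block that is not valid base64 or whose DER does
    not start with the ASN.1 SEQUENCE tag (0x30) that every X.509 cert has.
    """
    ders = []
    for body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate block is not valid base64: {exc}")
        if not der or der[0] != 0x30:
            raise ValueError("certificate block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, colon-separated as tools print it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def build_ca_bundle(pem_texts):
    """Merge PEM texts into one bundle: de-duplicated, base64 re-wrapped at
    64 columns, CRLF line endings. Returns (bundle_text, [fingerprints])."""
    seen = {}
    for text in pem_texts:
        for der in split_pem(text):
            seen.setdefault(fingerprint(der), der)
    if not seen:
        raise ValueError("no certificates found in input")
    lines = []
    for der in seen.values():
        b64 = base64.b64encode(der).decode("ascii")
        lines.append("-----BEGIN CERTIFICATE-----")
        lines.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
        lines.append("-----END CERTIFICATE-----")
    return CRLF.join(lines) + CRLF, list(seen)


def bundle_contains(bundle_text, expected_fingerprints):
    """True if every expected root is in the bundle; run this before rollout so
    no device is left trusting only one side of the CA switch."""
    present = {fingerprint(d) for d in split_pem(bundle_text)}
    return set(expected_fingerprints) <= present


# Constructed stand-ins for the old and new root: minimal DER SEQUENCEs,
# not real certificates (assumption for an offline demo).
OLD_ROOT_DER = b"\x30\x03\x02\x01\x01"   # SEQUENCE { INTEGER 1 }
NEW_ROOT_DER = b"\x30\x03\x02\x01\x02"   # SEQUENCE { INTEGER 2 }


def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(der).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


OLD_ROOT_PEM = _pem(OLD_ROOT_DER)
NEW_ROOT_PEM = _pem(NEW_ROOT_DER)


def demo():
    """Build the rollover bundle (old root given twice to show de-duplication)
    and confirm both roots are present. Returns (cert count, CRLF count, ok)."""
    bundle, fps = build_ca_bundle([OLD_ROOT_PEM, NEW_ROOT_PEM, OLD_ROOT_PEM])
    ok = bundle_contains(bundle, [fingerprint(OLD_ROOT_DER), fingerprint(NEW_ROOT_DER)])
    return len(fps), bundle.count(CRLF), ok


if __name__ == "__main__":
    print(demo())
```

The text returned by build_ca_bundle is what the Ewon function above writes to /usr/AzureCA.crt; checking the fingerprints against the values the CA publishes catches a truncated or mis-pasted block before it reaches 200 devices. Once the CA switch is complete, rebuild the bundle without the old root so the devices stop trusting it.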

Correct. Simon is working on a way to automate this. I will check with him to see where that is at.

Thank you for your reply!
Looking forward to the update.

He’s actually pretty close to finishing, and just polishing it up a bit. It will be in the form of an Excel sheet which can update the Ewons remotely. (I don’t know exactly how it works yet.)

Here is a link to the tool that Simon created: Ewon Technical Forum

It allows you to replace a file on all of your Flexys (or one or as many as you want). It can be a firmware file, a full backup (.tar) file (though you wouldn’t want to send the same backup to all of your Flexys, yikes!), or any other file, like a cert. It also allows you to reboot as many Flexys as you want all at once.

If you have questions on it, I would recommend commenting on his thread, although I have tested it somewhat and may be able to answer some of your questions.

Link says I don’t have permissions to get to that page.

Same here.

I will send it to you. I didn’t realize it before, but it isn’t public.


Can I get it as well?