ucloud: update ports to match new Arduino CA. #94

Merged
merged 4 commits into from
Mar 4, 2025

rjtokenring
Contributor

Due to the switch at broker level, move certificate-based authenticated clients to port 8885.

@iabdalkader
Collaborator

@rjtokenring rjtokenring force-pushed the Update-default-broker-ports branch from 9e8bed1 to bd04f84 Compare March 3, 2025 13:05
@rjtokenring
Contributor Author

> Do we also need to update CA data?
>
> https://github.com/arduino/arduino-iot-cloud-py/blob/main/src/arduino_iot_cloud/__init__.py#L14

yes, thanks. Do you know if it's pem or der encoded?

@iabdalkader
Collaborator

> yes, thanks. Do you know if it's pem or der encoded?

DER

@iabdalkader
Collaborator

I can't connect with mosquitto either. I tried this root certificate, and I also tried to download one myself:

openssl s_client -showcerts -connect iot.arduino.cc:8885 </dev/null | openssl x509 -outform PEM > ca-root.pem
mosquitto_sub --cafile ca-root.pem --cert cert.pem --key key.pem -d -h mqtts-sa.iot.arduino.cc -p 8885 -i ${DEVICE_ID} -v --tls-version tlsv1.2 -q 0 -t "/a/d/${DEVICE_ID}/e/i"

I got:

OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
Error: Protocol error
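
An added example, not part of this thread or of the arduino-iot-cloud-py code base: `openssl s_client -showcerts` prints every certificate the server sends as its own PEM block, while the reply above says the CA data embedded in the library is DER. The sketch normalizes either form to a list of DER blobs and fingerprints each one so a downloaded CA can be compared with the embedded one; all function names are hypothetical, and `LEAF`, `CA` and `SHOWCERTS_OUTPUT` are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(blob: bytes) -> int:
    """Length of the outer DER SEQUENCE (header included), or ValueError."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def load_certs(data: bytes) -> list:
    """Accept PEM (any number of blocks, surrounding text ignored) or raw DER.
    Returns DER blobs in the order they appear in the input."""
    blocks = PEM_RE.findall(data)
    ders = [base64.b64decode(b"".join(b.split())) for b in blocks] or [data]
    for der in ders:
        if der_total_length(der) != len(der):
            raise ValueError("truncated certificate or trailing bytes")
    return ders

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the value to compare against a pinned CA."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins: tiny valid DER SEQUENCEs, not real certificates.
LEAF = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
CA = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
# Constructed text shaped like `openssl s_client -showcerts` output.
SHOWCERTS_OUTPUT = (
    b"Certificate chain\n 0 s:CN=leaf (constructed)\n"
    + ssl.DER_cert_to_PEM_cert(LEAF).encode()
    + b" 1 s:CN=ca (constructed)\n"
    + ssl.DER_cert_to_PEM_cert(CA).encode()
)

if __name__ == "__main__":
    for i, der in enumerate(load_certs(SHOWCERTS_OUTPUT)):
        print(i, len(der), fingerprint(der))
```

On a real capture the first blob is the server's own certificate; any CA certificates the server sends follow it in the list.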

@mirkokurt

> I can't connect with mosquitto either. I tried this root certificate, and I also tried to download one myself:
>
> openssl s_client -showcerts -connect iot.arduino.cc:8885 </dev/null | openssl x509 -outform PEM > ca-root.pem
> mosquitto_sub --cafile ca-root.pem --cert cert.pem --key key.pem -d -h mqtts-sa.iot.arduino.cc -p 8885 -i ${DEVICE_ID} -v --tls-version tlsv1.2 -q 0 -t "/a/d/${DEVICE_ID}/e/i"
>
> I got:
>
> OpenSSL Error[0]: error:0A000086:SSL routines::certificate verify failed
> Error: Protocol error

since the CA is changed, to restore the CI we have to produce a new cert.pem signed with the new CA (for each device). Github action secrets are write-only, is there any other way we can retrieve their values?

@iabdalkader
Collaborator

> since the CA is changed, to restore the CI we have to produce a new cert.pem signed with the new CA (for each device). Github action secrets are write-only, is there any other way we can retrieve their values?

Does this mean that all provisioned devices will stop working? That sounds bad.
I can update the secrets, but will need to provision a new device.

@Bodobolero

Bodobolero commented Mar 3, 2025

> > since the CA is changed, to restore the CI we have to produce a new cert.pem signed with the new CA (for each device). Github action secrets are write-only, is there any other way we can retrieve their values?
>
> Does this mean that all provisioned devices will stop working? That sounds bad. I can update the secrets, but will need to provision a new device.

Actually my device already stopped working on Feb 24 for no obvious reason and can no longer connect to the MQTT broker.

note that I got an email from Arduino "Important Security Update Required for Arduino Cloud Devices"
Please note that the update will need to be completed by Feb 16th. In order to continue to ensure a reliable and secure connection between your IoT devices and Arduino Cloud, we need you to update the security credentials stored on your IoT devices

I followed all the steps mid February and my device continued working after my changes (and successfully removed the "requires update" icon in the web UI on cloud.arduino.cc under Devices) until it stopped working Feb 24 without me changing anything. It is Arduino RP2040 connect.

@rjtokenring
I am really disappointed how Arduino manages and especially communicates these changes without deeper technical explanations that help the makers self-resolve those problems. Not to mention the difficulties to get the create agent running on MacOS after you changed the required/expired HTTPS root cert to authenticate the create agent with the Browser.

I was even giving Arduino classes recommending the IoT cloud but I will stop doing this.
As long as the ArduinoIotCloud server side is a black box that violates the Arduino Open source principles it is impossible to resolve issues and official support just doesn't scale and work.

Sorry for hi-jacking this PR with my comments but I hope it finds the right audience this way.

@iabdalkader
Collaborator

iabdalkader commented Mar 4, 2025

> note that I got an email from Arduino "Important Security Update Required for Arduino Cloud Devices"

@Bodobolero I missed that email, but I can't access my devices anyway.

@mirkokurt @rjtokenring Can you regenerate a device certificate if I send you the device ID and/or API key? Or should I just try to create a new device?

@rjtokenring
Contributor Author

> > note that I got an email from Arduino "Important Security Update Required for Arduino Cloud Devices"
>
> @Bodobolero I missed that email, but I can't access my devices anyway.
>
> @mirkokurt @rjtokenring Can you regenerate a device certificate if I send you the device ID and/or API key? Or should I just try to create a new device?

Please provide device-id, so we can re-sign it.

@Bodobolero

> Please provide device-id, so we can re-sign it.

mine is b02e929f-de77-40c1-bc48-000be066c944

@iabdalkader
Collaborator

> mine is b02e929f-de77-40c1-bc48-000be066c944

@Bodobolero That was for me to provide the device id used for the CI.

@iabdalkader
Collaborator

The CI test now passes.

@pennam pennam force-pushed the Update-default-broker-ports branch from 7367aa7 to d6a1577 Compare March 4, 2025 15:21
@pennam pennam changed the title Update ports to match new Arduino CA ucloud: update ports to match new Arduino CA Mar 4, 2025
@pennam pennam force-pushed the Update-default-broker-ports branch from 0a46728 to 1ca1252 Compare March 4, 2025 15:38
@pennam pennam force-pushed the Update-default-broker-ports branch from 1ca1252 to 4ebcd12 Compare March 4, 2025 15:55
@iabdalkader iabdalkader changed the title ucloud: update ports to match new Arduino CA ucloud: Update ports to match new Arduino CA. Mar 4, 2025
@pennam pennam changed the title ucloud: Update ports to match new Arduino CA. ucloud: update ports to match new Arduino CA. Mar 4, 2025
@pennam pennam force-pushed the Update-default-broker-ports branch from 4ebcd12 to 0d3aadf Compare March 4, 2025 16:01
@iabdalkader iabdalkader merged commit 5791f0f into main Mar 4, 2025
4 checks passed
@iabdalkader iabdalkader deleted the Update-default-broker-ports branch March 4, 2025 16:31
@mirkokurt

mirkokurt commented Mar 5, 2025

> b02e929f-de77-40c1-bc48-000be066c944

@Bodobolero An automatic migration of all device certificates has been made for security reasons. The migration has been applied leveraging the cloud editor for RP2040. I've checked and the certificate of your device has been re-signed and the library version has been updated so your device should be able to connect. If this is not the case as you said, we can investigate. But this is not the right place. Please post in the forum and we will help you.

@Bodobolero

> > b02e929f-de77-40c1-bc48-000be066c944
>
> @Bodobolero An automatic migration of all device certificates has been made for security reasons. The migration has been applied leveraging the cloud editor for RP2040. I've checked and the certificate of your device has been re-signed and the library version has been updated so your device should be able to connect. If this is not the case as you said, we can investigate. But this is not the right place. Please post in the forum and we will help you.

Another user failing arduino-libraries/ArduinoIoTCloud#534
