How to add ZScaler certificate to edgeHub and edgeAgent?

Question

I have issue with connectivity using Azure IoT Edge behind Zscaler. I know that I need to somehow install the ZScaler cerificate on host machine and Docker containers. I was able to install it in Ubuntu server and it worked because right now I get green indicate that host can connect to azure-devices.net. But it still can't connect from container network. Can anyone provide me details how to do that? From what I understand I should provide the info to edgeHub and edgeAgent DockerFile, I just can't locate them. Will i need to build new images for that? Because edgeAgent doesn't have connectivity to cloud I can't modify anything in the deploy manifest.

Answer 1

You can use a bind to mount the required certificate into the edgeAgent and edgeHub containers. What you mount will vary upon if you are using Edge 1.1 or 1.2.

For Edge 1.1, you will need to copy the ca-certificates.crt file from /etc/ssl/certs on the container, append the Zscaler root certificate (in pem format) to that file, and then mount it to each container with a bind as /etc/ssl/certs/ca-certificates.crt. Your config.yaml should look something like this:

agent:
  name: “edgeAgent”
  type: “docker”
  env:”
    https_proxy: “This should be the URL of your proxy server”
    UpstreamProtocol: “AmqpWs”   # Typically
  config:
    image: “mcr.microsoft.com/azureiotedge-agent:1.1”  # Possibly
    auth: {}   # Typically
    create_options:
# Following lines are added
      host_config:
        binds:
        - /full/path/to/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt

For Edge 1.2, you will need to generate the hash value of the certificate that is used by OpenSSL to find the correct root certificate. You can do this with the command:

ln -s zscalerroot.crt `openssl x509 -hash -noout -in zscalerroot.crt`.0

where zscalerroot.crt is your Zscaler root. This will create a symbolic link with eight hex digits followed by .0 to your zscaler certificate. You can then bind the Zscaler root certificate into /etc/openssl/certs but name it in the container with the name you just generated. Your config.toml should look something like this snippet:

[agent.config]
image = “mcr.microsoft.com/azureiotedge-agent:1.1"  # Possibly
# Bind added here
createOptions = { HostConfig = { Binds = [ “/full/path/to/zscaler.crt:/etc/ssl/certs/001122ff.0”] } }

Where the 001122ff.0 is the name generated by the ln command.

You will also need to add the bind into the deployment JSON. This will be in the runtime settings in the Azure portal when you use the set modules functionality. You need to add it to the HostConfig.

For edgeAgent under 1.1 for example:

{
    "HostConfig": {
        "Binds": [
            "/full/path/to/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
        ],
    }
}

And for edgeAgent under 1.2:

{
    "HostConfig": {
        "Binds": [
            "/full/path/to/zscaler.crt:/etc/ssl/certs/001122ff.0"
        ],
    }
}

You will need to add a similar bind to edgeHub's runtime settings too.

Caveat: I have got this to work with Edge 1.1. I have not had an opportunity to test the 1.2 yet.