aws / aws-iot-device-sdk-arduino-yun

SDK for connecting to AWS IoT from an Arduino Yún.
Apache License 2.0

Error when trying to run basicPubSub #45

Closed ryanhliu closed 7 years ago

ryanhliu commented 7 years ago

Hi! I'm trying your basicPubSub example and keep running into this error. Could you help me out?

I run the command:

python basicPubSub.py -e <host> -r ../../../root-CA.crt -c ../../../izac_listener.cert.pem -k ../../../izac_listener.private.key

2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Paho MQTT Client init.
2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - ClientID: basicPubSub
2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Protocol: MQTTv3.1.1
2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Register Paho MQTT Client callbacks.
2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - mqttCore init.
2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load CAFile from: ../../../root-CA.crt
2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load Key from: ../../../izac_listener.private.key
2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load Cert from: ../../../izac_listener.cert.pem
2017-05-08 22:58:35,694 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: baseReconnectTime = 1 sec
2017-05-08 22:58:35,695 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: maximumReconnectTime = 32 sec
2017-05-08 22:58:35,695 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: minimumConnectTime = 20 sec
2017-05-08 22:58:35,695 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for publish queueing: queueSize = -1
2017-05-08 22:58:35,695 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for publish queueing: dropBehavior = Drop Newest
2017-05-08 22:58:35,695 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for draining interval: 0.5 sec
2017-05-08 22:58:35,695 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Set maximum connect/disconnect timeout to be 10 second.
2017-05-08 22:58:35,695 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Set maximum MQTT operation timeout to be 5 second
2017-05-08 22:58:35,695 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Connection type: TLSv1.2 Mutual Authentication
Traceback (most recent call last):
  File "basicPubSub.py", line 133, in <module>
    myAWSIoTMQTTClient.connect()
  File "/Users/Ryan/virtualenvs/alexa/lib/python3.6/site-packages/AWSIoTPythonSDK/MQTTLib.py", line 403, in connect
    return self._mqttCore.connect(keepAliveIntervalSecond)
  File "/Users/Ryan/virtualenvs/alexa/lib/python3.6/site-packages/AWSIoTPythonSDK/core/protocol/mqttCore.py", line 290, in connect
    self._pahoClient.connect(self._host, self._port, keepAliveInterval)  # Throw exception...
  File "/Users/Ryan/virtualenvs/alexa/lib/python3.6/site-packages/AWSIoTPythonSDK/core/protocol/paho/client.py", line 655, in connect
    return self.reconnect()
  File "/Users/Ryan/virtualenvs/alexa/lib/python3.6/site-packages/AWSIoTPythonSDK/core/protocol/paho/client.py", line 798, in reconnect
    ciphers=self._tls_ciphers)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 1142, in wrap_socket
    ciphers=ciphers)
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 808, in __init__
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:749)

I generated all the certificates with AWS IoT. I am running Python3.6 and my ssl version:

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2j  26 Sep 2016'

Thank you in advance!

chaurah commented 7 years ago

Hi @ryanhliu, Unfortunately, the python SDK does not currently support Python v3+. You can find further information and a workaround on this post. We are working on enabling support for v3.x in the next release. Thank you for using AWS IoT.

Rahul

ryanhliu commented 7 years ago

Hi again! I noticed I posted this issue in the wrong repo! Do you happen to know if aws-iot-device-sdk-python (https://github.com/aws/aws-iot-device-sdk-python) is supported by python 3.6? It says in the README it is, but the error above presents itself. I also made the change to the client.py file as you indicated in the link. Sorry for the confusion!

chaurah commented 7 years ago

Hi @ryanhliu, It is no problem. We got to the correct repo in the end. The link I provided in the previous post is the workaround for the python device SDK. You will still have to use the workaround for the moment to make it work properly. Please let me know if you have further questions.

Rahul

ryanhliu commented 7 years ago

Hi @chaurah, I put the code change specified in the link you provided but get the same error. I put the change in: /Users/Ryan/virtualenvs/alexa/lib/python3.6/site-packages/AWSIoTPythonSDK/core/protocol/paho/client.py

liuszeng commented 7 years ago

Hi @ryanhliu ,

Thank you very much for providing the information.

Can you verify that you have activated the certificate in your AWS IoT Console?

Thanks, Liusu

ryanhliu commented 7 years ago

[Screenshot: screen shot 2017-05-11 at 8 13 10 pm]

Will this do?

liuszeng commented 7 years ago

Hi @ryanhliu ,

Yes, the certificate is shown as active. Are you still experiencing the issue after the certificate is active?

Thanks, Liusu

ryanhliu commented 7 years ago

Yes, I get the exact same error as originally posted. Is there anything I could try? Keep note that I made the changes to client.py as specified by the workaround post.

liuszeng commented 7 years ago

Hi @ryanhliu ,

Can you attach the IoT policy you associate with the certificate? Can you use the same certificate and key with MQTT.fx to try again? If it still does not work, can you generate another pair of certificate and key and try again?

Thanks, Liusu

ryanhliu commented 7 years ago

Hi, I tried with the previous certificate and key and made a new certificate and key and tried it with those and ended up with this error:

2017-05-16 18:35:32,811  INFO --- ScriptsController              : Clear console.
2017-05-16 18:35:32,812  INFO --- MqttFX ClientModel             : MqttClient with ID 1afed18631c945b386848497c0fd2ef8 assigned.
2017-05-16 18:35:33,243 ERROR --- MqttFX ClientModel             : Error when connecting
org.eclipse.paho.client.mqttv3.MqttException: MqttException
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_131]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_131]
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    ... 1 more
2017-05-16 18:35:33,244 ERROR --- MqttFX ClientModel             : Please verify your Settings (e.g. Broker Address, Broker Port & Client ID) and the user credentials!
org.eclipse.paho.client.mqttv3.MqttException: MqttException
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_131]
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_131]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_131]
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
    ... 1 more
2017-05-16 18:35:33,248  INFO --- ScriptsController              : Clear console.
2017-05-16 18:35:33,248 ERROR --- BrokerConnectService           : MqttException

My policy attached to both certificates is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Subscribe",
        "iot:Receive"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

My settings for the connection setup on MQTT.fx are as follows:

[Screenshot: screen shot 2017-05-16 at 6 39 13 pm]

liuszeng commented 7 years ago

Hi @ryanhliu ,

Unfortunately, I am not able to duplicate your issue on my side. The following are the steps and configuration I did. You can take a look and check if there is any difference:

  1. I created the following IoT Policy via AWS IoT Console UI, using the policy JSON doc in your previous post: [image]
  2. I created, downloaded and activated the following IoT certificate/private key: [image]
  3. I attached the policy in step 1 to the certificate in step 2: [image]
  4. I used the following command to run basicPubSub sample in AWS IoT Python SDK:
    basicPubSub|master⚡ ⇒ python3.6 basicPubSub.py -e <PREFIX>.iot.us-east-1.amazonaws.com -r aws-iot-rootCA.crt -c 8d23e57394-certificate.pem.crt -k 8d23e57394-private.pem.key 
    2017-05-22 11:06:16,573 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Paho MQTT Client init.
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - ClientID: basicPubSub
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Protocol: MQTTv3.1.1
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Register Paho MQTT Client callbacks.
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - mqttCore init.
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load CAFile from: <path>/aws-iot-rootCA.crt
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load Key from: <path>/8d23e57394-private.pem.key
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load Cert from: <path>/8d23e57394-certificate.pem.crt
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: baseReconnectTime = 1 sec
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: maximumReconnectTime = 32 sec
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: minimumConnectTime = 20 sec
    2017-05-22 11:06:16,574 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for publish queueing: queueSize = -1
    2017-05-22 11:06:16,575 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for publish queueing: dropBehavior = Drop Newest
    2017-05-22 11:06:16,575 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for draining interval: 0.5 sec
    2017-05-22 11:06:16,575 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Set maximum connect/disconnect timeout to be 10 second.
    2017-05-22 11:06:16,575 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Set maximum MQTT operation timeout to be 5 second
    2017-05-22 11:06:16,575 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Connection type: TLSv1.2 Mutual Authentication
    2017-05-22 11:06:17,015 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Connect result code 0
    2017-05-22 11:06:17,020 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Connected to AWS IoT.
    2017-05-22 11:06:17,020 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Connect time consumption: 130.0ms.
    2017-05-22 11:06:17,020 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Started a subscribe request 1
    2017-05-22 11:06:17,102 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - _resubscribeCount: -1
    2017-05-22 11:06:17,102 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Subscribe request 1 sent.
    2017-05-22 11:06:17,106 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Subscribe request 1 succeeded. Time consumption: 70.0ms.
    2017-05-22 11:06:17,107 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Recover subscribe context for the next request: subscribeSent: False
    2017-05-22 11:06:19,109 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Try to put a publish request 2 in the TCP stack.
    2017-05-22 11:06:19,109 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Publish request 2 succeeded.
    Received a new message: 
    b'New Message 0'
    from topic: 
    sdk/test/Python
    --------------

Usually, certificate_unknown happens when the server is not able to recognize your certificate, which might be caused by an inactive certificate or the server simply just cannot find it in its identity store.

Hope the above helps.

Thanks, Liusu

ryanhliu commented 7 years ago

Thank you! It seems I didn't generate my certificates/keys properly since it works now after following your steps.
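
Added example (not part of the thread or of the SDK): in both logs above the certificate_unknown alert is received from the server, so the file to inspect is the client certificate passed with -c, not the root CA. The sketch below runs the checks that can be done locally on the -c/-k files with the openssl CLI. The function names are hypothetical, and it assumes the certificate ID shown in the AWS IoT console is the SHA-256 fingerprint of the DER-encoded certificate.

```shell
#!/bin/sh
# Added example: local sanity checks on the certificate/key pair given to
# basicPubSub.py via -c and -k. Function names are hypothetical.

# Exit 0 if the private key belongs to the certificate, 1 if it does not,
# 2 if either file cannot be parsed.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print the SHA-256 fingerprint of the certificate as lowercase hex.
# Assumption: this is the value the AWS IoT console lists as the certificate ID.
cert_id() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# usage: check_device_credentials CERT KEY
check_device_credentials() {
    rc=0
    pair_matches "$1" "$2" || rc=$?
    case $rc in
        0) ;;
        1) echo "MISMATCH: private key does not belong to this certificate"
           return 1 ;;
        *) echo "UNREADABLE: cannot parse certificate or key"
           return 2 ;;
    esac
    # -checkend 0 fails when the certificate has already expired.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED: certificate validity period has ended"
        return 1
    fi
    echo "OK: pair matches, certificate ID $(cert_id "$1")"
}

# Run the checks when called as: sh check.sh CERT KEY
if [ $# -eq 2 ]; then
    check_device_credentials "$1" "$2"
fi
```

If the pair matches, compare the printed ID with the certificate that is shown as active, and has the policy attached, in the account and region of the endpoint passed with -e; activation and registration are server-side state that this script cannot see.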