aws / aws-iot-device-sdk-arduino-yun

SDK for connecting to AWS IoT from an Arduino Yún.
Apache License 2.0

Connect Failed! (-10) issue using BasicPubSub example #71

Open eugenPtr opened 5 years ago

eugenPtr commented 5 years ago

Hi,

I followed #28, which has the same issue, but it didn't help.

First, I made sure the certificates worked by publishing a message from my machine via command line and receiving it in the AWS Console. I was able to receive it successfully.

mosquitto_pub --cafile ./root-CA.pem --cert ./cert.pem --key ./privateKey.pem -h a2jutn9ff4v3vz-ats.iot.eu-west-2.amazonaws.com -p 8883 -q 1 -d -t test -i clientY -m "Test message"

After setting up the SDK and getting the connection error I added Serial.println(rw_buf); to aws_iot_mqtt.cpp and received the following output.

AWS IoT SDK Version(dev) 2.2.0-

root@Yun123:~/AWS-IoT-Python-Runtime/runtime# 
/bin/ash: 1: not found
/bin/ash: /root: Permission denied
/bin/ash: 1: not found
/bin/ash: /root: Permission denied
/bin/ash: 1: not found
/bin/ash: /root: Permission denied
/bin/ash: 1: not found
/bin/ash: /root: Permission denied
Linux
/

I T

G T

C3F: Mutual Auth issues.
Connect failed!
-10

Next, I downloaded https://github.com/aws/aws-iot-device-sdk-python as a zip, unzipped it, scp-ed it onto the board, ran the setup script and the included example.

root@Yun123:~/aws-iot-device-sdk-python-1.0.0/samples/basicPubSub# python basicPubSub.py -e a2jutn9ff4v3vz-ats.iot.eu-west-2.amazonaws.com -r ./root-CA.pem -c ./cert.pem -k ./privateKey.pem

2018-11-30 10:24:48,714 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Paho MQTT Client init.
2018-11-30 10:24:48,718 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - ClientID: basicPubSub
2018-11-30 10:24:48,721 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Protocol: MQTTv3.1.1
2018-11-30 10:24:48,723 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Register Paho MQTT Client callbacks.
2018-11-30 10:24:48,726 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - mqttCore init.
2018-11-30 10:24:48,729 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load CAFile from: ./root-CA.pem
2018-11-30 10:24:48,733 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load Key from: ./privateKey.pem
2018-11-30 10:24:48,736 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load Cert from: ./cert.pem
2018-11-30 10:24:48,740 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: baseReconnectTime = 1 sec
2018-11-30 10:24:48,743 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: maximumReconnectTime = 32 sec
2018-11-30 10:24:48,747 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: minimumConnectTime = 20 sec
2018-11-30 10:24:48,750 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for publish queueing: queueSize = -1
2018-11-30 10:24:48,754 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for publish queueing: dropBehavior = Drop Newest
2018-11-30 10:24:48,757 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for draining interval: 0.5 sec
2018-11-30 10:24:48,760 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Set maximum connect/disconnect timeout to be 10 second.
2018-11-30 10:24:48,763 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Set maximum MQTT operation timeout to be 5 second
2018-11-30 10:24:48,767 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Connection type: TLSv1.2 Mutual Authentication
Traceback (most recent call last):
  File "basicPubSub.py", line 137, in <module>
    myAWSIoTMQTTClient.connect()
  File "/usr/lib/python2.7/site-packages/AWSIoTPythonSDK/MQTTLib.py", line 355, in connect
    return self._mqttCore.connect(keepAliveIntervalSecond)
  File "/usr/lib/python2.7/site-packages/AWSIoTPythonSDK/core/protocol/mqttCore.py", line 282, in connect
    self._pahoClient.connect(self._host, self._port, keepAliveInterval)  # Throw exception...
  File "/usr/lib/python2.7/site-packages/AWSIoTPythonSDK/core/protocol/paho/client.py", line 655, in connect
    return self.reconnect()
  File "/usr/lib/python2.7/site-packages/AWSIoTPythonSDK/core/protocol/paho/client.py", line 798, in reconnect
    ciphers=self._tls_ciphers)
  File "/usr/lib/python2.7/ssl.py", line 381, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 143, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:504: error:14090086:lib(20):func(144):reason(134)

Then, I checked the policy attached to my certificate and it looked perfectly fine.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Edit: I started thinking that I might have a wrong OpenSSL version that doesn't support TLSv1.2, but this 1.0.1 should do.

python -c "import ssl; print ssl.OPENSSL_VERSION"
OpenSSL 1.0.1h 5 Jun 2014

Can anyone give me a hand regarding this?

akshitkh commented 4 years ago

Were you able to resolve this? I am running into the same issue.

eugenPtr commented 4 years ago

Nope, I went for Firebase instead of AWS.

akshitkh commented 4 years ago

I used openssl to debug this, and after trying out multiple things I was finally able to connect successfully.

Troubleshooting Steps:

#Install Openssl Utility
root@yun:~ opkg update
root@yun:~ opkg install libopenssl
root@yun:~ opkg install openssl-util

#Inside the certs/ folder in the AWS-IoT-Python-Runtime/
root@yun:~ openssl s_client -connect xxxxxxtesttqnj-ats.iot.us-east-1.amazonaws.com:8883 -CAfile rootCA.crt -cert xxxxxx-certificate.pem.crt -key xxxxxxx-private.pem.key

This kept erroring out with:

Verify return code: 20 (unable to get local issuer certificate)

I decided to replace the Amazon ATS CA crt with the public Verisign one. That failed again with the same error because the legacy Verisign certs only work with non-ats AWS endpoints.

I was finally able to connect with the Verisign Cert (cert) and non-ATS endpoint:

root@yun:~ openssl s_client -connect xxxxxxtesttqnj.iot.us-east-1.amazonaws.com:8883 -CAfile VeriSign-Class\ 3-Public-Primary-Certification-Authority-G5.pem -cert xxxxxxx-certificate.pem.crt -key xxxxxxx-private.pem.key
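The troubleshooting procedure above, generalized into a script that runs the same openssl s_client check for each CA-file/endpoint pairing and reports the verify return code, so a CA that does not chain to the chosen endpoint (code 20, the cause of the -10 in the thread) is visible at a glance. This is an added example, not code from the issue thread or the SDK; the endpoint id, region and certificate file names are placeholders.

```shell
#!/bin/sh
# Added example: probe each CA file against the endpoint form it should pair
# with (ATS root <-> "-ats" endpoint, legacy VeriSign root <-> plain endpoint)
# and print the openssl verify return code. All names below are placeholders.

ENDPOINT_ID="xxxxxxtesttqnj"            # placeholder; from "aws iot describe-endpoint"
REGION="us-east-1"
CERT="xxxxxxx-certificate.pem.crt"      # device certificate (placeholder name)
KEY="xxxxxxx-private.pem.key"           # device private key (placeholder name)

# Pull N out of a "Verify return code: N (reason)" line read from stdin.
verify_code() {
    sed -n 's/^ *Verify return code: *\([0-9][0-9]*\) (.*/\1/p' | sed -n '1p'
}

# Meaning of the codes that matter for this check.
explain() {
    case "$1" in
        0)  echo "chain verified: this CA matches this endpoint" ;;
        20) echo "unable to get local issuer certificate: CA file does not sign this endpoint's chain" ;;
        *)  echo "verify return code $1 (see the openssl verify man page)" ;;
    esac
}

# One mutual-TLS handshake attempt; prints the verify code or "no-handshake".
probe() {
    host="$1"; cafile="$2"
    out=$(openssl s_client -connect "$host:8883" -CAfile "$cafile" \
              -cert "$CERT" -key "$KEY" </dev/null 2>&1)
    code=$(printf '%s\n' "$out" | verify_code)
    echo "${code:-no-handshake}"
}

main() {
    # "CA file|endpoint" pairs; the VeriSign file name contains a space.
    for pair in \
        "rootCA.crt|${ENDPOINT_ID}-ats.iot.${REGION}.amazonaws.com" \
        "VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem|${ENDPOINT_ID}.iot.${REGION}.amazonaws.com"
    do
        cafile=${pair%%|*}; host=${pair#*|}
        code=$(probe "$host" "$cafile")
        printf '%s -> %s: %s\n' "$cafile" "$host" "$(explain "$code")"
    done
}

# Only contact the endpoints when explicitly asked, e.g. "sh probe.sh --probe".
if [ "${1:-}" = "--probe" ]; then main; fi
```

On the Yún run it as `sh probe.sh --probe` after replacing the placeholders; a 0 on one line and a 20 on the other tells you which CA file belongs with which endpoint.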