aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

Trouble running sample code. Root CA issue, unable to verify the server's certificate. #1198

Closed iqramali closed 4 years ago

iqramali commented 4 years ago

I just want to try the AWS IoT SDK on microcontrollers. I started testing the C pub-sub sample; unfortunately, I get a server authentication failure.

Tried with the root CA disabled: no success

  1. Just for testing's sake, I commented out this line in network_mbedtls_wrapper.c: ret = mbedtls_x509_crt_parse_file(&(tlsDataParams->cacert), pNetwork->tlsConnectParams.pRootCALocation); and deactivated the CA in the AWS console. Still, I get a server authentication failure.

Error logs after disabling server authentication

DEBUG:   _iot_tls_verify_cert L#54   This certificate has no flags

ERROR: iot_tls_connect L#232  failed
  ! mbedtls_ssl_handshake returned -0x2700

ERROR: iot_tls_connect L#239     Unable to verify the server's certificate. Either it is invalid,
    or you didn't set ca_file or ca_path to an appropriate value.
    Alternatively, you may want to use auth_mode=optional for testing purposes.

  2. Created a root CA, still no success. I created the root CA pem and key file following the steps mentioned here: https://unix.stackexchange.com/questions/73836/failed-to-sign-csr-with-the-ca-root-key and uploaded that in the AWS console. I got the following error.

Error logs from enabling the rootCA.

DEBUG:   _iot_tls_verify_cert L#51 cert. version     : 3
subject name      : CN=*.iot.eu-north-1.amazonaws.com
issued  on        : 2020-04-17 00:00:00
expires on        : 2021-04-08 12:00:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : iot.eu-north-1.amazonaws.com, *.iot.eu-north-1.amazonaws.com
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

ERROR: iot_tls_connect L#232  failed
  ! mbedtls_ssl_handshake returned -0x2700

ERROR: iot_tls_connect L#239     Unable to verify the server's certificate. Either it is invalid,
    or you didn't set ca_file or ca_path to an appropriate value.
    Alternatively, you may want to use auth_mode=optional for testing purposes.

ERROR: main L#190 Error(-4) connecting to a25i8y5elqpeck-ats.iot.eu-north-1.amazonaws.com:443

muneebahmed10 commented 4 years ago

Hello @iqramali,

To get started with the samples in the v3.1.0 tag of the CSDK, ensure you have followed the steps in the README.md of the samples directory, specifically the steps in creating an AWS IoT Thing (instructions for that can be found here or here). You'll need to download your Thing's private key and certificate, as well as the Amazon Root CA certificate, and place these in the certs/ directory. Ensure that you configure your thing name in aws_iot_config.h, and set your AWS_IOT_MQTT_HOST as your AWS IoT endpoint (From the AWS IoT Console, can be found in Settings -> Custom endpoint).

iqramali commented 4 years ago

Hi @muneebahmed10

Thanks for the reply. aws_config.h is configured as mentioned in the readme. I have the identical thing name that I registered in the AWS console.

#define AWS_IOT_MQTT_HOST              "xxx.amazonaws.com"
#define AWS_IOT_MQTT_PORT              443 ///< default port for MQTT/S
#define AWS_IOT_ROOT_CA_FILENAME       "rootCA.crt" ///< Root CA file name
#define AWS_IOT_CERTIFICATE_FILENAME   "cert.pem" ///< device signed certificate file name
#define AWS_IOT_PRIVATE_KEY_FILENAME   "privkey.pem" ///< Device private key filename

Steps I followed to create the rootCA.crt file:

After following the steps mentioned in the docs, I still face the root CA authentication problem. These are the steps I did to generate the rootCA.crt file from this page.

Another approach: I tried to download the rootCA.pem from this site, but the SDK needs a rootCA.crt file. I just converted the .pem to .crt using this command: openssl x509 -outform der -in your-cert.pem -out your-cert.crt. Still, I get the same problem. I don't know if this is the right way to convert .pem to .crt?

Step 1: openssl genrsa -out rootCA.key 2048

Step 2: openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Common Name (e.g. server FQDN or YOUR name) []: here I added the registration code.
Got the rootCA.pem and rootCA.key files.

Step 3: openssl genrsa -out verificationCert.key 2048

Step 4: openssl req -new -key verificationCert.key -out verificationCert.csr
Common Name (e.g. server FQDN or YOUR name) []: here I added the registration code.

Step 5: openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256
Output of step 5: the generated verificationCert.crt file.

Step 6: converted the rootCA.pem file to rootCA.crt and placed this file in the certs/ dir:
openssl x509 -outform der -in rootCA.pem -out rootCA.crt

This is my cert dir tree:

certs/
├── README.txt
├── cert.pem
├── privkey.pem
└── rootCA.crt

I uploaded rootCA.pem and verificationCert.crt in the AWS console; there wasn't any error shown during the upload, it was a success, and the CA is active.

Error logs:

AWS IoT SDK Version 3.0.1-
....
Connecting...
DEBUG:   iot_tls_connect L#130 
  . Seeding the random number generator...
DEBUG:   iot_tls_connect L#138   . Loading the CA root certificate ...
DEBUG:   iot_tls_connect L#144  ok (0 skipped)

DEBUG:   iot_tls_connect L#146   . Loading the client cert. and key...
DEBUG:   iot_tls_connect L#159  ok

DEBUG:   iot_tls_connect L#161   . Connecting to xxx.amazonaws.com/443...
DEBUG:   iot_tls_connect L#180  ok

DEBUG:   iot_tls_connect L#182   . Setting up the SSL/TLS structure...
DEBUG:   iot_tls_connect L#223 

SSL state connect : 0 
DEBUG:   iot_tls_connect L#226  ok

DEBUG:   iot_tls_connect L#228 

SSL state connect : 0 
DEBUG:   iot_tls_connect L#229   . Performing the SSL/TLS handshake...
DEBUG:   _iot_tls_verify_cert L#49 
Verify requested for (Depth 3):

DEBUG:   _iot_tls_verify_cert L#51 cert. version     : 3
issuer name       : C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
subject name      : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
issued  on        : 2009-09-02 00:00:00
expires on        : 2034-06-28 17:39:16
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Digital Signature, Key Cert Sign, CRL Sign

DEBUG:   _iot_tls_verify_cert L#56 cert. version     : 3
issuer name       : C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
subject name      : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
issued  on        : 2009-09-02 00:00:00
expires on        : 2034-06-28 17:39:16
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Digital Signature, Key Cert Sign, CRL Sign

DEBUG:   _iot_tls_verify_cert L#57 cert. version     : 3
issuer name       : C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
subject name      : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
issued  on        : 2009-09-02 00:00:00
expires on        : 2034-06-28 17:39:16
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Digital Signature, Key Cert Sign, CRL Sign

DEBUG:   _iot_tls_verify_cert L#49 
Verify requested for (Depth 2):

DEBUG:   _iot_tls_verify_cert L#51 cert. version     : 3
issuer name       : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
subject name      : C=US, O=Amazon, CN=Amazon Root CA 1
issued  on        : 2015-05-25 12:00:00
expires on        : 2037-12-31 01:00:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Digital Signature, Key Cert Sign, CRL Sign

DEBUG:   _iot_tls_verify_cert L#54   This certificate has no flags

DEBUG:   _iot_tls_verify_cert L#49 
Verify requested for (Depth 1):

DEBUG:   _iot_tls_verify_cert L#51 cert. version     : 3
issuer name       : C=US, O=Amazon, CN=Amazon Root CA 1
subject name      : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
issued  on        : 2015-10-22 00:00:00
expires on        : 2025-10-19 00:00:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage         : Digital Signature, Key Cert Sign, CRL Sign

DEBUG:   _iot_tls_verify_cert L#54   This certificate has no flags

DEBUG:   _iot_tls_verify_cert L#49 
Verify requested for (Depth 0):

DEBUG:   _iot_tls_verify_cert L#51 cert. version     : 3
issuer name       : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
subject name      : CN=*.iot.eu-north-1.amazonaws.com
issued  on        : 2020-04-17 00:00:00
expires on        : 2021-04-08 12:00:00
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : iot.eu-north-1.amazonaws.com, *.iot.eu-north-1.amazonaws.com
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication

DEBUG:   _iot_tls_verify_cert L#54   This certificate has no flags

ERROR: iot_tls_connect L#232  failed
  ! mbedtls_ssl_handshake returned -0x2700

ERROR: iot_tls_connect L#239     Unable to verify the server's certificate. Either it is invalid,
    or you didn't set ca_file or ca_path to an appropriate value.
    Alternatively, you may want to use auth_mode=optional for testing purposes.

ERROR: main L#190 Error(-4) connecting to a25i8y5elqpeck-ats.iot.eu-north-1.amazonaws.com:443

muneebahmed10 commented 4 years ago

Hi @iqramali,

I renamed AmazonRootCA1.pem to rootCA.crt, as well as my private.pem.key to privkey.pem and certificate.pem.crt to cert.pem. You should try with pem encoded certs instead of der encoded ones.

Can you follow the instructions here for creating an IoT Thing, and try using One-click certificate creation to use AWS IoT generated certs instead of creating your own, to see if that will work with the demo?

iqramali commented 4 years ago

Facing an issue with the rootCA.key file

In order to generate verificationCert.crt, it needs rootCA.key (this file was generated using openssl genrsa -out rootCA.key 2048) and rootCA.pem (this was downloaded from the site as AmazonRootCA1.pem).

In the AWS console, these two files, rootCA.pem and verificationCert.crt, need to be uploaded.

I am not able to generate the verificationCert.crt due to a private key mismatch.

What is the correct way to create the rootCA.key file?

Error logs

$ openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = MY_REGISTRY
Getting CA Private Key
CA certificate and CA private key do not match
4668571072:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:crypto/evp/p_lib.c:93:
4668571072:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:297:
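The two file-level problems in this thread (a root CA converted to DER with "-outform der", and a CA certificate whose public key does not match the private key used to sign the CSR) can both be caught before the SDK ever opens a socket. The pre-flight checks below are an added example, not code from the thread or from the SDK; they assume the openssl CLI is installed and build their own throwaway CA in a temp directory.

```shell
#!/usr/bin/env bash
# Added example, not part of the SDK: pre-flight checks for the files in certs/.
# Assumes the openssl CLI is on PATH.
set -euo pipefail

# Report whether a certificate file is PEM or DER encoded (or neither).
# A rootCA.crt produced with "openssl x509 -outform der" comes back as DER.
cert_encoding() {
    if openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Succeed only when the CA certificate's public key matches the private key,
# which is exactly what "CA certificate and CA private key do not match" rejects.
ca_key_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed fixtures (not real AWS material): a self-signed CA in PEM and DER,
# its matching key, and an unrelated key that must fail the match check.
make_fixtures() {
    local d; d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rootCA.key" \
        -out "$d/rootCA.pem" -days 30 -subj "/CN=constructed-test-ca" 2>/dev/null
    openssl x509 -in "$d/rootCA.pem" -outform DER -out "$d/rootCA.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}
```

Run cert_encoding against the file named in AWS_IOT_ROOT_CA_FILENAME and ca_key_matches against your own CA pair before signing a verification CSR; a DER result or a mismatch points at the files, not at the SDK.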

muneebahmed10 commented 4 years ago

Hi @iqramali,

Are you trying to use the Amazon Root CA to create your certs? If you're creating your own certs, you should be using your CA. Since uploading certificates is an issue separate from this C SDK, have you tried running the sample code with AWS generated certs (example instructions here and here)? You don't need to upload anything to use certs generated by AWS IoT Core.

iqramali commented 4 years ago

Hi @muneebahmed10

Thanks for your support.

You don't need to upload anything to use certs generated by AWS IoT Core.

Your above info solved the issue. This info is not mentioned in the AWS console, or I was not able to find it in the documents. If you use an AWS-generated CA, skip registering that CA in the AWS console.

Ok. I isolated the problem now.

  1. Downloading the root CA from AWS and using it: no problem. I am able to run the demo application without any problem.

  2. I tried to create my own CA and then uploaded that in the AWS console; then I confronted the above-mentioned problem. However, I just learned from your comment that it's another issue, separate from the C SDK.