Closed iqramali closed 4 years ago
Hello @iqramali,
To get started with the samples in the v3.1.0 tag of the CSDK, ensure you have followed the steps in the README.md of the samples directory, specifically the steps in creating an AWS IoT Thing (instructions for that can be found here or here). You'll need to download your Thing's private key and certificate, as well as the Amazon Root CA certificate, and place these in the certs/ directory. Ensure that you configure your thing name in aws_iot_config.h, and set your AWS_IOT_MQTT_HOST as your AWS IoT endpoint (from the AWS IoT Console, it can be found in Settings -> Custom endpoint).
Hi @muneebahmed10
Thanks for the reply. aws_config.h is configured as mentioned in the readme. I have the identical thing name to what I registered in the AWS console.
#define AWS_IOT_MQTT_HOST "xxx.amazonaws.com"
#define AWS_IOT_MQTT_PORT 443 ///< default port for MQTT/S
#define AWS_IOT_ROOT_CA_FILENAME "rootCA.crt" ///< Root CA file name
#define AWS_IOT_CERTIFICATE_FILENAME "cert.pem" ///< device signed certificate file name
#define AWS_IOT_PRIVATE_KEY_FILENAME "privkey.pem" ///< Device private key filename
Steps I followed to create the rootCA.crt file:
After following the steps mentioned in the docs, I still face the rootCA authentication problem. These are the steps I did to generate the rootCA.crt file from this page.
Another approach: I tried to download the rootCA.pem from this site, but the SDK needs a rootCA.crt file. I just converted the .pem to .crt using this command: openssl x509 -outform der -in your-cert.pem -out your-cert.crt. Still, I get the same problem. I don't know if this is the right way to convert .pem to .crt?
Step 1: openssl genrsa -out rootCA.key 2048
Step 2: openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Common Name (e.g. server FQDN or YOUR name) []: here I added the registration code
Got the rootCA.pem and rootCA.key files
Step 3: openssl genrsa -out verificationCert.key 2048
Step 4: openssl req -new -key verificationCert.key -out verificationCert.csr
Common Name (e.g. server FQDN or YOUR name) []: here I added the registration code
Step 5: openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256
Output of step 5: generated the verificationCert.crt file.
Step 6: converted the rootCA.pem file to rootCA.crt and placed this file in the certs/ directory
openssl x509 -outform der -in rootCA.pem -out rootCA.crt
This is my cert dir tree:
├── README.txt
├── cert.pem
├── privkey.pem
└── rootCA.crt
I uploaded the rootCA.pem and verificationCert.crt in the AWS console; there wasn't any error shown during the upload, it was a success, and the CA is active.
Error logs:
AWS IoT SDK Version 3.0.1-
....
Connecting...
DEBUG: iot_tls_connect L#130
. Seeding the random number generator...
DEBUG: iot_tls_connect L#138 . Loading the CA root certificate ...
DEBUG: iot_tls_connect L#144 ok (0 skipped)
DEBUG: iot_tls_connect L#146 . Loading the client cert. and key...
DEBUG: iot_tls_connect L#159 ok
DEBUG: iot_tls_connect L#161 . Connecting to xxx.amazonaws.com/443...
DEBUG: iot_tls_connect L#180 ok
DEBUG: iot_tls_connect L#182 . Setting up the SSL/TLS structure...
DEBUG: iot_tls_connect L#223
SSL state connect : 0
DEBUG: iot_tls_connect L#226 ok
DEBUG: iot_tls_connect L#228
SSL state connect : 0
DEBUG: iot_tls_connect L#229 . Performing the SSL/TLS handshake...
DEBUG: _iot_tls_verify_cert L#49
Verify requested for (Depth 3):
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3
issuer name : C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
subject name : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
issued on : 2009-09-02 00:00:00
expires on : 2034-06-28 17:39:16
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Digital Signature, Key Cert Sign, CRL Sign
DEBUG: _iot_tls_verify_cert L#56 cert. version : 3
issuer name : C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
subject name : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
issued on : 2009-09-02 00:00:00
expires on : 2034-06-28 17:39:16
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Digital Signature, Key Cert Sign, CRL Sign
DEBUG: _iot_tls_verify_cert L#57 cert. version : 3
issuer name : C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
subject name : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
issued on : 2009-09-02 00:00:00
expires on : 2034-06-28 17:39:16
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Digital Signature, Key Cert Sign, CRL Sign
DEBUG: _iot_tls_verify_cert L#49
Verify requested for (Depth 2):
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3
issuer name : C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2
subject name : C=US, O=Amazon, CN=Amazon Root CA 1
issued on : 2015-05-25 12:00:00
expires on : 2037-12-31 01:00:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Digital Signature, Key Cert Sign, CRL Sign
DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags
DEBUG: _iot_tls_verify_cert L#49
Verify requested for (Depth 1):
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3
issuer name : C=US, O=Amazon, CN=Amazon Root CA 1
subject name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
issued on : 2015-10-22 00:00:00
expires on : 2025-10-19 00:00:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags
DEBUG: _iot_tls_verify_cert L#49
Verify requested for (Depth 0):
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3
issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
subject name : CN=*.iot.eu-north-1.amazonaws.com
issued on : 2020-04-17 00:00:00
expires on : 2021-04-08 12:00:00
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : iot.eu-north-1.amazonaws.com, *.iot.eu-north-1.amazonaws.com
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags
ERROR: iot_tls_connect L#232 failed
! mbedtls_ssl_handshake returned -0x2700
ERROR: iot_tls_connect L#239 Unable to verify the server's certificate. Either it is invalid,
or you didn't set ca_file or ca_path to an appropriate value.
Alternatively, you may want to use auth_mode=optional for testing purposes.
ERROR: main L#190 Error(-4) connecting to a25i8y5elqpeck-ats.iot.eu-north-1.amazonaws.com:443
Hi @iqramali,
I renamed AmazonRootCA1.pem to rootCA.crt, as well as my private.pem.key to privkey.pem and certificate.pem.crt to cert.pem. You should try with PEM-encoded certs instead of DER-encoded ones.
Can you follow the instructions here for creating an IoT Thing, and try using One-click certificate creation to use AWS IoT generated certs instead of creating your own, to see if that will work with the demo?
Facing an issue with the rootCA.key file
In order to generate verificationCert.crt, it needs rootCA.key (this file is generated using openssl genrsa -out rootCA.key 2048) and rootCA.pem (this is downloaded from the site as AmazonRootCA1.pem).
In the AWS console, these two files, rootCA.pem and verificationCert.crt, need to be uploaded.
I am not able to generate the verificationCert.crt due to a private key mismatch.
What is the correct way to create the rootCA.key file?
Error logs:
$ openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = MY_REGISTRY
Getting CA Private Key
CA certificate and CA private key do not match
4668571072:error:06067099:digital envelope routines:EVP_PKEY_copy_parameters:different parameters:crypto/evp/p_lib.c:93:
4668571072:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:297:
Hi @iqramali,
Are you trying to use the Amazon Root CA to create your certs? If you're creating your own certs, you should be using your CA. Since uploading certificates is an issue separate from this C SDK, have you tried running the sample code with AWS generated certs (example instructions here and here)? You don't need to upload anything to use certs generated by AWS IoT Core.
Hi @muneebahmed10
Thanks for your support.
You don't need to upload anything to use certs generated by AWS IoT Core.
Your above info solved the issue. This info is not mentioned in the AWS console, or I am not able to find it in the documents. If you use the AWS-generated CA, skip registering that CA in the AWS console.
Ok. I isolated the problem now.
Downloading the rootCA from AWS and using it, there is no problem. I am able to run the demo application without any problem.
I tried to create my own CA and then uploaded that in the AWS console; then I confronted the above-mentioned problem. However, I just learned from your comment that it's another issue, separate from the C SDK.
I just want to try the AWS IoT SDK on microcontrollers. I started testing the C pub-sub sample; unfortunately, I get a server authentication failure.
Tried with the rootCA disabled, no success:
ret = mbedtls_x509_crt_parse_file(&(tlsDataParams->cacert), pNetwork->tlsConnectParams.pRootCALocation);
Deactivated the CA in the AWS console. Still, I get a server authentication failure. Error logs after disabling server authentication:
Error logs from enabling the rootCA: