aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

SSL_CTX_use_certificate_chain_file error #1723

Closed waqar48 closed 2 years ago

waqar48 commented 3 years ago

SDK version 202108.00

demo_config.h configuration
// =================================================
#define AWS_IOT_ENDPOINT "redacted-ats.iot.ca-central-1.amazonaws.com"
#define AWS_MQTT_PORT 8883
#define CLIENT_IDENTIFIER "testclient"
#define ROOT_CA_CERT_PATH "certificates/AmazonRootCA1.crt"
#define CLIENT_CERT_PATH "certificates/certficate.pem"
#define CLIENT_PRIVATE_KEY_PATH "certificates/private.pem.key"
// =================================================

./mqtt_demo_mutual_auth
[INFO] [DEMO] [mqtt_demo_mutual_auth.c:642] Establishing a TLS session to -ats.iot.ca-central-1.amazonaws.com:8883.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:399] SSL_CTX_use_certificate_chain_file failed to import client certificate at certificates/certficate.pem.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:621] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:666] Failed to establish a TLS connection.
[WARN] [DEMO] [mqtt_demo_mutual_auth.c:681] Connection to the broker failed. Retrying connection after 72 ms backoff.
[INFO] [DEMO] [mqtt_demo_mutual_auth.c:642] Establishing a TLS session to -ats.iot.ca-central-1.amazonaws.com:8883.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:399] SSL_CTX_use_certificate_chain_file failed to import client certificate at certificates/certficate.pem.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:621] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:666] Failed to establish a TLS connection.
[WARN] [DEMO] [mqtt_demo_mutual_auth.c:681] Connection to the broker failed. Retrying connection after 684 ms backoff.
[INFO] [DEMO] [mqtt_demo_mutual_auth.c:642] Establishing a TLS session to -ats.iot.ca-central-1.amazonaws.com:8883.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:399] SSL_CTX_use_certificate_chain_file failed to import client certificate at certificates/certficate.pem.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:621] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:666] Failed to establish a TLS connection.
[WARN] [DEMO] [mqtt_demo_mutual_auth.c:681] Connection to the broker failed. Retrying connection after 214 ms backoff.
[INFO] [DEMO] [mqtt_demo_mutual_auth.c:642] Establishing a TLS session to -ats.iot.ca-central-1.amazonaws.com:8883.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:399] SSL_CTX_use_certificate_chain_file failed to import client certificate at certificates/certficate.pem.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:621] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:666] Failed to establish a TLS connection.
[WARN] [DEMO] [mqtt_demo_mutual_auth.c:681] Connection to the broker failed. Retrying connection after 2686 ms backoff.
^C

SSL keeps failing to establish. Openssl version 1.1.1f 31 Mar 2020

waqar48 commented 3 years ago

I'm trying to publish to the MQTT topic /example/topic with the default message. The old config in the Node.js driver code had the client certificate in .crt format, whereas here I also tried converting it to .pem (certificates/certficate.pem), as some people fixed the SSL_CTX_use_certificate_chain_file error with the command openssl x509 -in certificates/certificate.pem.crt -out certificates/certficate.pem

Yet the error is still occurring.

waqar48 commented 3 years ago

Also the same result with a different port, 443, as #define AWS_MQTT_PORT 443

dachalco commented 2 years ago

Hi @waqar48

Looking into your issue now, will get back to you shortly.

dachalco commented 2 years ago

Hi @waqar48

The encoding conversion you made should be unnecessary, as .crt and .pem are colloquially both PEM encoding. I suspect the result of the unnecessary conversion may have given rise to these issues. Were you hitting errors complaining about the file extension (i.e. .crt vs .pem)? If so, you should be able to simply change the filename of the original certificates/certficate.crt to certificates/certficate.pem -- no openssl conversion needed.

Could you

  1. Revert debug config changes to default (Ex. Reset AWS_MQTT_PORT to 8883)
  2. Open/inspect your original certificates/certficate.crt and verify it's in PEM format
  3. If it's PEM encoding, change the filename of certificates/certficate.crt to certificates/certficate.pem
  4. Retry the demo

OpenSSL provides great documentation on X.509 encodings if you want to learn more about it.
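Added example (not SDK code, and not from the commenter above) that mechanises steps 2 and 3 of the checklist: it tells PEM from DER without relying on the file extension, lists the PEM labels present, and flags a file that is the wrong kind of credential for the demo_config.h macro it is assigned to. The SDK's OpenSSL transport loads these files with PEM-only calls, so a DER file, a key where a certificate is expected, or a truncated PEM block all surface as the same SSL_CTX_use_certificate_chain_file failure. The ASN.1 stub and the sample files are constructed; the default paths in the main block are the ones quoted from demo_config.h in this issue.

```python
"""Pre-flight check for the credential files named in demo_config.h
(ROOT_CA_CERT_PATH, CLIENT_CERT_PATH, CLIENT_PRIVATE_KEY_PATH).
Added example, not part of aws-iot-device-sdk-embedded-C."""
import base64
import binascii
import re
import sys
from typing import Dict, List

# One PEM block: label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}


def classify(data: bytes) -> Dict[str, object]:
    """Report encoding (PEM/DER/unknown), PEM labels found and problems."""
    labels: List[str] = []
    problems: List[str] = []
    encoding = "unknown"
    stripped = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # UTF-8 BOM and whitespace
    if stripped.startswith(b"-----BEGIN "):
        encoding = "PEM"
        for raw_label, body in PEM_BLOCK.findall(stripped):
            label = raw_label.decode()
            labels.append(label)
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except binascii.Error:
                problems.append(f"{label}: body is not valid base64")
                continue
            # Certificates and keys are ASN.1 SEQUENCEs; DER tag 0x30.
            if not der or der[0] != 0x30:
                problems.append(f"{label}: decoded body is not an ASN.1 SEQUENCE")
        if not labels:
            problems.append("BEGIN marker without a matching END marker")
    elif stripped[:1] == b"\x30":
        encoding = "DER"
        problems.append("DER encoding; convert with: "
                        "openssl x509 -inform DER -in <file> -out <file>.pem")
    else:
        problems.append("neither PEM nor DER")
    return {"encoding": encoding, "labels": labels, "problems": problems}


def check_role(data: bytes, role: str) -> List[str]:
    """Problems with using `data` as 'cert' (ROOT_CA_CERT_PATH,
    CLIENT_CERT_PATH) or 'key' (CLIENT_PRIVATE_KEY_PATH)."""
    info = classify(data)
    problems = list(info["problems"])
    labels = set(info["labels"])
    if info["encoding"] == "PEM":
        found = sorted(labels) or "none"
        if role == "cert" and not labels & CERT_LABELS:
            problems.append(f"no CERTIFICATE block (found: {found})")
        if role == "key" and not labels & KEY_LABELS:
            problems.append(f"no private key block (found: {found})")
    return problems


def check_files(paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each macro name to its list of problems (empty list = looks fine)."""
    report = {}
    for macro, path in paths.items():
        role = "key" if "KEY" in macro else "cert"
        try:
            with open(path, "rb") as fh:
                report[macro] = check_role(fh.read(), role)
        except OSError as exc:
            report[macro] = [f"cannot read {path}: {exc.strerror}"]
    return report


# Constructed stand-ins: SEQUENCE { INTEGER 1 } in PEM armour. Structurally
# valid for this check, but not a real X.509 certificate or key.
_DER_STUB = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_DER_STUB)
                   + b"-----END CERTIFICATE-----\n")
SAMPLE_PEM_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(_DER_STUB)
                  + b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_DER_CERT = _DER_STUB

if __name__ == "__main__":
    # Paths as quoted from demo_config.h in this issue; override via argv.
    defaults = {
        "ROOT_CA_CERT_PATH": "certificates/AmazonRootCA1.crt",
        "CLIENT_CERT_PATH": "certificates/certficate.pem",
        "CLIENT_PRIVATE_KEY_PATH": "certificates/private.pem.key",
    }
    if len(sys.argv) == 4:
        defaults = dict(zip(defaults, sys.argv[1:]))
    for macro, problems in check_files(defaults).items():
        print(macro, "OK" if not problems else "; ".join(problems))
```

If all three files pass, the next check is outside the SDK: `openssl x509 -in certificates/certficate.pem -noout -subject -dates` confirms OpenSSL itself can parse the certificate, and `openssl s_client -connect <endpoint>:8883 -CAfile certificates/AmazonRootCA1.crt -cert certificates/certficate.pem -key certificates/private.pem.key` exercises the same mutual-TLS handshake the demo attempts.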

waqar48 commented 2 years ago

I reverted the port back to 8883 and also, without using OpenSSL, renamed certificates/certficate.crt to certificates/certficate.pem, yet the same result as above.

Findings, but for the mqtt_basic_tls client

Configuration // Get from demo_config.h
// =================================================
#define BROKER_ENDPOINT "redacted-ats.iot.ca-central-1.amazonaws.com"
#define BROKER_PORT 443
#define CLIENT_IDENTIFIER "testclient"
#define ROOT_CA_CERT_PATH "certificates/AmazonRootCA1.crt" //.pem rename with or without openSSL doesn't work
#define CLIENT_CERT_PATH "certificates/certficate.pem.crt" //.pem rename with or without openSSL doesn't work
#define CLIENT_PRIVATE_KEY_PATH "certificates/private.pem.key"
// =================================================

Output after running
root@ubuntu:/opt/aws-iot-device-sdk-embedded-C/build/bin# ./mqtt_demo_basic_tls
[INFO] [DEMO] [mqtt_demo_basic_tls.c:499] Establishing a TLS session to redacted-ats.iot.ca-central-1.amazonaws.com:443.
[ERROR] [MQTT] [core_mqtt.c:1534] Incorrect packet type 48 received while expecting CONNACK(20).
[ERROR] [MQTT] [core_mqtt.c:1569] CONNACK recv failed with status = MQTTBadResponse.
[ERROR] [MQTT] [core_mqtt.c:1840] MQTT connection failed with status = MQTTBadResponse.
[ERROR] [DEMO] [mqtt_demo_basic_tls.c:978] Connection with MQTT broker failed with status MQTTBadResponse.
[WARN] [DEMO] [mqtt_demo_basic_tls.c:538] Connection to the broker failed. Retrying connection after 497 ms backoff.
[INFO] [DEMO] [mqtt_demo_basic_tls.c:499] Establishing a TLS session to redacted-ats.iot.ca-central-1.amazonaws.com:443.
[ERROR] [MQTT] [core_mqtt.c:1534] Incorrect packet type 48 received while expecting CONNACK(20).
[ERROR] [MQTT] [core_mqtt.c:1569] CONNACK recv failed with status = MQTTBadResponse.
[ERROR] [MQTT] [core_mqtt.c:1840] MQTT connection failed with status = MQTTBadResponse.
[ERROR] [DEMO] [mqtt_demo_basic_tls.c:978] Connection with MQTT broker failed with status MQTTBadResponse.
[WARN] [DEMO] [mqtt_demo_basic_tls.c:538] Connection to the broker failed. Retrying connection after 344 ms backoff.
[INFO] [DEMO] [mqtt_demo_basic_tls.c:499] Establishing a TLS session to redacted-ats.iot.ca-central-1.amazonaws.com:443.
[ERROR] [MQTT] [core_mqtt.c:1534] Incorrect packet type 48 received while expecting CONNACK(20).
[ERROR] [MQTT] [core_mqtt.c:1569] CONNACK recv failed with status = MQTTBadResponse.
[ERROR] [MQTT] [core_mqtt.c:1840] MQTT connection failed with status = MQTTBadResponse.
[ERROR] [DEMO] [mqtt_demo_basic_tls.c:978] Connection with MQTT broker failed with status MQTTBadResponse.
[WARN] [DEMO] [mqtt_demo_basic_tls.c:538] Connection to the broker failed. Retrying connection after 1940 ms backoff.
^C
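Added example (not SDK code, and not from the reporter) that decodes the "Incorrect packet type 48 received while expecting CONNACK(20)" line. The MQTT 3.1.1 fixed-header byte for CONNACK is 0x20, and the log renders it as CONNACK(20), so the logged 48 is hexadecimal too: 0x48, which is the ASCII letter 'H'. That byte cannot be a valid MQTT fixed header (type 4 is PUBACK and its flags must be 0), but it is the first byte of an HTTP status line, which is what an HTTPS endpoint sends back when fed a non-HTTP request. AWS IoT serves MQTT on port 443 only to clients that negotiate the ALPN protocol x-amzn-mqtt-ca; the sample replies below are constructed to show both cases plus a real CONNACK with the policy-style refusal code.

```python
"""Decode the first bytes a broker returns after CONNECT and tell a
CONNACK apart from "not MQTT at all". Added example, not coreMQTT code."""
from typing import Tuple

# MQTT 3.1.1 control packet types (high nibble of the first byte).
MQTT_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
              5: "PUBREC", 6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE",
              9: "SUBACK", 10: "UNSUBSCRIBE", 11: "UNSUBACK",
              12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}
# Low-nibble flags MQTT 3.1.1 fixes per type (PUBLISH flags vary, so absent).
FIXED_FLAGS = {1: 0, 2: 0, 4: 0, 5: 0, 6: 2, 7: 0, 8: 2, 9: 0,
               10: 2, 11: 0, 12: 0, 13: 0, 14: 0}
# CONNACK return codes from the MQTT 3.1.1 specification.
CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}


def classify_reply(data: bytes) -> str:
    """Describe what the first bytes from the peer look like."""
    if not data:
        return "empty reply (peer closed the connection)"
    if data[:5] == b"HTTP/":
        return "HTTP response, not MQTT: this port is speaking HTTPS"
    first = data[0]
    ptype, flags = first >> 4, first & 0x0F
    name = MQTT_TYPES.get(ptype)
    if name is None:
        return f"0x{first:02x}: not an MQTT packet type"
    if ptype in FIXED_FLAGS and flags != FIXED_FLAGS[ptype]:
        # A printable byte hints at a text protocol answering instead.
        hint = f" (as ASCII {chr(first)!r})" if 0x20 <= first < 0x7F else ""
        return (f"0x{first:02x}: MQTT {name} with illegal flags 0x{flags:x}"
                f"{hint}; not a valid MQTT header")
    return f"0x{first:02x}: MQTT {name}"


def decode_connack(data: bytes) -> Tuple[bool, int, str]:
    """Parse a CONNACK into (session_present, return_code, meaning).

    Raises ValueError, carrying classify_reply()'s description, when the
    bytes are not a well-formed CONNACK (type 0x20, remaining length 2).
    """
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError(classify_reply(data))
    session_present = bool(data[2] & 0x01)
    code = data[3]
    return session_present, code, CONNACK_CODES.get(code, "reserved")


# Constructed sample replies.
REPLY_FROM_LOG = bytes([0x48])                       # the logged "48"
REPLY_HTTPS = b"HTTP/1.1 400 Bad Request\r\n"         # what 0x48 usually begins
REPLY_OK = bytes([0x20, 0x02, 0x00, 0x00])            # CONNACK, accepted
REPLY_DENIED = bytes([0x20, 0x02, 0x00, 0x05])        # CONNACK, not authorized

if __name__ == "__main__":
    for reply in (REPLY_FROM_LOG, REPLY_HTTPS, REPLY_OK, REPLY_DENIED):
        print(reply[:8], "->", classify_reply(reply))
    print(decode_connack(REPLY_DENIED))
```

A CONNACK with return code 5 is how an MQTT 3.1.1 broker signals a refused connection at the protocol level; an HTTP status line in its place means the TLS session was set up with a service that is not speaking MQTT on that port, so no amount of policy or certificate work on the MQTT side will change the result.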

yourslab commented 2 years ago

@waqar48 It could be that the policy attached to your certificate has no permissions to CONNECT or SUBSCRIBE over MQTT. Also, have you tried using a different MQTT client to test if the issue lies with the code and not your policy?

waqar48 commented 2 years ago

The certificate format and permissions are fine. I've tested the certificates with the MQTT client from mosquitto.org and it's working fine with my AWS IoT instance. I'll reopen this ticket when the AWS SDK is needed.