aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

Device defender demo application is not connecting to iot core #1791

Closed Hemanth826-dev closed 2 years ago

Hemanth826-dev commented 2 years ago

Hi, I tried to run the device defender demo application by providing the required certificates but it showing tls handshake failed.

[INFO] [DEFENDER_DEMO] [defender_demo.c:640] Establishing MQTT session...
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:325] fopen failed to find the root CA certificate file: ROOT_CA_PATH=certificates/AmazonRootCA1.crt.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:651] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 49 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:325] fopen failed to find the root CA certificate file: ROOT_CA_PATH=certificates/AmazonRootCA1.crt.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:651] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 297 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:325] fopen failed to find the root CA certificate file: ROOT_CA_PATH=certificates/AmazonRootCA1.crt.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:651] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 328 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:325] fopen failed to find the root CA certificate file: ROOT_CA_PATH=certificates/AmazonRootCA1.crt.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:651] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 3597 ms backoff.

But I have stored the file in this folder and given the path. Can you please suggest a solution?

Thank you, Hemanth

aggarg commented 2 years ago

Which folder have you stored the file? can you share your file tree and command history?

Hemanth826-dev commented 2 years ago

I have stored the certificates in the /aws-iot-device-sdk-embedded-c/demos/certificates folder. I have provided the path in demo_config.h as:

#ifndef ROOT_CA_CERT_PATH
#define ROOT_CA_CERT_PATH    "certificates/AmazonRootCA1.crt"
#endif

#define CLIENT_CERT_PATH "certificates/device.pem.crt"

#define CLIENT_PRIVATE_KEY_PATH "certificates/private.pem.key"

In the root directory I created a build folder, and inside build I ran cmake .. and then make.

aggarg commented 2 years ago

Here are the contents of my demos/certificates/ directory:

$ ls demos/certificates/
AmazonRootCA1.crt  device_cert.crt  device_private_key.pem

Here are the commands I executed:

cmake -S . -Bbuild
cd build/
make
cd bin/
./defender_demo 

Here is the output:

[INFO] [DEFENDER_DEMO] [defender_demo.c:640] Establishing MQTT session...
[INFO] [DEFENDER_DEMO] [defender_demo.c:686] Subscribing to defender topics...
[INFO] [DEFENDER_DEMO] [defender_demo.c:704] Collecting device metrics...
[INFO] [DEFENDER_DEMO] [defender_demo.c:722] Generating device defender report...
[INFO] [DEFENDER_DEMO] [defender_demo.c:740] Publishing device defender report...
[INFO] [DEFENDER_DEMO] [defender_demo.c:294] A valid reponse with reportId 1647454477 received from the AWS IoT Device Defender Service.
[INFO] [DEFENDER_DEMO] [defender_demo.c:340] The defender report was accepted by the service. Response: {"thingName":"mything","reportId":1647454477,"status":"ACCEPTED","timestamp":1647454479932}.
[INFO] [DEFENDER_DEMO] [defender_demo.c:786] Unsubscribing from defender topics...
[INFO] [DEFENDER_DEMO] [defender_demo.c:794] Closing MQTT session...
[INFO] [DEFENDER_DEMO] [defender_demo.c:812] Demo iteration 1 is successful.
[INFO] [DEFENDER_DEMO] [defender_demo.c:831] Demo completed successfully.

Can you check what you are doing differently?

Hemanth826-dev commented 2 years ago

I even followed the same process. Can you please give some details on how you specified the path of the certificates, because I am facing the same issue again. Is there anything else that I have to do other than configuring the endpoint, certificates and thing name?

/aws-iot-device-sdk-embedded-c/build/bin$ ./defender_demo
[INFO] [DEFENDER_DEMO] [defender_demo.c:640] Establishing MQTT session...
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:436] Connection to the broker failed. Retrying connection after 295 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:436] Connection to the broker failed. Retrying connection after 733 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:436] Connection to the broker failed. Retrying connection after 1159 ms backoff.

aggarg commented 2 years ago

The error is different this time - it is not file not found. How did you create your certificate and key?

Hemanth826-dev commented 2 years ago

I auto-generated them while creating a thing in the IoT Core console.

aggarg commented 2 years ago

Increase the log level to debug - https://github.com/aws/aws-iot-device-sdk-embedded-C/blob/main/demos/defender/defender_demo_json/demo_config.h#L45

Also, can you verify your cert and key using mosquitto client?

Hemanth826-dev commented 2 years ago

The certificate and key are working fine and I'm able to publish and subscribe using mosquitto. It's the same even if I change the log level to debug. I did a git checkout of 202108.00; could this be the problem?

aggarg commented 2 years ago

> I did a git checkout of 202108.00; could this be the problem?

It should not be the case, but just to eliminate the possibility, can you check out main? Are you able to run any other demo, like mqtt_demo_mutual_auth?

In addition, please share the output of the following commands (both from the root of your repo):

$ ls demos/certificates
$ git diff

Thanks.

Hemanth826-dev commented 2 years ago

Yes, mqtt_demo_mutual_auth is running fine and it is able to publish and subscribe to messages.

$ ls demos/certificates
AmazonRootCA1.crt  device.pem.crt  private.pem.key

$ git diff

diff --git a/demos/defender/defender_demo_json/demo_config.h b/demos/defender/defender_demo_json/demo_config.h
index 9e26ae00..3d77a985 100644
--- a/demos/defender/defender_demo_json/demo_config.h
+++ b/demos/defender/defender_demo_json/demo_config.h
@@ -57,8 +57,8 @@
  * @note Your AWS IoT Core endpoint can be found in the AWS IoT console under
  * Settings/Custom Endpoint, or using the describe-endpoint API.
  *
- * #define AWS_IOT_ENDPOINT               "...insert here..."
- */
+ */ #define AWS_IOT_ENDPOINT               "a140ax8j255ia-ats.iot.us-east-1.amazonaws.com"
+ 

 /**
  * @brief AWS IoT MQTT broker port number.
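
Review bot: in `+ */ #define AWS_IOT_ENDPOINT               "a140ax8j255ia-ats.iot.us-east-1.amazonaws.com"` the macro is spliced onto the comment's closing line while the header's own example line (`- * #define AWS_IOT_ENDPOINT               "...insert here..."`) is deleted, leaving a whitespace-only `+ ` line behind. It compiles, but the intended pattern is to leave the doc comment intact and add the define on its own line after `*/`, which also keeps the diff readable for the next reviewer of this config. This hunk is not the cause of the failure: the debug log later in the thread shows the demo resolving this endpoint and setting it as the SNI name before the handshake fails.
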
@@ -98,8 +98,8 @@
  *
  * @note This certificate should be PEM-encoded.
  *
- * #define CLIENT_CERT_PATH    "...insert here..."
- */
+ */ #define CLIENT_CERT_PATH    "certificates/device.pem.crt"
+ 

 /**
  * @brief Path of the file containing the client's private key.
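
Review bot: `+ */ #define CLIENT_CERT_PATH    "certificates/device.pem.crt"` is a relative path, so it is opened relative to the directory the binary runs from, not relative to demos/certificates/ in the source tree; the earlier `fopen failed to find the root CA certificate file` error is exactly what appears when the working directory has no certificates/ subdirectory, and the later debug log shows the paths resolving under build/bin/certificates/. Either run the demo from a directory that contains certificates/ or use absolute paths. Same `*/ #define` splice and stray `+ ` line as in the endpoint hunk.
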
@@ -110,8 +110,8 @@
  *
  * @note This private key should be PEM-encoded.
  *
- * #define CLIENT_PRIVATE_KEY_PATH    "...insert here..."
- */
+ */ #define CLIENT_PRIVATE_KEY_PATH    "certificates/private.pem.key"
+ 

 /**
  * @brief Predefined thing name.
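
Review bot: the private key path `"certificates/private.pem.key"` is compiled into the binary, which is fine for a demo, but the key file itself deserves the usual handling: readable only by the user running the demo (`chmod 600`) and never committed. The diff correctly touches only demo_config.h and not the certificates directory; keep it that way. Same `*/ #define` splice and stray `+ ` line as above.
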
@@ -119,7 +119,7 @@
  * This is the example predefine thing name and could be compiled in ROM code.
  */
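
Review bot: the `@@ -119,7 +119,7 @@` hunk for the predefined thing name is cut off after its leading context lines, so the one-line change it carries cannot be reviewed here. The Defender response in the successful run earlier in the thread echoes `"thingName":"mything"`, so the value set in this block must be the thing name registered in IoT Core; please paste the rest of the diff.
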

Thank you

aggarg commented 2 years ago

Then it is most likely the policy attached to your certificate. Can you share the policy document?

Hemanth826-dev commented 2 years ago

This is the policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Receive",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "*"
    }
  ]
}

aggarg commented 2 years ago

Change this line to the following and share the output:

#define LIBRARY_LOG_LEVEL    LOG_DEBUG

Also, just for testing can you change the policy to the following (DO NOT DO THIS IN PRODUCTION):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

Hemanth826-dev commented 2 years ago

After changing the log level to LOG_DEBUG this is the output I got. I also changed the policy document to the one you suggested.

  [INFO] [DEFENDER_DEMO] [defender_demo.c:595] Establishing MQTT session...
  [DEBUG] [DEFENDER_DEMO] [mqtt_operations.c:408] Establishing a TLS session to a140ax8j255ia-ats.iot.us-east-1.amazonaws.com:8883.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open Root CA certificate: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/AmazonRootCA1.crt.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:375] Successfully imported root CA.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open client's certificate: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/device.pem.crt.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:405] Successfully imported client certificate.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open client's key: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/private.pem.key.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:436] Successfully imported client certificate private key.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:532] Setting server name a140ax8j255ia-ats.iot.us-east-1.amazonaws.com for SNI.
  [ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:272] SSL_connect failed to perform TLS handshake.
  [ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:666] Failed to establish a TLS connection.
  [WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 162 ms backoff.
  [DEBUG] [DEFENDER_DEMO] [mqtt_operations.c:408] Establishing a TLS session to a140ax8j255ia-ats.iot.us-east-1.amazonaws.com:8883.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open Root CA certificate: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/AmazonRootCA1.crt.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:375] Successfully imported root CA.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open client's certificate: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/device.pem.crt.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:405] Successfully imported client certificate.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open client's key: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/private.pem.key.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:436] Successfully imported client certificate private key.
  [DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:532] Setting server name a140ax8j255ia-ats.iot.us-east-1.amazonaws.com for SNI.
  [ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:272] SSL_connect failed to perform TLS handshake.
  [ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:666] Failed to establish a TLS connection.
  [WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 477 ms backoff.
  [DEBUG] [DEFENDER_DEMO] [mqtt_operations.c:408] Establishing a TLS session to a140ax8j255ia-ats.iot.us-east-1.amazonaws.com:8883.
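
The credential checks suggested earlier in this thread (verifying the certificate and key outside the SDK) and the working-directory detail visible in this debug log (the config's relative paths resolve under build/bin/certificates/), as an added example that is not part of the SDK, the demo, or the thread: POSIX shell functions that check offline that the private key belongs to the device certificate, that the certificate chains to the root CA file the demo loads, and where a relative ROOT_CA_CERT_PATH resolves from a given directory. The openssl s_client and mosquitto_pub commands are printed rather than run, since they need the network. The root CA, device certificate and the unrelated other.key are generated locally by make_sample_pki and are constructed for this example only; they are not AWS IoT credentials, and the file names simply mirror the thread's demos/certificates/ listing.

```shell
#!/bin/sh
# Added example, not part of the aws-iot-device-sdk-embedded-C demos.
# Offline checks for the three files the demo loads (ROOT_CA_CERT_PATH,
# CLIENT_CERT_PATH, CLIENT_PRIVATE_KEY_PATH). Requires the openssl CLI.

# Does the private key belong to the device certificate? Both commands emit
# the SubjectPublicKeyInfo as PEM, so a byte-for-byte compare is enough.
key_matches_cert() {  # key_matches_cert device.pem.crt private.pem.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the device certificate chain to the CA file the demo will trust?
# This is the client side only; it says nothing about whether the broker
# accepts the certificate (that is where the attached policy comes in).
cert_chains_to_ca() {  # cert_chains_to_ca AmazonRootCA1.crt device.pem.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The demo opens the demo_config.h paths relative to its working directory:
# the debug log above shows them under build/bin/certificates/. Print the
# path a config value resolves to when the binary runs from a directory.
resolve_from_cwd() {  # resolve_from_cwd build/bin certificates/AmazonRootCA1.crt
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "${1%/}" "$2" ;;
    esac
}

# Handshake reproduction outside the SDK (printed, not run: needs network).
# -servername is deliberate: the debug log shows the demo sends SNI.
s_client_command() {  # s_client_command endpoint ca cert key
    printf 'openssl s_client -connect %s:8883 -servername %s -CAfile %s -cert %s -key %s </dev/null\n' \
        "$1" "$1" "$2" "$3" "$4"
}

# The mosquitto check from the thread, as a command (printed, not run).
mosquitto_command() {  # mosquitto_command endpoint ca cert key topic
    printf 'mosquitto_pub -h %s -p 8883 --cafile %s --cert %s --key %s -t %s -m hello\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample PKI so the checks can run offline: a throwaway root CA,
# a device certificate it signs, and an unrelated key for the mismatch case.
make_sample_pki() {  # make_sample_pki dir
    d=$1; mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=sampleRootCA \
        -keyout "$d/ca.key" -out "$d/AmazonRootCA1.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=sampleDevice \
        -keyout "$d/private.pem.key" -out "$d/device.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/device.csr" -CA "$d/AmazonRootCA1.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/device.pem.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1
}

# Run every offline check against a directory laid out like demos/certificates/.
# Prints one line per check; returns 0 only if all of them pass.
check_credentials() {  # check_credentials dir
    d=$1; rc=0
    if key_matches_cert "$d/device.pem.crt" "$d/private.pem.key"; then
        echo "ok   private key matches device certificate"
    else
        echo "FAIL private key does not match device certificate"; rc=1
    fi
    if cert_chains_to_ca "$d/AmazonRootCA1.crt" "$d/device.pem.crt"; then
        echo "ok   device certificate chains to root CA"
    else
        echo "FAIL device certificate does not chain to root CA"; rc=1
    fi
    return $rc
}

# Stand-alone run on the constructed sample: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_pki "$tmp" && check_credentials "$tmp"
    echo "wrong key:"
    key_matches_cert "$tmp/device.pem.crt" "$tmp/other.key" || echo "FAIL (expected)"
    echo "ROOT_CA_CERT_PATH from build/bin -> $(resolve_from_cwd build/bin certificates/AmazonRootCA1.crt)"
    s_client_command a140ax8j255ia-ats.iot.us-east-1.amazonaws.com \
        certificates/AmazonRootCA1.crt certificates/device.pem.crt certificates/private.pem.key
    rm -rf "$tmp"
fi
```

Run check_credentials from build/bin, the directory the demo runs from, with the same relative paths the config uses. A key that does not match the certificate, or a certificate that does not chain to the CA file, fails here before any packet is sent; when both pass and SSL_connect still fails, the files are not the problem and the thread's next suspects (the policy attached to the certificate, then a packet capture) are the right place to look.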

aggarg commented 2 years ago

At this point, we need to run Wireshark to capture traffic and find out the reason for the handshake failure. Can you do that please?

aggarg commented 2 years ago

I am closing this one. Feel free to re-open or create a new one, if you still face any issue.