Closed Hemanth826-dev closed 2 years ago
Which folder have you stored the files in? Can you share your file tree and command history?
I have stored the certificates in the /aws-iot-device-sdk-embedded-c/demos/certificates folder. I have provided the path in demo_config.h as
#define ROOT_CA_CERT_PATH "certificates/AmazonRootCA1.crt"
In the root directory I created a build folder, and inside build I ran the commands cmake .. and then make.
Here are the contents of the demos/certificates/ directory:
$ ls demos/certificates/
AmazonRootCA1.crt device_cert.crt device_private_key.pem
Here are the commands I executed:
cmake -S . -Bbuild
cd build/
make
cd bin/
./defender_demo
Here is the output:
[INFO] [DEFENDER_DEMO] [defender_demo.c:640] Establishing MQTT session...
[INFO] [DEFENDER_DEMO] [defender_demo.c:686] Subscribing to defender topics...
[INFO] [DEFENDER_DEMO] [defender_demo.c:704] Collecting device metrics...
[INFO] [DEFENDER_DEMO] [defender_demo.c:722] Generating device defender report...
[INFO] [DEFENDER_DEMO] [defender_demo.c:740] Publishing device defender report...
[INFO] [DEFENDER_DEMO] [defender_demo.c:294] A valid reponse with reportId 1647454477 received from the AWS IoT Device Defender Service.
[INFO] [DEFENDER_DEMO] [defender_demo.c:340] The defender report was accepted by the service. Response: {"thingName":"mything","reportId":1647454477,"status":"ACCEPTED","timestamp":1647454479932}.
[INFO] [DEFENDER_DEMO] [defender_demo.c:786] Unsubscribing from defender topics...
[INFO] [DEFENDER_DEMO] [defender_demo.c:794] Closing MQTT session...
[INFO] [DEFENDER_DEMO] [defender_demo.c:812] Demo iteration 1 is successful.
[INFO] [DEFENDER_DEMO] [defender_demo.c:831] Demo completed successfully.
Can you check what you are doing differently?
I even followed the same process. Can you please give some details on how you specified the path of the certificates, because I am again facing the same issue. Is there anything else that I have to do other than configuring the endpoint, certificates and thing name?
/aws-iot-device-sdk-embedded-c/build/bin$ ./defender_demo
[INFO] [DEFENDER_DEMO] [defender_demo.c:640] Establishing MQTT session...
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:436] Connection to the broker failed. Retrying connection after 295 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:436] Connection to the broker failed. Retrying connection after 733 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:436] Connection to the broker failed. Retrying connection after 1159 ms backoff.
The error is different this time - it is not file not found. How did you create your certificate and key?
I auto-generated them while creating a thing in the IoT Core console.
Increase the log level to debug - https://github.com/aws/aws-iot-device-sdk-embedded-C/blob/main/demos/defender/defender_demo_json/demo_config.h#L45
Also, can you verify your cert and key using mosquitto client?
The certificate and key are working fine and I'm able to publish and subscribe using mosquitto. It's the same even if I change the log level to debug. I have done git checkout on 202108.00, could this be the problem?
Should not be the case, but just to eliminate the possibility, can you check out main? Are you able to run any other demo, like mqtt_demo_mutual_auth?
In addition, please share the output of the following commands (both from the root of your repo):
$ ls demos/certificates
$ git diff
Thanks.
Yes, mqtt_demo_mutual_auth is running fine and it is able to publish and subscribe to messages.
$ ls demos/certificates
AmazonRootCA1.crt device.pem.crt private.pem.key
$ git diff
diff --git a/demos/defender/defender_demo_json/demo_config.h b/demos/defender/defender_demo_json/demo_config.h
index 9e26ae00..3d77a985 100644
--- a/demos/defender/defender_demo_json/demo_config.h
+++ b/demos/defender/defender_demo_json/demo_config.h
@@ -57,8 +57,8 @@
* @note Your AWS IoT Core endpoint can be found in the AWS IoT console under
* Settings/Custom Endpoint, or using the describe-endpoint API.
*
- * #define AWS_IOT_ENDPOINT "...insert here..."
- */
+ */ #define AWS_IOT_ENDPOINT "a140ax8j255ia-ats.iot.us-east-1.amazonaws.com"
+
/**
* @brief AWS IoT MQTT broker port number.
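Review bot: the `+ */ #define AWS_IOT_ENDPOINT "a140ax8j255ia-ats.iot.us-east-1.amazonaws.com"` line appends the macro to the same line as the comment terminator; it compiles, but the removed template lines intended the `#define` to stand on its own line after `*/`, which is also what a reader scanning for the endpoint will look for. The endpoint is an account-specific value, so this edit (and the certificate paths in the hunks below) belongs in a local, uncommitted configuration rather than in a commit.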
@@ -98,8 +98,8 @@
*
* @note This certificate should be PEM-encoded.
*
- * #define CLIENT_CERT_PATH "...insert here..."
- */
+ */ #define CLIENT_CERT_PATH "certificates/device.pem.crt"
+
/**
* @brief Path of the file containing the client's private key.
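Review bot: `"certificates/device.pem.crt"` is a relative path, and the transport resolves it against the directory the demo binary is started from, not against the repo root: the debug log later in this thread opens `.../build/bin/certificates/device.pem.crt` when the binary is run from `build/bin`, and the thread's first error (`fopen failed to find the root CA certificate file`) is exactly what happens when that directory has no `certificates/` subdirectory. Either use an absolute path here or make sure the files are present under the working directory. Same `*/ #define` placement as in the hunk above.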
@@ -110,8 +110,8 @@
*
* @note This private key should be PEM-encoded.
*
- * #define CLIENT_PRIVATE_KEY_PATH "...insert here..."
- */
+ */ #define CLIENT_PRIVATE_KEY_PATH "certificates/private.pem.key"
+
/**
* @brief Predefined thing name.
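Review bot: `"certificates/private.pem.key"` places the device's private key inside the checkout; the diff is configuration only, but make sure that file is never tracked (an untracked key does not show up in `git diff`, so check `git status` as well) and that it is readable only by the user running the demo (mode 0600). Same `*/ #define` placement as in the first hunk.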
@@ -119,7 +119,7 @@
* This is the example predefine thing name and could be compiled in ROM code.
*/
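Review bot: this hunk is cut off after the comment block (`@@ -119,7 +119,7 @@` announces a one-line change in the thing-name section, but the changed lines are not shown), so the THING_NAME value cannot be checked against the Thing the certificate is attached to in the console. Please paste the full hunk.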
Thank you.
Then it is most likely the policy attached to your certificate. Can you share the policy document?
This is the policy document:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Publish",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Receive",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "*"
}
]
}
Change this line to the following and share output:
#define LIBRARY_LOG_LEVEL LOG_DEBUG
Also, just for testing can you change the policy to the following (DO NOT DO THIS IN PRODUCTION):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
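For the production caveat above, here is a scoped policy that grants only what the Device Defender JSON demo needs, together with a small evaluator that shows what each of the three policies (the one posted in this thread, the testing-only wildcard, and the scoped one) does and does not grant. This is an added example, not code from the SDK or from anyone in this thread. The region, the account ID and the assumption that the MQTT client ID equals the thing name are placeholders, and the evaluator models only Effect/Action/Resource with * and ? wildcards (no Condition blocks, NotAction/NotResource or policy variables). Note that on this page the wildcard policy did not change the handshake result, so this addresses the least-privilege point, not the TLS failure.

```python
"""Least-privilege AWS IoT policy for the Device Defender JSON demo, plus a
small evaluator to compare what different policies grant.

Added example, not code from the SDK or from this thread. Region, account ID
and the client-ID-equals-thing-name assumption below are placeholders.
"""
import re

REGION = "us-east-1"            # assumption
ACCOUNT = "123456789012"        # assumption: placeholder account ID
THING = "mything"               # thing name seen in the accepted report above
ARN = f"arn:aws:iot:{REGION}:{ACCOUNT}"
# Device Defender metrics topic for JSON reports; the service answers on
# .../accepted and .../rejected.
METRICS_TOPIC = f"$aws/things/{THING}/defender/metrics/json"

# The four-statement policy posted in the thread: each action on every resource.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": a, "Resource": "*"}
        for a in ("iot:Connect", "iot:Publish", "iot:Receive", "iot:Subscribe")
    ],
}

# The "testing only" policy suggested above.
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Scoped alternative: only what the defender demo needs, for one thing.
# Assumes the MQTT client ID equals the thing name.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"{ARN}:client/{THING}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"{ARN}:topic/{METRICS_TOPIC}"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": [f"{ARN}:topicfilter/{METRICS_TOPIC}/accepted",
                      f"{ARN}:topicfilter/{METRICS_TOPIC}/rejected"]},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": [f"{ARN}:topic/{METRICS_TOPIC}/accepted",
                      f"{ARN}:topic/{METRICS_TOPIC}/rejected"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters (including
    ':' and '/'), '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(policy, action, resource):
    """Allow/deny decision for one (action, resource) pair.

    Core rule only: an explicit Deny wins, otherwise any matching Allow grants,
    otherwise the default is deny. Actions compare case-insensitively,
    resources case-sensitively. NotAction, NotResource, Condition blocks and
    policy variables are deliberately not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(_match(a, action.lower()) for a in actions):
            continue
        if not any(_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def defender_demo_requirements(thing=THING):
    """(action, resource) pairs the defender demo exercises for one thing."""
    topic = f"$aws/things/{thing}/defender/metrics/json"
    return [
        ("iot:Connect", f"{ARN}:client/{thing}"),
        ("iot:Publish", f"{ARN}:topic/{topic}"),
        ("iot:Subscribe", f"{ARN}:topicfilter/{topic}/accepted"),
        ("iot:Subscribe", f"{ARN}:topicfilter/{topic}/rejected"),
        ("iot:Receive", f"{ARN}:topic/{topic}/accepted"),
        ("iot:Receive", f"{ARN}:topic/{topic}/rejected"),
    ]


def check_defender_demo(policy, thing=THING):
    """Map each requirement to whether `policy` grants it."""
    return {f"{a} {r}": evaluate(policy, a, r)
            for a, r in defender_demo_requirements(thing)}


if __name__ == "__main__":
    other = f"{ARN}:topic/$aws/things/otherthing/defender/metrics/json"
    for name, pol in (("original", ORIGINAL_POLICY), ("wildcard", WILDCARD_POLICY),
                      ("scoped", SCOPED_POLICY)):
        print(name, "grants defender demo:", all(check_defender_demo(pol).values()),
              "| can publish to another thing's topic:",
              evaluate(pol, "iot:Publish", other))
```

All three policies let the demo run; the difference is that the original and wildcard policies also let the same certificate publish to any other thing's topics, and the wildcard additionally grants every iot: action, which is why it is suitable for a test and nothing else. The real authorizer also evaluates Condition blocks and policy variables such as the connecting thing's name, which this evaluator leaves out.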
After changing the log level to LOG_DEBUG this is the output I got. I even changed the policy document to what you told me.
[INFO] [DEFENDER_DEMO] [defender_demo.c:595] Establishing MQTT session...
[DEBUG] [DEFENDER_DEMO] [mqtt_operations.c:408] Establishing a TLS session to a140ax8j255ia-ats.iot.us-east-1.amazonaws.com:8883.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open Root CA certificate: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/AmazonRootCA1.crt.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:375] Successfully imported root CA.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open client's certificate: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/device.pem.crt.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:405] Successfully imported client certificate.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open client's key: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/private.pem.key.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:436] Successfully imported client certificate private key.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:532] Setting server name a140ax8j255ia-ats.iot.us-east-1.amazonaws.com for SNI.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:272] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:666] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 162 ms backoff.
[DEBUG] [DEFENDER_DEMO] [mqtt_operations.c:408] Establishing a TLS session to a140ax8j255ia-ats.iot.us-east-1.amazonaws.com:8883.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open Root CA certificate: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/AmazonRootCA1.crt.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:375] Successfully imported root CA.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open client's certificate: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/device.pem.crt.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:405] Successfully imported client certificate.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:189] Attempting to open client's key: Path=/home/hemanthk/Downloads/aws-iot-device-sdk-embedded-c/build/bin/certificates/private.pem.key.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:436] Successfully imported client certificate private key.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:532] Setting server name a140ax8j255ia-ats.iot.us-east-1.amazonaws.com for SNI.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:272] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:666] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 477 ms backoff.
[DEBUG] [DEFENDER_DEMO] [mqtt_operations.c:408] Establishing a TLS session to a140ax8j255ia-ats.iot.us-east-1.amazonaws.com:8883.
At this point, we need to run WireShark to capture traffic to find out the reason of handshake failure. Can you do that please?
I am closing this one. Feel free to re-open or create a new one, if you still face any issue.
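Before reaching for Wireshark, a cheaper way to find out why SSL_connect fails is to replay the SDK's steps outside the SDK (load the root CA, load the client certificate and key, open TCP to port 8883, handshake with SNI) and print the OpenSSL reason string for the first step that fails, which is the detail the "SSL_connect failed to perform TLS handshake" line leaves out. The script below is an added example written for this thread, not part of the SDK, and uses only the Python standard library. The endpoint and the three file paths are taken from the command line; passing root_ca_path=None (system trust store) or client_cert_path=None (no client certificate) are options for isolating the CA file and the client credential respectively.

```python
"""Stage-by-stage mutual-TLS probe mirroring the SDK's OpenSSL transport steps.

Added example (not part of the SDK or this thread); Python standard library only.
"""
import socket
import ssl
import sys

MQTT_TLS_PORT = 8883  # the port shown in the demo's debug log


def diagnose(endpoint, root_ca_path, client_cert_path, client_key_path,
             port=MQTT_TLS_PORT, timeout=10.0):
    """Return (stage, detail) for the first failing step, or ("ok", detail).

    Stages, in the order the SDK performs them: "root_ca" (load the CA file),
    "client_cert" (load cert + key), "tcp" (connect), "handshake" (TLS + SNI).
    root_ca_path=None uses the system trust store instead of a CA file;
    client_cert_path=None probes without presenting a client certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert and hostname
    try:
        if root_ca_path is None:
            ctx.load_default_certs()
        else:
            ctx.load_verify_locations(cafile=root_ca_path)
    except (OSError, ValueError) as exc:      # missing file, or file is not PEM
        return "root_ca", str(exc)

    if client_cert_path is not None:
        try:
            # OpenSSL checks here that the key matches the certificate, so a
            # swapped key/cert pair is reported at this stage, not at handshake.
            ctx.load_cert_chain(certfile=client_cert_path, keyfile=client_key_path)
        except (OSError, ValueError) as exc:
            return "client_cert", str(exc)

    try:
        raw = socket.create_connection((endpoint, port), timeout=timeout)
    except OSError as exc:                    # DNS failure, refused, firewall
        return "tcp", str(exc)

    try:
        # server_hostname sets SNI, the same thing the SDK log shows it doing.
        with ctx.wrap_socket(raw, server_hostname=endpoint) as tls:
            return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        # exc.reason carries the OpenSSL reason string, e.g. a received alert.
        return "handshake", exc.reason or str(exc)
    except OSError as exc:                    # peer closed the socket mid-handshake
        return "handshake", str(exc)
    finally:
        raw.close()  # no-op once the fd has been handed to the TLS socket


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: tls_probe.py ENDPOINT ROOT_CA CLIENT_CERT CLIENT_KEY")
    stage, detail = diagnose(*sys.argv[1:5])
    print(f"{stage}: {detail}")
    sys.exit(0 if stage == "ok" else 1)
```

Run it from the same directory as the demo binary so the same relative certificate paths apply. A reason such as TLSV1_ALERT_UNKNOWN_CA, SSLV3_ALERT_HANDSHAKE_FAILURE or SSLV3_ALERT_BAD_CERTIFICATE is an alert sent by the server and points at the client certificate or its status on the AWS side; CERTIFICATE_VERIFY_FAILED is a local decision and points at the root CA file or the endpoint name; an EOF or connection reset during the handshake means the server dropped the connection without sending an alert, which is the one case where a packet capture still adds information.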
Hi, I tried to run the Device Defender demo application, providing the required certificates, but it shows that the TLS handshake failed.
[INFO] [DEFENDER_DEMO] [defender_demo.c:640] Establishing MQTT session...
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:325] fopen failed to find the root CA certificate file: ROOT_CA_PATH=certificates/AmazonRootCA1.crt.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:651] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 49 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:325] fopen failed to find the root CA certificate file: ROOT_CA_PATH=certificates/AmazonRootCA1.crt.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:651] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 297 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:325] fopen failed to find the root CA certificate file: ROOT_CA_PATH=certificates/AmazonRootCA1.crt.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:651] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 328 ms backoff.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:325] fopen failed to find the root CA certificate file: ROOT_CA_PATH=certificates/AmazonRootCA1.crt.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:651] Setting up credentials failed.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEFENDER_DEMO] [mqtt_operations.c:434] Connection to the broker failed. Retrying connection after 3597 ms backoff.
But I have stored the file in this folder and given the path. Can you please suggest a solution?
Thank you, Hemanth