How to connect to Greengrass core using C AWS IOT SDK

[amarnath87]

Hi,

We are trying to connect to Greengrass core using C AWS IOT SDK

Here are the steps we followed

• Created greengrass group using AWS console
• Downloaded the certificates associated with the group/greengrass core
• Deployed the certificates on greengrass core device at /greengrass/certs folder
• On the greengrass core device executed the following command at /greengrass/certs folder
  • sudo wget -O root.ca.pem http://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
• Added new device within the greengrass console
• Downloaded the certificates for the device
• Added subscriptions
  • 1 -Device as source and Local Device Shadow as target(/update topic)
  • 2 -Local Device Shadow as source and device as target(/update/accepted topic)
  • 3 -Local Device Shadow as source and device as target(/update/rejected topic)
• Deployed AWS IOT C SDK sample connecting to greengrass core device on another ubuntu machine
• Deployed the device certificates on ubuntu machine where C SDK sample was pointing
• Generated the root certificate on ubuntu machine where C SDK sample was pointing
  • curl -o ./root-ca-cert.pem http://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
• Launched the AWS IOT C SDK sample app

When we launch sample app its throwing the following error. How to address this issue

ERROR: iot_tls_connect L#222 failed ! mbedtls_ssl_handshake returned -0x2700

ERROR: iot_tls_connect L#229 Unable to verify the server's certificate. Either it is invalid, or you didn't set ca_file or ca_path to an appropriate value. Alternatively, you may want to use auth_mode=optional for testing purposes.

[huguesBouvier]

Hello,

Are you trying to connect directly via greengrass? To do that, you need to retrieve a different certificate than the one you use to connect to AWS cloud. This certificate is requested directly from the cloud using an http request at the address: "GET /greengrass/discover/thing/-your thing name- HTTP/1.1\r\n\r\n" on port 8443 The http response will contain a JSON file that has that certificate + the IP you can use.

Another possibility is IP resolution. If you are using SNI, it is possible that your server IP resolution is different than the one entered in the certificate.

Hugues

[amarnath87]

Hi Hugues,

We have followed your instructions still we are getting the same issue.

Amarnath

[huguesBouvier]

Hello,

I will need more information to be able to help you:

• Are you trying to connect directly via greengrass?
• Did you manage to receive the JSON file? How are you extracting the certificate?
• Do you use SNI?
• Have you tried disabling the SNI?
• Are you using Linux?

Amazon FreeRTOS has a library for greengrass discovery: You could try doing a greengrass discovery with their windows simulator and see if you experience the same issue: https://github.com/aws/amazon-freertos

Hugues

[amarnath87]

Hi Hugues,

Please find the details below

Are you trying to connect directly via greengrass?

• I am unable to follow your question. We have an application which earlier used to connect to AWS IOT directly. Using the same application we are now connecting to greengrass. We changed the #define in aws_iot_config.h to point to greengrass core device. We have generated the JSON file and extracted the Certificate content into a file without the \n and used as root certificate.

Did you manage to receive the JSON file? How are you extracting the certificate?

• Yes. See the command used below
• curl --tlsv1.2 --cacert root-ca-cert.pem --cert xxxxxxxxxx.cert.pem --key xxxxxxxxxx.private.key -G "https://yyyyyyyyyy.iot.us-east-1.amazonaws.com:8443/greengrass/discover/thing/MyGGThing"
• We have extracted the CA content from JSON and removed the \n and saved into a file. That file is referred in the aws_iot_config.h file

Do you use SNI?

• Not sure about this Have you tried disabling the SNI?
• Not done anything specific

Are you using Linux?

• We have deployed greengrass core on ubuntu running on upsquared board
• We tried running our application from the same board as well as from other ubuntu PC

Please let us know if we are doing something unusual.

As suggested by you we have tried FreeRTOS windows simulator. Even though it says the Greengrass connection is successful. When we subscribe for messages on AWS IOT console Test page for freertos/demos/ggd we don't see any updates. We are not seeing any shadow updates as well. Not much information is available in the AWS documentation as well.

Please find the logs for FreeRTOS windows simulator here - https://gist.github.com/amarnath87/e9345fda3986c3c3d5577c3853d3ed1e

Amarnath

[huguesBouvier]

Hi,

1. For windows simulator: If you get connection to the greengrass, it means you are very close. You are probably not seeing messages because you need to add a subscription from the cloud to your device in the greengrass group. Like this (in your greengrass group, subscriptions) Source | Target | Topic |   IoT Cloud | My_device | # |   My_device | IoT Cloud | #

I have error 404 when trying to access the win simulator logs.

2. You need to configure the certificate you are getting as trusted: This is that line in the wrapper: mbedtls_ssl_conf_ca_chain(&(tlsDataParams->conf), &(tlsDataParams->cacert), NULL); Greengrass in freeRTOS does it inside aws_helper_secure_connect.c: if( pxHostAddressData->pcCertificate != NULL ) { if( SOCKETS_SetSockOpt( *pxSocket, 0, SOCKETS_SO_TRUSTED_SERVER_CERTIFICATE, pxHostAddressData->pcCertificate, ( size_t ) pxHostAddressData->ulCertificateSize ) != SOCKETS_ERROR_NONE ) { xStatus = pdFAIL; } } You need to do the same thing in SDK. If you use an IP, then you should also disable the SNI (server name indicator)

Hugues

[amarnath87]

Hi Hugues,

We could successfully connect to greengrass after doing the following changes to the code:

• Disable SNI
• Set to mbedtls_ssl_conf_authmode to MBEDTLS_SSL_VERIFY_NONE

We are not sure how to configure certificate as trusted in the mbedtls_ssl_conf_ca_chain function. Could you please let us know how to do that or point to online resource

[huguesBouvier]

Hi,

I would look into the MBEDTLS documentation for that. Otherwise, you can look at what Amazon FreeRTOS does to make a certificate trusted, this option need to be called: mbedtls_x509_crt_parse This will add your server certificate to the trusted chain list. Careful that your server CA is compatible with your root CA.

Hugues

[lt72]

Hi @amarnath87, did you have a chance to try @huguesBouvier 's suggestion?

[amarnath87]

Hi,

No, we are going through MBEDTLS documentation. Taking some time to understand as we are new to this.

Amarnath

[gordonwang0]

Hi @amarnath87,

Please let us know if you need any more help on this. Closing issue.