aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

Issue with "subscribe_publish_sample," Error(-12) #315

Closed whbernard closed 5 years ago

whbernard commented 5 years ago

I'm trying to run the "subscribe_publish_example" but I am unable to get the sample running without the following error below:

AWS IoT SDK Version 3.0.1-

DEBUG: main L#159 rootCA /home/williambernard/openwrt_projects/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/root-CA.crt
DEBUG: main L#160 clientCRT /home/williambernard/openwrt_projects/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/06a6c3a55b-certificate.pem.crt
DEBUG: main L#161 clientKey /home/williambernard/openwrt_projects/aws-iot-device-sdk-embedded-C/samples/linux/subscribe_publish_sample/../../../certs/06a6c3a55b-private.pem.key
Connecting...
DEBUG: iot_tls_connect L#130 . Seeding the random number generator...
DEBUG: iot_tls_connect L#138 . Loading the CA root certificate ...
DEBUG: iot_tls_connect L#144 ok (0 skipped)
DEBUG: iot_tls_connect L#146 . Loading the client cert. and key...
DEBUG: iot_tls_connect L#159 ok
DEBUG: iot_tls_connect L#161 . Connecting to a1a369bkd22ij0-ats.iot.eu-west-1.amazonaws.com/443...
DEBUG: iot_tls_connect L#180 ok
DEBUG: iot_tls_connect L#182 . Setting up the SSL/TLS structure...
DEBUG: iot_tls_connect L#223 SSL state connect : 0
DEBUG: iot_tls_connect L#226 ok
DEBUG: iot_tls_connect L#228 SSL state connect : 0
DEBUG: iot_tls_connect L#229 . Performing the SSL/TLS handshake...
DEBUG: _iot_tls_verify_cert L#49 Verify requested for (Depth 2):
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:6C:9F:CF:99:BF:8C:0A:39:E2:F0:78:8A:43:E6:96:36:5B:CA issuer name : C=US, O=Amazon, CN=Amazon Root CA 1 subject name : C=US, O=Amazon, CN=Amazon Root CA 1 issued on : 2015-05-26 00:00:00 expires on : 2038-01-17 00:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true key usage : Digital Signature, Key Cert Sign, CRL Sign
DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags
DEBUG: _iot_tls_verify_cert L#49 Verify requested for (Depth 1):
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:7F:94:57:85:87:E8:AC:77:DE:B2:53:32:5B:BC:99:8B:56:0D issuer name : C=US, O=Amazon, CN=Amazon Root CA 1 subject name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon issued on : 2015-10-22 00:00:00 expires on : 2025-10-19 00:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true, max_pathlen=0 key usage : Digital Signature, Key Cert Sign, CRL Sign
DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags
DEBUG: _iot_tls_verify_cert L#49 Verify requested for (Depth 0):
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:C9:C7:B7:84:F0:8F:8B:34:87:5D:DD:81:FF:E4:F0 issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=*.iot.eu-west-1.amazonaws.com issued on : 2018-08-02 00:00:00 expires on : 2019-08-02 12:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false subject alt name : iot.eu-west-1.amazonaws.com, *.iot.eu-west-1.amazonaws.com key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags
DEBUG: iot_tls_connect L#246 ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ]
DEBUG: iot_tls_connect L#248 [ Record expansion is 29 ]
DEBUG: iot_tls_connect L#253 . Verifying peer X.509 certificate...
DEBUG: iot_tls_connect L#262 ok
DEBUG: iot_tls_connect L#272 . Peer certificate information ...
DEBUG: iot_tls_connect L#274 cert. version : 3 serial number : 06:C9:C7:B7:84:F0:8F:8B:34:87:5D:DD:81:FF:E4:F0 issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=*.iot.eu-west-1.amazonaws.com issued on : 2018-08-02 00:00:00 expires on : 2019-08-02 12:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false subject alt name : iot.eu-west-1.amazonaws.com, *.iot.eu-west-1.amazonaws.com key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
ERROR: main L#190 Error(-12) connecting to a1a369bkd22ij0-ats.iot.eu-west-1.amazonaws.com:443

I have created the following security policy and attached it to my device's certificate:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "arn:aws:iot:eu-west-1:521108970238:*"
    }
  ]
}

I've consulted issue #183 but have had no luck as of yet. I'm guessing there must be an issue in my security policy? Any help would be greatly appreciated.

Thanks, Will Bernard

yuhui-zheng commented 5 years ago

Hi Will,

From your posting, the policy is created in eu-west-1, which allows all iot actions via endpoint a1a369bkd22ij0-ats.iot.eu-west-1.amazonaws.com. Also from above log lines, it seems client is able to somewhat "connect" to IoT with given certs/key. So far, I don't see a red flag.

Error(-12) is defined as

/** A Generic error based on the platform used */
NETWORK_SSL_READ_ERROR = -12,

in aws_iot_error.h. And this error is only assigned in iot_tls_read(), network_mbedtls_wrapper.c, which calls into 3rd party mbed TLS layer.

I may not be able to conclude what's happening exactly, but some suspicions --

-------- Updated -------- I would suggest check IoT console once again (which you might have done for a couple of times already...) and see if policy is attached to the Thing correctly. Also, may want to check aws_iot_config.h AWS_IOT_MY_THING_NAME, see if this matches what you have setup in AWS IoT console. This is definitely not great user experience, which requires understanding on both client and server side implicitly. Apologies...
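The policy question raised above (does the document attached to the certificate actually cover everything the sample does?) can be checked offline. The following is an added example written for this page, not SDK or AWS code: it applies the AWS IoT policy evaluation rules (an explicit Deny beats any Allow; no matching Allow is a denial; `*` and `?` wildcards; action names compared case-insensitively) to the four calls the subscribe_publish sample makes. The client ID `c-sdk-client-id`, the topic `sdkTest/sub` and the resource ARN shapes are assumptions for the example; the account ID and region are the ones posted in this thread.

```python
"""Offline check of an AWS IoT Core policy against the calls the subscribe_publish
sample makes. Added example, not SDK code: it applies the AWS IoT policy rules
(an explicit Deny beats any Allow; no matching Allow means denied) to
(action, resource) pairs. Client ID and topic below are assumptions."""
import json
import re

# Constructed from the policy posted in this thread (account ID and region as posted).
POSTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iot:*",
        "Resource": "arn:aws:iot:eu-west-1:521108970238:*",
    }],
})


def _glob_to_regex(pattern, ignore_case):
    """IAM-style wildcard matching: '*' spans any run of characters, '?' exactly one."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy_json, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one action on one resource.
    Action names match case-insensitively, resource ARNs case-sensitively."""
    decision = "ImplicitDeny"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if not any(_glob_to_regex(a, True).match(action) for a in actions):
            continue
        if not any(_glob_to_regex(r, False).match(resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit deny is final, whatever else allows
        decision = "Allow"
    return decision


def sample_requirements(region, account, client_id, topic):
    """(action, resource) pairs the sample needs: one CONNECT, then SUBSCRIBE/PUBLISH
    on a single topic. ARN shapes (client/, topicfilter/, topic/) are AWS IoT Core's."""
    base = f"arn:aws:iot:{region}:{account}"
    return [
        ("iot:Connect",   f"{base}:client/{client_id}"),
        ("iot:Subscribe", f"{base}:topicfilter/{topic}"),
        ("iot:Receive",   f"{base}:topic/{topic}"),
        ("iot:Publish",   f"{base}:topic/{topic}"),
    ]


def check_policy(policy_json, region="eu-west-1", account="521108970238",
                 client_id="c-sdk-client-id", topic="sdkTest/sub"):
    """Map each required call to its decision; anything but 'Allow' breaks the sample."""
    return {f"{action} {resource}": evaluate(policy_json, action, resource)
            for action, resource in sample_requirements(region, account, client_id, topic)}


if __name__ == "__main__":
    for call, verdict in check_policy(POSTED_POLICY).items():
        print(f"{verdict:<13} {call}")
```

Run as-is it reports Allow for all four calls of the posted policy, which is why the policy text itself was not the red flag here. Swap in a policy scoped to another region, or one that grants only iot:Connect, and the Subscribe/Receive/Publish rows turn into ImplicitDeny; add a Deny statement and it overrides the Allow regardless of order. Note that the evaluator only tells you whether a given document would authorize the calls; it cannot tell you whether that document is attached to the certificate the device presents, which is the check the later comments in this thread ended up needing.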

whbernard commented 5 years ago

mbedTLS customized configuration? Under external_libs/mbedTLS/, do you have mbedTLS configurations customized?

The mbedTLS source code is directly cloned from mbedTLS Github repo. Not sure if I should or should not be customizing it. If I'm just trying to get the "subscribe_publish_sample" to run, should the mbedTLS source remain unmodified? I tried deleting the mbedTLS source code I had, recloning it, and then recompiling the sample. I am still receiving the Error(-12).

in AWS IoT console EU-WEST-1 region, monitoring dashboard, could you see any event got triggered by this demo?

Yes, the AWS IoT console shows a successful connection. As seen from the screenshot below:

[Screenshot: Screen Shot 2019-03-16 at 12 54 51 AM]

I would suggest check IoT console once again (which you might have done for a couple of times already...) and see if policy is attached to the Thing correctly. Also, may want to check aws_iot_config.h AWS_IOT_MY_THING_NAME, see if this matches what you have setup in AWS IoT console.

Checked this too. Looks the same to me. My "Thing" name is GL-iNet on the online dashboard and AWS_IOT_MY_THING_NAME is set to GL-iNet within aws_iot_config.h.

Another thing I tried was adding an ATS endpoint through AWS CLI using the following: aws iot describe-endpoint --endpoint-type iot:Data-ATS

Still, no luck.

Any advice on next steps? I appreciate your assistance thus far.

yuhui-zheng commented 5 years ago

One question... For the root-CA.crt you are using. Is it originally named as "VeriSign Class 3 Public Primary G5 root CA certificate"? This cert may not work well with -ats endpoint... (The log you attached in the first post shows you are using endpoint *-ats.iot.eu-west-1.amazonaws.com which is an ATS endpoint.)

https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html under "Amazon Trust Services Endpoints (preferred)".

This post may not resolve your issue... Based on the symptom, it may be worth a shot though.

whbernard commented 5 years ago

I'm using one of the ATS endpoint keys in the above case (RSA 2048 bit key). Should I be using a different ATS endpoint key?

Quick question: I'm trying to build the sample and run it on Ubuntu 18.04 LTS within VirtualBox on my Mac. Could this be causing an issue? I'm going to build it locally on macOS and see if that changes anything.

yuhui-zheng commented 5 years ago

I'm assuming the RSA 2048 bit key you mentioned is AmazonRootCA1.pem. This is perfectly fine, and also exactly what I'm using for ATS endpoint in eu-west-1.

To your question, I'm not entirely sure about your VirtualBox configuration, and it could be caused by network configuration (bridging etc.) I'm building/running the pub-sub example with macOS High Sierra, and my GCC version looks like below. Current version of C-SDK might emit a couple of warnings when building on Mac, but at least you should be able to run the sample and talk to AWS IoT backend.

subscribe_publish_sample yuhzheng$ gcc --version
Configured with: --prefix=/Library/Developer/CommandLineTools/usr --with-gxx-include-dir=/usr/include/c++/4.2.1
Apple LLVM version 10.0.0 (clang-1000.10.44.4)
Target: x86_64-apple-darwin17.7.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin

If none of the above helps, I don't mind sending over a zip. You may still need to configure your AWS account a little bit, as I could not access that part.

whbernard commented 5 years ago

My example is now working locally on macOS Mojave 10.14.2. As you said, there are a few warnings but everything appears to be working fine. There must be some issue with my network configuration in VirtualBox that's causing Error(-12), although I'm not entirely sure what that is. Thanks for your help, this post really helped clarify some missing holes I had. Closing the issue for now.

longinux commented 5 years ago

I am having the same problem trying to connect my AWS IoT Raspberry Pi to mbed TLS. It seems this problem has been solved, but nobody has provided a clear step-by-step way it was solved, and so new people like me will continue to post the same problem that has already been solved. Please, if someone can reproduce how he/she solved it, that will save a lot of time for members of the forum. Here is my problem:

DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:7F:94:57:85:87:E8:AC:77:DE:B2:53:32:5B:BC:99:8B:56:0D issuer name : C=US, O=Amazon, CN=Amazon Root CA 1 subject name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon issued on : 2015-10-22 00:00:00 expires on : 2025-10-19 00:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=true, max_pathlen=0 key usage : Digital Signature, Key Cert Sign, CRL Sign

DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags

DEBUG: _iot_tls_verify_cert L#49 Verify requested for (Depth 0):

DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:66:B4:8C:67:DF:2F:E7:A9:A2:26:55:3E:71:EE:24 issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=*.iot.us-east-1.amazonaws.com issued on : 2018-08-02 00:00:00 expires on : 2019-08-02 12:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false subject alt name : iot.us-east-1.amazonaws.com, *.iot.us-east-1.amazonaws.com key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

DEBUG: _iot_tls_verify_cert L#54 This certificate has no flags

DEBUG: iot_tls_connect L#246 ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ]

DEBUG: iot_tls_connect L#248 [ Record expansion is 29 ]

DEBUG: iot_tls_connect L#253 . Verifying peer X.509 certificate...
DEBUG: iot_tls_connect L#262 ok

DEBUG: iot_tls_connect L#272 . Peer certificate information ...

DEBUG: iot_tls_connect L#274 cert. version : 3 serial number : 06:66:B4:8C:67:DF:2F:E7:A9:A2:26:55:3E:71:EE:24 issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=*.iot.us-east-1.amazonaws.com issued on : 2018-08-02 00:00:00 expires on : 2019-08-02 12:00:00 signed using : RSA with SHA-256 RSA key size : 2048 bits basic constraints : CA=false subject alt name : iot.us-east-1.amazonaws.com, *.iot.us-east-1.amazonaws.com key usage : Digital Signature, Key Encipherment ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

ERROR: main L#190 Error(-12) connecting to aulbe3dts2fmj-ats.iot.us-east-1.amazonaws.com:8883

lakshmisivareddy commented 5 years ago

I am also facing the same issue; -12 says policy error? I checked the policy rules and added IoT full access, but I am still getting the same error.

DEBUG: iot_tls_connect L#248 [ Record expansion is 29 ]

DEBUG: iot_tls_connect L#253 . Verifying peer X.509 certificate...
DEBUG: iot_tls_connect L#262 ok

DEBUG: iot_tls_connect L#272 . Peer certificate information ...

DEBUG: iot_tls_connect L#274 cert. version : 3 serial number : 72:6C:3C:AD:BC:66:02:DA:81:68:3F:C2:46:55:C4:84 issuer name : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2 subject name : C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.iot.us-east-2.amazonaws.com issued on : 2018-09-11 00:00:00 expires on : 2019-09-12 23:59:59 signed using : ECDSA with SHA256 EC key size : 256 bits basic constraints : CA=false subject alt name : iot.us-east-2.amazonaws.com, *.iot.us-east-2.amazonaws.com key usage : Digital Signature ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

Subscribing... ERROR: main L#207 Error subscribing : -12

sosaucily commented 4 years ago

For me this error was due to an issue with policy or permissions on AWS in the IoT platform. In the end I don't know what the problem was, but deleting the cert / device / groups / policy and starting over fresh worked. Maybe I had a bad configuration, or maybe there was something that got corrupted on the AWS side.

volzinnovation commented 4 years ago

Hi, can confirm that this issue may relate to having a certificate without an appropriate policy attached. Once I attached the policy to the certificate, the communication worked.
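The logs in this thread all share one shape that is worth reading carefully: the handshake completes, "Verifying peer X.509 certificate... ok" is printed, and only then does the SDK report -12. Because NETWORK_SSL_READ_ERROR is set in iot_tls_read(), that sequence means the TLS layer (root CA, device certificate, private key) did its job and the connection died on the first read after it, which is where the MQTT CONNECT (or, in lakshmisivareddy's case, the SUBSCRIBE) is answered. A wrong root CA for the endpoint type, the -ats versus legacy question raised above, fails earlier, at the handshake or verify step, not with a read error afterwards. The helper below is an added example written for this page, not SDK code: it parses the sample's debug output, decides which stage failed, and lists the checks that the thread's own findings (policy not attached, policy missing Subscribe/Receive, VM networking) leave open. The only SDK value it hard-codes is -12, quoted earlier from aws_iot_error.h; the log excerpts are constructed from the posts above, with serial numbers shortened.

```python
"""Triage of an AWS IoT embedded C SDK (v3) debug log. Added example, not SDK code.
The only SDK facts it relies on are visible in this thread: the debug lines the sample
prints, and Error(-12) == NETWORK_SSL_READ_ERROR, set only in iot_tls_read() once the
TLS session is already up. Other codes are reported by number only, on purpose."""
import re

SDK_ERRORS = {-12: "NETWORK_SSL_READ_ERROR"}  # aws_iot_error.h, as quoted in the thread

# Constructed, abridged excerpts of the logs posted in this thread (serials shortened).
LOG_EU_WEST_1 = """\
DEBUG: iot_tls_connect L#161 . Connecting to a1a369bkd22ij0-ats.iot.eu-west-1.amazonaws.com/443... DEBUG: iot_tls_connect L#180 ok
DEBUG: iot_tls_connect L#229 . Performing the SSL/TLS handshake... DEBUG: _iot_tls_verify_cert L#49 Verify requested for (Depth 2):
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:6C:... issuer name : C=US, O=Amazon, CN=Amazon Root CA 1 subject name : C=US, O=Amazon, CN=Amazon Root CA 1
DEBUG: _iot_tls_verify_cert L#51 cert. version : 3 serial number : 06:C9:... issuer name : C=US, O=Amazon, OU=Server CA 1B, CN=Amazon subject name : CN=*.iot.eu-west-1.amazonaws.com
DEBUG: iot_tls_connect L#246 ok [ Protocol is TLSv1.2 ] [ Ciphersuite is TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 ]
DEBUG: iot_tls_connect L#253 . Verifying peer X.509 certificate... DEBUG: iot_tls_connect L#262 ok
ERROR: main L#190 Error(-12) connecting to a1a369bkd22ij0-ats.iot.eu-west-1.amazonaws.com:443
"""
LOG_US_EAST_2 = """\
DEBUG: iot_tls_connect L#253 . Verifying peer X.509 certificate... DEBUG: iot_tls_connect L#262 ok
DEBUG: iot_tls_connect L#274 cert. version : 3 serial number : 72:6C:... issuer name : C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 ECC 256 bit SSL CA - G2 subject name : C=US, O=Amazon.com, Inc., CN=*.iot.us-east-2.amazonaws.com
Subscribing... ERROR: main L#207 Error subscribing : -12
"""


def chain_family(issuers):
    """Which CA family signed the server chain; that is the root the device must load."""
    text = " ".join(issuers)
    if "Amazon Root CA" in text or "O=Amazon," in text:
        return "amazon-trust-services"
    if "Symantec" in text or "VeriSign" in text:
        return "legacy-symantec-verisign"
    return "unknown"


def triage(log):
    """Locate the failing stage and return the facts plus the checks worth doing next."""
    host = port = None
    m = re.search(r"Connecting to ([\w.-]+)/(\d+)", log)
    if m:
        host, port = m.group(1), int(m.group(2))
    issuers = re.findall(r"issuer name : (.*?) subject name :", log)
    # In this SDK the verify step follows the handshake, so "ok" here means the server
    # chain validated against the loaded root CA and the handshake itself completed.
    tls_ok = bool(re.search(r"Verifying peer X\.509 certificate\.\.\..*?\bok\b", log))
    code = stage = None
    m = re.search(r"Error\((-?\d+)\) connecting to ([\w.-]+):(\d+)", log)
    if m:
        code, stage = int(m.group(1)), "connect"
        host, port = host or m.group(2), port or int(m.group(3))
    else:
        m = re.search(r"Error (\w+) : (-?\d+)", log)
        if m:
            stage, code = m.group(1).lower(), int(m.group(2))
    r = {"host": host, "port": port, "ats_endpoint": bool(host and "-ats.iot." in host),
         "chain": chain_family(issuers), "tls_ok": tls_ok, "error": code,
         "error_name": SDK_ERRORS.get(code, "unknown"), "stage": stage, "advice": []}
    if code is None:
        r["finding"] = "no-error"
    elif not tls_ok:
        r["finding"] = "tls-failure"
        r["advice"].append(f"Handshake or chain verification failed before any MQTT traffic; "
                           f"the server presented a {r['chain']} chain, so root-CA.crt must be "
                           f"that family's root (Amazon Root CA 1 for -ats endpoints).")
    elif code == -12 and stage == "connect":
        r["finding"] = "rejected-after-tls"
        r["advice"].append("Root CA, device certificate and key all worked: the session died on "
                           "the first read after the handshake, i.e. during MQTT CONNECT. Check "
                           "that a policy is attached to this certificate and allows iot:Connect "
                           "for the client ID, that the certificate is ACTIVE, and that the "
                           "network path (a VM's NAT/bridge, a proxy) is not dropping the session.")
    elif code == -12:
        r["finding"] = f"rejected-at-{stage}"
        r["advice"].append("CONNECT was accepted, so iot:Connect is allowed; the failure is on the "
                           "read after the next MQTT request. Check iot:Subscribe on the "
                           "topicfilter ARN and iot:Receive/iot:Publish on the topic ARN.")
    else:
        r["finding"] = "other"
    if host and r["chain"] != "unknown":
        expected = "amazon-trust-services" if r["ats_endpoint"] else "legacy-symantec-verisign"
        if r["chain"] != expected:
            r["advice"].append("Server chain does not match the endpoint type in the hostname.")
    return r


if __name__ == "__main__":
    for name, log in (("eu-west-1", LOG_EU_WEST_1), ("us-east-2", LOG_US_EAST_2)):
        res = triage(log)
        print(f"{name}: {res['finding']} ({res['error_name']}, chain={res['chain']})")
        for line in res["advice"]:
            print("  -", line)
```

Feed it the full log of a failing run rather than the excerpts and the classification is the same: the eu-west-1 case comes out as rejected-after-tls on an ATS endpoint with an Amazon Trust Services chain, which is exactly the situation where the console shows a connection attempt yet the client sees -12, and the us-east-2 case as rejected at subscribe against a legacy (Symantec-signed) endpoint. The point of separating the stages is that each one is authenticated by a different artifact: the TLS stage by the root CA file and the device certificate, the MQTT stage by the policy attached to that certificate, and only the first of those is visible in the SDK's debug output.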