aws / aws-iot-device-sdk-js

SDK for connecting to AWS IoT from a device using JavaScript/Node.js
Apache License 2.0
964 stars 384 forks

Certificate issues abound #88

Closed pelted closed 7 years ago

pelted commented 8 years ago

Worked through this several times and get nothing but cert issues whether running the examples or using a basic test JS. Not really sure where to go from here with this.

Cert is created in the console, policy attached as well as a couple of devices.

Using this:

openssl s_client -connect custom_endpoint.iot.us-west-2.amazonaws.com:8443 -CAfile CA.pem -cert cert.pem -key privateKey.pem

seems to work without failing, but running the device-example.js produces this:

❯ node node_modules/aws-iot-device-sdk/examples/device-example.js -f ./certs --test-mode=1

error { Error: write EPROTO 140735163940864:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/s3_pkt.c:1472:SSL alert number 46
140735163940864:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:../deps/openssl/openssl/ssl/s3_pkt.c:656:

    at exports._errnoException (util.js:1012:11)
    at WriteWrap.afterWrite (net.js:793:14) code: 'EPROTO', errno: 'EPROTO', syscall: 'write' }
offline
close
reconnect
rongsaws commented 8 years ago

If you add '-D' argument to your command line, you will see the debug information. In particular, can you check if the host it tries to connect to is in the same region as your certs were created? If not, you could always try to specify the endpoint using -H argument.

pelted commented 8 years ago

Okay, that got me further. I need to use the -g argument and set it to us-west-2. Now I'm getting more data and the error is "unable to get local issuer certificate".

(Note: the -F option to read a config file is being completely ignored so everything seems to need to be passed as args.)

> node node_modules/aws-iot-device-sdk/examples/device-example.js -f ./certs --test-mode=1 -g us-west-2 -D

{ keyPath: './certs/private.pem.key',
  certPath: './certs/certificate.pem.crt',
  caPath: './certs/root-CA.crt',
  clientId: 'xxxxxxxx',
  region: 'us-west-2',
  baseReconnectTimeMs: 4000,
  keepalive: 30,
  protocol: 'mqtts',
  port: 8883,
  host: 'data.iot.us-west-2.amazonaws.com',
  debug: true,
  reconnectPeriod: 4000,
  fastDisconnectDetection: true,
  key: <Buffer xxxx ... >,
  cert: <Buffer xxxx ... >,
  ca: <Buffer xxxx ... >,
  requestCert: true,
  rejectUnauthorized: true }
attempting new mqtt connection...
error { Error: unable to get local issuer certificate
    at Error (native)
    at TLSSocket.<anonymous> (_tls_wrap.js:1060:38)
    at emitNone (events.js:86:13)
    at TLSSocket.emit (events.js:185:7)
    at TLSSocket._finishInit (_tls_wrap.js:584:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:416:38) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' }
offline
connection lost - will attempt reconnection in 4 seconds...
close
chaurah commented 8 years ago

Hi @pelted, are you running the sample behind a proxy? Can you also tell us which platform you are running the sample on?

Rahul

fengsongAWS commented 7 years ago

No response for a while. Assuming resolved.

iotgeek commented 7 years ago

I am also facing the same issue. Can you please tell me what is wrong here? Regarding the platform, I am using a LinkIt Smart 7688 device to execute the thing-example.

root@mylinkit:~/node_modules/aws-iot-device-sdk# node examples/device-example.js -f ~/certs --test-mode=1 -D
{ keyPath: '/root/certs/f0107f3745-private.pem.key',
  certPath: '/root/certs/f0107f3745-certificate.pem.crt',
  caPath: '/root/certs/root-CA.crt',
  clientId: 'Smart7688',
  region: 'us-east-1',
  baseReconnectTimeMs: 4000,
  keepalive: 30,
  protocol: 'mqtts',
  port: 8883,
  host: 'data.iot.us-east-1.amazonaws.com',
  debug: true,
  reconnectPeriod: 4000,
  fastDisconnectDetection: true,
  key: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 45 6f 77 49 42 41 41 4b 43 41 51 45 41 30 7a ... >,
  cert: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 4d 49 49 44 57 6a 43 43 41 6b 4b 67 41 77 49 42 41 67 49 56 41 4f ... >,
  ca: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0d 0a 4d 49 49 45 30 7a 43 43 41 37 75 67 41 77 49 42 41 67 49 51 47 ... >,
  requestCert: true,
  rejectUnauthorized: true }
attempting new mqtt connection...
offline
connection lost - will attempt reconnection in 4 seconds...
close
reconnect
offline
connection lost - will attempt reconnection in 8 seconds...
close
reconnect
offline

sandangel commented 7 years ago

{ keyPath: 'OpenBlocks-GBH00046.private.key',
certPath: 'OpenBlocks-GBH00046.cert.pem',
caPath: 'root-CA.crt',
clientId: 'root964',
region: 'ap-northeast-1',
baseReconnectTimeMs: 4000,
keepalive: 30,
protocol: 'mqtts',
port: 8883,
host: 'a2ec78say6r7nc.iot.ap-northeast-1.amazonaws.com',
debug: true,
reconnectPeriod: 4000,
fastDisconnectDetection: true,
key: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49, cert: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 4d 49 49 44 57 6, ca: ,
requestCert: true,
rejectUnauthorized: true }
attempting new mqtt connection...
error { Error: unable to get local issuer certificate
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:1092:38)
at emitNone (events.js:86:13)
at TLSSocket.emit (events.js:185:7)
at TLSSocket._finishInit (_tls_wrap.js:610:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:440:38) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' }
offline
connection lost - will attempt reconnection in 4 seconds...
close
I'm running this on a Debian 8 Linux device, kernel 4.4, node 6.10.3, npm 3.10. This device uses a 3G SIM with a global IP address, so I guess there is no firewall issue here.

fengsongAWS commented 7 years ago

Hi @sandangel, are you using self-signed certificates? If so, did you register your CA with AWS IoT? More information can be found here: http://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html

sandangel commented 7 years ago

Hi @fengsongAWS, I'm using the certificates provided when downloading the SDK and running start.sh, with the option `--region=ap-northeast-1` appended when running `node node_modules/....`

sandangel commented 7 years ago

@fengsongAWS Sorry, my mistake, I haven't registered my CA with AWS IoT. I thought it would be registered automatically for me when I downloaded the SDK.

mattmeye commented 7 years ago

I have the same error, and I'm not behind a proxy.

{ clientId: 'xxx', clientCert: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 4d 49 49 44 57 6a 43 43 41 6b 4b 67 41 77 49 42 41 67 49 56 41 49 ... >, privateKey: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 45 70 41 49 42 41 41 4b 43 41 51 45 41 73 76 ... >, caCert: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 4d 49 49 45 30 7a 43 43 41 37 75 67 41 77 49 42 41 67 49 51 47 4e 72 ... >, host: 'xxx', region: 'eu-central-1', debug: true, reconnectPeriod: 1000, fastDisconnectDetection: true, protocol: 'mqtts', port: 8883, ca: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 4d 49 49 45 30 7a 43 43 41 37 75 67 41 77 49 42 41 67 49 51 47 4e 72 ... >, key: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a 4d 49 49 45 70 41 49 42 41 41 4b 43 41 51 45 41 73 76 ... >, cert: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 4d 49 49 44 57 6a 43 43 41 6b 4b 67 41 77 49 42 41 67 49 56 41 49 ... >, requestCert: true, rejectUnauthorized: true }

Windows 10, node 8.2.1

@sandangel What do you mean by "register caCert"? Download? Or call a specific function? Upload the Symantec certificate into AWS IoT certificates?

lusentis commented 7 years ago

Just experienced the same issue. We found out that we had forgotten to activate the certificate from the console...