aws / aws-iot-device-sdk-python-v2

Next generation AWS IoT Client SDK for Python using the AWS Common Runtime
Apache License 2.0

getting AWS_IO_FILE_VALIDATION_FAILURE when trying to use multi-account-registration setup #250

Closed keshrisohit closed 2 years ago

keshrisohit commented 2 years ago

Platform/OS/Device (what are you running the SDK on?): macOS

I am trying to set up multi-account registration for IoT Core, where I can connect to IoT without registering the CA. I am getting the error while I am trying to do so. I have validated that the root CA is correct and the device cert and key are valid. The policy attached to the certificate grants access to connect to IoT Core. If anyone can help that will be great.


    http_proxy_options=proxy_options)
  File "/Users/sohitkumar/multi_cert/venv/lib/python3.7/site-packages/awsiot/mqtt_connection_builder.py", line 231, in mtls_from_path
    return _builder(tls_ctx_options, **kwargs)
  File "/Users/sohitkumar/multi_cert/venv/lib/python3.7/site-packages/awsiot/mqtt_connection_builder.py", line 189, in _builder
    tls_ctx = awscrt.io.ClientTlsContext(tls_ctx_options)
  File "/Users/sohitkumar/multi_cert/venv/lib/python3.7/site-packages/awscrt/io.py", line 433, in __init__
    options.verify_peer
RuntimeError: 1038 (AWS_IO_FILE_VALIDATION_FAILURE): A file was read and the input did not match the expected value
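AWS_IO_FILE_VALIDATION_FAILURE is raised while awscrt builds the ClientTlsContext, i.e. while it reads the three files passed to mtls_from_path, before any connection is attempted. The following is an added example, not code from the SDK or from anyone in this thread: a standard-library pre-flight check that inspects those files the way the runtime will. It verifies that each file is PEM (awscrt documents the cert and key arguments as PEM files), that the PEM label fits the argument (a "CERTIFICATE REQUEST" block on --cert means the CSR was passed instead of the signed cert; a private-key block on --cert means the arguments were swapped), that the base64 body decodes, and that the decoded bytes form one complete ASN.1 SEQUENCE, so a truncated or corrupted file is caught. The set of accepted key labels and the sample inputs at the bottom are assumptions/constructed values, not real credentials.

```python
"""Pre-flight check for the --cert / --key / --root-ca files handed to
awsiot.mqtt_connection_builder.mtls_from_path().

Added example, standard library only. The PEM labels are the RFC 7468
ones; which key formats awscrt accepts on a given platform is an
assumption here (PKCS#8, PKCS#1 RSA and SEC1 EC are listed).
"""
import base64
import re
import ssl
from typing import List, Tuple

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# Labels that make sense for each SDK argument (assumed set, see docstring).
EXPECTED = {
    "cert": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "ca": {"CERTIFICATE"},
}


def pem_blocks(data: bytes) -> List[Tuple[str, str]]:
    """Return (label, base64 body) for every PEM block in the file."""
    text = data.decode("ascii", errors="replace")
    return [(m.group("label"), m.group("body")) for m in PEM_RE.finditer(text)]


def der_sequence_ok(der: bytes) -> bool:
    """X.509 certs, CSRs and private keys are all one outer ASN.1 SEQUENCE
    (tag 0x30); the encoded length must match the bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(der)


def check_file(data: bytes, role: str) -> List[str]:
    """Return a list of problems for a file used as role 'cert', 'key' or 'ca'.
    An empty list means the file is at least structurally loadable."""
    problems: List[str] = []
    blocks = pem_blocks(data)
    if not blocks:
        if der_sequence_ok(data):
            problems.append(f"{role}: file is DER encoded; the SDK expects PEM "
                            "(openssl x509 -inform DER -outform PEM)")
        else:
            problems.append(f"{role}: no PEM block found (wrong file, empty, or truncated)")
        return problems
    if role == "key" and len(blocks) != 1:
        problems.append(f"{role}: expected exactly one PEM block, found {len(blocks)}")
    for label, body in blocks:
        if label not in EXPECTED[role]:
            hint = " (that is the CSR, not the signed certificate)" if label == "CERTIFICATE REQUEST" else ""
            problems.append(f"{role}: unexpected PEM label {label!r}{hint}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:        # binascii.Error is a ValueError
            problems.append(f"{role}: PEM body is not valid base64 ({exc})")
            continue
        if not der_sequence_ok(der):
            problems.append(f"{role}: decoded body is not one complete ASN.1 SEQUENCE (truncated/corrupted)")
    return problems


def key_matches_cert(cert_path: str, key_path: str) -> str:
    """Let OpenSSL pair the files; a key that does not belong to the cert raises SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except ssl.SSLError as exc:
        return f"cert/key do not pair: {exc}"
    return ""


def preflight(cert_path: str, key_path: str, ca_path: str) -> List[str]:
    """Run every check on real files; prints nothing, returns the problem list."""
    problems = []
    for path, role in ((cert_path, "cert"), (key_path, "key"), (ca_path, "ca")):
        with open(path, "rb") as fh:
            problems += check_file(fh.read(), role)
    if not problems:
        msg = key_matches_cert(cert_path, key_path)
        if msg:
            problems.append(msg)
    return problems


# Constructed sample inputs (not real credentials): SEQUENCE { INTEGER 5 }.
_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def make_pem(label: str, der: bytes) -> bytes:
    body = base64.encodebytes(der).decode("ascii")   # ends with a newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode("ascii")


SAMPLE_CERT = make_pem("CERTIFICATE", _DER)
SAMPLE_KEY = make_pem("PRIVATE KEY", _DER)
SAMPLE_CSR = make_pem("CERTIFICATE REQUEST", _DER)

if __name__ == "__main__":
    for name, data, role in (("cert", SAMPLE_CERT, "cert"), ("csr-as-cert", SAMPLE_CSR, "cert")):
        print(name, check_file(data, role) or "ok")
```

Run preflight() with the same three paths given to --cert, --key and --root-ca; any non-empty result points at the file the runtime would reject. Note that check_file only looks at structure: a certificate that parses fine but was never registered in IoT Core, or whose policy is missing, fails later with a connection or authorization error, not with AWS_IO_FILE_VALIDATION_FAILURE.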
jmklix commented 2 years ago

Can you provide more details about what you are trying to do? Are you trying to run the pubsub sample? What are the arguments that you pass when trying to run it? What is the format of the certificates?

And you mentioned the policy attached grants access to connect, but have you granted it access to do anything else? You can use the unrestricted policy shown below to test this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
keshrisohit commented 2 years ago

@jmklix Yes, the policy is exactly the same as you have mentioned. Yes, I am using the pubsub sample.

python3 aws-iot-device-sdk-python-v2/samples/pubsub.py --endpoint  *-ats.iot.us-west-2.amazonaws.com  --root-ca AmazonRootCA1.pem  --cert device_cert_pem_filename  --key device_cert_key_filename --port 8883 --client-id TESTMULTI1  --signing-region us-west-2 --topic=/custom/topic

The file is generated using the command below:

openssl x509 -req \
    -in device_cert_csr_filename \
    -CA root_CA_pem_filename \
    -CAkey root_CA_key_filename \
    -CAcreateserial \
    -out device_cert_pem_filename \
    -days 500 -sha256

I am using the same file format as generated by the command. I have followed the steps mentioned here: https://docs.aws.amazon.com/iot/latest/developerguide/create-device-cert.html

jmklix commented 2 years ago

Did you register and activate the certificate?

aws iot register-certificate-without-ca \
    --status ACTIVE \
    --certificate-pem file://device_cert_pem_filename
github-actions[bot] commented 2 years ago

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

keshrisohit commented 2 years ago

@jmklix Yes, I did.

bonyaws commented 2 years ago

@keshrisohit What version of the Python SDK is being used?

jmklix commented 2 years ago

I was able to get it working by following these steps:

Create a CA certificate here:

openssl genrsa -out root_CA_key_filename 2048
openssl req -x509 -new -nodes \
    -key root_CA_key_filename \
    -sha256 -days 1024 \
    -out root_CA_pem_filename

Create a client certificate here:

openssl genrsa -out device_cert_key_filename 2048
openssl req -new \
    -key device_cert_key_filename \
    -out device_cert_csr_filename
openssl x509 -req \
    -in device_cert_csr_filename \
    -CA root_CA_pem_filename \
    -CAkey root_CA_key_filename \
    -CAcreateserial \
    -out device_cert_pem_filename \
    -days 500 -sha256

Register a client certificate signed by an unregistered CA here:

aws iot register-certificate-without-ca \
    --status ACTIVE \
    --certificate-pem file://device_cert_pem_filename

Attach thing and policy to client certificate here:

aws iot attach-thing-principal \
    --principal certificateArn \
    --thing-name thingName
aws iot attach-policy \
    --target certificateArn \
    --policy-name policyName

And then tested the pubsub with this:

python3 samples/pubsub.py --endpoint *-ats.iot.us-west-2.amazonaws.com \
    --root-ca AmazonRootCA1.pem \
    --cert device_cert_pem_filename  \
    --key device_cert_key_filename

Can you let me know if this still doesn't work for you?

github-actions[bot] commented 2 years ago

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.