Closed keshrisohit closed 2 years ago
Can you provide more details about what you are trying to do? Are you trying to run the pubsub sample? What are the arguments that you pass when trying to run it? What is the format of the certificates?
And you mentioned the policy attached grants access to connect, but have you granted it access to do anything else? You can use the unrestricted policy shown below to test this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
@jmklix Yes, the policy is exactly the same as you have mentioned. Yes, I am using the pubsub sample.
python3 aws-iot-device-sdk-python-v2/samples/pubsub.py --endpoint *-ats.iot.us-west-2.amazonaws.com --root-ca AmazonRootCA1.pem --cert device_cert_pem_filename --key device_cert_key_filename --port 8883 --client-id TESTMULTI1 --signing-region us-west-2 --topic=/custom/topic
The file is generated using the command below:
openssl x509 -req \
-in device_cert_csr_filename \
-CA root_CA_pem_filename \
-CAkey root_CA_key_filename \
-CAcreateserial \
-out device_cert_pem_filename \
-days 500 -sha256
I am using the same file format as generated by the command. I have followed the steps mentioned here: https://docs.aws.amazon.com/iot/latest/developerguide/create-device-cert.html
Did you register and activate the certificate?
aws iot register-certificate-without-ca \
--status ACTIVE \
--certificate-pem file://device_cert_pem_filename
Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.
@jmklix Yes, I did.
@keshrisohit What version of the Python SDK is used?
I was able to get it working by following these steps:
Create a CA certificate here:
openssl genrsa -out root_CA_key_filename 2048
openssl req -x509 -new -nodes \
-key root_CA_key_filename \
-sha256 -days 1024 \
-out root_CA_pem_filename
Create a client certificate here:
openssl genrsa -out device_cert_key_filename 2048
openssl req -new \
-key device_cert_key_filename \
-out device_cert_csr_filename
openssl x509 -req \
-in device_cert_csr_filename \
-CA root_CA_pem_filename \
-CAkey root_CA_key_filename \
-CAcreateserial \
-out device_cert_pem_filename \
-days 500 -sha256
Register a client certificate signed by an unregistered CA here:
aws iot register-certificate-without-ca \
--status ACTIVE \
--certificate-pem file://device_cert_pem_filename
Attach thing and policy to client certificate here:
aws iot attach-thing-principal \
--principal certificateArn \
--thing-name thingName
aws iot attach-policy \
--target certificateArn \
--policy-name policyName
And then tested the pubsub with this:
python3 samples/pubsub.py --endpoint *-ats.iot.us-west-2.amazonaws.com \
--root-ca AmazonRootCA1.pem \
--cert device_cert_pem_filename \
--key device_cert_key_filename
Can you let me know if this still doesn't work for you?
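The procedure above, end to end, as an added worked example (this is my script, not code from the thread or from the SDK). It keeps the file names and openssl flags from the thread and adds what a practitioner wants before involving AWS at all: a check that the device certificate actually chains to the private CA, a check that the private key belongs to that certificate, and the certificateId the file will get once registered (AWS IoT derives it from the SHA-256 of the DER certificate). Register-without-CA means AWS never sees your CA, so a broken chain is not reported there; a wrong key only shows up as a TLS handshake failure in pubsub.py. Assumptions of the example, not from the thread: the `-subj` values (so openssl does not prompt), the `write_policy` function with its region/account placeholders, and the policy's requirement that `--client-id` equals the thing name. The aws calls only run when a thing name and policy name are passed on the command line.

```sh
#!/bin/sh
# Added example reproducing the thread's procedure plus local sanity checks.
# Assumptions: RSA-2048, CN=example-ca / CN=TESTMULTI1, files written to cwd.
set -eu

CA_KEY=root_CA_key_filename
CA_PEM=root_CA_pem_filename
DEV_KEY=device_cert_key_filename
DEV_CSR=device_cert_csr_filename
DEV_PEM=device_cert_pem_filename

# Step 1: private CA. -subj replaces the interactive prompts (my addition).
make_ca() {
    openssl genrsa -out "$CA_KEY" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$CA_KEY" -sha256 -days 1024 \
        -subj "/CN=example-ca" -out "$CA_PEM"
}

# Step 2: device key, CSR, and a device certificate signed by that CA.
make_device_cert() {
    openssl genrsa -out "$DEV_KEY" 2048 2>/dev/null
    openssl req -new -key "$DEV_KEY" -subj "/CN=TESTMULTI1" -out "$DEV_CSR"
    openssl x509 -req -in "$DEV_CSR" -CA "$CA_PEM" -CAkey "$CA_KEY" \
        -CAcreateserial -out "$DEV_PEM" -days 500 -sha256 2>/dev/null
}

# Local checks AWS cannot do for you: cert chains to the CA, key matches cert.
verify_local() {
    openssl verify -CAfile "$CA_PEM" "$DEV_PEM" >/dev/null || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$DEV_PEM")
    key_mod=$(openssl rsa -noout -modulus -in "$DEV_KEY" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# certificateId as AWS IoT will report it: SHA-256 over the DER encoding.
cert_id() {
    openssl x509 -in "$DEV_PEM" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Least-privilege replacement for the "*"/"*" test policy: connect only with a
# client ID equal to the attached thing's name, talk only on one topic.
write_policy() {
    region=$1; account=$2; topic=$3; out=$4
    cat >"$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:Connect",
      "Resource": "arn:aws:iot:${region}:${account}:client/\${iot:Connection.Thing.ThingName}" },
    { "Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:${region}:${account}:topic/${topic}" },
    { "Effect": "Allow", "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:${region}:${account}:topicfilter/${topic}" }
  ]
}
EOF
}

# Steps 3-4: register as ACTIVE without a CA, then attach thing and policy.
# Needs AWS credentials; thing and policy must already exist. Echoes the ARN.
register_and_attach() {
    thing=$1; policy=$2
    arn=$(aws iot register-certificate-without-ca --status ACTIVE \
        --certificate-pem "file://$DEV_PEM" --query certificateArn --output text)
    aws iot attach-thing-principal --principal "$arn" --thing-name "$thing"
    aws iot attach-policy --target "$arn" --policy-name "$policy"
    echo "$arn"
}

main() {
    make_ca
    make_device_cert
    if ! verify_local; then
        echo "device certificate and key do not check out locally" >&2
        return 1
    fi
    echo "local chain and key OK; AWS IoT certificateId will be $(cert_id)"
    if [ $# -ge 2 ]; then
        register_and_attach "$1" "$2"
    fi
}

# Usage: sh multi_account_cert.sh run thingName policyName  (omit names for local checks only)
case "${1:-}" in run) shift; main "$@" ;; esac
```

After `main` succeeds, run pubsub.py with `--client-id TESTMULTI1` (the thing name) if you use the scoped policy; with the thread's unrestricted policy any client ID works. If `verify_local` fails, fix the files before touching AWS: `openssl verify` failing means the cert was signed by a different CA than the one on disk, and a modulus mismatch means `--key` is not the key the CSR was made from.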
Platform/OS/Device: What are you running the SDK on? macOS
I am trying to set up multi-account registration for IoT Core, where I can connect to IoT without registering the CA. I am getting the error while I am trying to do so. I have validated that the root CA is correct and the device cert and key are valid. The policy attached to the certificate grants access to connect to IoT Core. If anyone can help, that would be great.