Open TCROC opened 1 year ago
It should work (MQTTnet and AWS IoT working with certificates). I'll try to find some time in the coming days to compare with what I have.
It looks like the TLS connection on dotnet wants certificates created from PKCS12 format, otherwise I get the exception "No credentials are available in the security package" (more info on the Internet). I have also noticed that the TCP connection logs show connection attempts to port 443, I don't know if that is intentional?
Creating the cert from PKCS12 solved the problem for me:

```csharp
// ...
var cert = new X509Certificate2(tempCrt.Export(X509ContentType.Pkcs12));
// Export to PKCS12 and re-create
var bytes = cert.Export(X509ContentType.Pkcs12);
cert = new X509Certificate2(bytes);

optionsBuilder = optionsBuilder
    .WithTls(
        new MqttClientOptionsBuilderTlsParameters
        {
            UseTls = true,
            ApplicationProtocols = new List<SslApplicationProtocol> { new("mqtt") },
            Certificates = new X509Certificate[]
            {
                ca,
                cert
            },
        }
    );
// ...
```
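As an added example (not MQTTnet's own code and not from the TCROC/aws-iot-custom-auth project), here is the PEM-to-PKCS#12 round-trip described in the comment above, with the checks a practitioner would want before handing the certificate to MQTTnet. The file paths, the endpoint placeholder and the `ClientCertLoader` helper are assumptions; the `MqttClientOptionsBuilderTlsParameters` API is the MQTTnet 4 one used on this page. Server-certificate validation is left enabled, and the port/ALPN defaults follow AWS IoT's documented pairing for X.509 client-certificate MQTT (8883 without ALPN, or 443 with ALPN `x-amzn-mqtt-ca`; ALPN `mqtt` on 443 is documented for the custom-authorizer path).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using MQTTnet;
using MQTTnet.Client;

// Added example, not MQTTnet or AWS project code. Paths, endpoint and the
// hypothetical helper names are assumptions for illustration.
public static class ClientCertLoader
{
    // Loads a PEM certificate plus PEM private key and returns an
    // X509Certificate2 that the .NET TLS stack accepts as a client credential.
    public static X509Certificate2 LoadFromPem(string certPemPath, string keyPemPath)
    {
        string certPem = File.ReadAllText(certPemPath);
        string keyPem = File.ReadAllText(keyPemPath);

        // CreateFromPem pairs the key with the cert in memory only; SslStream
        // (notably on Windows/SChannel) then fails with "No credentials are
        // available in the security package". Round-tripping through PKCS#12
        // yields a certificate whose key is attached in a form TLS can use.
        using X509Certificate2 pemCert = X509Certificate2.CreateFromPem(certPem, keyPem);
        byte[] pkcs12 = pemCert.Export(X509ContentType.Pkcs12);
        try
        {
            var cert = new X509Certificate2(pkcs12);
            Validate(cert);
            return cert;
        }
        finally
        {
            // The PKCS#12 blob carries the private key; wipe it once imported.
            CryptographicOperations.ZeroMemory(pkcs12);
        }
    }

    // Fails fast on the two conditions that otherwise surface only as a
    // TLS handshake failure or an opaque NotAuthorized from the broker.
    public static void Validate(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Client certificate has no private key; the key PEM does not match the certificate.");

        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"Client certificate is outside its validity period: {cert.NotBefore:u} to {cert.NotAfter:u}.");
    }

    // Defaults follow AWS IoT's documented pairing for X.509 client-cert MQTT:
    // port 8883 with no ALPN, or port 443 with ALPN "x-amzn-mqtt-ca".
    // ALPN "mqtt" on 443 is the custom-authorizer path, so the two are not mixed here.
    public static MqttClientOptions BuildOptions(string endpoint, string clientId,
                                                 X509Certificate2 clientCert,
                                                 int port = 8883, string? alpn = null)
    {
        var tls = new MqttClientOptionsBuilderTlsParameters
        {
            UseTls = true,
            SslProtocol = SslProtocols.Tls12,
            // Only the client's own credential goes here. Server trust comes from the
            // OS trust store (which carries the Amazon roots), so AllowUntrustedCertificates
            // and IgnoreCertificateChainErrors stay at their default of false.
            Certificates = new X509Certificate[] { clientCert },
        };
        if (alpn != null)
            tls.ApplicationProtocols = new List<SslApplicationProtocol> { new(alpn) };

        return new MqttClientOptionsBuilder()
            .WithClientId(clientId)
            .WithTcpServer(endpoint, port)
            .WithTls(tls)
            .Build();
    }

    public static async Task Main()
    {
        // Assumed file locations, matching the layout used on this page.
        using X509Certificate2 cert = LoadFromPem("target/certs/certificate.pem.crt",
                                                  "target/certs/private.pem.key");
        Console.WriteLine($"Loaded {cert.Subject}, key attached: {cert.HasPrivateKey}");

        // Placeholder endpoint; substitute the account's ATS data endpoint.
        var options = BuildOptions("<account-prefix>-ats.iot.<region>.amazonaws.com", "testid", cert);
        using var client = new MqttFactory().CreateMqttClient();
        var ack = await client.ConnectAsync(options);
        Console.WriteLine($"ConnAck: {ack.ResultCode}");
        await client.DisconnectAsync();
    }
}
```

The root CA file is deliberately not loaded: the `Certificates` collection is what MQTTnet hands to `SslStream` as the client's credential, and placing AmazonRootCA1 there does not configure server trust, which is decided by the OS trust store or a `CertificateValidationHandler`. If the broker still answers `NotAuthorized` after `Validate` passes, the certificate, its activation status and the attached IoT policy are the next things to check on the AWS side.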
Creating a separate issue for what we discovered about certs while debugging the custom authorizer:
https://github.com/dotnet/MQTTnet/issues/1729#issuecomment-1537521184
```csharp
var caCrtKey = authorizer.Split(",");
var tempCaText = File.ReadAllText(caCrtKey[0]);  // AmazonRootCA1.pem
var tempCrtText = File.ReadAllText(caCrtKey[1]); // certificate.pem.crt
var tempKeyText = File.ReadAllText(caCrtKey[2]); // private.pem.key

var tempCa = new X509Certificate2(X509Certificate2.CreateFromPem(tempCaText));
var tempCrt = X509Certificate2.CreateFromPem(tempCrtText, tempKeyText);

var ca = new X509Certificate2(tempCa.Export(X509ContentType.Pkcs12));
var cert = new X509Certificate2(tempCrt.Export(X509ContentType.Pkcs12));

optionsBuilder = optionsBuilder
    .WithTls(
        new MqttClientOptionsBuilderTlsParameters
        {
            UseTls = true,
            ApplicationProtocols = new List<SslApplicationProtocol> { new("mqtt") },
            Certificates = new X509Certificate[] { ca, cert },
        }
    );
```
original logs

```log
Running mqtt example application!
===================
Args Used
username: testid
password: testpassword
endpoint: a1jbgnrm1s76uh-ats.iot.us-east-1.amazonaws.com
rootTopic: open
authType: cert
authorizer: target/certs/AmazonRootCA1.pem,target/certs/certificate.pem.crt,target/certs/private.pem.key
transportImplementation: dotnet
transport: tcp
===================
[2023-05-07T19:16:06.8111116Z] [MqttNet] [1] [MqttClient] [Verbose]: Trying to connect with server 'a1jbgnrm1s76uh-ats.iot.us-east-1.amazonaws.com:443'
[2023-05-07T19:16:08.8696516Z] [MqttNet] [8] [MqttClient] [Verbose]: Connection with server established
[2023-05-07T19:16:08.8711942Z] [MqttNet] [6] [MqttClient] [Verbose]: Start receiving packets.
[2023-05-07T19:16:08.8780964Z] [MqttNet] [8] [MqttChannelAdapter] [Verbose]: TX (40 bytes) >>> Connect: [ClientId=testid] [Username=] [Password=] [KeepAlivePeriod=35] [CleanSession=True]
[2023-05-07T19:16:09.6253017Z] [MqttNet] [6] [MqttChannelAdapter] [Verbose]: RX (113 bytes) <<< ConnAck: [ReturnCode=ConnectionAccepted] [ReasonCode=NotAuthorized] [IsSessionPresent=False]
[2023-05-07T19:16:09.6314154Z] [MqttNet] [6] [MqttClient] [Verbose]: Disconnecting [Timeout=00:01:40]
[2023-05-07T19:16:09.6361834Z] [MqttNet] [6] [MqttClient] [Verbose]: Disconnected from adapter.
[2023-05-07T19:16:09.6383619Z] [MqttNet] [6] [MqttClient] [Info]: Disconnected.
[2023-05-07T19:16:09.6386716Z] [MqttNet] [6] [MqttClient] [Verbose]: Stopped receiving packets.
[2023-05-07T19:16:09.6310225Z] [MqttNet] [9] [MqttClient] [Error]: Error while connecting with server.
MQTTnet.Adapter.MqttConnectingFailedException: Connecting with MQTT server failed (NotAuthorized).
   at MQTTnet.Client.MqttClient.AuthenticateAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 450
   at MQTTnet.Client.MqttClient.ConnectInternal(CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 501
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 143
Unhandled exception. MQTTnet.Adapter.MqttConnectingFailedException: Connecting with MQTT server failed (NotAuthorized).
   at MQTTnet.Client.MqttClient.AuthenticateAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 450
   at MQTTnet.Client.MqttClient.ConnectInternal(CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 501
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 143
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 181
   at Program.<Main>$(String[] args) in /home/tcroc/dev/aws-iot-custom-auth/aws-iot-custom-auth-mqttnet/Program.cs:line 109
   at Program.<Main>(String[] args)
```

logs with fixed ConnAck

```log
Running mqtt example application!
===================
Args Used
username: testid
password: testpassword
endpoint: a1jbgnrm1s76uh-ats.iot.us-east-1.amazonaws.com
rootTopic: open
authType: cert
authorizer: target/certs/AmazonRootCA1.pem,target/certs/certificate.pem.crt,target/certs/private.pem.key
transportImplementation: dotnet
transport: tcp
===================
[2023-05-08T14:02:50.3208038Z] [MqttNet] [1] [MqttClient] [Verbose]: Trying to connect with server 'a1jbgnrm1s76uh-ats.iot.us-east-1.amazonaws.com:443'
[2023-05-08T14:02:50.6974135Z] [MqttNet] [6] [MqttClient] [Verbose]: Connection with server established
[2023-05-08T14:02:50.7044800Z] [MqttNet] [6] [MqttChannelAdapter] [Verbose]: TX (40 bytes) >>> Connect: [ClientId=testid] [Username=] [Password=] [KeepAlivePeriod=35] [CleanSession=True]
[2023-05-08T14:02:50.9013140Z] [MqttNet] [9] [MqttChannelAdapter] [Verbose]: RX (113 bytes) <<< ConnAck: [ReturnCode=ConnectionRefusedNotAuthorized] [ReasonCode=NotAuthorized] [IsSessionPresent=False]
[2023-05-08T14:02:50.9045582Z] [MqttNet] [9] [MqttClient] [Error]: Error while connecting with server
MQTTnet.Adapter.MqttConnectingFailedException: Connecting with MQTT server failed (NotAuthorized).
   at MQTTnet.Client.MqttClient.Authenticate(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 452
   at MQTTnet.Client.MqttClient.ConnectInternal(CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 500
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 136
[2023-05-08T14:02:50.9184819Z] [MqttNet] [9] [MqttClient] [Verbose]: Disconnecting [Timeout=00:01:40]
[2023-05-08T14:02:50.9231366Z] [MqttNet] [9] [MqttClient] [Verbose]: Disconnected from adapter.
[2023-05-08T14:02:50.9250369Z] [MqttNet] [9] [MqttClient] [Info]: Disconnected.
Unhandled exception. MQTTnet.Adapter.MqttConnectingFailedException: Connecting with MQTT server failed (NotAuthorized).
   at MQTTnet.Client.MqttClient.Authenticate(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 452
   at MQTTnet.Client.MqttClient.ConnectInternal(CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 500
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 136
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 175
   at Program.<Main>$(String[] args) in /home/tcroc/dev/aws-iot-custom-auth/aws-iot-custom-auth-mqttnet/Program.cs:line 109
   at Program.<Main>(String[] args)
```

I tried following this ticket here, but it didn't help: https://github.com/dotnet/MQTTnet/issues/1359
The issue can be reproduced by running this project over here:
https://github.com/TCROC/aws-iot-custom-auth.git

`./create-cert.sh`
^ This will use the aws cli to create certificates in your aws account and then download them to the working directory's `target/certs` folder.

`./run-client-cert.sh`
^ This will run the MQTTnet client and pass command line args to those certificates, which should result in the following error:
```log
Running mqtt example application!
===================
Args Used
username: testid
password: testpassword
endpoint: a1jbgnrm1s76uh-ats.iot.us-east-1.amazonaws.com
rootTopic: open
authType: cert
authorizer: target/certs/AmazonRootCA1.pem,target/certs/certificate.pem.crt,target/certs/private.pem.key
transportImplementation: dotnet
transport: tcp
===================
[2023-05-08T14:02:50.3208038Z] [MqttNet] [1] [MqttClient] [Verbose]: Trying to connect with server 'a1jbgnrm1s76uh-ats.iot.us-east-1.amazonaws.com:443'
[2023-05-08T14:02:50.6974135Z] [MqttNet] [6] [MqttClient] [Verbose]: Connection with server established
[2023-05-08T14:02:50.7044800Z] [MqttNet] [6] [MqttChannelAdapter] [Verbose]: TX (40 bytes) >>> Connect: [ClientId=testid] [Username=] [Password=] [KeepAlivePeriod=35] [CleanSession=True]
[2023-05-08T14:02:50.9013140Z] [MqttNet] [9] [MqttChannelAdapter] [Verbose]: RX (113 bytes) <<< ConnAck: [ReturnCode=ConnectionRefusedNotAuthorized] [ReasonCode=NotAuthorized] [IsSessionPresent=False]
[2023-05-08T14:02:50.9045582Z] [MqttNet] [9] [MqttClient] [Error]: Error while connecting with server
MQTTnet.Adapter.MqttConnectingFailedException: Connecting with MQTT server failed (NotAuthorized).
   at MQTTnet.Client.MqttClient.Authenticate(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 452
   at MQTTnet.Client.MqttClient.ConnectInternal(CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 500
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 136
[2023-05-08T14:02:50.9184819Z] [MqttNet] [9] [MqttClient] [Verbose]: Disconnecting [Timeout=00:01:40]
[2023-05-08T14:02:50.9231366Z] [MqttNet] [9] [MqttClient] [Verbose]: Disconnected from adapter.
[2023-05-08T14:02:50.9250369Z] [MqttNet] [9] [MqttClient] [Info]: Disconnected.
Unhandled exception. MQTTnet.Adapter.MqttConnectingFailedException: Connecting with MQTT server failed (NotAuthorized).
   at MQTTnet.Client.MqttClient.Authenticate(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 452
   at MQTTnet.Client.MqttClient.ConnectInternal(CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 500
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 136
   at MQTTnet.Client.MqttClient.ConnectAsync(MqttClientOptions options, CancellationToken cancellationToken) in /_/Source/MQTTnet/Client/MqttClient.cs:line 175
   at Program.<Main>$(String[] args) in /home/tcroc/dev/aws-iot-custom-auth/aws-iot-custom-auth-mqttnet/Program.cs:line 109
   at Program.<Main>(String[] args)
```
Even though the certificates are currently configured with a permissive AWS IoT Core policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}
```
NOTE: This issue is of much less severity for me personally, as I'm currently using custom authorizers instead of certificates. This was discovered while debugging the custom authorizer over here: https://github.com/dotnet/MQTTnet/issues/1729. Just adding for tracking purposes. I will help debug as we may want to use certificates in the future.