eclipse / paho.mqtt.m2mqtt

Eclipse Public License 1.0

MQTT Client (C#) unable to connect to AWS IoT MQTT Broker #80

Open sivshan opened 6 years ago

sivshan commented 6 years ago

I'm unable to connect my C# code to the AWS IoT MQTT Broker; however, I'm able to connect to the MQTT broker using the AWS MQTT Client. I'm using M2MQTT as the MQTT Client in my C# code (https://www.nuget.org/packages/M2Mqtt). Note that the .pfx file is created using OpenSSL from the certificate and private key downloaded from AWS IoT. The certificate is activated and attached to a thing. The rootca.crt is Amazon's root CA.

I keep getting an error at Client.Connect(clientId):

    uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException: Exception of type 'uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException' was thrown.
       at uPLibrary.Networking.M2Mqtt.MqttClient.SendReceive(Byte[] msgBytes, Int32 timeout)
       at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId, String username, String password, Boolean willRetain, Byte willQosLevel, Boolean willFlag, String willTopic, String willMessage, Boolean cleanSession, UInt16 keepAlivePeriod)
       at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId)

Below is my code:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    using uPLibrary.Networking.M2Mqtt;

    class Program
    {
        private const string IotEndpoint = "xxvf6ihlpxlxf6.iot.us-east-2.amazonaws.com";
        private const int BrokerPort = 8883;
        // note: '#' is a subscription wildcard; MQTT publish topics must not contain wildcards
        private const string Topic = "GaneshM2MQTT/#";

        static void Main()
        {
            var clientCert = new X509Certificate2("C:\\Program Files (x86)\\GnuWin32\\bin\\XXXX.pfx", "XXX#");
            var caCert = X509Certificate.CreateFromCertFile("C:\\Program Files (x86)\\GnuWin32\\bin\\rootca.crt");

            // create the client
            var client = new MqttClient(IotEndpoint, BrokerPort, true, caCert, clientCert, MqttSslProtocols.TLSv1_2);
            // message to publish - could be anything
            var message = "Test message";
            string clientId = Guid.NewGuid().ToString();
            // client naming has to be unique if there was more than one publisher
            client.Connect(clientId);
            // publish to the topic
            client.Publish(Topic, Encoding.UTF8.GetBytes(message));
        }
    }

I also looked at these links (https://stackoverflow.com/questions/47793400/getting-authenticationexception-when-connect-m2mqtt-mqttclient-to-mosquitto-brok/48414980#48414980) and (https://stackoverflow.com/questions/43993106/a-call-to-sspi-failed-see-inner-exception-paho-m2mqtt-dot-netc-client-ssl-tl?rq=1). They fixed the issue by converting .crt to .pfx, but in my case it's the Amazon Root CA, and I'm not sure how I can convert it to .pfx without a private key. This looks like an authentication issue, but I'm not sure what is wrong.

Been struggling for a while with this issue. Any help or implementation is appreciated.

sivshan commented 6 years ago

Latest update: I tried the below to diagnose the connectivity to AWS IoT, and I get the below:

    OpenSSL> s_client -connect a2vf6ihlpxlxf6.iot.us-east-2.amazonaws.com:8443 -CAfile rootca.pem -cert 848511847e-certificate.pem.crt -key 848511847e-private.pem.key
    Loading 'screen' into random state - done
    CONNECTED(00000224)
    29252:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:./ssl/s23_clnt.c:585:
    OpenSSL>

dpmcgarry commented 6 years ago

Your code seems to be correct. It is likely a problem with the PFX file.
Try creating a new PFX file using openssl:

    openssl pkcs12 -export -out XXX.pfx -inkey XXX.private.key -in XXX.cert.pem -certfile root-CA.crt

sivshan commented 6 years ago

This issue is resolved. I had issues with my policy. Correcting the policies fixed the issue.

pmastey commented 5 years ago

Hi sivshan, how did you correct the policy? Please provide details.

minseokjo commented 4 years ago

Hi, @sivshan.

I also had the same problem. My solution is to check if Thing, Certificate, Policy are all attached. I think you should doubt the Policy part.

DerekCalder commented 3 years ago

In my case, the problem was that I was using the default Thing access policy, which only allows connections from the Java, Node.js, and Python SDKs. The "iot:Connect" action in the policy associated with the Thing must be set to allow connections from other client types.
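
Added example (not part of the thread and not the project's code): an offline check of whether an AWS IoT policy document would allow `iot:Connect` for a given client ID and `iot:Publish` for a given topic, which is the policy problem the comments above point to. Both policy documents, the account ID `123456789012`, the `m2mqtt-` client ID prefix and the topic `GaneshM2MQTT/test` are constructed assumptions, and the matcher is a simplified model that treats only `*` as a wildcard and ignores policy variables and conditions.

```python
import re

ARN = "arn:aws:iot:us-east-2:123456789012"  # constructed account id

# Constructed policy that only admits a few fixed client ids.
RESTRICTIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": [f"{ARN}:topic/sdk/test/*"]},
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": [f"{ARN}:client/sdk-java", f"{ARN}:client/basicPubSub",
                  f"{ARN}:client/sdk-nodejs-*"]},
]}

# Constructed replacement scoped to a hypothetical "m2mqtt-" client id prefix.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect",
     "Resource": f"{ARN}:client/m2mqtt-*"},
    {"Effect": "Allow", "Action": "iot:Publish",
     "Resource": f"{ARN}:topic/GaneshM2MQTT/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # Simplification: only '*' is a wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def decision(policy, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # an explicit Deny always wins
        allowed = True
    return "allow" if allowed else "implicit-deny"

def check_client(policy, client_id, topic):
    """Evaluate the two requests the posted code makes: Connect, then Publish."""
    return {
        "iot:Connect": decision(policy, "iot:Connect", f"{ARN}:client/{client_id}"),
        "iot:Publish": decision(policy, "iot:Publish", f"{ARN}:topic/{topic}"),
    }
```

A client ID produced by `Guid.NewGuid().ToString()` is an implicit deny under both policies here; under the scoped one it is allowed only once it carries the `m2mqtt-` prefix, which keeps the `iot:Connect` grant narrower than `client/*`.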