thomasnordquist / MQTT-Explorer

An all-round MQTT client that provides a structured topic overview
https://mqtt-explorer.com

Add AWS IoT Core documentation #194

Open UrizielTSD opened 5 years ago

UrizielTSD commented 5 years ago

Hello,

I try to use MQTT-Explorer to connect to IoT Core from AWS. I saw that it should be possible from another issue.

But whenever I try to connect I get Server disconnected.

  1. I set my certificate from AWS in my certificates: Server Certificate: AmazonRootCA1.pem Client Certificate: AWS Certificate.pem.crt Client Key: AWS private.pem.key

  2. I deleted the Default subscriptions, and set sdk/test/python as an example

  3. Connection Protocol: mqtt:// AWS ENDPOINT 443 Encryption enabled

  4. AWS Thing is registered and connected to certificates, and the following Policy is attached to the certificate: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*" } ] }

Using Wireshark I can see the connection being established, but after a few application data records it restarts the TLS connection establishment. I also find it odd that the client never sends its certificate to the server. And I receive the error "disconnected from Server".

Any ideas what I'm doing wrong? Trying to make this work for 2 days now…

Thank you

thomasnordquist commented 5 years ago

Try removing the default subscriptions to "#" and $SYS. Whenever you subscribe to a topic which you are not allowed to, an MQTT broker should simply disconnect you.

UrizielTSD commented 5 years ago

Thanks for the quick reply! I already removed them and I'm still unable to connect. I added screenshots of my configuration. I omitted the endpoint.


thomasnordquist commented 5 years ago

Try port 8883. (Port 443 apparently needs some other authentication mechanism)

https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html

Edit: (add quote)

†Clients that connect on port 443 with X.509 client certificate authentication must implement the Application Layer Protocol Negotiation (ALPN) TLS extension and use the ALPN ProtocolName listed above in the ALPN ProtocolNameList sent by the client as part of the ClientHello message.
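The quoted requirement is about one field of the TLS ClientHello: the ALPN extension (RFC 7301) must carry the protocol name AWS expects on port 443. The following is an added example, not code from MQTT-Explorer or AWS. It encodes a minimal ClientHello with and without that extension and parses the ALPN ProtocolNameList back out, which is exactly what you would look for in the Wireshark capture the reporter describes (a ClientHello to port 443 with no ALPN extension, or the wrong name, is rejected before any MQTT traffic). The protocol names are the ones AWS documents: "x-amzn-mqtt-ca" for X.509 client-certificate auth and "mqtt" for custom authorizers. The hostname, cipher suite and random bytes are constructed placeholders.

```python
"""
Added example (not MQTT-Explorer or AWS code): encode and decode the ALPN
extension inside a TLS ClientHello, per RFC 8446 (ClientHello layout) and
RFC 7301 (ALPN). Useful for checking a captured ClientHello before blaming
certificates or policies when AWS IoT Core drops a port-443 connection.
"""
import struct

ALPN_EXTENSION_TYPE = 0x0010
SNI_EXTENSION_TYPE = 0x0000
AWS_IOT_ALPN_X509 = b"x-amzn-mqtt-ca"   # AWS IoT, port 443, X.509 client cert auth
AWS_IOT_ALPN_CUSTOM = b"mqtt"           # AWS IoT, port 443, custom authorizer


def build_alpn_extension(protocols):
    """ALPN extension: ext_type(2) ext_len(2) list_len(2) then {name_len(1) name}*."""
    names = b"".join(struct.pack("!B", len(p)) + p for p in protocols)
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(body)) + body


def build_client_hello(alpn_protocols=None, server_name=b"example-ats.iot.eu-west-1.amazonaws.com"):
    """Minimal TLS 1.2-style ClientHello record: one cipher suite, SNI, optional ALPN."""
    random_bytes = bytes(range(32))  # constructed, not random: keeps the output deterministic
    session_id = b""
    cipher_suites = struct.pack("!H", 0xC02F)  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x00"
    # SNI extension: list_len(2) name_type(1)=host_name name_len(2) name
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_body)) + sni_body
    if alpn_protocols:
        extensions += build_alpn_extension(alpn_protocols)
    body = (
        b"\x03\x03" + random_bytes
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + struct.pack("!B", len(compression)) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake = 22


def alpn_protocols_from_client_hello(record):
    """Return the ALPN ProtocolNameList of a ClientHello record, [] if the extension is absent."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + rec_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + body[pos]              # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                 # cipher_suites
    pos += 1 + body[pos]              # compression_methods
    if pos >= len(body):
        return []                     # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != ALPN_EXTENSION_TYPE:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        names, p = [], 2
        while p < 2 + list_len:
            n = data[p]
            names.append(data[p + 1:p + 1 + n])
            p += 1 + n
        return names
    return []


def offers_aws_iot_x509_alpn(record):
    """True when this ClientHello can be accepted for X.509 cert auth on port 443."""
    return AWS_IOT_ALPN_X509 in alpn_protocols_from_client_hello(record)


if __name__ == "__main__":
    for protos in (None, [AWS_IOT_ALPN_X509], [AWS_IOT_ALPN_CUSTOM]):
        hello = build_client_hello(protos)
        print(protos, "->", alpn_protocols_from_client_hello(hello), offers_aws_iot_x509_alpn(hello))
```

On port 8883 AWS does not require ALPN, which is why switching ports fixes the problem without any client changes. If you do want port 443 from Python, the stdlib `ssl.SSLContext.set_alpn_protocols(["x-amzn-mqtt-ca"])` on the context you hand to paho's `tls_set_context()` is what puts this extension on the wire.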

UrizielTSD commented 5 years ago

I'm sorry for my French but HOLY SHIT, that was it. Thank you very much, I was stuck for so long there!

thomasnordquist commented 5 years ago

Please share your further experience with AWS IoT Core =)

RobertPaulson90 commented 4 years ago

Thank you @UrizielTSD for the detailed issue. It helped me get started with AWS IoT Core... which is pretty awesome btw @thomasnordquist 👍

I guess you want to close the issue ;)

thomasnordquist commented 4 years ago

Well, I'd like to have a documentation page for IoT Core on https://mqtt-explorer.com/ but I haven't had the opportunity yet 😅

thomasnordquist commented 4 years ago

Note: See https://github.com/thomasnordquist/MQTT-Explorer/issues/17#issuecomment-514644104 for more information (documentation)

UrizielTSD commented 4 years ago

@binaryPUNCH Glad it could help you!

@thomasnordquist A bit late reply, but we used it to compare the workflow with our new WiFi chip. Using MQTT Explorer we discovered some errors in its workflow, which the company then fixed after we informed them about it. We didn't use it afterwards since we moved over to the chip, but it saved us when nobody could figure out why the chip couldn't connect to AWS.

If you want a how-to page for connecting to IoT Core, I could provide it for you.

thomasnordquist commented 4 years ago

@UrizielTSD This would be awesome. I think there are quite a lot of people who will benefit from that. I added some documentation on how to update the website, but any format will do (Word, pdf, Google Docs): https://github.com/thomasnordquist/MQTT-Explorer#write-docs

By the way, greetings from Darmstadt 😆

kickusb commented 4 years ago

@UrizielTSD any updates on this? I tried to connect with AWS IoT Core (on port 8883 with certs), but it disconnects immediately. Any hints?

thomasnordquist commented 4 years ago

You will be disconnected if you subscribe to a topic which you do not have the permissions to subscribe to.

you might want to remove the $SYS/# subscription

kickusb commented 4 years ago

> You will be disconnected if you subscribe to a topic which you do not have the permissions to subscribe to.
>
> you might want to remove the $SYS/# subscription

Thanks, I noticed that from this discussion thread. Therefore I removed both of them, and used a topic from the AWS IoT Core console instead (found under Things / my thing / Interact).

However, I get disconnected immediately. I haven't yet figured out why.

UrizielTSD commented 4 years ago

Wow, how time flies by. I have to apologize. I wanted to write some documentation, but a lot has happened since back then, so I have not had any time yet. Honestly sorry about that.

I might come around to it at one point, but not anytime soon. If you want, I can check out your connection settings; please post the MQTT Connection panel, the Advanced panel and the Certificates panel.

kickusb commented 4 years ago

Here are some screenshots from my sandbox experiments. Any ideas why it disconnects?


UrizielTSD commented 4 years ago

Hey, from a first overview it looks correct. Please try: 1) connecting without any topic subscription; 2) if 1) succeeds, use one random topic without any $ prefix.

Personally whenever I try to connect with a topic prefixed by a $ it never works. But any other string should work.

kickusb commented 4 years ago

Thanks @UrizielTSD, I tried as you suggested, but it is still failing at 1. It disconnects... :-/

I also tried with 2., but no difference.

UrizielTSD commented 4 years ago

Mhm, I think this might be an AWS Policy issue.

Please check the Policy attached to the Thing's certificates.

Try giving it this one:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iot:*", "Resource": "*" } ] }

This is a really broad Policy, but enough to test it.

networkfusion commented 4 years ago

Given that I have managed to connect to AWS okay, I believe the original fault is the fact that the default topics need unsubscribing to and the asker of this question needs to swap from websockets to MQTT (using port 8883).

xmoulin commented 3 years ago

Thanks for this post. I spent 2 hours before asking Google and found this page! Thanks all for sharing. Thanks @UrizielTSD for your post. I had missed kicking the $aws... out of my topic name.

SeanHavanas commented 2 years ago

A lot of these posts are from 2 years ago. I have been playing around with this and I am having some issues. AWS has examples for Python that are working on my PC. I am using all the same certificates and keep getting a 'Disconnected from Server' error when I connect. I am also trying with another visual MQTT app and I am having issues with that as well. It tells me the certificate is bad. I think the certificates are not working because they are outdated somewhere. Here is my setup:


Does anyone have any advice on getting this working? AWS has a web-based test MQTT client that you can subscribe and publish with. It works. Also the Python app sends and receives JSON messages. So it is either a bad setting or something to do with certificates.

SeanHavanas commented 2 years ago

I know what is missing. It is the client id. It is required for access. Does anyone know how to enter that? Here is an example using Mosquitto Pub that works.


The client ID is 'basicSub'

networkfusion commented 2 years ago


As per your picture above, you have it set to None!

networkfusion commented 2 years ago

Also, when connecting to AWS, it is unlikely that the following topic will work (and it should be removed from the subscriptions):

SeanHavanas commented 2 years ago

Thank you. I did not see the ID section. I removed $SYS/#; all I have right now is test/sean as the topic. I am having a different issue now. It connects, but when I publish from a remote device to the topic it disconnects. When I publish from MQTT Explorer it disconnects. When I publish from my remote device I can see it in the AWS IoT console, but MQTT Explorer disconnects when it is sent and I never see it.

xmoulin commented 2 years ago

Maybe you have 2 clients with the same client ID. Or you subscribe to a topic not allowed by your policy...

SeanHavanas commented 2 years ago

Thanks for your help. I am getting closer. I created a new client ID and I can now subscribe to the AWS broker. MQTT Explorer receives data when I post it from a mosquitto client, and it showed up. From the AWS console I published to the AWS broker and it worked. One last problem is that when I press the Publish button in MQTT Explorer it disconnects from AWS. I do have AWS set up to connect, publish and receive on those topics with that client ID.

xmoulin commented 2 years ago

Try with a Policy "Full access" like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iot:*"
      ],
      "Resource": [
        "arn:aws:iot:eu-west-1:672xxxxxxxx2:*"
      ],
      "Effect": "Allow"
    }
  ]
}

And then if it's ok, you should use a more production-ready Policy, like maybe this one (one Thing can only publish to a topic carrying its own name):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:RetainPublish"
      ],
      "Resource": [
        "arn:aws:iot:eu-west-1:672xxxxxxxx2:topic/action/devices/${iot:Connection.Thing.ThingName}",
        "arn:aws:iot:eu-west-1:672xxxxxxxx2:topic/detail/devices/${iot:Connection.Thing.ThingName}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:eu-west-1:672xxxxxxxx2:topicfilter/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:eu-west-1:672xxxxxxxx2:client/${iot:Connection.Thing.ThingName}"
      ]
    }
  ]
}
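Most of the disconnects in this thread (subscribing to $SYS/# or #, publishing from a client ID the policy does not cover, two connections sharing one client ID) are AWS IoT Core refusing an operation the attached policy does not allow, and, as noted earlier in the thread, the broker simply closes the connection rather than returning an error. The following is an added example, not MQTT-Explorer or AWS code: a small offline evaluator for policies shaped like the two above, so you can check what a given thing may connect as, publish to and subscribe to before pointing a client at the broker. It substitutes ${iot:Connection.Thing.ThingName}, applies IAM-style `*`/`?` matching to resource ARNs and lets an explicit Deny beat any Allow. The account ID 123456789012, the thing name and the topics are constructed; real AWS evaluation has more to it (other policy variables such as ${iot:ClientId}, condition keys, and the fact that thing policy variables only resolve when the connecting certificate is attached to the thing and the MQTT client ID equals the thing name) than is modelled here.

```python
"""
Added example (not MQTT-Explorer or AWS code): an offline evaluator for the
AWS IoT Core policies posted in this thread. Resolves the thing-name policy
variable, matches ARNs with IAM-style wildcards, Deny overrides Allow.
"""
import json
import re

REGION, ACCOUNT = "eu-west-1", "123456789012"   # constructed placeholders
ARN_PREFIX = f"arn:aws:iot:{REGION}:{ACCOUNT}:"

# The two policies from the thread, with the constructed account ID.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iot:*"], "Resource": [ARN_PREFIX + "*"]}],
}
PRODUCTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iot:Publish", "iot:Receive", "iot:RetainPublish"],
     "Resource": ["arn:aws:iot:eu-west-1:123456789012:topic/action/devices/${iot:Connection.Thing.ThingName}",
                  "arn:aws:iot:eu-west-1:123456789012:topic/detail/devices/${iot:Connection.Thing.ThingName}"]},
    {"Effect": "Allow", "Action": ["iot:Subscribe"],
     "Resource": ["arn:aws:iot:eu-west-1:123456789012:topicfilter/*"]},
    {"Effect": "Allow", "Action": ["iot:Connect"],
     "Resource": ["arn:aws:iot:eu-west-1:123456789012:client/${iot:Connection.Thing.ThingName}"]}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_to_regex(pattern):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def _matches(pattern, value, variables):
    for name, val in variables.items():
        pattern = pattern.replace("${" + name + "}", val)
    if "${" in pattern:
        return False   # unresolved policy variable: the statement cannot match
    return _glob_to_regex(pattern).match(value) is not None


def is_allowed(policy, action, resource, thing_name=None):
    """True if `action` on `resource` is allowed for a connection bound to `thing_name`."""
    variables = {"iot:Connection.Thing.ThingName": thing_name} if thing_name else {}
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, variables) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource, variables) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny wins over any allow
        decision = True
    return decision


def can_connect(policy, client_id, thing_name=None):
    return is_allowed(policy, "iot:Connect", ARN_PREFIX + "client/" + client_id, thing_name)


def can_publish(policy, topic, thing_name=None):
    return is_allowed(policy, "iot:Publish", ARN_PREFIX + "topic/" + topic, thing_name)


def can_subscribe(policy, topic_filter, thing_name=None):
    return is_allowed(policy, "iot:Subscribe", ARN_PREFIX + "topicfilter/" + topic_filter, thing_name)


def can_receive(policy, topic, thing_name=None):
    return is_allowed(policy, "iot:Receive", ARN_PREFIX + "topic/" + topic, thing_name)


if __name__ == "__main__":
    thing = "sensor-01"
    checks = [
        ("connect as own thing name   ", can_connect(PRODUCTION_POLICY, "sensor-01", thing)),
        ("connect as 'mqtt-explorer'  ", can_connect(PRODUCTION_POLICY, "mqtt-explorer", thing)),
        ("publish to own action topic ", can_publish(PRODUCTION_POLICY, "action/devices/sensor-01", thing)),
        ("publish to another device   ", can_publish(PRODUCTION_POLICY, "action/devices/sensor-02", thing)),
        ("subscribe to test/sean      ", can_subscribe(PRODUCTION_POLICY, "test/sean", thing)),
        ("receive on test/sean        ", can_receive(PRODUCTION_POLICY, "test/sean", thing)),
        ("connect, cert bound to none ", can_connect(PRODUCTION_POLICY, "sensor-01", None)),
        ("full access: subscribe $SYS/#", can_subscribe(FULL_ACCESS_POLICY, "$SYS/#", thing)),
    ]
    for label, ok in checks:
        print(label, "allowed" if ok else "DENIED")
```

Two things the evaluator makes visible that are easy to miss from the JSON: the "production" policy's iot:Connect line means the MQTT client ID must be the thing name (MQTT Explorer's Client ID field, left at the default, will be refused), and Subscribe on `topicfilter/*` without a matching iot:Receive means a subscription to `test/sean` is accepted but no messages are ever delivered on it. The full-access policy allows everything, including `$SYS/#`, which is why it is only useful for confirming the certificates and endpoint work before tightening.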

lodemo commented 1 year ago

I have a use case where I need to connect to AWS IoT Core using a custom authorizer, thus needing to set the Application Layer Protocol Negotiation (ALPN) TLS extension protocol to mqtt.

It would be great if MQTT-Explorer could support this. I could look into it and, if successful, write a pull request.