AWS IoT MQTT Certificate failed verification | Thales IoT Developer Community
January 3, 2020 - 11:48am, 3508 views
Hi,
Just to add on further on the question.
My JAVA version is Cinterion,EHS6,Rev 03.001, A-Rev 00.000.51.
AT^SJMSEC? = 1,1,1,1
I'm using AWS IoT One-Click to generate all the certificates.
I downloaded the root CA from AWS (https://docs.aws.amazon.com/iot/latest/developerguide/server-authenticat...)
Below are the CA certs that I tested out.
1. VeriSign Endpoints (legacy) RSA 2048 bit key
2. RSA 2048 bit key: Amazon Root CA 1
3. Starfield Root CA Certificate
4. Cross-signed Amazon Root CA 1
I have double-checked with the Python SDK program and an OpenSSL connection.
openssl s_client -connect a2px87lo8v4uea.iot.us-west-2.amazonaws.com:8443 -CAfile SFSRootCAG2.pem -cert 1certificate.pem.crt -key private.pem.key
openssl s_client -connect a2px87lo8v4uea-ats.iot.us-west-2.amazonaws.com:8443 -CAfile SFSRootCAG2.pem -cert 1certificate.pem.crt -key private.pem.key
Below are the findings:
Test for endpoint with ATS (Python SDK, OpenSSL)
The CA certs that succeeded are as below:
1. RSA 2048 bit key: Amazon Root CA 1
2. Starfield Root CA Certificate
Test for endpoint without ATS (Python SDK, OpenSSL)
The CA cert that succeeded is as below:
1. VeriSign Endpoints (legacy) RSA 2048 bit key
With that, I proceeded to test with the MIDlet program, and I was able to make a connection only on the endpoint without ATS with the VeriSign Endpoints cert.
I was able to connect to the server and publish the message; the strange part is that I never see it at the server. If I'm using Python to the endpoint without ATS, I am able to see the message.
If I use the Amazon Root CA 1 or the Starfield Root CA Certificate, I wasn't able to get a successful connection at all.
Each time I try to replace the cert, I get the command code with
java -jar jseccmd.jar -cmd DelAllHttpsCertificatesUntrusted > DelAllHttpsCertificatesUntrusted.txt
So I run this command, AT^SJMSEC="cmd","060091000000", then I restart the terminal and reinstall the cert again.
I'd appreciate it if someone could give some advice on this.
Hello,
It seems to me that you may have 2 problems.
One with the application you are using - maybe it does not really send the message or there's some configuration issue. Does the server really allow the connection with no authentication? Are there any exceptions thrown by your MIDlet?
The other problem is related to the certificates. What is the application output? If the verification fails the reason could be that the certificates are in a wrong format.
Regards,
Bartłomiej
Hi Bartłomiej,
Thanks for your reply.
Currently I am able to send the message over to the endpoint without ATS.
I followed the instructions from a YouTube tutorial to set up AWS CloudWatch.
https://www.youtube.com/watch?v=ipS-4LbvGoo&t=301s
With that, I was able to find out what the error causing this actually is.
The error that I found in the AWS CloudWatch log is MESSAGE:PublishIn Status: CLIENT_ERROR
With that, I set message retained to false, message.setRetained(false);
With that, I was then able to publish the message to AWS IoT through the endpoint without ATS.
I will continue to troubleshoot the connection to the endpoint with ATS.
Will keep you posted when I have any update on the error found.
Regarding the certificate, the format of the client certificate is
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The format of the private key is
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
So I believe both are in the correct PEM format, as they were generated from AWS IoT directly?
Regards,
CL
Hello,
The certificate should be in binary encoded X.509 format (.der or .cer) before you convert it to bin file. I'm not experienced with Amazon AWS but maybe the certificates need some conversions - you should find a tutorial here: https://iot-developer.thalesgroup.com/showcase/concept-board-connection-...
On the module you only need the root certificate for server verification.
According to the exception the certificate verification failed, so either the certificate on the module was not the same as the one received from the server or the cert on the module was malformed. You could display the received certificate in your app to see what the server sends.
Regards,
Bartłomiej
Hi, I got the exact same problem as CL, even though I'm running a different module ELS61_R2, Revision 02.000, A-Revision 01.000.05.
What was explained by Amazon AWS (here) is that there are 2 endpoints that can be used, with or without "ats" in the URL. New devices should use the one with "ats"; however, I cannot set up the module to communicate with the "ats" type with either the Amazon Root CA 1 or the Starfield Root CA certificate. In both cases, I receive ^SIS: 0,0,50,"Fatal: Service has detected an internal error" when calling AT^SISO=0, which is not helpful at all.
The only way I got it to work, exactly like CL described, is to use the non-"ats" URL with the VeriSign certificate. Unfortunately, this certificate is now legacy and should not be used going forward.
Has anyone got the answer to this issue? Or maybe anyone got the module using TLS to communicate successfully with AWS IoT using Amazon CA / Starfield CA certificate? Any help would be appreciated.
@Bartłomiej: I have read quite many answers from you saying that the client certificate must be in binary format (.der). It's actually wrong! I know this because I managed to get my module to connect to AWS IoT (non-ats) using the client .pem format, not the .der binary format. Using .der always gives me "Remote peer has closed the connection". Also, if you look at the Java User's Guide v05, section 11.1.1, it's written that "The client certificate file and the client private key file must be in the file format *.pem". It would be good if the module would verify and give an answer right away whether the client/server certificate is acceptable or not.
Hello,
As described in our Java User's Guide, the client certificate should be provided in PEM format; however, the server certificate must be provided in DER/CER (binary) format. What Bartłomiej was referring to was the loading and verification of the AWS server certificate.
BR,
Ida
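As an added example (not part of this thread or of Thales's tooling), a small Python check that tells the two encodings discussed above apart before a file is pushed to the module: it classifies a blob as PEM or DER, flags a DER blob whose outer length does not match the file (a malformed root CA would be rejected by the module with no useful message), and converts a PEM root CA to the DER bytes the module expects, refusing a block whose label is not CERTIFICATE (for example a private key handed over by mistake). The sample blobs are constructed for the demonstration and are not real certificates.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }, not a real X.509 certificate,
# wrapped in the PEM markers that CL quoted above.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# Constructed sample with the private-key markers quoted above (same dummy body).
KEY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           + base64.encodebytes(SAMPLE_DER)
           + b"-----END RSA PRIVATE KEY-----\n")

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length(data):
    """Total length of the outer DER SEQUENCE (tag 0x30), or None if the header is unparseable."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_format(data):
    """Classify a certificate blob as 'PEM', 'DER', 'truncated-DER' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    total = der_length(data)
    if total is None:
        return "unknown"
    return "DER" if total == len(data) else "truncated-DER"

def pem_label(data):
    """Label of the first PEM block (e.g. 'CERTIFICATE'), or None if there is none."""
    m = PEM_RE.search(data)
    return m.group(1).decode() if m else None

def pem_to_der(data, expected="CERTIFICATE"):
    """Decode the first PEM block to DER, refusing a block whose label is not `expected`."""
    label = pem_label(data)
    if label is None:
        raise ValueError("no PEM block found")
    if label != expected:
        raise ValueError(f"expected {expected} block, found {label}")
    der = base64.b64decode(b"".join(PEM_RE.search(data).group(2).split()), validate=True)
    if detect_format(der) != "DER":
        raise ValueError("decoded body is not a well-formed DER SEQUENCE")
    return der
```

Run `pem_to_der` on the downloaded Amazon Root CA 1 or Starfield PEM and write the returned bytes to the .der/.cer file you load onto the module; `detect_format` on that file should then report "DER".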