Not able to establish MQTT connection #111
Comments
We are also facing the same issue, we get @ChetanPundhir you can try to provide the root cert as a String for this builder parameter: withCertificateAuthority Certificate link: https://www.amazontrust.com/repository/AmazonRootCA1.pem Can someone from AWS please pitch in and let us know why we need to provide a root certificate now? It will be extra effort to keep it up-to-date.
It has been some time but I have received no response from the technical team. Request to share some input.
You will need to manually provide the certificate for v2.
Yeah, this is exactly what we don't want to do. In the previous SDK it wasn't required, and from the JavaDoc it overrides the default Trust Store.
Why can't the new SDK use the default TrustStore and, if that doesn't work, use the default certificate internally, so the consumers of the SDK don't have to manage and explain to their customers why we need to override the default system trust store?
You shouldn't need to set a CA if it's already in the system CA store. The CA isn't for your client certificate anyway; it's for verifying the server's identity. There's no x.509 validation on the client of your mTLS certs. If you're getting:
This is a different scenario. If that's happening, the CA isn't in your OS's CA store. You can add it, update the OS's store (those should be in the store by now), or specify it as described. As for why it's different now? The v2 SDKs go through the operating system's PKI system, not the Java keystore. So for Windows, this would go through CertManager; on Apple OS, Keychain; and on Unix systems, the typical locations for that distribution (/etc/ssl/certs and friends).
As you can see in the screenshot attached at the end, the But the SDK still throws
We are also using the Java SDK version
Same would be the expected behaviour on Android as well since
Well, if it's in the trust store and the SDK isn't picking it up, that's definitely a bug we need to track down. Thanks for clarifying!
I am passing the rootCA certificate as well, but it does not work with v2 for ECC certificates. With RSA, it works fine. Are ECC certificates supported with v2? I tested the SSL handshake using the command below:
which works well, meaning the certificates are correct. Please suggest what could be the issue.
Is this on Windows? I think we have an open issue for aws-c-io where ECC certs weren't importing correctly.
@JonathanHenson yes, I am testing on Windows. Do you mean it does not work on Windows? Does it work with Linux, or are there any issues with that as well?
I mean, this code on Windows: doesn't explicitly handle ECC key pairs, whereas the Apple and Unix integrations work transparently. When I read the .NET Core source code I see a separate branch and import for ECC.
I have the same problem with the implementation of JITR. I'm on Mac OS. I implemented this process with aws-iot-device-sdk-js and it works. The error changes if I change the endpoint. I also read https://aws.amazon.com/it/blogs/iot/aws-iot-core-ats-endpoints/ but my Java version is 8u202 and it haven't I validated the certificates with However, the error occurs only if the certificate is not active yet (first time connecting to the MQTT client, step 1 of JITR). (sorry for my English) EDIT: I enabled the CRT log [ERROR] [2020-11-30T15:56:16Z] [0000700010535000] [socket] - id=0x7fa8171497d0 fd=78: connect failed with error code 65. After some research on these errors, I discovered there is a similar bug in aws/aws-iot-device-sdk-js-v2#30
Platform/OS/Hardware/Device
Windows 10
Describe the question
I am trying to use JITP feature to onboard my client certificate.
It's working with the old version of the AWS IoT Device SDK for Java (https://github.com/aws/aws-iot-device-sdk-java) using PublishSubscribeSample.java, but when I try to do the same with this new version using the PubSub.java sample, it's not working.
Issue 1 is that, as mentioned for JITP (https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core), for the first connection attempt a concatenated (device + CA) certificate should be used. If I try to do that I get the error: TLS (SSL) negotiation failed
Issue 2 is that if I do the client JITP using the old SDK for Java and use this new SDK's sample code to just connect with the client certificate, I still get the error: TLS (SSL) negotiation failed.
If I use RSA certificates, issue 1 still appears but issue 2 does not, and with RSA certificates the connection is established.
If I use ECC certificates, I get both issue 1 and issue 2.
However, I get no issue if I do the same steps with the old SDK for Java. With the old SDK, it works fine for both RSA and ECC certificates.
What additionally needs to be done for ECC certificates to make the connection work, and why does the concatenated certificate not work as explained here: https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/?
I am using the ATS endpoint.
Please help.
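As an added example (not code from this thread or from the SDK's own samples), the Java snippet below first parses the certificate bundle with the JDK's CertificateFactory and reports each certificate's key algorithm, so the EC-vs-RSA distinction discussed above is visible before any TLS attempt, and then passes the Amazon root CA explicitly through withCertificateAuthority, the builder parameter named in the first comment, instead of relying on the OS PKI store. All file paths and the endpoint are placeholders, and the builder methods other than withCertificateAuthority (newMtlsBuilderFromPath, withEndpoint, withClientId, withCleanSession) are assumed from the v2 SDK's API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import software.amazon.awssdk.crt.mqtt.MqttClientConnection;
import software.amazon.awssdk.iot.AwsIotMqttConnectionBuilder;

public class IotConnectCheck {
    // Placeholder paths. For the first JITP connection, CERT_PATH points at the
    // concatenated (device + CA) PEM described in the JITP blog post linked in the issue.
    static final String CERT_PATH    = "device-or-concatenated.pem";
    static final String KEY_PATH     = "device.key";
    static final String ROOT_CA_PATH = "AmazonRootCA1.pem"; // downloaded from the amazontrust.com link above
    static final String ENDPOINT     = "<your-endpoint>-ats.iot.<region>.amazonaws.com"; // placeholder

    // Parse every certificate in a PEM bundle and report its public-key algorithm.
    // "EC" vs "RSA" is the distinction the thread turns on (ECC keys failing on Windows).
    static void describeBundle(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            int i = 0;
            for (Certificate c : certs) {
                System.out.printf("%s[%d]: key algorithm = %s%n", path, i++, c.getPublicKey().getAlgorithm());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        describeBundle(CERT_PATH);

        // Hand the root CA to the SDK as a String rather than depending on the OS trust store.
        String rootCa = new String(Files.readAllBytes(Paths.get(ROOT_CA_PATH)), StandardCharsets.UTF_8);
        AwsIotMqttConnectionBuilder builder = AwsIotMqttConnectionBuilder
                .newMtlsBuilderFromPath(CERT_PATH, KEY_PATH)   // assumed builder factory
                .withCertificateAuthority(rootCa)              // named in the thread: root cert as a String
                .withEndpoint(ENDPOINT)
                .withClientId("jitp-test-client")
                .withCleanSession(true);
        try (MqttClientConnection connection = builder.build()) {
            boolean sessionPresent = connection.connect().get();
            System.out.println("connected, session present = " + sessionPresent);
            connection.disconnect().get();
        }
    }
}
```

If describeBundle reports "EC" for the device certificate and the connect still fails only on Windows, that matches the aws-c-io ECC import issue mentioned above rather than a trust-store problem.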