Can NOT send a certificate chain which contains two certificates #174

Closed
gmlan opened this issue Jul 29, 2021 · 8 comments
Labels
bug This issue is a bug. needs-review

Comments

@gmlan

gmlan commented Jul 29, 2021

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Known Issue

  • [x] I'm using ATS data type endpoint: the endpoint should look like <prefix>-ats.iot.<region>.amazonaws.com

Describe the bug
As in the following code, mqttConnectionCertPem contains two PEM blocks, one for the device and one for the CA. This is to implement JITP (https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/), where cat deviceCert.crt rootCA.pem > deviceCertAndCACert.crt

AwsIotMqttConnectionBuilder.newMtlsBuilder(mqttConnectionCertPem, mqttConnectionKeyPem)

The error I got is "PEM has greater than expected depth, Expected Max: 1, Acutal: 2"

SDK version number
1.0.x

Platform/OS/Hardware/Device
macOS

To Reproduce (observed behavior)

  1. Get a CA, and use it to sign a device Cert
  2. Put the two Certs PEM into one
  3. call AwsIotMqttConnectionBuilder.newMtlsBuilder

Expected behavior
MQTT should connect

Logs/output
If applicable, add logs or error output.

To enable logging, set the following system properties:

REMEMBER TO SANITIZE YOUR PERSONAL INFO

-Daws.crt.debugnative=true
-Daws.crt.log.destination=File
-Daws.crt.log.level=Trace
-Daws.crt.log.filename=<path and filename>

Additional context
Add any other context about the problem here.

@gmlan gmlan added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 29, 2021
@jmklix
Member

jmklix commented Aug 3, 2021

It looks like you are running into this error, which isn't expecting the concatenated certs. I can't seem to reproduce the exact same error that you are getting, but I can get the same error as mentioned here.

Are you generating your certs the same way as in the guide you linked? And are you using the pubsub sample to test this?

@jmklix jmklix added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 2 days. and removed needs-triage This issue or PR still needs to be triaged. labels Aug 3, 2021
@gmlan
Author

gmlan commented Aug 3, 2021

  1. I got the concatenated certs for mqttConnectionCertPem as described here:
    cat deviceCert.crt rootCA.pem > deviceCertAndCACert.crt

  2. I call AwsIotMqttConnectionBuilder.newMtlsBuilder(mqttConnectionCertPem, mqttConnectionKeyPem)

  3. I got PEM has greater than expected depth, Expected Max: 1, Acutal: 2 as you.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 2 days. label Aug 3, 2021
@jmklix
Member

jmklix commented Aug 6, 2021

If everything is done correctly you shouldn't need to concatenate the deviceCert.crt and rootCA.pem. This step:
aws iot register-ca-certificate --ca-certificate file://rootCA.pem --verification-cert file://verificationCert.pem --set-as-active --allow-auto-registration --registration-config file://provisioning-template.json

registers your cert so when you call AwsIotMqttConnectionBuilder.newMtlsBuilder(mqttConnectionCertPem, mqttConnectionKeyPem) just pass deviceCert.crt as the first parameter.

@gmlan
Author

gmlan commented Aug 6, 2021

No, that won't work.

  1. If a customer calls register-ca-certificate twice to register two CAs and then passes deviceCert.crt as the first parameter, which CA will be used on the IoT backend?

  2. Current IoT backend logic is:
    a. get passed concatenate cert: deviceCert & CA
    b. Check whether CA is registered, if fail, reject connection.
    c. If pass, check passed deviceCert is signed by passed CA
    d. If pass, add deviceCert to DB and do other provisioning thing.

Also, this blog uses Mosquitto to pass the concatenated PEM; this is the correct way.

$ cat deviceCert.crt rootCA.pem > deviceCertAndCACert.crt
$ mosquitto_pub --cafile root.cert --cert deviceCertAndCACert.crt --key deviceCert.key -h <prefix>.iot.us-east-1.amazonaws.com -p 8883 -q 1 -t foo/bar -I anyclientID --tls-version tlsv1.2 -m "Hello" -d
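The thread turns on how many CERTIFICATE blocks sit in one PEM bundle: the deviceCertAndCACert.crt produced by the cat command above has depth 2, and the error in the original report says the SDK's native layer accepts at most 1. The following is an added example, written for this page and not code from aws-iot-device-sdk-java-v2, aws-c-io, or any participant in the issue. It splits a PEM bundle into its blocks with the standard library only, checks that each CERTIFICATE body is one complete DER SEQUENCE, reports the depth the way the SDK's message describes it, and extracts the leaf certificate on its own for SDKs that refuse a chain. The certificate bodies in the sample bundle are constructed placeholder DER values (not real certificates), and the function names are assumptions of this example.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----", base64 lines, "-----END <label>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def der_outer_length(data: bytes) -> int:
    """Return the full encoded length of the DER SEQUENCE starting at data[0].

    A certificate is a DER SEQUENCE (tag 0x30). The length is short form
    (one byte < 0x80) or long form (0x80 | n, then n big-endian length bytes).
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def split_pem_bundle(pem_text: str) -> list:
    """Split a PEM bundle into (label, der_bytes) tuples in file order.

    Every CERTIFICATE body must decode to exactly one complete DER SEQUENCE;
    truncated bodies or trailing garbage raise instead of being accepted.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(pem_text):
        label = m.group("label")
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        if label == "CERTIFICATE" and der_outer_length(der) != len(der):
            raise ValueError(f"{label}: body is not a single complete DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_depth(pem_text: str, expected_max: int) -> tuple:
    """Count CERTIFICATE blocks and compare against an allowed maximum.

    Returns (ok, actual_depth); with expected_max=1 a two-cert JITP bundle
    yields (False, 2), matching the situation described in the issue.
    """
    depth = sum(1 for label, _ in split_pem_bundle(pem_text) if label == "CERTIFICATE")
    return depth <= expected_max, depth


def is_well_formed(pem_text: str) -> bool:
    """True if every block parses; False on bad base64 or a broken DER body."""
    try:
        split_pem_bundle(pem_text)
        return True
    except ValueError:
        return False


def first_certificate_pem(pem_text: str) -> str:
    """Re-emit only the first CERTIFICATE (the leaf in a leaf-then-CA bundle)."""
    for label, der in split_pem_bundle(pem_text):
        if label == "CERTIFICATE":
            b64 = base64.b64encode(der).decode("ascii")
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    raise ValueError("no CERTIFICATE block found")


# Constructed sample bundle (assumption of this example): the bodies are tiny
# placeholder DER SEQUENCEs, 30 03 02 01 01 and 30 03 02 01 02, not real certs.
DEVICE_CERT_B64 = "MAMCAQE="
CA_CERT_B64 = "MAMCAQI="
DEVICE_CERT_AND_CA_CERT = (
    "-----BEGIN CERTIFICATE-----\n" + DEVICE_CERT_B64 + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n" + CA_CERT_B64 + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    ok, depth = check_depth(DEVICE_CERT_AND_CA_CERT, expected_max=1)
    print(f"bundle ok for max depth 1: {ok}, actual depth: {depth}")
    print(first_certificate_pem(DEVICE_CERT_AND_CA_CERT))
```

The DER length check matters because a PEM splitter that only trusts the BEGIN/END markers will happily hand a truncated or padded body to the TLS stack; rejecting anything that is not exactly one SEQUENCE catches a bad `cat` or a copy-paste that lost a line before it reaches the connection attempt.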

@jmklix jmklix added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Aug 10, 2021
@jmklix jmklix removed the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Feb 16, 2022
@jmklix
Member

jmklix commented Mar 24, 2022

This should be fixed now. Please let us know if you run into any more problems with certificate chains

@jmklix jmklix closed this as completed Mar 24, 2022

@tonisives

tonisives commented Apr 4, 2022

@jmklix In which release is it fixed? I tried https://github.com/aws/aws-iot-device-sdk-java-v2/releases/tag/v1.8.0 (software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk:1.8.0), but it still returns the error

PEM has greater than expected depth, Expected Max: 1, Acutal: 2

This is just like the OP described in the Describe the bug section.

@jmklix
Member

jmklix commented May 18, 2023

@tonisives the fix was in one of the dependencies: aws-c-io.
Here is an updated guide for how to create certs for JITP. It currently works with this SDK, but please open a new issue if you are still having any problems while using this SDK.
