
root-CA.crt #26

Closed
andreasofthings opened this issue Dec 19, 2015 · 17 comments

Comments

@andreasofthings

README mentions to use the Symantec's

https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem 
  Subject: subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

as the root-CA.crt for all the examples.

However, the certificates issued from the IoT Console are issued by an apparently intermediate CA:

issuer= /OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US

The documentation doesn't mention where to get this intermediary CA.

@gkwicker
Contributor

Hi Andreas,

Connections between devices and the AWS IoT platform are authenticated using mutual authentication. In this process, each side presents the other with its certificate, and each side verifies the authenticity of the certificate it has received. Your device only needs the Symantec root CA certificate because that certificate can be used to authenticate the identity of the AWS IoT platform. The certificates you generate with the AWS IoT console or CLI are authenticated by the AWS IoT platform using its certificate chain.

Let us know if this answers your question, and thanks for trying out the AWS IoT platform.

@andreasofthings
Author

Hi Gary,

Thanks for the pointer; I was misinterpreting the issued certificate in that case. Coming from a failed SSL connection, I was looking for hints in that area.

Apparently I am running into the same issue as #18, but cannot solve this on my own yet. The call to the example looks like the following:

andreas@notebook:~/aws-iot-device-sdk-js/examples$ nodejs device-example.js -F ../../device.js

With device.js containing this:

{
    "host": "[redacted].iot.eu-west-1.amazonaws.com",
    "port": 8883,
    "clientId": "client",
    "thingName": "client",
    "caCert": "root-CA.crt",
    "clientCert": "[redacted]-certificate.pem.crt",
    "privateKey": "[redacted]-private.pem.key"
}

and produces this:

ws-iot-device-sdk-js/device/index.js:81
        throw new Error(error);
        ^

Error: Error: write EPROTO
    at MqttClient.<anonymous> (/home/andreas/aws-iot-device-sdk-js/device/index.js:81:15)
    at emitOne (events.js:82:20)
    at MqttClient.emit (events.js:169:7)
    at TLSSocket.handleTLSerrors (/home/andreas/aws-iot-device-sdk-js/node_modules/mqtt/lib/connect/tls.js:39:18)
    at emitOne (events.js:82:20)
    at TLSSocket.emit (events.js:169:7)
    at onwriteError (_stream_writable.js:304:10)
    at onwrite (_stream_writable.js:322:5)
    at WritableState.onwrite (_stream_writable.js:89:5)
    at fireErrorCallbacks (net.js:442:13)

Any pointer is appreciated.

Node.js is v5.3.0

Andreas

@gkwicker
Contributor

Hi Andreas,

When running the example programs in any region other than the default (us-east-1), you need to specify your region on the command line, e.g.:

nodejs device-example.js -F ../../device.js -g eu-west-1

When using a configuration file as you are here, it might be nice if the code picked up your region from the 'host' property, but it doesn't do that yet. We'll look into that for a future release, but in the meantime just specify your region with the '-g' flag and everything should work. Let us know if that fixes the problem.

@andreasofthings
Author

Hi Gary,

thanks for the pointer. That helped.

Regards,

Andreas

@louissimps

@gkwicker I've been schwacking my head on this one for some time now, thanks.

@RAdil

RAdil commented Mar 18, 2017

Hi, I am trying to run one AWS IoT example (device-example.js), which seems to fail as it tries to find the root CA in the folder. Please suggest how I can get a root-CA.crt.

node device-example.js -f ~/.aws
/home/pi/.aws/root-CA.crt doesn't exist (--help for usage)

@gabrielkaputa

@RAdil In the IoT console, go to Security -> Certificates, click Create -> One-click certificate creation, and on the next screen you can download the certificate and also the root CA.

@RAdil

RAdil commented Mar 18, 2017

Thanks for the prompt response. I was trying to find the option in the CLI, but the web console seems more straightforward.

@RAdil

RAdil commented Mar 18, 2017

Seems the certificates are working, but MQTT connectivity is not being established. Please suggest if I need to configure/set up anything on the AWS side.
node device-example.js -f ~/.aws --test-mode=1
offline
close
reconnect
offline
node device-example.js -f ~/.aws --test-mode=2
offline
close
reconnect
offline

@gabrielkaputa

gabrielkaputa commented Mar 18, 2017 via email

@RAdil

RAdil commented Mar 18, 2017

Oh... seems the policy is not linked to the device/thing. Perhaps I also need to configure some AWS endpoint; not sure though.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:*",
            "Resource": "arn:aws:iot:eu-west-2:919634038332:topic/replaceWithATopic"
        }
    ]
}

@RAdil

RAdil commented Mar 18, 2017

Perhaps I need to create two resources ( Topics also)? Topic 1 and Topic 2?

@RAdil

RAdil commented Mar 18, 2017

Thanks a lot for your help. I have now linked the certificate with the "thing" and the "policy", but I am not sure if the policy makes sense, and perhaps the resource URL in the policy needs to be changed.

@RAdil

RAdil commented Mar 18, 2017

I think I got the example to work now by changing the resource URL to * and reassigning the policy to the certificate.

@gabrielkaputa

ok cool :) * is fine for now, you can restrict it later
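What "restrict it later" can look like, as an added example that is not from the thread or the SDK: a builder for a per-device policy that grants iot:Connect only on the device's own client ARN and Publish/Subscribe/Receive only on named topics, plus a check that flags the "iot:*" on "*" policy that made the example work. The region and account id are the ones in the policy quoted above; the client id and topic names are constructed placeholders.

```javascript
// Added example (not the SDK's code): least-privilege AWS IoT policy for one
// device instead of "Resource": "*", and a check that flags overbroad grants.
// Region/account come from the policy quoted in the thread; the client id
// and topic names are constructed placeholders.

function buildDevicePolicy({ region, account, clientId, publishTopics, subscribeTopics }) {
  const arn = (kind, name) => `arn:aws:iot:${region}:${account}:${kind}/${name}`;
  return {
    Version: "2012-10-17",
    Statement: [
      // Without iot:Connect on the client ARN the MQTT CONNECT is rejected,
      // which shows up as the "offline / close / reconnect" loop seen above.
      { Effect: "Allow", Action: "iot:Connect", Resource: arn("client", clientId) },
      { Effect: "Allow", Action: "iot:Publish", Resource: publishTopics.map(t => arn("topic", t)) },
      // Subscribe is authorised against topicfilter ARNs, Receive against topic ARNs.
      { Effect: "Allow", Action: "iot:Subscribe", Resource: subscribeTopics.map(t => arn("topicfilter", t)) },
      { Effect: "Allow", Action: "iot:Receive", Resource: subscribeTopics.map(t => arn("topic", t)) },
    ],
  };
}

// Allow statements that grant more than one device should hold:
// a wildcard action ("iot:*" or "*") or a wildcard resource ("*").
function findOverbroadStatements(policy) {
  const list = v => (Array.isArray(v) ? v : [v]);
  return policy.Statement.filter(s =>
    s.Effect === "Allow" &&
    (list(s.Action).some(a => a === "iot:*" || a === "*") ||
     list(s.Resource).some(r => r === "*")));
}

// The shape the thread ended with: everything on every resource. It connects,
// but anyone holding that certificate can reach every topic in the account.
const permissivePolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "iot:*", Resource: "*" }],
};

// Scoped replacement for a device whose clientId is "client" (from device.js).
const scopedPolicy = buildDevicePolicy({
  region: "eu-west-2", account: "919634038332", clientId: "client",
  publishTopics: ["topic_1"], subscribeTopics: ["topic_2"],
});

console.log(findOverbroadStatements(permissivePolicy).length); // 1
console.log(findOverbroadStatements(scopedPolicy).length);     // 0
console.log(JSON.stringify(scopedPolicy, null, 2));
```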

@RAdil

RAdil commented Mar 18, 2017

Thanks !

@sirianni

@gkwicker wrote:

The certificates you generate with the AWS IoT console or CLI are authenticated by the AWS IoT platform using its certificate chain.

Is it possible for AWS to publish this certificate chain? Or at least the certificate used to immediately sign the device certificate? We have use cases where we would like to leverage the AWS IoT CA as a trust anchor for peer-to-peer authentication of devices.

(Sorry to hijack this thread, but I have a question on the above and not sure what other forum to use.)
