3.4.0-AWS mqtt connect failed

Anonymous · ‎Nov 06, 2015

Hi.

I have verified MQTT on my AWS-IoT endpoint using MQTT.fx and mosquito_pub/sub commands from the desktop.

I am trying to get the was_iot/publisher demo to run. Unfortunately, the DNS lookup failed for my endpoint. This is the same DNS issue that still persists with Apple Airport Wireless Access Points and WICED (since 3.3.1 or earlier as well). So, I increased the number of DNS servers to 4 and added two more DNS, with one of them being the gateway. So that got me to the point where the MQTT broker address is resolved.

The rootCA.pem, cert.pem, and privKey.pem is put in resources/apps/secure_mqtt.

Unfortunately, there is some security problem that results in secure mqtt connection fail ...

Starting WICED v3.4.0-AWS

Platform BCM943341WCD1 initialised

Started ThreadX v5.6

Initialising NetX_Duo v5.7_sp2

Creating Packet pools

WWD SDIO interface initialised

WLAN MAC Address : 6C:AD:F8:F0:E9:3B

WLAN Firmware : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3

Joining : Nirvana

Successfully joined : Nirvana

Obtaining IPv4 address via DHCP

DHCP CLIENT hostname WICED IP

IPv4 network ready IP: 10.1.10.134

Setting IPv6 link-local address

IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B

Resolving IP address of MQTT broker

Error in resolving DNS

Starting WICED v3.4.0-AWS

Platform BCM943341WCD1 initialised

Started ThreadX v5.6

Initialising NetX_Duo v5.7_sp2

Creating Packet pools

WWD SDIO interface initialised

WLAN MAC Address : 6C:AD:F8:F0:E9:3B

WLAN Firmware : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3

Joining : Nirvana

Successfully joined : Nirvana

Obtaining IPv4 address via DHCP

DHCP CLIENT hostname WICED IP

IPv4 network ready IP: 10.1.10.134

Setting IPv6 link-local address

IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B

Can't ping the DNS server at 8.8.8.8

Resolving IP address of MQTT broker

[MQTT] Connecting to broker 52.25.74.199 ...

[MQTT] Opening connection...Failed

[MQTT] Deinit connection...

Anonymous · ‎Nov 10, 2015

Finally, was able to resolve this.

If you look at the function x509_convert_pem_to_der(), this function gets called regardless of whether you read the PEM certs from a file or whether is in a string array. In case of the string array, we explicitly put in '\n' for every line. But there is a risk here, if you don't really know what the bytes in the certificate stand for. Essentially, the DER format requires types/values to be parsed from the bytes and every line signifies something relevant according to its position.

Regardless, the same function for conversion is supposed to work for both type of inputs.

For certificates copied (from AWS/Parse/...), please have it formatted, so that the indentations, newlines etc are inserted properly ... There is an online tool that helps you just that (instead you manually doing it and still running into conversion problems).

Use this link: https://www.samltool.com/format_x509cert.php

Copy the converted with header and save it in a file. It should work.

View solution in original post

Anonymous · ‎Nov 06, 2015

Here are my certs and private key ...

Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$ ls -l

total 40

-rw-r--r-- 1 sunculturesolar staff 261 Oct 8 09:49 README.txt

-rw-r--r-- 1 sunculturesolar staff 1221 Nov 6 10:48 cert.pem

-rw-r--r-- 1 sunculturesolar staff 1676 Nov 6 10:48 privKey.pem

-rw-r--r--@ 1 sunculturesolar staff 1732 Nov 6 10:48 rootCA.pem

-rw-r--r-- 1 sunculturesolar staff 1038 Oct 8 09:49 secure_mqtt_root_cacert.cer

Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$ pwd

/Users/sunculturesolar/work/Workspaces/WICED-SDK-3.4.0-AWS/resources/apps/secure_mqtt

Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$

Anonymous · ‎Nov 06, 2015

There is a mismatch between the security files (.cer v/s .pem)

The publisher.mk list these resources to be:

$(NAME)_RESOURCES := apps/aws_iot/rootca.cer \

apps/aws_iot/client.cer \

apps/aws_iot/privkey.cer

whereas the comments in the publisher.c application says:

* 3. Copy required certificates( rootCA.pem, cert.pem, privkey.pem ) in resources/apps/secure_mqtt folder.

Anonymous · ‎Nov 06, 2015

result = wiced_tls_init_identity( &socket->tls_identity, (char*) security->key, (const uint8_t*) security->cert, strlen( security->cert ) );

if ( result != WICED_SUCCESS )

{

WPRINT_APP_INFO( ( "%s: Error TLS init identity\n", __FUNCTION__ ) );

goto ERROR_TLS_INIT;

}

I am having error in the function mqtt_network_init when the wiced_tls_init_identity() is called ... I just put a printf there to check what fails ...

Anonymous · ‎Nov 06, 2015

Failed parsing TLS certificate in PEM format in wiced_tls_load_certificate() function:

Starting WICED v3.4.0-AWS

Platform BCM943341WCD1 initialised

Started ThreadX v5.6

Initialising NetX_Duo v5.7_sp2

Creating Packet pools

WWD SDIO interface initialised

WLAN MAC Address : 6C:AD:F8:F0:E9:3B

WLAN Firmware : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3

Joining : Nirvana

Successfully joined : Nirvana

Obtaining IPv4 address via DHCP

DHCP CLIENT hostname WICED IP

IPv4 network ready IP: 10.1.10.134

Setting IPv6 link-local address

IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B

Can't ping the DNS server at 8.8.8.8

Resolving IP address of MQTT broker

[MQTT] Connecting to broker 52.27.22.196 ...

[MQTT] Opening connection...mqtt_network_init: Security is not null

mqtt_network_init: Cert and Private Key are not null

wiced_tls_load_certificate: loading TLS cert in PEM format

wiced_tls_load_certificate: failed parsing TLS cert in PEM format

wiced_tls_init_identity: wiced tls load cert failed

mqtt_network_init: Error TLS init identity

[MQTT LIB] : error intializing the mqtt connection setup

mqtt_conn_open: error wiced mqtt connect 3035

mqtt_network_init: Security is not null

mqtt_network_init: Cert and Private Key are not null

wiced_tls_load_certificate: loading TLS cert in PEM format

wiced_tls_load_certificate: failed parsing TLS cert in PEM format

wiced_tls_init_identity: wiced tls load cert failed

mqtt_network_init: Error TLS init identity

[MQTT LIB] : error intializing the mqtt connection setup

mqtt_conn_open: error wiced mqtt connect 3035

mqtt_network_init: Security is not null

mqtt_network_init: Cert and Private Key are not null

wiced_tls_load_certificate: loading TLS cert in PEM format

wiced_tls_load_certificate: failed parsing TLS cert in PEM format

wiced_tls_init_identity: wiced tls load cert failed

mqtt_network_init: Error TLS init identity

[MQTT LIB] : error intializing the mqtt connection setup

mqtt_conn_open: error wiced mqtt connect 3035

Failed

[MQTT] Deinit connection...

VikramR_26 · ‎Nov 07, 2015

Make sure the certificates you downloaded from AWS are in proper format and aligned with proper indentation and new line spaces.

Also name them accordingly with their respective extensions. Presently we are not parsing .cert format, instead .pem format is supported.

Anonymous · ‎Nov 09, 2015

where should I place these files ...

As of now, even after removing new lines and having the certificates as one block and in .pem format, it still fails as failed parsing TLS cert in wiced_tls_load_certificate.

Anonymous · ‎Nov 09, 2015

where are these defined:

resources_apps_DIR_aws_iot_DIR_rootca_cer?

Anonymous · ‎Nov 10, 2015

Can you give me an example certificate in PEM that I can put in the resources app directory.

Anonymous · ‎Nov 10, 2015

Finally, was able to resolve this.

If you look at the function x509_convert_pem_to_der(), this function gets called regardless of whether you read the PEM certs from a file or whether is in a string array. In case of the string array, we explicitly put in '\n' for every line. But there is a risk here, if you don't really know what the bytes in the certificate stand for. Essentially, the DER format requires types/values to be parsed from the bytes and every line signifies something relevant according to its position.

Regardless, the same function for conversion is supposed to work for both type of inputs.

For certificates copied (from AWS/Parse/...), please have it formatted, so that the indentations, newlines etc are inserted properly ... There is an online tool that helps you just that (instead you manually doing it and still running into conversion problems).

Use this link: https://www.samltool.com/format_x509cert.php

Copy the converted with header and save it in a file. It should work.

Anonymous · ‎Jan 02, 2018

hello mkochhal,

We are working on same as you have done.

We face the same issue as you faced.

We have need your help for solving the certificate update issue.

we convert rootca, privcer and pubkey and update in aws_certificate but issue not resolved.

but issue is connect with AWS Broker.

is it possible to send your sample code for step for resolve issue as same ?

thanks

chintan patel

3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed

Re: 3.4.0-AWS mqtt connect failed