Hi.
I have verified MQTT on my AWS-IoT endpoint using MQTT.fx and the mosquitto_pub/sub commands from the desktop.
I am trying to get the aws_iot/publisher demo to run. Unfortunately, the DNS lookup failed for my endpoint. This is the same DNS issue that still persists with Apple Airport Wireless Access Points and WICED (since 3.3.1 or earlier as well). So, I increased the number of DNS servers to 4 and added two more DNS servers, with one of them being the gateway. That got me to the point where the MQTT broker address is resolved.
The rootCA.pem, cert.pem, and privKey.pem are put in resources/apps/secure_mqtt.
Unfortunately, there is some security problem that causes the secure MQTT connection to fail ...
Starting WICED v3.4.0-AWS
Platform BCM943341WCD1 initialised
Started ThreadX v5.6
Initialising NetX_Duo v5.7_sp2
Creating Packet pools
WWD SDIO interface initialised
WLAN MAC Address : 6C:AD:F8:F0:E9:3B
WLAN Firmware : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3
Joining : Nirvana
Successfully joined : Nirvana
Obtaining IPv4 address via DHCP
DHCP CLIENT hostname WICED IP
IPv4 network ready IP: 10.1.10.134
Setting IPv6 link-local address
IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B
Resolving IP address of MQTT broker
Error in resolving DNS
Starting WICED v3.4.0-AWS
Platform BCM943341WCD1 initialised
Started ThreadX v5.6
Initialising NetX_Duo v5.7_sp2
Creating Packet pools
WWD SDIO interface initialised
WLAN MAC Address : 6C:AD:F8:F0:E9:3B
WLAN Firmware : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3
Joining : Nirvana
Successfully joined : Nirvana
Obtaining IPv4 address via DHCP
DHCP CLIENT hostname WICED IP
IPv4 network ready IP: 10.1.10.134
Setting IPv6 link-local address
IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B
Can't ping the DNS server at 8.8.8.8
Resolving IP address of MQTT broker
[MQTT] Connecting to broker 52.25.74.199 ...
[MQTT] Opening connection...Failed
[MQTT] Deinit connection...
Finally, was able to resolve this.
If you look at the function x509_convert_pem_to_der(), this function gets called regardless of whether you read the PEM certs from a file or whether it is in a string array. In the case of the string array, we explicitly put in '\n' for every line. But there is a risk here, if you don't really know what the bytes in the certificate stand for. Essentially, the DER format requires types/values to be parsed from the bytes, and every line signifies something relevant according to its position.
Regardless, the same function for conversion is supposed to work for both types of input.
For certificates copied (from AWS/Parse/...), please have them formatted so that the indentation, newlines, etc. are inserted properly ... There is an online tool that helps you do just that (instead of you manually doing it and still running into conversion problems).
Use this link: https://www.samltool.com/format_x509cert.php
Copy the converted certificate with the header and save it in a file. It should work.
Here are my certs and private key ...
Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$ ls -l
total 40
-rw-r--r-- 1 sunculturesolar staff 261 Oct 8 09:49 README.txt
-rw-r--r-- 1 sunculturesolar staff 1221 Nov 6 10:48 cert.pem
-rw-r--r-- 1 sunculturesolar staff 1676 Nov 6 10:48 privKey.pem
-rw-r--r--@ 1 sunculturesolar staff 1732 Nov 6 10:48 rootCA.pem
-rw-r--r-- 1 sunculturesolar staff 1038 Oct 8 09:49 secure_mqtt_root_cacert.cer
Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$ pwd
/Users/sunculturesolar/work/Workspaces/WICED-SDK-3.4.0-AWS/resources/apps/secure_mqtt
Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$
There is a mismatch between the security files (.cer vs. .pem).
The publisher.mk lists these resources to be:
$(NAME)_RESOURCES := apps/aws_iot/rootca.cer \
                     apps/aws_iot/client.cer \
                     apps/aws_iot/privkey.cer
whereas the comments in the publisher.c application say:
* 3. Copy required certificates( rootCA.pem, cert.pem, privkey.pem ) in resources/apps/secure_mqtt folder.
/* In mqtt_network_init(): load the client private key and certificate into the TLS identity */
result = wiced_tls_init_identity( &socket->tls_identity, (char*) security->key, (const uint8_t*) security->cert, strlen( security->cert ) );
if ( result != WICED_SUCCESS )
{
    WPRINT_APP_INFO( ( "%s: Error TLS init identity\n", __FUNCTION__ ) );
    goto ERROR_TLS_INIT;
}
I am getting an error in the function mqtt_network_init when wiced_tls_init_identity() is called ... I just put a printf there to check what fails ...
Failed parsing TLS certificate in PEM format in wiced_tls_load_certificate() function:
Starting WICED v3.4.0-AWS
Platform BCM943341WCD1 initialised
Started ThreadX v5.6
Initialising NetX_Duo v5.7_sp2
Creating Packet pools
WWD SDIO interface initialised
WLAN MAC Address : 6C:AD:F8:F0:E9:3B
WLAN Firmware : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3
Joining : Nirvana
Successfully joined : Nirvana
Obtaining IPv4 address via DHCP
DHCP CLIENT hostname WICED IP
IPv4 network ready IP: 10.1.10.134
Setting IPv6 link-local address
IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B
Can't ping the DNS server at 8.8.8.8
Resolving IP address of MQTT broker
[MQTT] Connecting to broker 52.27.22.196 ...
[MQTT] Opening connection...mqtt_network_init: Security is not null
mqtt_network_init: Cert and Private Key are not null
wiced_tls_load_certificate: loading TLS cert in PEM format
wiced_tls_load_certificate: failed parsing TLS cert in PEM format
wiced_tls_init_identity: wiced tls load cert failed
mqtt_network_init: Error TLS init identity
[MQTT LIB] : error intializing the mqtt connection setup
mqtt_conn_open: error wiced mqtt connect 3035
mqtt_network_init: Security is not null
mqtt_network_init: Cert and Private Key are not null
wiced_tls_load_certificate: loading TLS cert in PEM format
wiced_tls_load_certificate: failed parsing TLS cert in PEM format
wiced_tls_init_identity: wiced tls load cert failed
mqtt_network_init: Error TLS init identity
[MQTT LIB] : error intializing the mqtt connection setup
mqtt_conn_open: error wiced mqtt connect 3035
mqtt_network_init: Security is not null
mqtt_network_init: Cert and Private Key are not null
wiced_tls_load_certificate: loading TLS cert in PEM format
wiced_tls_load_certificate: failed parsing TLS cert in PEM format
wiced_tls_init_identity: wiced tls load cert failed
mqtt_network_init: Error TLS init identity
[MQTT LIB] : error intializing the mqtt connection setup
mqtt_conn_open: error wiced mqtt connect 3035
Failed
[MQTT] Deinit connection...
Make sure the certificates you downloaded from AWS are in the proper format and aligned with proper indentation and newlines.
Also name them accordingly, with their respective extensions. Presently we are not parsing the .cert format; instead, the .pem format is supported.
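The accepted answer and the reply above both come down to the same point: the WICED PEM-to-DER conversion only succeeds when the certificate is laid out as canonical PEM (header, 64-column base64 lines, footer, no indentation). The following script is an added example, not code from the thread or from the WICED SDK: it re-wraps a pasted certificate or key into that layout and checks that the decoded payload is a complete DER SEQUENCE, so a truncated or mangled paste is caught on the desktop instead of surfacing as "failed parsing TLS cert" on the board. The sample payload is a constructed placeholder, not a real certificate.

```python
import base64
import re

def der_total_length(der: bytes) -> int:
    """Total encoded size of the outer DER element (short- or long-form
    length), or -1 if the bytes do not start with a well-formed SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_to_der(raw: str, label: str = "CERTIFICATE") -> bytes:
    """Strip header/footer, indentation and stray newlines, then decode; reject
    a payload whose DER length field disagrees with its size (truncated paste)."""
    header, footer = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if header not in raw or footer not in raw:
        raise ValueError(f"missing {header} / {footer}")
    body = raw.split(header, 1)[1].split(footer, 1)[0]
    der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match payload (truncated or corrupted)")
    return der

def normalize_pem(raw: str, label: str = "CERTIFICATE") -> str:
    """Re-emit the payload as canonical PEM: header, 64-column base64 lines,
    footer, trailing newline, no leading whitespace anywhere."""
    b64 = base64.b64encode(pem_to_der(raw, label)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"

# Constructed sample: a 100-byte DER SEQUENCE standing in for a certificate (not a
# real cert), pasted with an indented header/body line and a break inside the base64.
SAMPLE_DER = b"\x30\x62\x04\x60" + b"A" * 96
_B64 = base64.b64encode(SAMPLE_DER).decode()
PASTED_CERT = ("  -----BEGIN CERTIFICATE-----  " + _B64[:40] + "   \n      "
               + _B64[40:] + "  -----END CERTIFICATE-----")
# The same paste with the last base64 quad lost: a typical copy/paste truncation.
TRUNCATED_CERT = PASTED_CERT.replace(_B64[40:], _B64[40:-4])

if __name__ == "__main__":
    print(normalize_pem(PASTED_CERT))          # canonical PEM, ready for resources/apps
    normalize_pem(TRUNCATED_CERT)              # raises ValueError: length mismatch
```

Pass `label="RSA PRIVATE KEY"` for the AWS private key file, whose DER body is also an outer SEQUENCE.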
Where should I place these files?
As of now, even after removing newlines and having the certificates as one block and in .pem format, it still fails with "failed parsing TLS cert" in wiced_tls_load_certificate.
Where are these defined:
resources_apps_DIR_aws_iot_DIR_rootca_cer?
Can you give me an example certificate in PEM that I can put in the resources app directory?
Hello mkochhal,
We are working on the same thing you have done.
We face the same issue as you faced.
We need your help solving the certificate update issue.
We converted rootca, privcer and pubkey and updated them in aws_certificate, but the issue is not resolved.
The issue is connecting with the AWS broker.
Is it possible to send your sample code or the steps to resolve the issue?
Thanks,
Chintan Patel