10 Replies Latest reply on Jan 2, 2018 11:31 PM by chintan

    3.4.0-AWS mqtt connect failed

    mkochhal

      Hi.

      I have verified MQTT on my AWS-IoT endpoint using MQTT.fx and mosquitto_pub/sub commands from the desktop.

       

      I am trying to get the aws_iot/publisher demo to run. Unfortunately, the DNS lookup failed for my endpoint. This is the same DNS issue that still persists with Apple Airport Wireless Access Points and WICED (since 3.3.1 or earlier as well). So, I increased the number of DNS servers to 4 and added two more DNS servers, with one of them being the gateway. That got me to the point where the MQTT broker address is resolved.

       

      The rootCA.pem, cert.pem, and privKey.pem are put in resources/apps/secure_mqtt.

       

      Unfortunately, there is some security problem that results in the secure MQTT connection failing ...

       

      Starting WICED v3.4.0-AWS

      Platform BCM943341WCD1 initialised

      Started ThreadX v5.6

      Initialising NetX_Duo v5.7_sp2

      Creating Packet pools

      WWD SDIO interface initialised

      WLAN MAC Address : 6C:AD:F8:F0:E9:3B

      WLAN Firmware    : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3

      Joining : Nirvana

      Successfully joined : Nirvana

      Obtaining IPv4 address via DHCP

      DHCP CLIENT hostname WICED IP

      IPv4 network ready IP: 10.1.10.134

      Setting IPv6 link-local address

      IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B

      Resolving IP address of MQTT broker

      Error in resolving DNS

       

      Starting WICED v3.4.0-AWS

      Platform BCM943341WCD1 initialised

      Started ThreadX v5.6

      Initialising NetX_Duo v5.7_sp2

      Creating Packet pools

      WWD SDIO interface initialised

      WLAN MAC Address : 6C:AD:F8:F0:E9:3B

      WLAN Firmware    : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3

      Joining : Nirvana

      Successfully joined : Nirvana

      Obtaining IPv4 address via DHCP

      DHCP CLIENT hostname WICED IP

      IPv4 network ready IP: 10.1.10.134

      Setting IPv6 link-local address

      IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B

      Can't ping the DNS server at 8.8.8.8

      Resolving IP address of MQTT broker

      [MQTT] Connecting to broker 52.25.74.199 ...

       

      [MQTT] Opening connection...Failed

      [MQTT] Deinit connection...

        • 1. Re: 3.4.0-AWS mqtt connect failed
          mkochhal

          Here are my certs and private key ...

           

          Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$ ls -l

          total 40

          -rw-r--r--  1 sunculturesolar  staff   261 Oct  8 09:49 README.txt

          -rw-r--r--  1 sunculturesolar  staff  1221 Nov  6 10:48 cert.pem

          -rw-r--r--  1 sunculturesolar  staff  1676 Nov  6 10:48 privKey.pem

          -rw-r--r--@ 1 sunculturesolar  staff  1732 Nov  6 10:48 rootCA.pem

          -rw-r--r--  1 sunculturesolar  staff  1038 Oct  8 09:49 secure_mqtt_root_cacert.cer

          Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$ pwd

          /Users/sunculturesolar/work/Workspaces/WICED-SDK-3.4.0-AWS/resources/apps/secure_mqtt

          Sunculture-Manish-Kochhal:secure_mqtt sunculturesolar$

          • 2. Re: 3.4.0-AWS mqtt connect failed
            mkochhal

            There is a mismatch between the security files (.cer vs .pem).

             

            The publisher.mk lists these resources to be:

             

            $(NAME)_RESOURCES  := apps/aws_iot/rootca.cer \

                                  apps/aws_iot/client.cer \

                                  apps/aws_iot/privkey.cer

             

            whereas the comments in the publisher.c application say:

             

            *  3. Copy required certificates( rootCA.pem, cert.pem, privkey.pem ) in resources/apps/secure_mqtt folder.

            • 3. Re: 3.4.0-AWS mqtt connect failed
              mkochhal

              /* mqtt_network_init(): load the client certificate and private key into the TLS identity */
              result = wiced_tls_init_identity( &socket->tls_identity, (char*) security->key, (const uint8_t*) security->cert, strlen( security->cert ) );
              if ( result != WICED_SUCCESS )
              {
                  WPRINT_APP_INFO( ( "%s: Error TLS init identity\n", __FUNCTION__ ) );
                  goto ERROR_TLS_INIT;
              }

              I am getting an error in the function mqtt_network_init when wiced_tls_init_identity() is called ... I just put a printf there to check what fails ...

              • 4. Re: 3.4.0-AWS mqtt connect failed
                mkochhal

                Failed parsing TLS certificate in PEM format in wiced_tls_load_certificate() function:

                 

                Starting WICED v3.4.0-AWS

                Platform BCM943341WCD1 initialised

                Started ThreadX v5.6

                Initialising NetX_Duo v5.7_sp2

                Creating Packet pools

                WWD SDIO interface initialised

                WLAN MAC Address : 6C:AD:F8:F0:E9:3B

                WLAN Firmware    : wl0: Oct 13 2014 15:25:13 version 6.10.190.51 (r507746) FWID 01-60cadeb3

                Joining : Nirvana

                Successfully joined : Nirvana

                Obtaining IPv4 address via DHCP

                DHCP CLIENT hostname WICED IP

                IPv4 network ready IP: 10.1.10.134

                Setting IPv6 link-local address

                IPv6 network ready IP: FE80:0000:0000:0000:6EAD:F8FF:FEF0:E93B

                Can't ping the DNS server at 8.8.8.8

                Resolving IP address of MQTT broker

                [MQTT] Connecting to broker 52.27.22.196 ...

                 

                [MQTT] Opening connection...mqtt_network_init: Security is not null

                mqtt_network_init: Cert and Private Key are not null

                wiced_tls_load_certificate: loading TLS cert in PEM format

                wiced_tls_load_certificate: failed parsing TLS cert in PEM format

                wiced_tls_init_identity: wiced tls load cert failed

                mqtt_network_init: Error TLS init identity

                [MQTT LIB] : error intializing the  mqtt connection setup

                mqtt_conn_open: error wiced mqtt connect 3035

                mqtt_network_init: Security is not null

                mqtt_network_init: Cert and Private Key are not null

                wiced_tls_load_certificate: loading TLS cert in PEM format

                wiced_tls_load_certificate: failed parsing TLS cert in PEM format

                wiced_tls_init_identity: wiced tls load cert failed

                mqtt_network_init: Error TLS init identity

                [MQTT LIB] : error intializing the  mqtt connection setup

                mqtt_conn_open: error wiced mqtt connect 3035

                mqtt_network_init: Security is not null

                mqtt_network_init: Cert and Private Key are not null

                wiced_tls_load_certificate: loading TLS cert in PEM format

                wiced_tls_load_certificate: failed parsing TLS cert in PEM format

                wiced_tls_init_identity: wiced tls load cert failed

                mqtt_network_init: Error TLS init identity

                [MQTT LIB] : error intializing the  mqtt connection setup

                mqtt_conn_open: error wiced mqtt connect 3035

                Failed

                [MQTT] Deinit connection...

                • 5. Re: 3.4.0-AWS mqtt connect failed
                  vikr

                  Make sure the certificates you downloaded from AWS are in proper format and aligned with proper indentation and new line spaces.

                  Also name them accordingly with their respective extensions. Presently we are not parsing .cert format, instead .pem format is supported.

                  • 6. Re: 3.4.0-AWS mqtt connect failed
                    mkochhal

                    Where should I place these files ...

                     

                    As of now, even after removing new lines and having the certificates as one block and in .pem format, it still fails with "failed parsing TLS cert" in wiced_tls_load_certificate.

                    • 7. Re: 3.4.0-AWS mqtt connect failed
                      mkochhal

                      Where are these defined:

                       

                      resources_apps_DIR_aws_iot_DIR_rootca_cer?

                      • 8. Re: 3.4.0-AWS mqtt connect failed
                        mkochhal

                        Can you give me an example certificate in PEM that I can put in the resources app directory?

                        • 9. Re: 3.4.0-AWS mqtt connect failed
                          mkochhal

                          Finally, I was able to resolve this.

                           

                          If you look at the function x509_convert_pem_to_der(), this function gets called regardless of whether you read the PEM certs from a file or whether it is in a string array. In the case of the string array, we explicitly put in '\n' for every line. But there is a risk here if you don't really know what the bytes in the certificate stand for. Essentially, the DER format requires types/values to be parsed from the bytes, and every line signifies something relevant according to its position.

                           

                          Regardless, the same function for conversion is supposed to work for both types of input.

                           

                          For certificates copied (from AWS/Parse/...), please have them formatted so that the indentation, newlines etc. are inserted properly ... There is an online tool that does just that for you (instead of doing it manually and still running into conversion problems).

                           

                          Use this link: https://www.samltool.com/format_x509cert.php

                           

                          Copy the converted certificate, with its header, and save it in a file. It should work.
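As an added example (not WICED code and not the poster's own), the following Python script performs on the desktop the same PEM-to-DER conversion and structural checks that the thread's x509_convert_pem_to_der() path depends on, so a file with a mangled armor, a wrong label, a truncated body, or a binary .cer instead of PEM is rejected before it is copied into resources/apps/secure_mqtt. It also re-armors the block in canonical form (64-character lines, LF endings), which is what the online formatter linked above does. All sample inputs are constructed: they are minimal DER SEQUENCEs, not real certificates or keys.

```python
"""Pre-flight check for PEM files before they go into resources/apps/secure_mqtt.

Added example, not WICED code. It reproduces the checks a strict PEM-to-DER
converter performs (armor lines, base64 body, DER outer length) so a bad
certificate file is caught on the desktop rather than as a TLS init failure
on the board. The sample inputs below are constructed and are NOT real
certificates: they are minimal DER SEQUENCEs that satisfy the structural checks.
"""
import base64
import binascii
import re

# PEM armor: a label in BEGIN/END lines wrapping a base64 body.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P<endlabel>[A-Z0-9 ]+)-----",
    re.DOTALL,
)


def der_outer_length(der: bytes) -> int:
    """Total length (tag + length + content) of the leading DER SEQUENCE.

    Certificates and keys are DER SEQUENCEs, so the decoded body must start
    with tag 0x30 and the encoded length must account for every remaining byte.
    """
    if len(der) < 2:
        raise ValueError("DER too short")
    if der[0] != 0x30:
        raise ValueError("outer DER element is not a SEQUENCE (tag 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem: str) -> tuple[str, bytes]:
    """Decode one PEM block, tolerating CRLF and missing line breaks.

    Raises ValueError with a specific reason when the file would not parse.
    """
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM armor found (binary DER/.cer file, or truncated header/footer)")
    label, endlabel = m.group("label"), m.group("endlabel")
    if label != endlabel:
        raise ValueError(f"BEGIN label {label!r} does not match END label {endlabel!r}")
    body = re.sub(r"\s+", "", m.group("body"))    # whitespace is irrelevant to base64
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    expected = der_outer_length(der)
    if expected != len(der):
        raise ValueError(f"DER length mismatch: header says {expected} bytes, body has {len(der)}")
    return label, der


def der_to_pem(label: str, der: bytes) -> str:
    """Re-armor DER as canonical PEM: 64-character lines, LF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def normalize_pem(pem: str) -> str:
    """Rewrite a PEM block in canonical form (what the online formatter in the thread does)."""
    label, der = pem_to_der(pem)
    return der_to_pem(label, der)


def check_pem(pem: str) -> tuple[bool, str]:
    """Return (ok, message) instead of raising, for use in a pre-flight script."""
    try:
        label, der = pem_to_der(pem)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{label}: {len(der)}-byte DER SEQUENCE"


# Constructed samples (not real certificates): a 5-byte SEQUENCE{INTEGER 5} and a
# 131-byte SEQUENCE whose long-form length needs two bytes (0x81 0x80).
SMALL_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
BIG_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"A" * 126

if __name__ == "__main__":
    flattened = "-----BEGIN CERTIFICATE-----MAMCAQU=-----END CERTIFICATE-----"
    print(check_pem(flattened))
    print(normalize_pem(flattened), end="")
    # A body whose DER header promises more bytes than are present (truncated copy/paste).
    print(check_pem("-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----"))
```

Run it against each of the three files before building: a `False` result names the defect (no armor, label mismatch, bad base64, or a DER length that does not match the body), and `normalize_pem()` writes out the canonical form to use. Note that a whitespace-tolerant converter accepts a body with no line breaks at all, so a flattened file that still fails on the board points at the content of the file rather than its line wrapping.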

                          • 10. Re: 3.4.0-AWS mqtt connect failed
                            chintan

                            Hello mkochhal,

                             

                            We are working on the same thing as you have done.

                            We face the same issue as you faced.

                             

                            We need your help solving the certificate update issue.

                            We converted rootca, privcer and pubkey and updated them in aws_certificate, but the issue is not resolved.

                             

                            The issue is connecting with the AWS broker.

                            Is it possible to send your sample code and the steps you took to resolve the issue?

                             

                            Thanks

                            chintan patel