Custom domain for IoT endpoint

0

I want a custom domain for my MQTT endpoint like mqtt.abc.example.org. I followed this guide https://aws.amazon.com/it/blogs/iot/migrating-devices-aws-iot-custom-domains/

All seems to be correct compared with screenshot on guide, but when I do

mosquitto_pub --cert test-2022b.pem --key test-2022b.key -h mqtt.abc.example.org -p 8883 -d -t 'test/pippo' -i pub -m "Ciao mondo" --tls-version tlsv1.2 --cafile AmazonRootCA1.pem

I got: Client pub sending CONNECT OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Error: Success

I also tried with this Python script:

from AWSIoTPythonSDK.MQTTLib import AWSIoTMQTTClient

# Client ID must be unique among the clients connected to the endpoint
myMQTTClient = AWSIoTMQTTClient("myClientID")
# Custom domain used instead of the xxxxxxxxx-ats.iot.<region>.amazonaws.com endpoint
myMQTTClient.configureEndpoint("mqtt.abc.example.org", 8883)
# Argument order: root CA path, private key path, client certificate path
myMQTTClient.configureCredentials("AmazonRootCA1.pem", "test-2022b.key", "test-2022b.pem")
myMQTTClient.connect()

Result: ssl.SSLCertVerificationError: ("hostname 'mqtt.abc.example.org' doesn't match either of 'iot.eu-west-3.amazonaws.com', '*.iot.eu-west-3.amazonaws.com'",)

If I use xxxxxxxxx-ats.iot.eu-west-3.amazonaws.com it works. Server side, I use a certificate issued by AWS.

1 Answer
0

Can you please check the certificate your domain is returning? It should look like this:

$ openssl s_client -showcerts -servername mqtt.abc.example.org -connect mqtt.abc.example.org:8883
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = mqtt.abc.example.org
verify return:1
write:errno=0

Based on your error message though, I think it won't look like that.

AWS
EXPERT
Greg_B
answered 2 years ago
  • I have different results. On the Windows machine I always get
    Verify return code: 20 (unable to get local issuer certificate). On the Linux machine, one works, the other gives me the same error as the Windows machine.

    If I add to openssl --CAfile AmazonRootCA1.pem it works on every machine.

  • What is the output when it works? In particular, what CN is returned?
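The check Greg_B asks for, which also reproduces the hostname mismatch the asker's Python SDK run reported, as an added example that is not part of the original thread, the AWS blog post, or the AWS IoT SDK. It connects to the custom domain with SNI set, verifies the chain against AmazonRootCA1.pem (the file name from the question), then compares the names in the returned certificate against the custom domain the way a TLS client does (SAN dNSName entries, with a wildcard covering exactly one leftmost label, falling back to the subject CN only when there are no SANs). The two sample certificate dicts are constructed: one mirrors the names quoted in the asker's error message, the other is what a correctly configured domain should present.

```python
import socket
import ssl
import sys

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# REGIONAL_CERT mirrors the names quoted in the asker's error message;
# CUSTOM_DOMAIN_CERT is what a correctly configured custom domain should present.
REGIONAL_CERT = {
    "subject": ((("commonName", "*.iot.eu-west-3.amazonaws.com"),),),
    "subjectAltName": (
        ("DNS", "iot.eu-west-3.amazonaws.com"),
        ("DNS", "*.iot.eu-west-3.amazonaws.com"),
    ),
}
CUSTOM_DOMAIN_CERT = {
    "subject": ((("commonName", "mqtt.abc.example.org"),),),
    "subjectAltName": (("DNS", "mqtt.abc.example.org"),),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a '*' standing for exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                 # e.g. ".iot.eu-west-3.amazonaws.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # the label the wildcard must cover
    return bool(leftmost) and "." not in leftmost


def cert_names(cert: dict) -> list:
    """Names a client may match against: dNSName SANs, falling back to the
    subject CN only when the certificate carries no SAN extension."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the certificate covers hostname, i.e. a client would not raise
    SSLCertVerificationError("hostname ... doesn't match ...")."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def diagnose(cert: dict, hostname: str) -> str:
    """One-line verdict: which names the endpoint presented and whether the
    custom domain is among them."""
    names = ", ".join(cert_names(cert)) or "<no names>"
    if hostname_matches(cert, hostname):
        return f"OK: {hostname} is covered by [{names}]"
    return (f"MISMATCH: {hostname} is not covered by [{names}]; the endpoint "
            f"presented a certificate for other names, so the custom domain "
            f"configuration is not in effect for this name")


def fetch_peer_cert(hostname: str, port: int = 8883,
                    cafile: str = "AmazonRootCA1.pem") -> dict:
    """Live check: TLS connection with SNI = hostname and the chain verified
    against cafile. Python's own hostname check is disabled so a mismatching
    certificate is returned for reporting instead of raising."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify_mode stays CERT_REQUIRED
    ctx.check_hostname = False                       # name check is done by diagnose()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python check_iot_domain.py mqtt.abc.example.org [AmazonRootCA1.pem]
    host = sys.argv[1] if len(sys.argv) > 1 else "mqtt.abc.example.org"
    ca = sys.argv[2] if len(sys.argv) > 2 else "AmazonRootCA1.pem"
    print(diagnose(fetch_peer_cert(host, cafile=ca), host))
```

Run against the custom domain, an endpoint that still serves the regional certificate yields the MISMATCH line listing iot.eu-west-3.amazonaws.com and its wildcard, which is the same situation the SDK reported; once the domain configuration is active the certificate's names include mqtt.abc.example.org and the verdict is OK. The chain is still verified against the given root, so a missing or wrong CA file fails loudly rather than silently passing.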
