MQTT Client unable to connect to AWS IoT MQTT Broker

0

I'm unable to connect my C# code to AWS IoT MQTT Broker, however I'm able to connect using AWS MQTT Client to MQTT broker. I'm using M2MQTT as the MQTT Client in my C# code (https://www.nuget.org/packages/M2Mqtt). Note that .pfx file is created using openSSL using the certificate and private key downloaded from AWS IoT. The certificate is activated and attached to a thing. The rootca.crt is Amazon's root CA.

I keep getting error at Client.Connect(clientId)

"{uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException: Exception of type 'uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException' was thrown. at uPLibrary.Networking.M2Mqtt.MqttClient.SendReceive(Byte[] msgBytes, Int32 timeout) at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId, String username, String password, Boolean willRetain, Byte willQosLevel, Boolean willFlag, String willTopic, String willMessage, Boolean cleanSession, UInt16 keepAlivePeriod) at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId)

Below is my code

private const string IotEndpoint = "xxvf6ihlpxlxf6.iot.us-east-2.amazonaws.com";

    private const int BrokerPort = 8883;  

    private const string Topic = "GaneshM2MQTT/#";  
     var clientCert = new X509Certificate2("C:\\Program Files (x86)\\GnuWin32\\bin\\XXXX.pfx", "XXX#");  

            var caCert = X509Certificate.CreateFromCertFile("C:\\Program Files (x86)\\GnuWin32\\bin\\rootca.crt");  

            // create the client  
            var client = new MqttClient(IotEndpoint, BrokerPort, true, caCert, clientCert, MqttSslProtocols.TLSv1_2);  
            //message to publish - could be anything  
            var message = "Test message";  
            string clientId = Guid.NewGuid().ToString();  
            //client naming has to be unique if there was more than one publisher  
            client.Connect(clientId);  
            //publish to the topic  
            client.Publish(Topic, Encoding.UTF8.GetBytes(message));  

I'm unable to connect my C# code to AWS IoT MQTT Broker, however I'm able to connect using AWS MQTT Client to MQTT broker. I'm using M2MQTT as the MQTT Client in my C# code (https://www.nuget.org/packages/M2Mqtt). Note that .pfx file is created using openSSL using the certificate and private key downloaded from AWS IoT. The certificate is activated and attached to a thing. The rootca.crt is Amazon's root CA.

I keep getting error at Client.Connect(clientId)

"{uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException: Exception of type 'uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException' was thrown. at uPLibrary.Networking.M2Mqtt.MqttClient.SendReceive(Byte[] msgBytes, Int32 timeout) at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId, String username, String password, Boolean willRetain, Byte willQosLevel, Boolean willFlag, String willTopic, String willMessage, Boolean cleanSession, UInt16 keepAlivePeriod) at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId)

Below is my code

private const string IotEndpoint = "xxvf6ihlpxlxf6.iot.us-east-2.amazonaws.com";

    private const int BrokerPort = 8883;  

    private const string Topic = "GaneshM2MQTT/#";  
     var clientCert = new X509Certificate2("C:\\Program Files (x86)\\GnuWin32\\bin\\XXXX.pfx", "XXX#");  

            var caCert = X509Certificate.CreateFromCertFile("C:\\Program Files (x86)\\GnuWin32\\bin\\rootca.crt");  

            // create the client  
            var client = new MqttClient(IotEndpoint, BrokerPort, true, caCert, clientCert, MqttSslProtocols.TLSv1_2);  
            //message to publish - could be anything  
            var message = "Test message";  
            string clientId = Guid.NewGuid().ToString();  
            //client naming has to be unique if there was more than one publisher  
            client.Connect(clientId);  
            //publish to the topic  
            client.Publish(Topic, Encoding.UTF8.GetBytes(message));  

I also looked at this link https://stackoverflow.com/questions/47793400/getting-authenticationexception-when-connect-m2mqtt-mqttclient-to-mosquitto-brok/48414980#48414980 and https://stackoverflow.com/questions/43993106/a-call-to-sspi-failed-see-inner-exception-paho-m2mqtt-dot-netc-client-ssl-tl?rq=1 where they fixed the issue by converting .crt to .pfx but in my case its Amazon Root CA , I'm not sure how I can convert to .pfx without private key. This looks like an authentication issue but not sure what is wrong.

Struggling with this issue for a while. Any help or implementation is appreciated.

Edited by: smanickam1983 on Jan 24, 2018 7:33 AM

Edited by: smanickam1983 on Jan 24, 2018 7:56 AM

Edited by: smanickam1983 on Jan 24, 2018 7:57 AM

asked 7 years ago2.3K views
4 Answers
0

Guys , Any help will be appreciated , however I try using my C# code I get an exception. Is there an issue with Topic or Rules Engine?

Latest update is tried the below to diagnose the connectivity to Aws IOt and I get the below
OpenSSL> s_client -connect a2vf6ihlpxlxf6.iot.us-east-2.amazonaws.com:8443 -CAfi
le rootca.pem -cert 848511847e-certificate.pem.crt -key 848511847e-private.pem.k
ey
CONNECTED(00000180)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 200
6 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primar
y Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Syma
ntec Class 3 ECC 256 bit SSL CA - G2
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.iot
.us-east-2.amazonaws.com
verify return:1

Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-2.amazona
ws.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3
ECC 256 bit SSL CA - G2
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3
ECC 256 bit SSL CA - G2
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc.

  • For authorized use only/CN=VeriSign Class 3 Public Primary Certification Auth
    ority - G5

Server certificate
-----BEGIN CERTIFICATE-----
MIIEkDCCBDagAwIBAgIQPHX+MAHdo7nvctz2elyiVDAKBggqhkjOPQQDAjCBgDEL
MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD
VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQDEyhTeW1hbnRlYyBD
bGFzcyAzIEVDQyAyNTYgYml0IFNTTCBDQSAtIEcyMB4XDTE3MTAxMjAwMDAwMFoX
DTE4MTAxMzIzNTk1OVowdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0
b24xEDAOBgNVBAcMB1NlYXR0bGUxGTAXBgNVBAoMEEFtYXpvbi5jb20sIEluYy4x
JjAkBgNVBAMMHSouaW90LnVzLWVhc3QtMi5hbWF6b25hd3MuY29tMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAE2Lsr3j7KdnkNDgajBtnsgGiZn+4KNPT1gQeUNKPS
gBGaaBol6tJ8xDLIwXlKw4OkevyPUYP5FxjHTmYWzciZmqOCApgwggKUMEUGA1Ud
EQQ+MDyCG2lvdC51cy1lYXN0LTIuYW1hem9uYXdzLmNvbYIdKi5pb3QudXMtZWFz
dC0yLmFtYXpvbmF3cy5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGEGA1UdIARaMFgwVgYGZ4EMAQIC
MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
BwICMBkMF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMB8GA1UdIwQYMBaAFCXwiuFL
etkBlQrtxlPxjHgf2fP4MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9yYy5zeW1j
Yi5jb20vcmMuY3JsMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDov
L3JjLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3JjLnN5bWNiLmNvbS9y
Yy5jcnQwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwDd6x0reg1PpiCLga2BaHB+
Lo6dAdVciI09EcTNtuy_zAAAAV8SiCRyAAAEAwBIMEYCIQDmOnouIp_qOjqKTJH+
L498RmggrqeYSkHKypZSWRM1CwIhAJ+RYaTdepptcIbmaleKuDp0dNfhKPhA4Fgw
EuQVY/G7AHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFfEogk
pgAABAMARzBFAiAN6ptj++R2uRuVfLxMAd3ZIz3RtboR9Yo/WraUILg4GgIhAJm0
g7CsP3o3Gwy9ykrYod2Qw/cHTDZQ9BDhPgeM8ZYCMAoGCCqGSM49BAMCA0gAMEUC
IQD+3PGoXbXmTgKABms0IGg3vS7kFVGeEIOvXBtgB7pHpQIgYP4wms/d59KnYUAZ
YmUc7a45PjzqGWllA9Pb29yJ1fs=
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-2.amaz
onaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class
3 ECC 256 bit SSL CA - G2

No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA_SHA512:RSA_SHA512:ECDSA_SHA384:RSA_SHA384:
ECDSA_SHA256:RSA_SHA256:DSA_SHA256:ECDSA_SHA224:RSA_SHA224:DSA_SHA224:ECDSA+SHA1
:RSA_SHA1:DSA_SHA1
Shared Requested Signature Algorithms: ECDSA_SHA512:RSA_SHA512:ECDSA_SHA384:RSA_
SHA384:ECDSA_SHA256:RSA_SHA256:DSA_SHA256:ECDSA_SHA224:RSA_SHA224:DSA_SHA224:ECD
SA_SHA1:RSA_SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 2646 bytes and written 1448 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID: 5A6966ECD373E7987DCF2239470B3B65BF5F4BBE77264B1FCACB98C39616937C

Session-ID-ctx:  
Master-Key: 249B74E8C667B48A9858C9DB7566B4A2147CB479D73DA1049B9525768F425CE1  

5110AE7CBB08EC516A6474F2D083F27E
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1516857067
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

Edited by: smanickam1983 on Jan 24, 2018 8:12 PM

Edited by: smanickam1983 on Jan 24, 2018 8:19 PM

Edited by: smanickam1983 on Jan 24, 2018 8:19 PM

Edited by: smanickam1983 on Jan 24, 2018 9:12 PM

Edited by: smanickam1983 on Jan 24, 2018 9:17 PM

answered 7 years ago
0

Another Update
Microsoft Telnet> open a2vf6ihlpxlxf6.iot.us-east-2.amazonaws.com 8883
Connecting To a2vf6ihlpxlxf6.iot.us-east-2.amazonaws.com...

Connection to host lost.

What could be the problem?

answered 7 years ago
0

Just in case you still looking for an answer
You MUST make a change in policy to allow to connect
The easiest one.
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Subscribe",
"iot:Receive",
"iot:Connect"
],
"Resource": "*"
}

answered 6 years ago
0

Quick and speedy response. Question asked in Jan 2018 and response in June 2018. Does aws ever answer question in a day or two.. ? Disappointing..

Edited by: smanickam1983 on Nov 18, 2018 4:48 PM

answered 6 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions