Custom domain for IoT endpoint

I want a custom domain for my mqtt endpoint like mqtt.abc.example.org. I followed this guide https://aws.amazon.com/it/blogs/iot/migrating-devices-aws-iot-custom-domains/

Everything seems correct compared with the screenshots in the guide, but when I run

mosquitto_pub --cert test-2022b.pem --key test-2022b.key -h mqtt.abc.example.org -p 8883 -d -t 'test/pippo' -i pub -m "Ciao mondo" --tls-version tlsv1.2 --cafile AmazonRootCA1.pem

I get:

Client pub sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Success

I also tried with this Python script:

from AWSIoTPythonSDK.MQTTLib import AWSIoTMQTTClient

myMQTTClient = AWSIoTMQTTClient("myClientID")
# custom domain instead of the xxxxxxxxx-ats.iot.eu-west-3.amazonaws.com endpoint
myMQTTClient.configureEndpoint("mqtt.abc.example.org", 8883)
# root CA, private key, device certificate
myMQTTClient.configureCredentials("AmazonRootCA1.pem", "test-2022b.key", "test-2022b.pem")
myMQTTClient.connect()

Result: ssl.SSLCertVerificationError: ("hostname 'mqtt.abc.example.org' doesn't match either of 'iot.eu-west-3.amazonaws.com', '*.iot.eu-west-3.amazonaws.com'",)

If I use xxxxxxxxx-ats.iot.eu-west-3.amazonaws.com it works. Server side, I use a certificate issued by AWS.

1 Answer

Can you please check the certificate your domain is returning? It should look like this:

$ openssl s_client -showcerts -servername mqtt.abc.example.org -connect mqtt.abc.example.org:8883
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = mqtt.abc.example.org
verify return:1
write:errno=0

Based on your error message though, I think it won't look like that.

Greg_B (AWS Expert)
answered 2 years ago
  • I have different results. On a Windows machine I always get
    Verify return code: 20 (unable to get local issuer certificate)
    On a Linux machine, one works, the other gives me the same error as the Windows machine.

    If I add --CAfile AmazonRootCA1.pem to openssl, it works on every machine.

  • What is the output when it works? In particular, what CN is returned?
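One way to make the check Greg_B describes scriptable, as an added example that is not part of the original question or answer: it connects with SNI set to the custom domain, verifies the chain against AmazonRootCA1.pem, and then reports the DNS names the presented certificate actually carries instead of just failing. The hostname-matching helpers, `fetch_peer_cert`, `diagnose` and the two sample certificate dicts (constructed from the names quoted in the question's SSLCertVerificationError, not captured from a real endpoint) are assumptions for illustration.

```python
"""Added diagnostic: which certificate does a custom AWS IoT domain present,
and does it name that hostname?  Not part of the original question or answer."""
import socket
import ssl
import sys


def san_dns_names(cert):
    """DNS names from a cert dict in the shape SSLSocket.getpeercert() returns.

    Falls back to the subject CN only when the certificate carries no SAN
    entries, which is how hostname checkers treat CN (RFC 6125 section 6.4.4).
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def dns_name_matches(hostname, pattern):
    """Match one presented name against the hostname.

    A wildcard must be the whole leftmost label and matches exactly one label,
    so '*.iot.eu-west-3.amazonaws.com' covers 'abc-ats.iot.eu-west-3.amazonaws.com'
    but neither 'mqtt.abc.example.org' nor 'a.b.iot.eu-west-3.amazonaws.com'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*":
        return pat_labels[1:] == host_labels[1:]
    return pat_labels == host_labels


def hostname_matches(hostname, cert):
    """True if any name the certificate presents covers hostname."""
    return any(dns_name_matches(hostname, name) for name in san_dns_names(cert))


def fetch_peer_cert(hostname, port=8883, cafile="AmazonRootCA1.pem", timeout=10):
    """Connect with SNI set to hostname, verify the chain against cafile, but skip
    the hostname check so a mismatched certificate is returned for inspection
    instead of raising.  A chain failure still raises, which is itself the
    answer (wrong or missing root CA rather than a naming problem)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # name comparison is done below, by us
    ctx.verify_mode = ssl.CERT_REQUIRED  # getpeercert() is only populated after a verified chain
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def diagnose(hostname, cert):
    """Return (matches, presented_names) so the caller can report both."""
    return hostname_matches(hostname, cert), san_dns_names(cert)


# Constructed sample certificates (hypothetical, shaped like getpeercert() output).
# DEFAULT_ENDPOINT_CERT mirrors the names quoted in the question's error, i.e. the
# regional endpoint certificate; CUSTOM_DOMAIN_CERT is what a correctly served
# custom-domain certificate would present.
DEFAULT_ENDPOINT_CERT = {
    "subject": ((("commonName", "*.iot.eu-west-3.amazonaws.com"),),),
    "subjectAltName": (
        ("DNS", "iot.eu-west-3.amazonaws.com"),
        ("DNS", "*.iot.eu-west-3.amazonaws.com"),
    ),
}
CUSTOM_DOMAIN_CERT = {
    "subject": ((("commonName", "mqtt.abc.example.org"),),),
    "subjectAltName": (("DNS", "mqtt.abc.example.org"),),
}


if __name__ == "__main__":
    # Usage: python check_iot_domain.py mqtt.abc.example.org [AmazonRootCA1.pem]
    host = sys.argv[1] if len(sys.argv) > 1 else "mqtt.abc.example.org"
    ca = sys.argv[2] if len(sys.argv) > 2 else "AmazonRootCA1.pem"
    ok, names = diagnose(host, fetch_peer_cert(host, cafile=ca))
    print("presented names:", ", ".join(names))
    print("OK, certificate names" if ok else "MISMATCH, certificate does not name", host)
```

If the presented names are only the regional iot.eu-west-3.amazonaws.com ones, the connection is not being served with the certificate attached to the custom domain, which is exactly what the Python SDK's error already implies. One caveat about the openssl check in the answer: `openssl s_client` verifies the chain but does not compare the certificate name to the host unless you also pass `-verify_hostname mqtt.abc.example.org`, so a "Verify return code: 0 (ok)" with -CAfile alone does not prove the name is right; the "depth=0 CN = ..." line is what to read.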