Copyright © https://mongoose-os.com

Mongoose OS Forum


MBEDTLS_ERR_X509_CERT_VERIFY_FAILED

I'm following the aws iot button instructions and I can't get the ESP-8266 to connect to AWS. Hopefully, somebody can help. I followed the instructions several times. I also used mqtt-spy to successfully connect to aws-iot (with different certs). Publish and subscribe work. I tried using the certs generated by the aws provisioning, but I got an error in mqtt-spy. I suspect mqtt-spy doesn't like parsing the EC key. That's a different problem, but it led me to openssl s_client.

I provisioned the ESP-8266 using aws-iot-setup, which creates the certificates. But, in the mos console, I get the following error:

[Jul 16 14:17:46.606] SW ECDSA verify curve 3 hash_len 32 sig_len 72
[Jul 16 14:17:50.681] mg_ssl_mbed_log 0x3fff194c x509_verify_cert() returned -9984 (-0x2700)
[Jul 16 14:17:50.688] mg_ssl_if_mbed_err 0x3fff194c SSL error: -9984
[Jul 16 14:17:50.691] mgos_mqtt_ev MQTT Connect (0)
[Jul 16 14:17:50.699] mgos_mqtt_ev MQTT Disconnect
[Jul 16 14:17:50.703] mqtt_global_reconnec MQTT connecting after 58786 ms
[Jul 16 14:17:50.713] mongoose_poll New heap free LWM: 20640

-0x2700 means the CERT failed. I found the error by looking through the mbedtls headers.

The cert, CA and key are on the 8266 (mos ls). They are in the config ('mos config-get mqtt'):
{
"clean_session": true,
"client_id": "",
"enable": true,
"keep_alive": 60,
"pass": "",
"reconnect_timeout_max": 60,
"reconnect_timeout_min": 2,
"server": "xxxx.amazonaws.com:8883",
"ssl_ca_cert": "ca.pem",
"ssl_cert": "aws-iot-e3ceee26a5.crt.pem",
"ssl_cipher_suites": "",
"ssl_key": "aws-iot-e3ceee26a5.key.pem",
"ssl_psk_identity": "",
"ssl_psk_key": "",
"user": "",
"will_message": "",
"will_topic": ""
}

Using openssl s_client seems to work. No errors. So the certificates are OK and AWS likes them.

openssl s_client -tls1_2 -connect xxxxxx.amazonaws.com:8883 -CAfile ./ca.pem -cert ./aws-iot-e3ceee26a5.crt.pem -key aws-iot-e3ceee26a5.key.pem

What's going on? Can somebody please help? Thanks!

Comments

  • rojer, Dublin, Ireland
    edited July 17

    what is the size of your ca.pem?
    openssl s_client by default will use certs from system ca path in addition to whatever you specify with -CAfile. to really test a ca file, you need to specify -no-CApath.

  • Thanks for helping. There isn't a '-no-CApath' option for s_client. So I used -CApath /tmp to make sure there aren't any other certificates in the path. openssl s_client still worked OK. I'm using openssl 1.0.1f

    I downloaded (mos get ca.pem > ca.pem) the ca.pem file from the ESP-8266. The file, ca.pem, is present on the ESP-8266 after the 'mos flash aws-esp8266' operation. ca.pem contains three certificates: Digital Signature Trust Co, CyberTrust and GeoTrust. The file is 4085 bytes.

  • rojer, Dublin, Ireland

    that's an old version. after this commit it should be 7845 bytes long

  • That's the problem. Thank you.

    I uploaded (mos put) ca.pem from the mongoose-os/fw/skeleton directory, which replaced the one loaded from mos flash aws-esp8266. Now the ESP8266 connects to AWS MQTT broker. So I guess the aws-esp8266 firmware needs to be updated so the tutorial/example on the web page will go easier for the next guy.

    I'm not sure why openssl s_client worked with the old ca.pem.
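A way to test a CA bundle in isolation, as suggested in the reply about -no-CApath, and to avoid the false positive that made s_client "work" with the old ca.pem. This is an added example, not code from the thread or from the Mongoose OS project; it assumes OpenSSL 1.1.0 or newer (the -no-CAfile/-no-CApath flags do not exist in 1.0.1), and the function names and any host/file arguments are mine.

```shell
#!/bin/sh
# Added example, not from the forum thread. Tests a CA bundle the way the
# device's mbedTLS does: trust ONLY the bundle, never the host's system CA
# store. Assumes OpenSSL >= 1.1.0 (-no-CAfile/-no-CApath are absent in 1.0.1).

# Number of PEM certificates in a bundle (the outdated ca.pem above had 3).
bundle_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Size in bytes, to compare against the size the firmware is expected to ship.
bundle_size() {
    wc -c < "$1" | tr -d ' '
}

# Subject of every certificate in the bundle, one "subject=" line each.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep '^subject='
}

# OpenSSL 3 also consults a default "store"; disable it when the flag exists.
no_store_flag() {
    openssl verify -help 2>&1 | grep -q -- '-no-CAstore' && echo '-no-CAstore'
    return 0
}

# Offline check: validate a server (leaf) certificate, plus any intermediates
# in $3, using nothing but the bundle in $1. Exit status 0 = chain is valid.
verify_with_bundle_only() {
    if [ -n "$3" ]; then
        openssl verify -no-CAfile -no-CApath $(no_store_flag) -CAfile "$1" \
            -untrusted "$3" "$2"
    else
        openssl verify -no-CAfile -no-CApath $(no_store_flag) -CAfile "$1" "$2"
    fi >/dev/null 2>&1
}

# Live check against a broker with the same rules. s_client normally completes
# the handshake even when verification fails and only reports
# "Verify return code"; -verify_return_error makes the handshake fail instead.
strict_s_client() {
    _host=$1 _port=$2 _bundle=$3 _cert=$4 _key=$5
    openssl s_client -connect "$_host:$_port" -servername "$_host" \
        -no-CAfile -no-CApath $(no_store_flag) -CAfile "$_bundle" \
        -cert "$_cert" -key "$_key" -verify_return_error </dev/null
}
```

Run strict_s_client with the broker endpoint, the device's ca.pem and its client cert/key; a non-zero exit or a "Verify return code" other than 0 means the bundle cannot validate the broker, which is what the device's mbedTLS reports as -0x2700.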

  • Sergey, Dublin, Ireland

    Firmware aws-esp8266 updated, please check it out.
