aws-iot-device-sdk-python: CERTIFICATE_VERIFY_FAILED on Own CA
For my solution I want to use X.509 device certificates, as illustrated in http://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html
When I'm trying to connect I get the following error: `SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)')`
I'm running: certifi (2017.1.23), cryptography (1.7.2), AWSIoTPythonSDK (1.1.1), boto3 (1.4.4), botocore (1.5.11) on Python 2.7.13 with OpenSSL 1.0.2j. I got X.509 working via configuring a device in the IoT section, but I want to generate the certificates.
The root CA is generated via:

```sh
# Root CA key and self-signed root certificate
openssl genrsa -out rootCA.key 2048
root_subject="/C=NL/ST=City/L=City/O=Organisation/OU=Part/CN=Part"
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "$root_subject"

# Registration code (extracted with a Python 2 one-liner, matching the 2.7 setup above)
aws_registration_code=$(aws iot get-registration-code)
registration_code=$(python -c "from sys import argv; import json;\
script, data = argv;\
data_dict = json.loads(data);\
print data_dict['registrationCode']" "$aws_registration_code")
echo "registration code: $registration_code"

# Key pair for the verification certificate
openssl genrsa -out verificationCert.key 2048

# CSR: the CN must be the registration code
csr_subject="/C=NL/ST=City/L=City/O=Organisation/OU=Part/CN=$registration_code"
echo "$csr_subject"
openssl req -new -key verificationCert.key -out verificationCert.csr -subj "$csr_subject"

# Private-key verification certificate, signed by the root CA
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256

# Register the CA with AWS IoT and activate it
reg_response=$(aws iot register-ca-certificate --ca-certificate file://rootCA.pem --verification-cert file://verificationCert.pem)
cert_id=$(python -c "from sys import argv; import json; script, data = argv; item = json.loads(data); print item['certificateId']" "$reg_response")
aws iot update-ca-certificate --certificate-id "$cert_id" --new-status ACTIVE
```
The Device CA:

```python
import os
from subprocess import call


# Method of the device class (the rest of the class is not shown here)
def create_certificate_on_disk(self):
    ''' Check if Certificate folder & certificates are available otherwise generate '''
    # check folder
    try:
        os.makedirs(self.device_cert_folder)
    except OSError:
        pass
    if not os.path.isfile(self.device_pem):
        # device key
        call(["openssl", "genrsa", "-out", self.device_key, "2048"])
        # device csr
        device_subject = "/C=NL/ST=City/L=City/O=Organisation/OU=Part/CN=%s" % self.identifier
        call(["openssl", "req", "-new", "-key", self.device_key, "-out", self.device_csr, "-subj", device_subject])
        # device pem, signed by the registered root CA (CA key path is hardcoded here)
        call(["openssl", "x509", "-req", "-in", self.device_csr, "-CA", self.root_pem, "-CAkey", "root_ca/rootCA.key", "-CAcreateserial", "-out", self.device_pem, "-days", "500", "-sha256"])
    else:
        raise Exception("pem already created")
```
The device cert is then registered and set Active.
The debug I get is:
2017-02-15 16:54:21,461 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Paho MQTT Client init.
2017-02-15 16:54:21,461 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - ClientID: basicPubSub
2017-02-15 16:54:21,461 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Protocol: MQTTv3.1.1
2017-02-15 16:54:21,461 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Register Paho MQTT Client callbacks.
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - mqttCore init.
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load CAFile from: root_ca/rootCA.pem
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load Key from: device_certificates/deviceCert.key
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Load Cert from: device_certificates/deviceCert.pem
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: baseReconnectTime = 1 sec
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: maximumReconnectTime = 32 sec
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for backoff timing: minimumConnectTime = 20 sec
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for publish queueing: queueSize = -1
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for publish queueing: dropBehavior = Drop Newest
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Custom setting for draining interval: 0.5 sec
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Set maximum connect/disconnect timeout to be 10 second.
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - DEBUG - Set maximum MQTT operation timeout to be 5 second
2017-02-15 16:54:21,462 - AWSIoTPythonSDK.core.protocol.mqttCore - INFO - Connection type: TLSv1.2 Mutual Authentication
2017-02-15 16:54:21,544 - AWSIoTPythonSDK.core - INFO - iOT Server error: SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)')
Am I missing a step?
About this issue
- State: closed
- Created 7 years ago
- Comments: 16 (2 by maintainers)
Hi everyone,
Thanks for sharing all the information here. The following blogs describe the details about using self-signed CA/Device certificate and Just-In-Time-Registration (JITR) for device certificates:
- https://aws.amazon.com/blogs/mobile/use-your-own-certificate-with-aws-iot/
- https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Some take-away:
Sorry for the inconvenience that has been caused here. Hope the above helps.
Thanks, Liusu