
SSL: Certificate verify failure

Hello,

I'm using the nRF9160DK (PCA10090 0.8.2). I was able to see the data coming from the nRF9160DK in the nrfcloud, but now I want to be able to see the data published by the nRF9160DK in another place (for example in a terminal). Using the SDK located in: https://github.com/aws/aws-iot-device-sdk-python I was able to create a small script in python:

# Import SDK packages
from AWSIoTPythonSDK.MQTTLib import AWSIoTMQTTClient

# Callback invoked for every message received on a subscribed topic
# (the script referenced customCallback without defining it)
def customCallback(client, userdata, message):
    print("Received a new message: ")
    print(message.payload)
    print("from topic: ")
    print(message.topic)
    print("--------------\n\n")

# For certificate based connection
myMQTTClient = AWSIoTMQTTClient("nrf-xxxxxxxxxxxxxxx")
#myMQTTClient = AWSIoTMQTTClient("arn:aws:iot:us-east-1:xxxxxxxxxxxx:cert/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
# For Websocket connection
# myMQTTClient = AWSIoTMQTTClient("myClientID", useWebsocket=True)
# Configurations
# For TLS mutual authentication
myMQTTClient.configureEndpoint("xxxxxxxxxxxwix-ats.iot.us-east-1.amazonaws.com", 8883)
# For Websocket
# myMQTTClient.configureEndpoint("YOUR.ENDPOINT", 443)
# For TLS mutual authentication with TLS ALPN extension
# myMQTTClient.configureEndpoint("YOUR.ENDPOINT", 443)
# Root CA, device private key and device certificate (PEM files)
myMQTTClient.configureCredentials("ca.txt", "privatekey.txt", "certificate.txt")
# For Websocket, we only need to configure the root CA
# myMQTTClient.configureCredentials("YOUR/ROOT/CA/PATH")
myMQTTClient.configureOfflinePublishQueueing(-1)  # Infinite offline Publish queueing
myMQTTClient.configureDrainingFrequency(2)  # Draining: 2 Hz
myMQTTClient.configureConnectDisconnectTimeout(10)  # 10 sec
myMQTTClient.configureMQTTOperationTimeout(5)  # 5 sec
print("Step1")
myMQTTClient.connect()  # TLS handshake happens here; this is where the verify error is raised
print("Connect")
myMQTTClient.subscribe("$SYS/#", 1, customCallback)

When I run this script in a terminal using "python ./client3.py" (name of the python file is client3.py) I get the following error message:

Step1
Traceback (most recent call last):
  File "./client3.py", line 24, in <module>
    myMQTTClient.connect()
  File "/home/thom/Documents/nRF9160devkit/eclipse/aws-iot-device-sdk-python/AWSIoTPythonSDK/MQTTLib.py", line 485, in connect
    return self._mqtt_core.connect(keepAliveIntervalSecond)
  File "/home/thom/Documents/nRF9160devkit/eclipse/aws-iot-device-sdk-python/AWSIoTPythonSDK/core/protocol/mqtt_core.py", line 192, in connect
    self.connect_async(keep_alive_sec, self._create_blocking_ack_callback(event))
  File "/home/thom/Documents/nRF9160devkit/eclipse/aws-iot-device-sdk-python/AWSIoTPythonSDK/core/protocol/mqtt_core.py", line 219, in connect_async
    raise e
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

So there is a certificate verification failure and I do not know how to solve this. The operating system is Ubuntu 18.04.1 LTS running on a virtual machine (using Oracle Virtualbox) with native os Windows 10.

The client ID, endpoint, certificate and private key are all retrieved using the commands from https://docs.api.nrfcloud.com/MQTT/

The certificate and private key are provided in the respective .txt files.

The certificate.txt file looks like:

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----

The privatekey.txt looks exactly like the certificate.txt file, except that it is 27 lines instead of 20 lines and the first and last lines are different (-----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----). The content of the ca.txt file is supplied by the link https://github.com/aws/aws-iot-device-sdk-python#id3 under "Credentials/X.509 certificate", and then the link "AWS IoT root CA".

Is it possible to use this script to subscribe to the topics on which the nRF9160DK publishes (simulated location and simulated orientation), or is this impossible to do, or am I overlooking something?

  • I used the Link Monitor (on native Windows 10 instead of the ubuntu VM) and I followed the steps in the link you mentioned. When I send an AT command to the device, it returns: Error: 'AT+CFUN? ' timed out. I am only able to send AT commands to the device when the AT client sample app is installed. In the top right, only the UART box is green, the Modem, UICC and LTE boxes are red and the PDN box is green. I changed the periodic signal quality request to 1sec. In the chart tab, it does not give any data. This indicates that there is no connection. But when I go to nrfcloud, I can see the device updating and it also returns the simulated orientation of the nrf9160dk. So there is a connection, otherwise the nrfcloud would not return any data. When the nrf9160dk is connected and gives information in nrfcloud, led 4 is turned on.

    I am using a KPN simcard (of type K019) instead of the iBasis sim card that came with the dev kit. The iBasis sim card does not work here in the Netherlands. I don't think this should matter.

  • Using these steps I achieved what you were trying to do:

    1. I created a new device and credentials using the Device API
    2. Use the device id as the client id (note that you must use it exactly as returned in the response, e.g. "c35c5194-c91e-4e52-a8ec-4434850819d7")
    3. Use https://www.amazontrust.com/repository/AmazonRootCA1.pem as ca.txt
    4. Use the returned certificate and private key from (2); I replaced the \n with line breaks in the files
    5. Use "prod/<tenantId>/m/#" to subscribe

    from AWSIoTPythonSDK.MQTTLib import AWSIoTMQTTClient
    import time
    
    myMQTTClient = AWSIoTMQTTClient("c35c5194-c91e-4e52-a8ec-4434850819d7") # (2)
    myMQTTClient.configureEndpoint("a2n7tk1kp18wix-ats.iot.us-east-1.amazonaws.com", 8883)
    myMQTTClient.configureCredentials("ca.txt", "privatekey.txt", "certificate.txt") # (4)
    myMQTTClient.configureOfflinePublishQueueing(-1)  # Infinite offline Publish queueing
    myMQTTClient.configureDrainingFrequency(2)  # Draining: 2 Hz
    myMQTTClient.configureConnectDisconnectTimeout(10)  # 10 sec
    myMQTTClient.configureMQTTOperationTimeout(5)  # 5 sec
    # Custom MQTT message callback
    def customCallback(client, userdata, message):
        print("Received a new message: ")
        print(message.payload)
        print("from topic: ")
        print(message.topic)
        print("--------------\n\n")
    print("Step1")
    myMQTTClient.connect()
    print("Connected")
    print("Step2")
    myMQTTClient.subscribe("prod/55e78cd0-8fe0-4da8-b73f-0aa72712d886/m/#", 1, customCallback)
    print("Subscribed")
    time.sleep(2)
    
    while True:
        time.sleep(1)

    Now when I run this script and my 91 DK is connected and sending data, I will see this output:

    Received a new message: 
    b'{"appId":"GPS","data":"$GPGGA,134714.200,6325.283,N,01026.197,E,1,12,1.0,0.0,M,0.0,M,,*69","messageType":"DATA"}'
    from topic: 
    prod/55e78cd0-8fe0-4da8-b73f-0aa72712d886/m/d/nrf-352656100005076/d2c
    --------------
    
    
    Received a new message: 
    b'{"appId":"FLIP","data":"UPSIDE_DOWN","messageType":"DATA"}'
    from topic: 
    prod/55e78cd0-8fe0-4da8-b73f-0aa72712d886/m/d/nrf-352656100005076/d2c
    --------------
    
    
    Received a new message: 
    b'{"appId":"FLIP","data":"NORMAL","messageType":"DATA"}'
    from topic: 
    prod/55e78cd0-8fe0-4da8-b73f-0aa72712d886/m/d/nrf-352656100005076/d2c
    --------------
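
Steps 3 and 4 of the answer above are where the CERTIFICATE_VERIFY_FAILED in the question usually comes from: the wrong root CA in ca.txt, or a certificate and key written with the literal \n escapes from the Device API's JSON response instead of real line breaks. The following is an added example, not code from the original thread or from the AWS SDK: a small pre-flight check that normalizes the three PEM files and reports structural problems (wrong block label for a file, unconverted escapes, invalid base64, payload that is not DER) before connect() is ever called. The file names, the expected labels per file and the sample_pem helper are assumptions made here.

```python
import base64
import binascii
import re

# Label each file handed to configureCredentials() should carry. Assumption: the nRF Cloud
# Device API returns "CERTIFICATE" / "RSA PRIVATE KEY" blocks (as in the poster's files),
# and ca.txt must hold the Amazon Root CA, which is itself a plain "CERTIFICATE" block.
EXPECTED_LABELS = {
    "ca.txt": {"CERTIFICATE"},
    "certificate.txt": {"CERTIFICATE"},
    "privatekey.txt": {"RSA PRIVATE KEY", "PRIVATE KEY"},
}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def normalize_pem(text):
    """Turn literal \\n escapes (as pasted from the Device API's JSON) into real line
    breaks, drop CRs and surrounding whitespace."""
    return text.replace("\\n", "\n").replace("\r", "").strip() + "\n"

def check_pem(text, allowed_labels):
    """Return the problems found in one PEM file (empty list means it parses): matching
    BEGIN/END label, label expected for that file, valid base64, DER SEQUENCE payload."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no well-formed BEGIN/END block (were the \\n escapes converted?)"]
    problems = []
    for label, body in blocks:
        if label not in allowed_labels:
            problems.append("unexpected label %r" % label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("%r body is not valid base64" % label)
            continue
        if not der or der[0] != 0x30:  # every X.509 cert and PKCS#1/#8 key is a SEQUENCE
            problems.append("%r body does not decode to a DER SEQUENCE" % label)
    return problems

def check_credentials(files):
    """files maps file name -> raw contents; returns file name -> list of problems."""
    return {name: check_pem(normalize_pem(files[name]), labels)
            for name, labels in EXPECTED_LABELS.items()}

def sample_pem(label, der, escaped=False):
    """Constructed sample PEM around `der`; escaped=True writes the line breaks as
    literal \\n, the way they appear inside the API's JSON response."""
    pem = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)
    return pem.replace("\n", "\\n") if escaped else pem
```

Run check_credentials over the contents of the three files before calling connect(); an empty list for every file means the PEM layout is sane, though a clean result still requires that ca.txt actually be the Amazon Root CA for the -ats endpoint.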
    
