adjervis wrote on December 12, 2017:
uTasker, hello, thank you for using Amazon FreeRTOS. The most common explanation for the broker disconnecting the socket is a misconfiguration of the Thing, certificate, and/or policy in the AWS IoT registry. To understand why, keep in mind that Amazon FreeRTOS and the AWS IoT MQTT broker are using TLS with mutual certificate-based authentication. The broker performs authentication before it performs authorization. If you have a trusted, time-valid certificate from AWS, then TLS negotiation (i.e., authentication) will succeed. But if the authorization is misconfigured, the broker will then reset the connection, so the next thing you’ll see is the TLS alert.
The section entitled “Asymmetric Cryptosystem Support” in http://docs.aws.amazon.com/freertos/latest/userguide/freertos-security.html describes the steps for creating a Thing, certificate, and policy using the AWS command-line interface (CLI). (Those steps specifically describe using an ECDSA key; I can provide instructions for RSA if you prefer.) Building on that, here are the steps for using the CLI to confirm that configuration:
First, I look up my Thing by name. This also serves as a sanity check that I’m in the correct region:
aws iot describe-thing --thing-name dcgecc
{
    "version": 1,
    "thingName": "dcgecc",
    "defaultClientId": "dcgecc",
    "attributes": {},
    "thingArn": "arn:aws:iot:us-east-1:785484208847:thing/dcgecc",
    "thingId": "2ed8fce1-c70e-46fe-ab26-dbfc03bd85df"
}
Double-check that your Thing name matches the string you’re using for clientcredentialIOT_THING_NAME in aws_clientcredential.h. Next, confirm that there’s a certificate attached to the thing:
aws iot list-thing-principals --thing-name dcgecc
{
    "principals": [
        "arn:aws:iot:us-east-1:785484208847:cert/86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729"
    ]
}
The latter half of the principal ARN is the certificate ID. Now that I have that, I request a more detailed description:
aws iot describe-certificate --certificate-id 86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729
{
    "certificateDescription": {
        "certificateArn": "arn:aws:iot:us-east-1:785484208847:cert/86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729",
        "status": "ACTIVE",
        "certificateId": "86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729",
        "lastModifiedDate": 1510943901.24,
        "certificatePem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
        "transferData": {},
        "ownedBy": "785484208847",
        "creationDate": 1510943901.24
    }
}
In the above output, note that the contents of the ownedBy field in the certificate description match the serial number that’s embedded in the Thing ARN. As a further sanity check, confirm that the contents of the certificatePem field match your definition for clientcredentialCLIENT_CERTIFICATE_PEM in aws_clientcredential_keys.h in your project.
Next, using the certificate ARN, confirm that there’s a policy attached to it:
aws iot list-principal-policies --principal "arn:aws:iot:us-east-1:785484208847:cert/86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729"
{
    "policies": [
        {
            "policyName": "FullControl",
            "policyArn": "arn:aws:iot:us-east-1:785484208847:policy/FullControl"
        }
    ]
}
Finally, confirm that the rules expressed by that policy are as expected:
aws iot get-policy --policy-name FullControl
{
    "policyName": "FullControl",
    "policyArn": "arn:aws:iot:us-east-1:785484208847:policy/FullControl",
    "policyDocument": "{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "greengrass:*",
                "Resource": "*"
            }
        ]
    }",
    "defaultVersionId": "1"
}
Once you’ve confirmed the above, verify that your clientcredentialMQTT_BROKER_ENDPOINT definition in aws_clientcredential.h matches what you see in the AWS IoT console. In the console, select Manage, Things, then your Thing name. Then select Interact. The URL at the top of the screen, of the form .iot..amazonaws.com, is your endpoint.
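The consistency checks walked through above (Thing name vs. header, certificate attached and ACTIVE, certificate owner vs. Thing account, PEM vs. header, policy granting the MQTT actions) can be scripted once the CLI responses are saved as JSON. The following is an added example, not code from the post or from Amazon FreeRTOS; the account ID, certificate ID, PEM body and header values are constructed placeholders, and it checks only the policy's Action field, not Resource ARNs.

```python
import json
import re

# Constructed responses shaped like the CLI output above (placeholder values).
THING = {"thingName": "dcgecc",
         "thingArn": "arn:aws:iot:us-east-1:123456789012:thing/dcgecc"}
PRINCIPALS = {"principals": ["arn:aws:iot:us-east-1:123456789012:cert/abc123"]}
CERT = {"certificateDescription": {
    "status": "ACTIVE", "ownedBy": "123456789012",
    "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n"}}
POLICY = {"policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]})}

# Values the firmware project defines in aws_clientcredential*.h (constructed).
HEADER_THING_NAME = "dcgecc"
HEADER_CERT_PEM = CERT["certificateDescription"]["certificatePem"]

def action_allows(pattern, action):
    """IAM-style wildcard match: 'iot:*' covers 'iot:Connect'."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action) is not None

def policy_allows(policy_doc, action):
    """True if any Allow statement in the policy document covers the action."""
    for st in json.loads(policy_doc).get("Statement", []):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") == "Allow" and any(action_allows(a, action) for a in actions):
            return True
    return False

def check_registry(thing, principals, cert, policy, header_thing, header_pem):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    if thing["thingName"] != header_thing:
        findings.append("thing name differs from clientcredentialIOT_THING_NAME")
    account = thing["thingArn"].split(":")[4]      # account field of the ARN
    if not principals["principals"]:
        findings.append("no certificate attached to thing")
    desc = cert["certificateDescription"]
    if desc["status"] != "ACTIVE":
        findings.append("certificate status is not ACTIVE")
    if desc["ownedBy"] != account:
        findings.append("certificate ownedBy differs from thing account")
    if desc["certificatePem"].strip() != header_pem.strip():
        findings.append("certificatePem differs from clientcredentialCLIENT_CERTIFICATE_PEM")
    for act in ("iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive"):
        if not policy_allows(policy["policyDocument"], act):
            findings.append("policy does not allow " + act)
    return findings
```

A non-empty result points at the layer the broker rejects after TLS succeeds, which is the case the post describes.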
Regarding the mistake in the permissions instructions on our Getting Started page, thank you for calling that to our attention. We’ll get it fixed.