MQTT Client unable to connect to AWS IoT MQTT Broker

Question

I'm unable to connect my C# code to AWS IoT MQTT Broker, however I'm able to connect using AWS MQTT Client to MQTT broker. I'm using M2MQTT as the MQTT Client in my C# code (https://www.nuget.org/packages/M2Mqtt). Note that .pfx file is created using openSSL using the certificate and private key downloaded from AWS IoT. The certificate is activated and attached to a thing. The rootca.crt is Amazon's root CA.  
  
I keep getting error at Client.Connect(clientId)  
  
"{uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException: Exception of type 'uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException' was thrown. at uPLibrary.Networking.M2Mqtt.MqttClient.SendReceive(Byte\[] msgBytes, Int32 timeout) at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId, String username, String password, Boolean willRetain, Byte willQosLevel, Boolean willFlag, String willTopic, String willMessage, Boolean cleanSession, UInt16 keepAlivePeriod) at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId)  
  
Below is my code  
  
private const string IotEndpoint = "xxvf6ihlpxlxf6.iot.us-east-2.amazonaws.com";  
  
        private const int BrokerPort = 8883;  
  
        private const string Topic = "GaneshM2MQTT/#";  
         var clientCert = new X509Certificate2("C:\Program Files (x86)\GnuWin32\bin\XXXX.pfx", "XXX#");  
  
                var caCert = X509Certificate.CreateFromCertFile("C:\Program Files (x86)\GnuWin32\bin\rootca.crt");  
  
                // create the client  
                var client = new MqttClient(IotEndpoint, BrokerPort, true, caCert, clientCert, MqttSslProtocols.TLSv1_2);  
                //message to publish - could be anything  
                var message = "Test message";  
                string clientId = Guid.NewGuid().ToString();  
                //client naming has to be unique if there was more than one publisher  
                client.Connect(clientId);  
                //publish to the topic  
                client.Publish(Topic, Encoding.UTF8.GetBytes(message));

I'm unable to connect my C# code to AWS IoT MQTT Broker, however I'm able to connect using AWS MQTT Client to MQTT broker. I'm using M2MQTT as the MQTT Client in my C# code (https://www.nuget.org/packages/M2Mqtt). Note that .pfx file is created using openSSL using the certificate and private key downloaded from AWS IoT. The certificate is activated and attached to a thing. The rootca.crt is Amazon's root CA.  
  
I keep getting error at Client.Connect(clientId)  
  
"{uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException: Exception of type 'uPLibrary.Networking.M2Mqtt.Exceptions.MqttCommunicationException' was thrown. at uPLibrary.Networking.M2Mqtt.MqttClient.SendReceive(Byte\[] msgBytes, Int32 timeout) at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId, String username, String password, Boolean willRetain, Byte willQosLevel, Boolean willFlag, String willTopic, String willMessage, Boolean cleanSession, UInt16 keepAlivePeriod) at uPLibrary.Networking.M2Mqtt.MqttClient.Connect(String clientId)  
  
Below is my code  
  
   private const string IotEndpoint = "xxvf6ihlpxlxf6.iot.us-east-2.amazonaws.com";  
  
        private const int BrokerPort = 8883;  
  
        private const string Topic = "GaneshM2MQTT/#";  
         var clientCert = new X509Certificate2("C:\Program Files (x86)\GnuWin32\bin\XXXX.pfx", "XXX#");  
  
                var caCert = X509Certificate.CreateFromCertFile("C:\Program Files (x86)\GnuWin32\bin\rootca.crt");  
  
                // create the client  
                var client = new MqttClient(IotEndpoint, BrokerPort, true, caCert, clientCert, MqttSslProtocols.TLSv1_2);  
                //message to publish - could be anything  
                var message = "Test message";  
                string clientId = Guid.NewGuid().ToString();  
                //client naming has to be unique if there was more than one publisher  
                client.Connect(clientId);  
                //publish to the topic  
                client.Publish(Topic, Encoding.UTF8.GetBytes(message));  
  
I also looked at this link     and    where they fixed the issue by converting .crt to .pfx but in my case its Amazon Root CA , I'm not sure how I can convert to .pfx without private key. This looks like an authentication issue but not sure what is wrong.   
  
Struggling with this issue for a while. Any help or implementation is appreciated.  
  
Edited by: smanickam1983 on Jan 24, 2018 7:33 AM  
  
Edited by: smanickam1983 on Jan 24, 2018 7:56 AM  
  
Edited by: smanickam1983 on Jan 24, 2018 7:57 AM

Answer

Just in case you still looking for an answer  
You MUST make a change in policy to allow to connect  
The easiest one.  
{  
      "Effect": "Allow",  
      "Action": \[  
        "iot:Publish",  
        "iot:Subscribe",  
        "iot:Receive",  
        "iot:Connect"  
      ],  
      "Resource": "*"  
    }

Answer

Quick and speedy response. Question asked in Jan 2018 and response in June 2018. Does aws ever answer question in a day or two.. ? Disappointing..  
  
Edited by: smanickam1983 on Nov 18, 2018 4:48 PM

Answer

Guys , Any help will be appreciated , however I try using my C# code I get an exception. Is there an issue with Topic or Rules Engine?  
  
Latest update is tried the below to diagnose the connectivity to Aws IOt and I get the below   
OpenSSL> s_client -connect a2vf6ihlpxlxf6.iot.us-east-2.amazonaws.com:8443 -CAfi  
le rootca.pem -cert 848511847e-certificate.pem.crt -key 848511847e-private.pem.k  
ey  
CONNECTED(00000180)  
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 200  
6 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primar  
y Certification Authority - G5  
verify return:1  
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Syma  
ntec Class 3 ECC 256 bit SSL CA - G2  
verify return:1  
depth=0 C = US, ST = Washington, L = Seattle, O = "Amazon.com, Inc.", CN = *.iot  
.us-east-2.amazonaws.com  
verify return:1  
---  
Certificate chain  
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-2.amazona  
ws.com  
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3  
ECC 256 bit SSL CA - G2  
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3  
ECC 256 bit SSL CA - G2  
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc.  
 - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Auth  
ority - G5  
---  
Server certificate  
-----BEGIN CERTIFICATE-----  
MIIEkDCCBDagAwIBAgIQPHX+MAHdo7nvctz2elyiVDAKBggqhkjOPQQDAjCBgDEL  
MAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYD  
VQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQDEyhTeW1hbnRlYyBD  
bGFzcyAzIEVDQyAyNTYgYml0IFNTTCBDQSAtIEcyMB4XDTE3MTAxMjAwMDAwMFoX  
DTE4MTAxMzIzNTk1OVowdzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0  
b24xEDAOBgNVBAcMB1NlYXR0bGUxGTAXBgNVBAoMEEFtYXpvbi5jb20sIEluYy4x  
JjAkBgNVBAMMHSouaW90LnVzLWVhc3QtMi5hbWF6b25hd3MuY29tMFkwEwYHKoZI  
zj0CAQYIKoZIzj0DAQcDQgAE2Lsr3j7KdnkNDgajBtnsgGiZn+4KNPT1gQeUNKPS  
gBGaaBol6tJ8xDLIwXlKw4OkevyPUYP5FxjHTmYWzciZmqOCApgwggKUMEUGA1Ud  
EQQ+MDyCG2lvdC51cy1lYXN0LTIuYW1hem9uYXdzLmNvbYIdKi5pb3QudXMtZWFz  
dC0yLmFtYXpvbmF3cy5jb20wCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4AwHQYD  
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGEGA1UdIARaMFgwVgYGZ4EMAQIC  
MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF  
BwICMBkMF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMB8GA1UdIwQYMBaAFCXwiuFL  
etkBlQrtxlPxjHgf2fP4MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9yYy5zeW1j  
Yi5jb20vcmMuY3JsMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDov  
L3JjLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL3JjLnN5bWNiLmNvbS9y  
Yy5jcnQwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwDd6x0reg1PpiCLga2BaHB+  
Lo6dAdVciI09EcTNtuy_zAAAAV8SiCRyAAAEAwBIMEYCIQDmOnouIp_qOjqKTJH+  
L498RmggrqeYSkHKypZSWRM1CwIhAJ+RYaTdepptcIbmaleKuDp0dNfhKPhA4Fgw  
EuQVY/G7AHYApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFfEogk  
pgAABAMARzBFAiAN6ptj++R2uRuVfLxMAd3ZIz3RtboR9Yo/WraUILg4GgIhAJm0  
g7CsP3o3Gwy9ykrYod2Qw/cHTDZQ9BDhPgeM8ZYCMAoGCCqGSM49BAMCA0gAMEUC  
IQD+3PGoXbXmTgKABms0IGg3vS7kFVGeEIOvXBtgB7pHpQIgYP4wms/d59KnYUAZ  
YmUc7a45PjzqGWllA9Pb29yJ1fs=  
-----END CERTIFICATE-----  
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.us-east-2.amaz  
onaws.com  
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class  
3 ECC 256 bit SSL CA - G2  
---  
No client certificate CA names sent  
Client Certificate Types: RSA sign, DSA sign, ECDSA sign  
Requested Signature Algorithms: ECDSA_SHA512:RSA_SHA512:ECDSA_SHA384:RSA_SHA384:  
ECDSA_SHA256:RSA_SHA256:DSA_SHA256:ECDSA_SHA224:RSA_SHA224:DSA_SHA224:ECDSA+SHA1  
:RSA_SHA1:DSA_SHA1  
Shared Requested Signature Algorithms: ECDSA_SHA512:RSA_SHA512:ECDSA_SHA384:RSA_  
SHA384:ECDSA_SHA256:RSA_SHA256:DSA_SHA256:ECDSA_SHA224:RSA_SHA224:DSA_SHA224:ECD  
SA_SHA1:RSA_SHA1:DSA+SHA1  
Peer signing digest: SHA512  
Server Temp Key: ECDH, P-256, 256 bits  
---  
SSL handshake has read 2646 bytes and written 1448 bytes  
Verification: OK  
---  
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384  
Server public key is 256 bit  
Secure Renegotiation IS supported  
Compression: NONE  
Expansion: NONE  
No ALPN negotiated  
SSL-Session:  
    Protocol  : TLSv1.2  
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384  
    Session-ID: 5A6966ECD373E7987DCF2239470B3B65BF5F4BBE77264B1FCACB98C39616937C  
  
    Session-ID-ctx:  
    Master-Key: 249B74E8C667B48A9858C9DB7566B4A2147CB479D73DA1049B9525768F425CE1  
5110AE7CBB08EC516A6474F2D083F27E  
    PSK identity: None  
    PSK identity hint: None  
    SRP username: None  
    Start Time: 1516857067  
    Timeout   : 7200 (sec)  
    Verify return code: 0 (ok)  
    Extended master secret: no  
---

Edited by: smanickam1983 on Jan 24, 2018 8:12 PM  
  
Edited by: smanickam1983 on Jan 24, 2018 8:19 PM  
  
Edited by: smanickam1983 on Jan 24, 2018 8:19 PM  
  
Edited by: smanickam1983 on Jan 24, 2018 9:12 PM  
  
Edited by: smanickam1983 on Jan 24, 2018 9:17 PM

Answer

Another Update   
Microsoft Telnet> open a2vf6ihlpxlxf6.iot.us-east-2.amazonaws.com 8883  
Connecting To a2vf6ihlpxlxf6.iot.us-east-2.amazonaws.com...  
  
Connection to host lost.  
  
What could be the problem?

MQTT Client unable to connect to AWS IoT MQTT Broker

SSL handshake has read 2646 bytes and written 1448 bytes Verification: OK

5110AE7CBB08EC516A6474F2D083F27E PSK identity: None PSK identity hint: None SRP username: None Start Time: 1516857067 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no

Relevant content

SSL handshake has read 2646 bytes and written 1448 bytes
Verification: OK

5110AE7CBB08EC516A6474F2D083F27E
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1516857067
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no