Greengrass and mosquitto client

0

Has anyone got mosquitto to connect to your Greengrass core?
When we try with a registered device client certificate/key and root CA certificate it works in NODE-RED and our own
simulator client.
But, we fail with the exact same files in mosquitto (1.4.5 in case it matters) and Eclipse Paho Python client:

% ~/mimic/iot/mosquitto-1.4.5/mosquitto_sub -h 192.9.192.119 -i monitor-1 -p 8883 -t # --cafile root.ca.pem --cert d6eb066f72.cert.pem --key d6eb066f72.private.key --insecure --tls-version tlsv1.2 -V mqttv311 -d
Client monitor-1 sending CONNECT
Error: A TLS error occurred.

and in GGConnManager.log:

[2019-06-19T14:48:19.356-04:00][ERROR]-MQTT message decoding error: unable to decode received MQTT message. {"errorString": "remote error: tls: unknown certificate authority"}

Could not find anything on the Internet that remotely addressed this issue. Strange that compatibility with
ubiquitous open-source utilities is not a priority...

asked 5 years ago
666 views
9 Answers
0
Accepted Answer

Hi uwegambitcomm,

I apologize for the delay getting back to you. Mosquitto can be used to connect to Greengrass. I've just tested this with libmosquitto 1.4.15 and Greengrass 1.9.2 and everything is working as expected.

Based on what you've tried so far, it looks like you're very close to getting this working. You've retrieved the Greengrass group CA and seem to be passing the correct options to mosquitto_sub (conceptually, at least). The error message you're currently seeing ("Error: Problem setting TLS options.") suggests that Mosquitto is unable to process your command line arguments. Are you sure your file paths are correct?

In my test environment, I added a single device to my Greengrass group and added subscriptions between the device and IoT Cloud on topic 'my/topic'.

Subscribing:

```
$ mosquitto_sub -h <GGC IP> -i <DeviceThingName> -p 8883 -t my/topic --cert <DeviceCertFile> --key <DeviceKeyFile> -d --cafile <GroupCAFile>
```

Publishing:

```
$ mosquitto_pub -h <GGC IP> -i <DeviceThingName> -p 8883 -t my/topic -m "Hello, IoT" --cert <DeviceCertFile> --key <DeviceKeyFile> -d --cafile <GroupCAFile>
```

I hope this helps. Let us know if you see any more issues.

Thanks,
-joe

AWS
answered 5 years ago
0

The only way we found to get the Python client to work was to disable certificates with tls_set

https://github.com/eclipse/paho.mqtt.python#tls_set

and set cert_reqs=ssl.CERT_NONE. This in effect disables certificates.

Edited by: uwegambitcomm on Jul 1, 2019 5:01 AM

answered 5 years ago
0

"remote error: tls: unknown certificate authority" This error usually means that the CA is not correct. Could you please check the CA you use to connect to GGC? It is the group CA, not the root CA.

answered 5 years ago
0

awsjinbo wrote:
"remote error: tls: unknown certificate authority" This error usually means that the CA is not correct. Could you please check the CA you use to connect to GGC? It is the group CA, not the root CA.

It is the same as that defined in AWS Greengrass config.json:

"caPath" : "file:///usr/local/greengrass/certs/root.ca.pem"  

% md5sum /usr/local/greengrass/certs/root.ca.pem
7095142f080d1d25221eec161ff14223 /usr/local/greengrass/certs/root.ca.pem

and on the mosquitto side:

% ~/mimic/iot/mosquitto-1.4.5/mosquitto_sub -h 192.9.192.119 -i monitor-1 -p 8883 -t # --cafile root.ca.pem --cert d6eb066f72.cert.pem --key d6eb066f72.private.key --insecure --tls-version tlsv1.2 -V mqttv311 -d
Client monitor-1 sending CONNECT
Error: A TLS error occurred.

% md5sum root.ca.pem
7095142f080d1d25221eec161ff14223 root.ca.pem

Edited by: uwegambitcomm on Jul 1, 2019 12:25 PM

answered 5 years ago
0

The CA for a GGAD to connect to the GGC core is different from the CA for the GGC to connect to the cloud.

https://docs.aws.amazon.com/greengrass/latest/developerguide/gg-discover-api.html

This is the doc on how you can get the CA to connect to the core.

And this is the Python code to get that CA:
https://github.com/aws/aws-iot-device-sdk-python#basicdiscovery

answered 5 years ago
0

Does not work:

% curl --cert certs/0b0de924d7.cert.pem --key certs/0b0de924d7.private.key -X GET https://greengrass-ats.iot.us-east-1.amazonaws.com:8443/greengrass/discover/thing/monitor-1
{"GGGroups":[{"GGGroupId":"95b85005-95ec-43e9-8c24-1136440ccf95","Cores":[{"thingArn":"arn:aws:iot:us-east-1:409128494776:thing/GG_group2_Core","Connectivity":[{"Id":"3bc7aa76-07de-48bc-a434-70cb8d4829c2","HostAddress":"192.9.192.119","PortNumber":8883}]}],"CAs":["-----BEGIN CERTIFICATE-----\nMIIEFTCCAv2gAwIBAgIVALSsQrg25tvgKKAk560EMQ488I6FMA0GCSqGSIb3DQEB\nCwUAMIGoMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPQW1hem9uLmNvbSBJbmMuMRww\nGgYDVQQLDBNBbWF6b24gV2ViIFNlcnZpY2VzMRMwEQYDVQQIDApXYXNoaW5ndG9u\nMRAwDgYDVQQHDAdTZWF0dGxlMTowOAYDVQQDDDE0MDkxMjg0OTQ3NzY6OTViODUw\nMDUtOTVlYy00M2U5LThjMjQtMTEzNjQ0MGNjZjk1MCAXDTE5MDYwNzE0MjkwOFoY\nDzIwOTkwNjA3MTQyOTA3WjCBqDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0FtYXpv\nbi5jb20gSW5jLjEcMBoGA1UECwwTQW1hem9uIFdlYiBTZXJ2aWNlczETMBEGA1UE\nCAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTE6MDgGA1UEAwwxNDA5MTI4\nNDk0Nzc2Ojk1Yjg1MDA1LTk1ZWMtNDNlOS04YzI0LTExMzY0NDBjY2Y5NTCCASIw\nDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIGvwsZRDWutliSCUOXySNJ+TRXC\nPrPY1OCJy6sI+YYVF1fOlaCKhBNxhhTo7fEghFHs1/7A2k2Tw7Bgftt61l5xDLoO\nSvJXeNt//R8cKnAHbIBSOs0wcHcUuwLP4IVTsuzVdn4zZvEJPt1+cRh/qXHydQQB\ndFfZ2UtwyLlg7kYHuyWqh7EDyGop2Y/TXjEtUjTvgRMMFt9DN2kvS+/97BYfqtxd\niHr/e7TnJD0hksMfGbEpL6d20TH8z6MUvLPwCXsp0jsiznuwMNNofxHG3ODT8V92\nk6iNiA8nHHVAVdOy14TjAIdQCHszevLEb8yWoeJZ3tgpUAg4htdz364QWu0CAwEA\nAaMyMDAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUlnSM9duIiiD5jz+4ywUr\nuTzR0WgwDQYJKoZIhvcNAQELBQADggEBAFpTgIaFAqQAt4IwVR05GCgqyup9i2yS\ndi8gtuSuO7735YS8T4a8pCTMZ9oOOzFAbgKhsIDv1eQWxMnRd0OPESzoQEdEQLSJ\nyGiLNxjXDuU6zRCydFVVDGZ6CU3q3SrhqecYfg5q+HrJ+Br0/kLVznkYPAh7Dwj2\nUXf73tzsTScKe/pEFqi5kcodQO363xbzntoyxgeoSPAaDBb75C3P31OPUJqcrf2S\npWuk0OZruje/6RlRmUK+sVKeKwj/y6PCa/sm2w760e3wYMXEBpNg1mJIZtXSZCDe\ntikAvSCt7djDbEAOhwHhcHSW/BnkGDiHJqJa3bvNo8jPQWUNvbgCkWo=\n-----END CERTIFICATE-----\n"]}]}

save the certificate in certs/GG_group2.ca.pem

% cat certs/GG_group2.ca.pem
% ~/mimic/iot/mosquitto-1.4.5/mosquitto_sub -h 192.9.192.119 -i monitor-1 -p 8883 -t # --cafile certs/GG_group2.ca.pem --cert d6eb066f72.cert.pem --key d6eb066f72.private.key --insecure --tls-version tlsv1.2 -V mqttv311 -d -v
Error: Problem setting TLS options.
answered 5 years ago
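The discovery response in the post above carries the group CA as a JSON string with `\n` escapes, next to the core's host and port. The following Python is an added example, not code from this thread or from the AWS SDK: it parses a response of that shape, checks that each CA is a well-formed PEM block, fingerprints it so two CA files can be compared by content, and writes the bundle for `--cafile`. All function names and the sample response are constructed for illustration.

```python
import base64, hashlib, json, re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """Decode one PEM certificate block to DER; ValueError if it is malformed."""
    m = PEM_RE.search(pem)
    if not m:  # e.g. text pasted from raw JSON that still holds literal \n escapes
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def parse_discovery(body):
    """Return one record per group: its id, core endpoints and group CA(s)."""
    groups = []
    for g in json.loads(body)["GGGroups"]:  # json.loads turns \n escapes into newlines
        cas = [{"pem": pem.strip() + "\n",
                "sha256": hashlib.sha256(pem_to_der(pem)).hexdigest()}
               for pem in g["CAs"]]
        endpoints = [(core["thingArn"], c["HostAddress"], c["PortNumber"])
                     for core in g["Cores"] for c in core["Connectivity"]]
        groups.append({"group_id": g["GGGroupId"], "cas": cas, "endpoints": endpoints})
    return groups

def write_ca_bundle(group, path):
    """Write the group's CA(s) as one PEM file for --cafile (or Paho's ca_certs)."""
    with open(path, "w", newline="\n") as fh:
        fh.write("".join(ca["pem"] for ca in group["cas"]))
    return path

def same_certificate(pem_a, pem_b):
    """Compare two PEM certificates by content, ignoring line-ending differences."""
    return pem_to_der(pem_a) == pem_to_der(pem_b)

# Constructed sample in the shape of the response above. The "certificate" is
# placeholder bytes, not real X.509; host, ARN and ids are made up.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER).decode()
            + "\n-----END CERTIFICATE-----\n")
SAMPLE = json.dumps({"GGGroups": [{
    "GGGroupId": "example-group-id",
    "Cores": [{"thingArn": "arn:aws:iot:us-east-1:000000000000:thing/ExampleCore",
               "Connectivity": [{"Id": "example-conn", "HostAddress": "192.0.2.10",
                                 "PortNumber": 8883}]}],
    "CAs": [FAKE_PEM]}]})

if __name__ == "__main__":
    for grp in parse_discovery(SAMPLE):
        print(grp["group_id"], grp["endpoints"], [ca["sha256"] for ca in grp["cas"]])
```

The check here is structural only (PEM framing and base64); it does not parse the X.509 content. `same_certificate` compares the file passed to `--cafile` with the CA returned by discovery, rather than comparing two copies of the same file.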
0

Error: Problem setting TLS options.

I think this error is related to your client. Can you check how your client is set up? I do not think it is related to the MQTT broker.

answered 5 years ago
0

We got the Python client (using Eclipse Paho Python) to work, but still no luck with mosquitto.

https://www.youtube.com/watch?v=li3oiabEfD8

It seems no one has tried the universal mosquitto?

answered 5 years ago
0

Thank you.
We retried, and it works.
Now it's documented that it works.

answered 5 years ago
