software.amazon.awssdk.crt.mqtt.MqttException: TLS (SSL) negotiation failed

0

I built an MQTT client in Java using Amazon's provided SDK (software.amazon.awssdk.crt.mqtt.MqttClientConnection, and related classes).

I've been testing it by running it on my workstation, and it's been working fine.

Today I tried running the same code on an EC2 instance, and got this exception. I can't figure out why.

java.util.concurrent.ExecutionException: software.amazon.awssdk.crt.mqtt.MqttException: TLS (SSL) negotiation failed
    at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357)
    at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1928)
    at cgp.aws.IOTSubscriber.<init>(IOTSubscriber.java:105)
    at cgp.Thing.main(Thing.java:23)
Caused by: software.amazon.awssdk.crt.mqtt.MqttException: TLS (SSL) negotiation failed
    at software.amazon.awssdk.crt.mqtt.MqttClientConnection.onConnectionComplete(MqttClientConnection.java:139)

Frank
asked 2 years ago · 1382 views
1 Answer
0

Hi Frank. Are you sure you're using the same device cert, same private key, same root CA, same endpoint and same client ID as what you used on your workstation?

AWS Expert
Greg_B
answered 2 years ago
  • Yes, I double-checked all of those things. Could it be some sort of a permissions issue where the EC2 user doesn't have permission to open the required TCP ports?

  • TLS negotiation occurs after the TCP connection is established. So if the error can be taken at face value, it strongly suggests a problem with one of the certificates or with the private key. TLS handshake can also fail due to a timeout, but if your EC2 instance and IoT Core are in the same region, this should not be a factor. What timeout are you using?

  • Ten seconds, but the error appears much sooner than that. I'll check the certificates again. Maybe it's a permissions issue on the certificate files.

  • I tried renaming my certificate and key files to see if this would produce a different error, and it did. So that tells me that Java is able to read the files. I also tried editing the files and changing one of the characters in the key or certificate itself, and this again produced a different error. So that tells me it's probably interpreting the key and certificate correctly.

  • I also tried running the Java command as superuser, figuring the issue might be related to permissions, but that didn't help.
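The distinction drawn in the thread (file access, then TCP reachability, then the TLS handshake) can be checked one stage at a time outside the Java client. The following is an added example, not code from the post or from the AWS SDK; the function name `probe` and its stage labels are made up for illustration, and port 8883 is assumed as the MQTT-over-TLS port.

```python
import socket
import ssl


def probe(host, port=8883, ca_file=None, cert_file=None, key_file=None, timeout=10.0):
    """Return (stage, detail) where stage is 'files', 'tcp', 'tls' or 'ok'."""
    # Stage 1: credential files. A missing or unreadable file raises OSError;
    # a private key that does not belong to the certificate raises ssl.SSLError
    # (itself an OSError subclass).
    try:
        ctx = ssl.create_default_context(cafile=ca_file)
        if cert_file:
            ctx.load_cert_chain(cert_file, key_file)
    except OSError as exc:
        return "files", repr(exc)
    # Cap at TLS 1.2 so a rejected client certificate fails the handshake itself;
    # under TLS 1.3 the server's alert only arrives after the client has finished.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    # Stage 2: plain TCP. Blocked ports, routing or DNS problems surface here,
    # before a single TLS byte is exchanged.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", repr(exc)

    # Stage 3: TLS handshake. Covers an untrusted server chain, a hostname
    # mismatch, a rejected client certificate, or a handshake timeout.
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except OSError as exc:
        sock.close()
        return "tls", repr(exc)


if __name__ == "__main__":
    import sys
    # usage: probe.py <endpoint> <root-ca.pem> <device-cert.pem> <private-key.pem>
    host, ca, cert, key = sys.argv[1:5]
    print(probe(host, 8883, ca, cert, key))
```

This goes through Python's OpenSSL-backed `ssl` module rather than the SDK's native TLS layer, so an `ok` result clears the files and the network path on that host but not the client's own TLS stack.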
