aws/aws-iot-device-sdk-python

Python Paho MQTT cannot connect to AWS IoT using JITP

InfiniteYuan opened this issue · 1 comment

I developed a JITP certificate generation tool on another computer, which has these functions:

  1. Generate a self-signed device certificate
  2. Try to connect to AWS (for automatic registration of things)

I packaged this software with:

pyinstaller -F Tool.py

I tested and verified that the entire process works on the development computer.
However, when I packaged this software and ran it on other computers, an error occurred:

Traceback (most recent call last):
  File "aws_thing_register.py", line 62, in aws_thing_jitp
  File "site-packages\paho\mqtt\client.py", line 937, in connect
  File "site-packages\paho\mqtt\client.py", line 1100, in reconnect
  File "ssl.py", line 1139, in do_handshake
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1076)

This is the code snippet to connect to AWS IoT:

    import os
    import ssl
    import sys
    import time

    import paho.mqtt.client as mqtt

    # Values the snippet takes from elsewhere in Tool.py (placeholders here).
    HOST = "<endpoint>-ats.iot.<region>.amazonaws.com"
    PORT = 8883
    VERISIGN_CA = "AmazonRootCA1.pem"
    DEVICE_CERTIFICATE_PATH = "certs"
    str_mac = "240ac4ea2972"

    # Paths are relative to os.getcwd(), so the packaged exe only finds them
    # when started from the directory that holds CA/ and the certificate dirs.
    base = os.getcwd()
    ca_path = os.path.join(base, "CA", VERISIGN_CA)
    cert_path = os.path.join(base, DEVICE_CERTIFICATE_PATH, str_mac, str_mac + "androot.pem")
    key_path = os.path.join(base, DEVICE_CERTIFICATE_PATH, str_mac, str_mac + ".key")

    def on_connect(client, userdata, flags, rc):
        print("connected, rc=%d" % rc)
        # Publish after the CONNACK instead of right after connect() returns.
        client.publish("helloworld", '{"hello": "Hello from AWS IoT %s"}' % str_mac, qos=1)

    def on_disconnect(client, userdata, rc):
        print("disconnected, rc=%d" % rc)

    client = mqtt.Client(protocol=mqtt.MQTTv311, clean_session=True, userdata=None)
    client.on_connect = on_connect
    client.on_disconnect = on_disconnect

    # Check the files before tls_set(): a missing file raises there, not in connect().
    for path in (ca_path, cert_path, key_path):
        if not os.path.exists(path):
            sys.exit("missing file: " + path)

    # AWS IoT requires TLS 1.2; certfile is the device certificate followed by the CA.
    client.tls_set(ca_certs=ca_path, certfile=cert_path, keyfile=key_path,
                   cert_reqs=ssl.CERT_REQUIRED, tls_version=ssl.PROTOCOL_TLSv1_2)

    # An SSLError here is a handshake failure; retry once after a short wait, and
    # treat a second failure as a certificate problem rather than a transient one.
    for attempt in (1, 2):
        try:
            client.connect(HOST, PORT, keepalive=60)
            break
        except ssl.SSLError as e:
            if attempt == 2:
                sys.exit("TLS handshake failed: %s" % e)
            print("Connect error, reconnecting")
            time.sleep(2)

    client.loop_forever()

This software is developed in Python and uses these packages: OpenSSL, paho, ssl, etc.

I use AmazonRootCA1.pem as ca_certs, 240ac4ea2972androot.pem as certfile, and 240ac4ea2972.key as keyfile.
Example:
240ac4ea2972androot.pem contains the device certificate and the self-signed CA certificate.
240ac4ea2972.key contains the device private key.

Assuming you can connect with AWS-generated certs, it would seem that the problem is likely with how you're generating the certs you're using, and that's not something we're really likely to be able to help with even if we had information on what you're doing. Perhaps consider asking on the AWS forums, as there might be users who have done something similar.
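The reply points at certificate generation, and the issue text says what the two files should contain, so the useful first step is to check the files offline before paho ever opens a socket. The following is an added example, not code from the issue, the SDK or AWS. It assumes the layout the issue describes (`<mac>androot.pem` holds the device certificate followed by the self-signed CA certificate, `<mac>.key` holds the private key) and uses only the standard library. The PEM text embedded in it is constructed for demonstration: the bodies are not real DER, so the structural checks pass on it while the OpenSSL key/certificate pairing check returns False.

```python
"""Offline checks for a JITP client bundle before paho's tls_set() sees it.

Added example, not code from the issue, the SDK or AWS. It assumes the file
layout the issue describes: <mac>androot.pem holds the device certificate
followed by the self-signed CA certificate, and <mac>.key holds the private key.
"""
import os
import re
import ssl
import tempfile

# One PEM block; the label on the END line must match the BEGIN line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.DOTALL
)


def pem_labels(text):
    """Labels of the PEM blocks in order, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def lint_bundle(chain_text, key_text):
    """Return a list of problems with the (chain file, key file) pair; [] means OK.

    JITP needs the device certificate and the CA certificate in the chain file,
    the key file must hold exactly one unencrypted private key, and a BOM left
    by an editor hides the '-----BEGIN' line from OpenSSL's PEM reader.
    """
    problems = []
    chain_labels = pem_labels(chain_text)
    key_labels = pem_labels(key_text)
    for name, text in (("chain", chain_text), ("key", key_text)):
        if text.startswith("\ufeff"):
            problems.append("%s file starts with a UTF-8 BOM" % name)
    n_certs = chain_labels.count("CERTIFICATE")
    if n_certs < 2:
        problems.append("chain file has %d certificate(s); JITP needs the device "
                        "certificate followed by the CA certificate" % n_certs)
    if any(l.endswith("PRIVATE KEY") for l in chain_labels):
        problems.append("chain file contains a private key")
    keys = [l for l in key_labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("key file has %d private key(s), expected exactly 1" % len(keys))
    if any("ENCRYPTED" in l for l in keys) or "Proc-Type: 4,ENCRYPTED" in key_text:
        problems.append("private key is encrypted; the tls_set() call passes no password")
    if "CERTIFICATE" in key_labels:
        problems.append("key file also contains a certificate")
    return problems


def key_matches_first_cert(certfile, keyfile):
    """True if OpenSSL accepts keyfile as the key of the FIRST certificate in certfile.

    load_cert_chain() pairs the key with the first block in the file, so a chain
    written CA-first fails here even when every block is individually valid.
    Files OpenSSL cannot parse at all also give False.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    except (ssl.SSLError, OSError):
        return False
    return True


def check_files(certfile, keyfile):
    """Run both checks on files on disk; returns (problems, key_ok)."""
    with open(certfile, encoding="utf-8") as f:  # keeps a BOM as U+FEFF
        chain_text = f.read()
    with open(keyfile, encoding="utf-8") as f:
        key_text = f.read()
    return lint_bundle(chain_text, key_text), key_matches_first_cert(certfile, keyfile)


# Constructed sample text for demonstration only. The bodies are not real DER,
# so the structure checks pass but OpenSSL rejects them and key_ok is False.
DEVICE_CERT = "-----BEGIN CERTIFICATE-----\nZGV2aWNl\n-----END CERTIFICATE-----\n"
CA_CERT = "-----BEGIN CERTIFICATE-----\nY2E=\n-----END CERTIFICATE-----\n"
DEVICE_KEY = "-----BEGIN EC PRIVATE KEY-----\nc2VjcmV0\n-----END EC PRIVATE KEY-----\n"
GOOD_CHAIN = DEVICE_CERT + CA_CERT


def demo():
    """Write the constructed files under the issue's file names and check them."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "240ac4ea2972androot.pem")
        key = os.path.join(d, "240ac4ea2972.key")
        with open(cert, "w") as f:
            f.write(GOOD_CHAIN)
        with open(key, "w") as f:
            f.write(DEVICE_KEY)
        return check_files(cert, key)


if __name__ == "__main__":
    problems, key_ok = demo()
    print("structure problems:", problems or "none")
    print("key matches first certificate:", key_ok)
```

Run it against the real files with `check_files(cert_path, key_path)`. A clean lint result together with `False` from `key_matches_first_cert()` usually means the chain file is written CA-first, since `load_cert_chain()` pairs the key with the first certificate in the file. These checks only cover what the client can see locally; they cannot tell whether the CA was registered with AWS IoT for the account and region the endpoint belongs to, which a certificate_unknown alert sent by the server can also indicate.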