aws-mqtt

Error in connection establishment

Open DumbledoreD opened this issue 5 years ago • 1 comments

Followed the in-browser usage and got the following error on localhost.

BrowserClient.js:68 WebSocket connection to 'wss://...' failed: Error in connection establishment: net::ERR_CERT_REVOKED

My dev app server is behind an Nginx web server with a self-signed SSL certificate. I'm suspecting this is the reason why it failed to connect, but how do I fix it?

I'm new to the whole message broker, web socket, SSL stuff. Any help is appreciated.

DumbledoreD, Dec 04 '19 02:12

Update: followed this guide and made a CA-signed SSL certificate. Used localhost as the FQDN. Still getting the same error.

The following are the steps that I took to make the certificates:

# Create root CA
# Create private key for generating root certificate
openssl genrsa -out /etc/ssl/private/dev_root_ca.key 2048

# Create root certificate
openssl req -x509 -new -nodes -key /etc/ssl/private/dev_root_ca.key -sha256 -days 1024 \
-out /etc/ssl/certs/dev_root_ca.pem


# Register CA certificate with AWS IoT
# Get a registration code from AWS IoT
aws iot get-registration-code

# Generate a key pair for the private key verification certificate
openssl genrsa -out /etc/ssl/private/aws_verification.key 2048

# Create a CSR for the private key verification certificate.
# Common Name (e.g. server FQDN or YOUR name) []: MY_REGISTRATION_CODE
openssl req -new -key /etc/ssl/private/aws_verification.key -out /etc/ssl/csr/aws_verification.csr

# Use the CSR to create a private key verification certificate
openssl x509 -req -in /etc/ssl/csr/aws_verification.csr -CA /etc/ssl/certs/dev_root_ca.pem \
-CAkey /etc/ssl/private/dev_root_ca.key -CAcreateserial -out /etc/ssl/certs/aws_verification.pem \
-days 1024 -sha256

# Register the CA certificate with AWS IoT
aws iot register-ca-certificate --ca-certificate file:///etc/ssl/certs/dev_root_ca.pem \
--verification-cert file:///etc/ssl/certs/aws_verification.pem

# Use the update-certificate CLI command to activate the CA certificate
aws iot update-ca-certificate --certificate-id xxxxxxxxxxx --new-status ACTIVE


# Create dev site ssl
# Create private key for generating certificate for dev site
openssl genrsa -out /etc/ssl/private/dev_nginx.key 2048

# Create a CSR Certificate Signing Request
openssl req -new -key /etc/ssl/private/dev_nginx.key -out /etc/ssl/csr/dev_nginx.csr

# Create SAN ext config file
# /etc/ssl/ext/dev_san.ext
# authorityKeyIdentifier=keyid,issuer
# basicConstraints=CA:FALSE
# keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# subjectAltName = @alt_names
# [alt_names]
# DNS.1 = localhost

# Create certificate for dev site
openssl x509 -req -in /etc/ssl/csr/dev_nginx.csr -CA /etc/ssl/certs/dev_root_ca.pem \
-CAkey /etc/ssl/private/dev_root_ca.key -CAcreateserial -out /etc/ssl/certs/dev_nginx.crt \
-days 1024 -sha256 \
-extfile /etc/ssl/ext/dev_san.ext


# Register the dev site certificate with AWS IoT
# Register a device certificate
aws iot register-certificate --certificate-pem file:///etc/ssl/certs/dev_nginx.crt \
--ca-certificate-pem file:///etc/ssl/certs/dev_root_ca.pem

# Use the update-certificate CLI command to activate the device certificate
aws iot update-certificate --certificate-id xxxxxxxxxxx --new-status ACTIVE

DumbledoreD, Dec 10 '19 04:12
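
A way to sanity-check the certificates the steps above produce, as an added example that is not part of the original post: it repeats the CA and SAN steps in a scratch directory, then checks that the leaf verifies against the root and is valid for the requested host name. The function names, temporary file names and CA subject are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example. File names and the CA subject are constructed for the demo.

# Build a throwaway root CA and a leaf for DNS name $2 inside directory $1,
# using the same openssl steps and SAN extension file as the post.
make_dev_pki() {
  cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Dev Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$1/san.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $2
EOF
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
  openssl req -x509 -new -key "$1/ca.key" -sha256 -days 30 \
    -config "$1/req.cnf" -out "$1/ca.pem" &&
  openssl genrsa -out "$1/leaf.key" 2048 2>/dev/null &&
  openssl req -new -key "$1/leaf.key" -config "$1/req.cnf" \
    -subj "/CN=$2" -out "$1/leaf.csr" &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/leaf.crt" -days 30 -sha256 \
    -extfile "$1/san.ext" 2>/dev/null
}

# chain_ok ROOT LEAF: does LEAF verify when ROOT is supplied as a trusted CA?
chain_ok() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

# host_ok ROOT LEAF HOST: same, plus the leaf must be valid for HOST.
host_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1 | grep -q ': OK$'
}

# Demo run on constructed certificates.
demo=$(mktemp -d) && make_dev_pki "$demo" localhost &&
  chain_ok "$demo/ca.pem" "$demo/leaf.crt" && echo "chain: OK" &&
  host_ok "$demo/ca.pem" "$demo/leaf.crt" localhost && echo "localhost: OK"
rm -rf "$demo"
```

Against the files from the post, the same check is `host_ok /etc/ssl/certs/dev_root_ca.pem /etc/ssl/certs/dev_nginx.crt localhost`.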