ExAWS unexpected certificate failure for IoT Service

flash4syth · December 2, 2021, 7:10pm

I need to send an operation to an IoT device via AWS’s IoT Service (get a device’s shadow), but I’m getting a bad cert/ hostname error although I’ve checked the cert with AWS, and it is valid and active with the proper IAM privileges to perform the requested operation. The hostname is the same as returned with this cli command: aws iot describe-endpoint Below is a manual version from an iex -S mix session of what the code is doing. What steps can someone recommend to trouble shoot?

ex_aws version 2.1.6
elixir 1.11.1

iex(6)> operation
%ExAws.Operation.JSON{
  before_request: nil,
  data: %{},
  headers: [],
  http_method: :get,
  params: %{},
  parser: nil,
  path: "/things/<THING_NAME>/shadow",
  service: :iotdata,
  stream_builder: nil
}
iex(7)> config
%{
  access_key_id: "AWS_ACCESS_KEY_ID",
  host: "<CUSTOM_PART>.iot.us-east-1.amazonaws.com",
  http_client: ExAws.Request.Hackney,
  json_codec: Jason,
  normalize_path: true,

   scheme: "https://",
  secret_access_key: "AWS_SECRET_ACCESS_KEY"
}
iex(8)> ExAws.Operation.perform(operation, config)
[info] TLS :client: In state :certify at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}
[warn] ExAws: HTTP ERROR: {:tls_alert, {:handshake_failure, 'TLS client: In state certify at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}'}} for URL: "https://<CUSTOM_PART>.iot.us-east-1.amazonaws.com/things/<THING_NAME>/shadow" ATTEMPT: 1
[info] TLS :client: In state :certify at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}

[...]

 [info] TLS :client: In state :certify at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure
 - {:bad_cert, :hostname_check_failed}
[warn] ExAws: HTTP ERROR: {:tls_alert, {:handshake_failure, 'TLS client: In state certify at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}'}} for URL: "https://<CUSTOM_PART>.iot.us-east-1.amazonaws.com/things/<THING_NAME>/shadow" ATTEMPT: 10
{:error,
 {:tls_alert,
  {:handshake_failure,
   'TLS client: In state certify at ssl_handshake.erl:1952 generated CLIENT ALERT: Fatal - Handshake Failure\n {bad_cert,hostname_check_failed}'}}}