jamesrkent

jamesrkent

MQTT TLS connection to AWS

I have AWS IoT core set up as an MQTT broker, and I have created a set of Things with accompanying certificates. When I use a desktop MQTT client like MQTTX, I am able to use these certificates to connect to AWS and subscribe to the relevant topics. When subscribing/publishing I see the messages going back and forth.

Now I tried to replicate this in a simple Elixir app, but I cannot establish a TLS connection to AWS using either Tortoise or emqtt. I believe the issue is the same as both library’s use Erlang’s ssl library.

The strange thing is, I am able to establish a connection using emqtt if I compile it and use the CLI. When I debug that connection, I notice there are a few extra ssl_opt’s configured. I am able to set all of those extra opts besides partial_chain. These are the opts I use so far:

[
  host: "abcdef-ats.iot.eu-west-1.amazonaws.com",
  port: 8883,
  client_id: "endeavour",
  clean_start: false,
  name: :endeavour,
  ssl: true,
  version: ~c"tlsv1.3",
  ssl_opts: [
    handshake: :full,
    verify_fun:
      {&:ssl_verify_hostname.verify_fun/3, [check_hostname: ~c"iot.eu-west-1.amazonaws.com"]},
    secure_renegotiation: true,
    certs_keys: [
      %{
        certfile: ~c"/path/to/certfile",
        keyfile: ~c"/path/to/keyfile"
      }
    ],
    reuse_sessions: true,
    customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)],
    protocol: :tls,
    crl_check: false,
    session_tickets: :disabled,
    fallback: false,
    cacertfile: ~c"/path/to/cacertfile",
    verify: :verify_none,
    server_name_indication: ~c"iot.eu-west-1.amazonaws.com",
    log_level: :debug
  ]
]

Marked As Solved

jamesrkent

jamesrkent

Unfortunately the settings mentioned above didn’t work, but in the meantime I got in touch with AWS support and with their help I got it to work.

I made a mistake with respect to the SNI which was causing my connection to crash. We were able to debug it because I was able to make a succesful connection when I used emqtt’s cli.

When I supply the following settings to emqtt it works:

[
  host: "your-ats-domain.iot.eu-west-1.amazonaws.com",
  port: 8883,
  clientid: "yourclientid",
  clean_start: false,
  name: :yourname,
  ssl: true,
  ssl_opts: [
    versions: [:"tlsv1.2"],
    certs_keys: [
      %{
        certfile: ~c"/path/to/certfile",
        keyfile: ~c"/path/to/keyfile"
      }
    ],
    customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)],
    cacertfile: ~c"/path/to/cacertfile",
    verify: :verify_peer,
    server_name_indication: ~c"your-ats-domain.iot.eu-west-1.amazonaws.com"
  ]
]

Also Liked

seb3s

seb3s

Hi James,

Here is a previous answer I gave for something that could be similar.
I’m able to connect to rabbitmq using amqps protocol with such options.
Hope this could help you, cheers,

Sébastien.

Where Next?

Popular in Questions Top

_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
tduccuong
Hi, is there any work on GUI with Elixir, that is similar to Electron/Javascript? My idea is to bundle Phoenix and BEAM into a single se...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
rms.mrcs
Hi, I need to transform a list of numbers into a map where the keys are the indexes and the values are the original values of the list. ...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
dotdotdotPaul
Okay, I’m having a heck of a time trying to figure out how to best handle the validation of belongs_to associations in Ecto. I’m sure I’...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New
lanycrost
Hi everyone! I need implement if…else if…else condition from my elixir code, and anymore of this control flow structures not work proper...
New

Other popular topics Top

New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New

We're in Beta

About us Mission Statement