I am trying to connect to the AWS MQTT broker using the AWS certificate attached to a thing, but it throws the error below:

ERROR - Exception occured while connecting to broker 
com.amazonaws.services.iot.client.AWSIotTimeoutException: Request timed out when processing request null
        at com.amazonaws.services.iot.client.core.AwsIotCompletion.get(AwsIotCompletion.java:216)
        at com.amazonaws.services.iot.client.core.AbstractAwsIotClient.connect(AbstractAwsIotClient.java:112)
        at com.amazonaws.services.iot.client.AWSIotMqttClient.connect(AWSIotMqttClient.java:501)
        at com.amazonaws.services.iot.client.core.AbstractAwsIotClient.connect(AbstractAwsIotClient.java:101)
        at com.amazonaws.services.iot.client.AWSIotMqttClient.connect(AWSIotMqttClient.java:480)
**After enabling some more log levels I came to know that the reason is something like "certificate_unknown".
Error traces are as follows:**
%% Invalidated:  [Session-5, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384]
MQTT Con: XXXXXXSubscriber, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
MQTT Con: XXXXXXSubscriber, WRITE: TLSv1.2 Alert, length = 2
MQTT Con: XXXXXXSubscriber, called closeSocket()
MQTT Con: XXXXXXSubscriber, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
MQTT Con: XXXXXXSubscriber, called close()
MQTT Con: XXXXXXSubscriber, called closeInternal(true)
Apr 17, 2018 4:32:09 PM com.amazonaws.services.iot.client.mqtt.AwsIotMqttConnectionListener onFailure
WARNING: Connect request failure
MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
        at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
        at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93)
        at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650)
        ... 1 more

My application uses its own JCEKS-based truststore, and I have already added the downloaded certificate to this store. But when I tried this with the default truststore, i.e. the Java cacerts, it connects successfully.

SDK : aws-iot-device-sdk-java-1.1.1.jar
Paho : org.eclipse.paho.client.mqttv3-1.1.0.jar

Hi @snshukla ,

Can you try to re-install the root CA in your customized truststore? Details can be found here:
https://docs.oracle.com/cd/E19906-01/820-4916/geygn/index.html

Root CA for AWS IoT is available here:
https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem

Thanks,
Liusu

Hi @liuszeng ,

It's already present in my customized truststore.

When I tried to connect using my local Windows machine, it shows the following error:

Apr 19, 2018 4:04:33 PM com.amazonaws.services.iot.client.mqtt.AwsIotMqttConnectionListener onFailure
WARNING: Connect request failure
MqttException (0) - javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
	at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
	at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
	at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93)
	at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650)
	... 1 more
Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
	at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1119)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
	... 10 more
Apr 19, 2018 4:04:33 PM com.amazonaws.services.iot.client.core.AwsIotConnection onConnectionFailure
INFO: Connection temporarily lost
Apr 19, 2018 4:04:33 PM com.amazonaws.services.iot.client.core.AbstractAwsIotClient onConnectionFailure
INFO: Client connection lost: XXXXPublisher
Apr 19, 2018 4:04:36 PM com.amazonaws.services.iot.client.core.AwsIotConnection$1 run
INFO: Connection is being retried
Apr 19, 2018 4:04:38 PM com.amazonaws.services.iot.client.mqtt.AwsIotMqttConnectionListener onFailure
WARNING: Connect request failure
MqttException (0) - javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
	at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
	at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No X509TrustManager implementation available
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
	at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93)
	at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650)
	... 1 more
Caused by: java.security.cert.CertificateException: No X509TrustManager implementation available
	at sun.security.ssl.DummyX509TrustManager.checkServerTrusted(SSLContextImpl.java:1119)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
	... 10 more
Apr 19, 2018 4:04:38 PM com.amazonaws.services.iot.client.core.AwsIotConnection onConnectionFailure
INFO: Connection temporarily lost
Apr 19, 2018 4:04:38 PM com.amazonaws.services.iot.client.core.AbstractAwsIotClient onConnectionFailure
INFO: Client connection lost: XXXXPublisher

Thanks,
snshukla

Hi @snshukla ,

Finally I was able to find some solutions.

You will need to specify the customized truststore file location, its password and its type as JVM args, like the following, when you run the SDK samples:

-Djavax.net.ssl.trustStore="/Users/liuszeng/self/customized_java_truststore/MyTrustStore4"
-Djavax.net.ssl.trustStorePassword="123456"
-Djavax.net.ssl.trustStoreType="JCEKS"

After adding these configurations, I was able to run the samples with the normal IoT certificate and private key along with the customized JCEKS TrustStore.

I used the following command to create a JCEKS-typed TrustStore and import the AWS IoT CA:

keytool -import -file ~/Desktop/aws-iot-rootCA.crt -alias awsiot -keystore MyTrustStore4 -storetype jceks

Outputs when I try to list the content:

$ keytool -list -keystore MyTrustStore4                 
keytool error: java.io.IOException: Invalid keystore format  // This is because the storetype defaults to jks
$ keytool -list -keystore MyTrustStore4 -storetype jceks 
Enter keystore password:  
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
awsiot, Apr 27, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5

Hope the above helps.

Thanks,
Liusu
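An added example, not the SDK's code and not posted by anyone in this thread, that turns the two failures above (the `No X509TrustManager implementation available` trace from the Windows run, and the `Invalid keystore format` that `keytool` reports when a JCEKS file is opened under the default type) into a check you can run before starting the client. The trace shows `sun.security.ssl.DummyX509TrustManager`, which is the fallback JSSE installs when it could not build a usable `X509TrustManager` from the default trust store, for example because `javax.net.ssl.trustStore` points at a JCEKS file but `javax.net.ssl.trustStoreType` was not set, or the password is wrong; the real load error is swallowed, so the handshake fails with a misleading message. The program below reads the same three `javax.net.ssl.*` properties the SDK relies on, loads the store with that type so the actual error surfaces, shows what happens under the default type, lists the trusted roots with fingerprints, and confirms a real trust manager with at least one anchor would result. The class name `TrustStoreCheck` is hypothetical; `EXPECTED_SHA1` is the SHA-1 fingerprint from the `keytool -list` output above and is assumed to be the root your endpoint actually chains to (check that against what the endpoint presents, not against this thread). Note that a password passed on the command line is visible to other local users via the process list, and that the JCEKS password only protects the store's integrity, not the confidentiality of public roots.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Loads the trust store named by the same javax.net.ssl.* properties the SDK relies on,
 * but surfaces every failure instead of letting JSSE fall back to DummyX509TrustManager.
 * Illustrative code, not part of aws-iot-device-sdk-java.
 */
public class TrustStoreCheck {

    /** SHA-1 from the keytool -list output in the answer above; assumed to be the root you expect. */
    static final String EXPECTED_SHA1 = "4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5";

    /** Loads the bytes as the given store type. The IOException thrown here is what JSSE would have eaten. */
    static KeyStore load(byte[] storeBytes, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new ByteArrayInputStream(storeBytes)) {
            ks.load(in, password);   // JCEKS bytes read as JKS or PKCS12 fail with "Invalid keystore format"
        }
        return ks;
    }

    /** Colon-separated upper-case hex digest of the DER encoding, in keytool's format. */
    static String fingerprint(Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** The X509TrustManager JSSE builds from this store; null means a handshake would use the dummy. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "");
        if (path == null) {
            System.err.println("set -Djavax.net.ssl.trustStore (and trustStoreType / trustStorePassword)");
            System.exit(2);
        }
        byte[] storeBytes = Files.readAllBytes(Paths.get(path));

        // 1. Load with the configured type. A wrong type or password throws here with the real message.
        KeyStore ks = load(storeBytes, type, password.toCharArray());
        System.out.println("loaded " + path + " as " + ks.getType() + " (" + ks.size() + " entries)");

        // 2. Show what the JVM does without trustStoreType: the default type cannot parse JCEKS bytes.
        if (!ks.getType().equalsIgnoreCase(KeyStore.getDefaultType())) {
            try {
                load(storeBytes, KeyStore.getDefaultType(), password.toCharArray());
            } catch (IOException e) {
                System.out.println("as " + KeyStore.getDefaultType() + " this store fails: " + e.getMessage());
            }
        }

        // 3. List trusted roots with fingerprints, reject expired ones, and look for the expected root.
        boolean found = false;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue;   // private-key entries are not trust anchors
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " " + cert.getSubjectX500Principal()
                    + " SHA-256 " + fingerprint(cert, "SHA-256"));
            cert.checkValidity();                           // throws if the root is expired or not yet valid
            found |= fingerprint(cert, "SHA-1").equals(EXPECTED_SHA1);
        }
        if (!found) {
            System.err.println("expected root " + EXPECTED_SHA1 + " is not a trustedCertEntry in this store");
            System.exit(1);
        }

        // 4. Confirm JSSE would get a real trust manager with anchors, not DummyX509TrustManager.
        X509TrustManager tm = trustManagerFor(ks);
        if (tm == null || tm.getAcceptedIssuers().length == 0) {
            System.err.println("no X509TrustManager with anchors: handshakes would end in certificate_unknown");
            System.exit(1);
        }
        System.out.println("trust manager ok, " + tm.getAcceptedIssuers().length + " accepted issuer(s)");
    }
}
```

Run it with exactly the flags you intend to give the SDK, e.g. `javac TrustStoreCheck.java && java -Djavax.net.ssl.trustStore=MyTrustStore4 -Djavax.net.ssl.trustStoreType=JCEKS -Djavax.net.ssl.trustStorePassword=<password> TrustStoreCheck`. If it exits non-zero, the client would have failed the TLS handshake for the same reason; dropping the `trustStoreType` flag reproduces the `Invalid keystore format` error at step 1 rather than the opaque `No X509TrustManager implementation available` you get from the handshake.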

 