"Server Certificate Verification failed" with Custom Domain #213
Labels: bug, needs-triage, p3
Describe the bug
Hi,
I wanted to report this issue we have been experiencing while trying to switch the IoT Core to custom domain.
Understood that V2 is the solution and should have resolved most issues, we do plan to gradually migrate to V2.
However the thing is we still do have a large number of legacy hardware (Ubuntu 18.04) deployed in the field that we need to support, which makes it a major risk & high cost for us to bring those to V2.
Therefore, we would really appreciate it if anyone could provide some insights on the issues with making the IoT Core custom domain work with V1, so we can save our legacy hardware.
Issue
We are experiencing "Server Certificate Verification failed." during the SSL handshake when connecting to our custom domain, which is also reproducible with the PubSub example. However, the SDK works perfectly when it simply connects to the ATS endpoint.
The only thing we swapped is the endpoint URL in the config file of the SDK, from ATS endpoint to our custom domain. Everything else is properly configured including the ACM SSL certs, VPC endpoint to the iot:data plane, etc.
What we have tried
openssl s_client -connect <ipv4_addr>:443 -CAfile certs/rootCA.crt
as well as
openssl s_client -connect <custom_domain>:443 -CAfile certs/rootCA.crt
Both showed verification OK.
However, we did notice that without specifying the SNI, the s_client always uses the amazonaws SSL cert over our custom domain cert. The results are the following:
Detailed logs are (the "Error resolving hostname: -5" and "SSL Error Code: 2" are fine because they also exist when we connect to the ATS endpoint, which works. However, the "SSL Error Code: 1" seems to be the cause, which maps to SSL_ERROR_SSL in our environment):
Summary
Sorry if I didn't make this concise enough, but at this point we have seemingly run out of things to try and we are hammering a wall right now... Everything points to an SDK V1 specific issue that may be a lack of support for custom domains (which would be surprising if it is)?
Could you suggest anything else to check or try?
Expected Behavior
After switching the endpoint in the config file from ATS to custom domain, it should connect to IoT Core data plane with no issue
Current Behavior
SDK gives "Server Certificate Verification failed.", which seems to be related to SSL
Reproduction Steps
endpoint property and run the PubSub example, and it gets "Server Certificate Verification failed."
Possible Solution
No response
Additional Information/Context
No response
SDK version used
Compiled from the latest master branch
Environment details (OS name and version, etc.)
Ubuntu 18.04, OpenSSL 1.1.0g
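Added for illustration (not code from the SDK or from the reporter): the name check a verifying TLS client performs on the server certificate, showing that a certificate issued for the service's own names, like the one the report says is served when no SNI is sent, does not cover a custom domain. All hostnames and SAN lists below are constructed placeholders.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case a DNS name and drop one trailing dot so comparisons are case-insensitive.
static std::string normalize(std::string name) {
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (!name.empty() && name.back() == '.') name.pop_back();
    return name;
}

// RFC 6125 style match of one certificate dNSName against the host the client asked for.
// A wildcard is honoured only as the entire left-most label and covers exactly one label.
bool dns_name_matches(const std::string& pattern_in, const std::string& host_in) {
    const std::string pattern = normalize(pattern_in);
    const std::string host = normalize(host_in);
    if (pattern.empty() || host.empty()) return false;
    if (pattern.compare(0, 2, "*.") != 0) return pattern == host;  // no wildcard: exact match
    const std::string suffix = pattern.substr(1);                  // e.g. ".iot.example.com"
    if (suffix.find('*') != std::string::npos) return false;       // only one wildcard allowed
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false;  // refuse "*.com"
    const std::size_t first_dot = host.find('.');
    if (first_dot == std::string::npos || first_dot == 0) return false;
    return host.compare(first_dot, std::string::npos, suffix) == 0;
}

// True when any subjectAltName dNSName entry covers the requested host.
bool cert_covers_host(const std::vector<std::string>& san_dns_names, const std::string& host) {
    return std::any_of(san_dns_names.begin(), san_dns_names.end(),
                       [&](const std::string& n) { return dns_name_matches(n, host); });
}

// Constructed SAN lists: a service-default certificate and a custom-domain certificate.
const std::vector<std::string> kDefaultCertSans = {"*.iot.example-region.amazonaws.com",
                                                   "iot.example-region.amazonaws.com"};
const std::vector<std::string> kCustomCertSans = {"iot.example.com"};
```

Running `openssl s_client` with `-servername <custom_domain>` shows which certificate the endpoint presents when SNI is sent, and its SAN entries can be compared against the configured endpoint name the same way.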