5

I am following https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/ and have a problem when executing the following command:

$ mosquitto_pub --cafile root.cert --cert deviceCertAndCACert.crt --key deviceCert.key -h .iot.us-east-1.amazonaws.com -p 8883 -q 1 -t foo/bar -i anyclientID --tls-version tlsv1.2 -m "Hello" -d

It gives me the error

Error: Problem setting TLS options.

I could not find what this error means or how to fix it. Do I need to "install" TLSv1.2 on my Ubuntu 16.04? Actually there is no information on how to install TLS1.2. There is some information regarding enabling TLSv1.2 for Apache or nginx, etc. Is TLSv1.2 built into Ubuntu?

Donald Duck
Charles Ju

4 Answers

1

It's not a very useful error message. I found I was getting it when I had a misspelled filename, in my case in the --key option. Make sure you download the AWS root.cert file per the instructions. You also do not show a value for the host name, but I assume that is because you are redacting that value. You will need to have the correct AWS IoT Endpoint hostname for your account.

evenchayah
1

This is still an open issue in the mosquitto GitHub repository. The error message is not clear.

If you're following their JITR or JITP (the new way of auto-provisioning AWS IoT resources like certificates, policies, thing, etc), you should use the latest and preferred certificates. The one in the tutorial is using the legacy certificate which is VeriSign Class 3 Public Primary G5 root CA certificate.

You should use the ATS CA certificates, like this one with an RSA 2048 bit key: Amazon Root CA 1 (download it and save it as root.cert). That should fix your issue with Error: Problem setting TLS options.

1

I had the same issue, but I was able to solve it by following these three steps:

  1. Locate your <yourCertificate>.crt file.
  2. Create a symlink in the folder /etc/ssl/certs/ pointing to your <yourCertificate>.crt file.
  3. Use the --capath option instead of the --cafile option.

So your command should look like this:

$ mosquitto_pub --capath /etc/ssl/certs/ -h .iot.us-east-1.amazonaws.com -p 8883 -q 1 -t foo/bar -i anyclientID --tls-version tlsv1.2 -m "Hello" -d

Source: this specific comment in the issue pointed out by Joshua Tonga.

Mena
Kolo
0

You'll get this error on older versions of the mosquitto-clients tools.

Install 1.4.13 or higher and your connection to AWS IoT should work (providing your certificates are set up correctly).

ddewaele
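
Since the error does not say which option is at fault, a preflight on the three files passed to --cafile, --cert and --key narrows it down before mosquitto_pub is run. The script below is an added example, not part of any answer above; the function names are hypothetical and the key/certificate comparison assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for the files passed to
# mosquitto_pub via --cafile, --cert and --key.

# check_pem FILE REGEX: succeed only if FILE exists, is readable, and holds
# a PEM block whose BEGIN label matches REGEX (extended regex).
check_pem() {
    if [ ! -f "$1" ]; then
        echo "missing: $1 (misspelled path?)" >&2; return 1
    elif [ ! -r "$1" ]; then
        echo "unreadable: $1 (check permissions)" >&2; return 2
    elif ! grep -Eq -e "^-----BEGIN $2-----" "$1"; then
        echo "no PEM '$2' block in: $1" >&2; return 3
    fi
}

# preflight CAFILE CERT KEY: check all three files and report every problem;
# the return status is the number of files that failed.
preflight() {
    failures=0
    check_pem "$1" 'CERTIFICATE' || failures=$((failures + 1))
    check_pem "$2" 'CERTIFICATE' || failures=$((failures + 1))
    check_pem "$3" '([A-Z]+ )?PRIVATE KEY' || failures=$((failures + 1))
    return "$failures"
}

# key_matches_cert CERT KEY: true if the first certificate in CERT carries
# the public key belonging to KEY. Assumes the openssl CLI is installed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run as: sh preflight.sh root.cert deviceCertAndCACert.crt deviceCert.key
if [ "$#" -eq 3 ]; then
    preflight "$@" || exit 1
    key_matches_cert "$2" "$3" || { echo "key does not match cert" >&2; exit 1; }
    echo "TLS files look usable"
fi
```

A passing preflight only rules out file-level causes; the client version mentioned above can be checked with mosquitto_pub --help.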