
I am using the AWS IoT MQTT protocol for real-time updates on my web app. I'm getting this certificate error, net::ERR_CERT_SYMANTEC_LEGACY, on Chrome; it only works on localhost.

Faraz Sarwar
  • [Symantec certificates won't work from Chrome 70](https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html). Most AWS services have migrated, but I don't know about IoT. [I've asked in the AWS forum](https://forums.aws.amazon.com/thread.jspa?threadID=287062&tstart=25) but received no answer. – nachoab Aug 24 '18 at 15:34

2 Answers

12

Symantec certificates won't work from Chrome 70

AWS just posted a solution:

  • IoT endpoints can't be changed automatically like other AWS services' endpoints, because IoT devices need to be updated too.
  • IoT now provides a new endpoint from Amazon Trust Services (ATS), which uses a trusted certificate. These endpoints have -ats at the end, e.g. example-ats.iot.us-east-2.amazonaws.com. The new and old endpoints are interoperable (the only difference is the certificate).
  • New regions launched after May 2018 serve Amazon Trust Services signed certificates only.

How to update:

  • Run `aws iot describe-endpoint --endpoint-type iot:Data-ATS`
  • Update the endpoint in your web app with that new URL.

More info at: How AWS IoT Core is Helping Customers Navigate the Upcoming Distrust of Symantec Certificate Authorities

nachoab
  • This is basically a link-only answer that will become useless once the links break. Please update the answer to include the significant information here. – hardillb Sep 03 '18 at 09:16
0

The easiest way to get your new endpoint, if you're worried about adding -ats in the wrong place in the URL:

  1. Log in to your AWS account
  2. Go to the IoT service page
  3. Select Settings from the sidebar
  4. Copy-paste the new endpoint

It only displays the updated ATS endpoint, so there's no way for you to copy the wrong link.

Solo
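An added example that is not from either answer: a small Python helper that derives the ATS hostname from a legacy AWS IoT endpoint (refusing any hostname it does not recognise, so "-ats" cannot land in the wrong place), and, when run directly against a real endpoint, opens a verified TLS connection to report who issued the certificate it serves. The hostname pattern, the default port of 443 (MQTT over WebSockets, as a browser client uses) and the example hostname are assumptions.

```python
import re
import socket
import ssl

# Assumed shape of AWS IoT data endpoints, e.g. example.iot.us-east-2.amazonaws.com
# (legacy endpoint) and example-ats.iot.us-east-2.amazonaws.com (ATS endpoint).
_IOT_ENDPOINT = re.compile(
    r"^(?P<prefix>[a-z0-9]+)(?P<ats>-ats)?\.iot\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)


def to_ats_endpoint(host: str) -> str:
    """Return the ATS form of an AWS IoT endpoint hostname (idempotent).

    Raises ValueError for anything that is not an IoT data endpoint, so a
    mistyped host never silently gets "-ats" inserted somewhere wrong.
    """
    m = _IOT_ENDPOINT.match(host.strip().lower())
    if not m:
        raise ValueError(f"not an AWS IoT data endpoint: {host!r}")
    return f"{m['prefix']}-ats.iot.{m['region']}.amazonaws.com"


def is_ats_endpoint(host: str) -> bool:
    """True when the hostname already points at the ATS endpoint."""
    m = _IOT_ENDPOINT.match(host.strip().lower())
    return bool(m and m["ats"])


def leaf_cert_issuer(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the leaf certificate's issuer.

    Network check; port 443 is an assumption (use 8883 for plain MQTT over TLS).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = tls.getpeercert()["issuer"]
    # getpeercert() returns the issuer as a tuple of RDNs, each a tuple of
    # (attribute, value) pairs; flatten it into a plain dict for printing.
    return {attr: value for rdn in issuer for attr, value in rdn}


if __name__ == "__main__":
    import sys
    # Constructed sample hostname; pass your own endpoint as the first argument.
    legacy = sys.argv[1] if len(sys.argv) > 1 else "example.iot.us-east-2.amazonaws.com"
    ats = to_ats_endpoint(legacy)
    print("use this endpoint:", ats)
    if len(sys.argv) > 1:
        print("certificate issuer:", leaf_cert_issuer(ats))
```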