Aws-iot-device-sdk-python-v2: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE in 1.0.6 (awscrt 0.5.13)

Created on 15 Apr 2020  ·  17 comments  ·  Source: aws/aws-iot-device-sdk-python-v2

Describe the bug
After upgrading my installation to awsiotsdk-1.0.6, it stopped working with awscrt and is unable to authorize with the AWS backend. It may be connected to the awscrt update to 0.5.13.

SDK version number
awsiotsdk-1.0.6

Platform/OS/Device
rpi3b+

To Reproduce (observed behavior)
Update awsiotsdk to version 1.0.6.

Expected behavior
It should work as expected.

Logs/output

Apr 15 06:55:01 raspberrypi python3[581]: Connecting to something-east-1.amazonaws.com with client ID 'foo-bar-baz'...
Apr 15 06:55:01 raspberrypi python3[581]: Traceback (most recent call last):
Apr 15 06:55:01 raspberrypi python3[581]:   File "app.py", line 86, in <module>
Apr 15 06:55:01 raspberrypi python3[581]:     connect_future.result()
Apr 15 06:55:01 raspberrypi python3[581]:   File "/usr/lib/python3.7/concurrent/futures/_base.py", line 432, in result
Apr 15 06:55:01 raspberrypi python3[581]:     return self.__get_result()
Apr 15 06:55:01 raspberrypi python3[581]:   File "/usr/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
Apr 15 06:55:01 raspberrypi python3[581]:     raise self._exception
Apr 15 06:55:01 raspberrypi python3[581]: awscrt.exceptions.AwsCrtError: AwsCrtError(name='AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE', message='TLS (SSL) negotiation failed', code=1029)
Apr 15 06:55:01 raspberrypi systemd[1]: app.service: Main process exited, code=exited, status=1/FAILURE

All 17 comments

I experienced the same issue.

I found your post while searching for a similar issue with the CPPv2 SDK, which I believe is based on the same underlying functions. I discovered that the CPPv2 SDK was trying to validate the full chain of trust, not just my supplied CA certificate, but the full chain of trust did not exist on my device. By copying /etc/ssl/certs/ca-certificates.crt from my Ubuntu machine to my device and passing it to the Aws::Iot::MqttClientConnectionConfigBuilder::WithCertificateAuthority() method, I was able to supply a complete trust store that worked. I'm not sure what the Python equivalent of this method is, but it must be there; I hope this suggestion helps you!

Update: on the latest version of the C++ SDK I also see that S2N (the AWS TLS stack) will select ECDSA for signing, which is not supported by the release version of the code base.

@jsakwa's advice seems sound.
Can you run samples/pubsub.py with --root-ca set? Usually you would pass the Amazon Root CA 1 file available here

@graebm, I don't have the bandwidth to test the

@graebm I just tested again. Version 1.0.5 works fine. The issue occurs when using version 1.0.6. I'm using a certificate signed with the CA you mention (not the deprecated one).

This test was run using pubsub.py with --root-ca in a Docker container.

Here is an excerpt of the debug output:

(...)

[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006320: Scheduling attempt_connection task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006320: Running attempt_connection task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: initializing with domain 1 and type 0
Unsupported setsockopt level=1 optname=16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setting socket options to: keep-alive 0, keep idle 0, keep-alive interval 0, keep-alive probe count 0.
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setsockopt() for NO_SIGNAL failed with errno 92. If you are having SIGPIPE signals thrown, you may want to install a signal trap in your application layer.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: beginning connect.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connecting to endpoint [redacted]:443.
[ERROR] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connect failed with error code 99.
[INFO ] [2020-04-25T22:14:14Z] [fdeff460] [dns] - id=0xff2df650: recording failure for record [redacted] for [redacted].iot.us-east-1.amazonaws.com, moving to bad list
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [dns] - static: purging address [redacted] for host [redacted].iot.us-east-1.amazonaws.com from the cache due to cache eviction or shutdown
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: is still open, closing...
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: closing
[ERROR] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: failed to create socket with error 1055
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006450: Scheduling attempt_connection task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006450: Running attempt_connection task with <Running> status
Unsupported setsockopt level=1 optname=16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: initializing with domain 0 and type 0
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setting socket options to: keep-alive 0, keep idle 0, keep-alive interval 0, keep-alive probe count 0.
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setsockopt() for NO_SIGNAL failed with errno 92. If you are having SIGPIPE signals thrown, you may want to install a signal trap in your application layer.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: beginning connect.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connecting to endpoint [redacted]:443.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503440: Scheduling (null) task for future execution at time 3166071860135
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503488: Scheduling epoll_event_loop_unsubscribe_cleanup task for immediate execution
[INFO ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connection success
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: local endpoint 172.17.0.2:58438
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: assigning to event loop 0xff281f60
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: client connection on socket 0xfd502a50 completed with error 0.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: Beginning creation and setup of new channel.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c48: Scheduling on_channel_setup_complete task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503488: Running epoll_event_loop_unsubscribe_cleanup task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c48: Running on_channel_setup_complete task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: setup complete, notifying caller.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: no message pool is currently stored in the event-loop local storage, adding 0xfd504740 with max message size 16384, message count 4, with 4 small blocks of 128 bytes.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: channel 0xfd504088 setup succeeded: bootstrapping.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket-handler] - id=0xfd514e68: Socket handler created with max_read_size of 16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd515038: Scheduling tls_timeout task for future execution at time 3165183175311
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: negotiation failed with error Invalid signature algorithm (Error encountered in /tmp/pip-wheel-tiv_gdev/awscrt/aws-common-runtime/s2n/tls/s2n_client_cert_verify.c line 96)
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: tls negotiation result 1029 on channel 0xfd504088
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5041c8: Scheduling channel_shutdown task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: Channel shutdown is already pending, not scheduling another.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5041c8: Running channel_shutdown task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: beginning shutdown process
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd514e68 shutdown in read dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: Shutting down read direction with error code 1029
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd515020 shutdown in read dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Scheduling (null) task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Running (null) task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: Shutting down write direction
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd515020 shutdown in write dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: closing
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c00: Scheduling epoll_event_loop_unsubscribe_cleanup task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd514ec8: Scheduling socket_handler_close task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c00: Running epoll_event_loop_unsubscribe_cleanup task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd514ec8: Running socket_handler_close task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd514e68 shutdown in write dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Scheduling (null) task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Running (null) task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: during shutdown, canceling task 0xfd515038
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd515038: Running tls_timeout task with <Canceled> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: channel 0xfd504088 shutdown with error 1029.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: destroying channel.
Traceback (most recent call last):
  File "/opt/controller/pubsub.py", line 141, in <module>
    connect_future.result()
  File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 435, in result
    return self.__get_result()
  File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
awscrt.exceptions.AwsCrtError: AwsCrtError(name='AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE', message='TLS (SSL) negotiation failed', code=1029)
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: user called disconnect.
[ERROR] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: Connection is not open, and may not be closed
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: Destroying connection
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-topic-tree] - tree=0xff340960: Cleaning up topic tree
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - client=0xfe8bff28: Cleaning up MQTT client
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [channel-bootstrap] - id=0xff3109a0: releasing bootstrap reference
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [channel-bootstrap] - id=0xff3109a0: destroying

Hmm... we updated our cipher preferences recently. Any chance you could get a Wireshark capture of the TLS handshake and post the client and server hello messages?

Hi @JonathanHenson @graebm, if this is using the same S2N stack as the CPPv2 SDK, I observed that on the latest SDK version v1.5.5 on my system this also fails because the device advertises support for ECDSA, but the S2N stack only supports RSA, and during negotiation ECDSA gets chosen. adolfogc's log looks the same as mine during that particular failure mode.

I tried pulling in the S2N version on master, which is supposed to support ECDSA, but at least on my system this also failed, because somehow it would try to use the ECDSA key from the RSA code. I was planning to fix that and submit a pull request to S2N, but I haven't gotten around to it.

I'm currently using v1.5.1 of the CPPv2 SDK, which negotiates to always use RSA during the challenge step

Okay, I know where to look now, but is there any chance you could get me a handshake capture so I can go look at the s2n side of this?

Hi @JonathanHenson, would the following be enough?

Client Hello:
[screenshot]

Server Hello:
[screenshot]

Handshake:

[screenshot]

Was the alert sent from the client or the server?
It also looks like SNI is empty? That would also make the negotiation fail. What are you setting for the server name?

@JonathanHenson I was using the old endpoint (<endpoint-id>.iot.us-east-1.amazonaws.com); I switched to the ATS one (<endpoint-id>-ats.iot.us-east-1.amazonaws.com) and now it works. Thanks for your help!

According to https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/ we should switch to -ats as soon as possible, @adolfogc, @JonathanHenson?

@mkozjak I did that and the issue was resolved

Thanks Mario for sharing the link to that post here. Again: https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/

The default configuration for the V2 device SDKs will no longer work with the old non-ATS endpoints. Run aws --region <region> iot describe-endpoint --endpoint-type "iot:Data-ATS" to get the ATS endpoint.
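The thread narrows this failure down to a small set of causes: a legacy (non-ATS) endpoint, the wrong root CA, an empty SNI/server name, and (later in the thread) a missing port. The following preflight-and-triage helper is an added example, not code from the SDK or from anyone in this issue. It validates the endpoint and port a client is about to use and scans awscrt debug output for the lines that identified the failure above. The endpoint patterns, the finding codes and the sample log lines are the example's own constructions, modelled on the output quoted in the thread; no real endpoint IDs are used.

```python
"""Preflight and log triage for AWS IoT Device SDK v2 TLS negotiation failures.

Added example; not part of the SDK or of the issue thread. It checks the
connection parameters against the causes discussed in the thread and scans
awscrt/s2n debug lines for the known signatures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List

# AWS IoT data endpoints: "<id>-ats.iot.<region>.amazonaws.com" (ATS) versus the
# legacy "<id>.iot.<region>.amazonaws.com" that the v2 SDK defaults no longer accept.
REGION = r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
ATS_RE = re.compile(r"^(?P<id>[a-z0-9]+)-ats\.iot\." + REGION + r"\.amazonaws\.com$")
LEGACY_RE = re.compile(r"^(?P<id>[a-z0-9]+)\.iot\." + REGION + r"\.amazonaws\.com$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "error", "warn" or "info"
    code: str       # short machine-readable tag (names chosen for this example)
    message: str    # what to do about it


def check_endpoint(endpoint: str, port: int) -> List[Finding]:
    """Checks the endpoint/port pair before a connect attempt is made."""
    findings: List[Finding] = []
    host = endpoint.strip().lower()
    if ATS_RE.match(host):
        pass  # ATS endpoint: nothing to report
    elif (m := LEGACY_RE.match(host)):
        suggested = f"{m['id']}-ats.iot.{m['region']}.amazonaws.com"
        findings.append(Finding("error", "legacy-endpoint",
            f"{host} is a legacy (non-ATS) endpoint; the v2 SDK default TLS configuration "
            f"will not negotiate with it. Use {suggested} (from "
            "'aws iot describe-endpoint --endpoint-type iot:Data-ATS')."))
    else:
        findings.append(Finding("warn", "unrecognised-endpoint",
            f"{host} does not look like an AWS IoT data endpoint; it is also sent as SNI, "
            "so a wrong value here surfaces as a TLS negotiation failure."))
    if port not in (8883, 443):
        findings.append(Finding("error", "bad-port",
            f"port {port} is not an AWS IoT MQTT port; pass port=8883 explicitly "
            "(the thread's samples connect on 8883 or 443)."))
    return findings


# (pattern, code, severity, explanation), taken from the log lines quoted in the thread.
LOG_SIGNATURES = [
    (re.compile(r"negotiation failed with error Invalid signature algorithm"),
     "tls-signature-algorithm", "error",
     "s2n rejected the signature algorithm in the client-certificate step; in the thread this "
     "went away after moving to the -ats endpoint with Amazon Root CA 1 as --root-ca."),
    (re.compile(r"AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE|tls negotiation result 1029"),
     "tls-negotiation-1029", "error",
     "generic TLS negotiation failure (code 1029); check endpoint type, root CA and server name."),
    (re.compile(r"Error during negotiation\. SECURITY_STATUS is -?\d+"),
     "schannel-negotiation", "error",
     "Windows (SChannel) TLS negotiation failure; the same checks apply."),
    (re.compile(r"connect failed with error code 99"),
     "connect-errno-99", "info",
     "a socket connect attempt failed with errno 99; in the thread a later attempt succeeded, "
     "so this is not the cause of the TLS failure that follows."),
    (re.compile(r"setsockopt\(\) for NO_SIGNAL failed"),
     "no-signal-unsupported", "info",
     "the platform lacks the NO_SIGNAL socket option; harmless unless SIGPIPE is observed."),
]


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Reports each known signature once, in order of first appearance."""
    findings: List[Finding] = []
    seen = set()
    for line in lines:
        for pattern, code, severity, explanation in LOG_SIGNATURES:
            if code not in seen and pattern.search(line):
                seen.add(code)
                findings.append(Finding(severity, code, explanation))
    return findings


def triage(endpoint: str, port: int, log_lines: Iterable[str]) -> List[Finding]:
    """Combines the configuration check with the log scan."""
    return check_endpoint(endpoint, port) + scan_log(log_lines)


# Constructed sample: a legacy endpoint on port 443 and log lines modelled on the
# debug excerpt in the thread (placeholder IDs, no real identifiers).
SAMPLE_ENDPOINT = "a1b2c3d4e5f6g7.iot.us-east-1.amazonaws.com"
SAMPLE_LOG = [
    "[ERROR] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connect failed with error code 99.",
    "[INFO ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connection success",
    "[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: negotiation failed with error Invalid signature algorithm (Error encountered in s2n_client_cert_verify.c line 96)",
    "[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: tls negotiation result 1029 on channel 0xfd504088",
    "awscrt.exceptions.AwsCrtError: AwsCrtError(name='AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE', message='TLS (SSL) negotiation failed', code=1029)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENDPOINT, 443, SAMPLE_LOG):
        print(f"[{f.severity}] {f.code}: {f.message}")
```

Run against the sample, the first finding is the legacy endpoint with the suggested `-ats` replacement, which is exactly the change that closed this issue; the log findings then confirm that the errno 99 connect failure is noise and that the `Invalid signature algorithm` line is the real negotiation failure behind code 1029.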

I was experiencing a persistent TLS negotiation failure when using the AWS IoT Python SDK v2, despite using the .ats endpoint, but as suggested in the AWS blog I was able to resolve the issue by changing the root certificate from a G2-RootCA1 certificate to an AmazonRootCA1 certificate.

Hi,
I was stuck with this error for 2 hours when I migrated from the old SDK to v2 (v1.5.0); I even tried it in several environments: Windows 10, Ubuntu 18 and macOS.

The old SDK sample basicPubSub.py just works with my key, certificate and rootCA1.
But the new SDK sample pubsub.py simply doesn't work with the same keys and policy.

[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825DF580 handle=0000000000000320: connect completion triggered with error -1073741305
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825DF580 handle=0000000000000320: connection error with code 1055
[INFO] [2020-09-25T11:11:31Z] [00004ed8] [dns] - id=000001A7802A2780: recording failure for record xxx for xxx-ats.iot.ap-southeast-1.amazonaws.com, moving to bad list
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [tls-handler] - id=000001A782BE3580: Error during negotiation. SECURITY_STATUS is -2146892953
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825E0C00 handle=000000000000032C: WriteFile() failed with error 64

I had to set the port to make it work; I hope it helps you too.

mqtt_connection_builder.mtls_from_path(
    ...
    port=8883)

Regards,
Justin

Sorry you're having trouble, Justin. Have you tried the example policy for pubsub given in the samples README?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": ["arn:aws:iot:region:account:topic/test/topic"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:region:account:topicfilter/test/topic"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:region:account:client/test-*"]
    }
  ]
}

If that doesn't work, feel free to open a new issue if you're still having difficulties. We can't guarantee that messages on closed issues will be seen.
