aws-iot-device-sdk-python-v2: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE on 1.0.6 (awscrt 0.5.13)

Created on 15 Apr 2020  ·  17 comments  ·  Source: aws/aws-iot-device-sdk-python-v2

Describe the bug
After upgrading my installation to awsiotsdk-1.0.6 it stopped working, with awscrt failing to authenticate against the AWS backend. Possibly connected with the awscrt upgrade to 0.5.13.

SDK version number
awsiotsdk-1.0.6

Platform/OS/Device
rpi3b+

To Reproduce (observed behavior)
Upgrade awsiotsdk to version 1.0.6.

Expected behavior
Should work as expected.

Logs/output

Apr 15 06:55:01 raspberrypi python3[581]: Connecting to something-east-1.amazonaws.com with client ID 'foo-bar-baz'...
Apr 15 06:55:01 raspberrypi python3[581]: Traceback (most recent call last):
Apr 15 06:55:01 raspberrypi python3[581]:   File "app.py", line 86, in <module>
Apr 15 06:55:01 raspberrypi python3[581]:     connect_future.result()
Apr 15 06:55:01 raspberrypi python3[581]:   File "/usr/lib/python3.7/concurrent/futures/_base.py", line 432, in result
Apr 15 06:55:01 raspberrypi python3[581]:     return self.__get_result()
Apr 15 06:55:01 raspberrypi python3[581]:   File "/usr/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
Apr 15 06:55:01 raspberrypi python3[581]:     raise self._exception
Apr 15 06:55:01 raspberrypi python3[581]: awscrt.exceptions.AwsCrtError: AwsCrtError(name='AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE', message='TLS (SSL) negotiation failed', code=1029)
Apr 15 06:55:01 raspberrypi systemd[1]: app.service: Main process exited, code=exited, status=1/FAILURE
guidance


All 17 comments

I'm having the same problem.

Ran across your post while searching for a similar problem with the CPPv2 SDK, which I believe is based on the same underlying functionality. I found that the CPPv2 SDK tries to validate the full chain of trust, and not just the CA certificate I provided -- but the full chain of trust didn't exist on my device. By copying /etc/ssl/certs/ca-certificates.crt from my Ubuntu machine to my device and passing it to the Aws::Iot::MqttClientConnectionConfigBuilder::WithCertificateAuthority() method I was able to provide a complete trust store that works. Not sure what the Python equivalent of this method is, but it should be there -- hopefully this hint helps you!

Update: on the latest version of the C++ SDK, I also see that S2N (the AWS TLS stack) will choose ECDSA for signing, which is not supported on the released version of the codebase.

@jsakwa's suggestion seems reasonable.
Are you able to run samples/pubsub.py with --root-ca set? Normally you would pass the Amazon Root CA 1 file available here

@graebm, I don't have the bandwidth to test atm. Does it work for you? If it does, that would feel unnatural, because the docs clearly say the switch should be used if the root of trust is not already installed on your machine, and it is on mine (works after downgrading).

@graebm I just tested again. Version 1.0.5 runs fine. The problem occurs when using version 1.0.6. I'm using a certificate signed with the CA you mentioned (not the deprecated one).

This test was run using pubsub.py with --root-ca inside a Docker container.

This is an excerpt from the debug output:

(...)

[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006320: Scheduling attempt_connection task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006320: Running attempt_connection task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: initializing with domain 1 and type 0
Unsupported setsockopt level=1 optname=16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setting socket options to: keep-alive 0, keep idle 0, keep-alive interval 0, keep-alive probe count 0.
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setsockopt() for NO_SIGNAL failed with errno 92. If you are having SIGPIPE signals thrown, you may want to install a signal trap in your application layer.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: beginning connect.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connecting to endpoint [redacted]:443.
[ERROR] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connect failed with error code 99.
[INFO ] [2020-04-25T22:14:14Z] [fdeff460] [dns] - id=0xff2df650: recording failure for record [redacted] for [redacted].iot.us-east-1.amazonaws.com, moving to bad list
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [dns] - static: purging address [redacted] for host [redacted].iot.us-east-1.amazonaws.com from the cache due to cache eviction or shutdown
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: is still open, closing...
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: closing
[ERROR] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: failed to create socket with error 1055
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006450: Scheduling attempt_connection task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfc006450: Running attempt_connection task with <Running> status
Unsupported setsockopt level=1 optname=16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: initializing with domain 0 and type 0
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setting socket options to: keep-alive 0, keep idle 0, keep-alive interval 0, keep-alive probe count 0.
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: setsockopt() for NO_SIGNAL failed with errno 92. If you are having SIGPIPE signals thrown, you may want to install a signal trap in your application layer.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: beginning connect.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connecting to endpoint [redacted]:443.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503440: Scheduling (null) task for future execution at time 3166071860135
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503488: Scheduling epoll_event_loop_unsubscribe_cleanup task for immediate execution
[INFO ] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: connection success
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: local endpoint 172.17.0.2:58438
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: assigning to event loop 0xff281f60
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: client connection on socket 0xfd502a50 completed with error 0.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: Beginning creation and setup of new channel.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c48: Scheduling on_channel_setup_complete task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503488: Running epoll_event_loop_unsubscribe_cleanup task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c48: Running on_channel_setup_complete task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: setup complete, notifying caller.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: no message pool is currently stored in the event-loop local storage, adding 0xfd504740 with max message size 16384, message count 4, with 4 small blocks of 128 bytes.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: channel 0xfd504088 setup succeeded: bootstrapping.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket-handler] - id=0xfd514e68: Socket handler created with max_read_size of 16384
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd515038: Scheduling tls_timeout task for future execution at time 3165183175311
[WARN ] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: negotiation failed with error Invalid signature algorithm (Error encountered in /tmp/pip-wheel-tiv_gdev/awscrt/aws-common-runtime/s2n/tls/s2n_client_cert_verify.c line 96)
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: tls negotiation result 1029 on channel 0xfd504088
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5041c8: Scheduling channel_shutdown task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: Channel shutdown is already pending, not scheduling another.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5041c8: Running channel_shutdown task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: beginning shutdown process
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd514e68 shutdown in read dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: Shutting down read direction with error code 1029
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd515020 shutdown in read dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Scheduling (null) task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Running (null) task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [tls-handler] - id=0xfd515020: Shutting down write direction
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd515020 shutdown in write dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [socket] - id=0xfd502a50 fd=6: closing
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c00: Scheduling epoll_event_loop_unsubscribe_cleanup task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd514ec8: Scheduling socket_handler_close task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd503c00: Running epoll_event_loop_unsubscribe_cleanup task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd514ec8: Running socket_handler_close task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: handler 0xfd514e68 shutdown in write dir completed.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Scheduling (null) task for immediate execution
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd5040a0: Running (null) task with <Running> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: during shutdown, canceling task 0xfd515038
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [task-scheduler] - id=0xfd515038: Running tls_timeout task with <Canceled> status
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel-bootstrap] - id=0xff3109a0: channel 0xfd504088 shutdown with error 1029.
[DEBUG] [2020-04-25T22:14:14Z] [fdeff460] [channel] - id=0xfd504088: destroying channel.
Traceback (most recent call last):
  File "/opt/controller/pubsub.py", line 141, in <module>
    connect_future.result()
  File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 435, in result
    return self.__get_result()
  File "/usr/local/lib/python3.7/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
awscrt.exceptions.AwsCrtError: AwsCrtError(name='AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE', message='TLS (SSL) negotiation failed', code=1029)
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: user called disconnect.
[ERROR] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: Connection is not open, and may not be closed
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - id=0xff3408e0: Destroying connection
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-topic-tree] - tree=0xff340960: Cleaning up topic tree
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [mqtt-client] - client=0xfe8bff28: Cleaning up MQTT client
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [channel-bootstrap] - id=0xff3109a0: releasing bootstrap reference
[DEBUG] [2020-04-25T22:14:14Z] [ff37c010] [channel-bootstrap] - id=0xff3109a0: destroying

Hmm.... we updated our cipher preferences recently. Any chance you could get a Wireshark capture of the TLS handshake and post the client and server hello messages?

Hi @JonathanHenson @graebm, if this uses the same S2N stack as the CPPv2 SDK: I observed that with the latest SDK version v1.5.5 on my system it also fails, because the device advertises support for ECDSA but the S2N stack only supports RSA, and during negotiation ECDSA gets chosen. adolfogc's log looks the same as mine during that particular failure mode.

I tried pulling the version of S2N on master, which should support ECDSA, but at least on my system that also fails, because it somehow tries to use an ECDSA key from the RSA code path. I plan to fix this and submit a pull request to S2N, but haven't had a chance to do so yet.

Currently I'm using CPPv2 SDK v1.5.1, which negotiates to always use RSA during the challenge step.

Okay, I know where to look now, but any chance you could give me a capture of the handshake so I can look into the s2n side of this?

Hi @JonathanHenson, is the following enough?

Client hello:
[screenshot]

Server hello:
[screenshot]

Handshake:

[screenshot]

Was the alert sent from the client or the server?
Also, it looks like the SNI is empty? That would also cause the negotiation to fail. What are you setting for the server name?

@JonathanHenson I was using the old endpoint ( <endpoint-id>.iot.us-east-1.amazonaws.com ); I switched to ATS ( <endpoint-id>-ats.iot.us-east-1.amazonaws.com ) and now it works. Thanks for your help!

According to https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/ we should switch to -ats as soon as possible, @adolfogc, @JonathanHenson?

@mkozjak I did, and the problem was resolved.

Thanks Mario for sharing the link to that post here. Once again: https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/

The default configuration of the V2 device SDKs will no longer work with the old non-ATS endpoints. Run aws --region <region> iot describe-endpoint --endpoint-type "iot:Data-ATS" to get your ATS endpoint.

I was getting persistent TLS negotiation failures when using the aws iot python sdk v2, even while using the -ats endpoint, but as suggested in the AWS blog I was able to solve the problem by switching the root certificate from a G2-RootCA1 certificate to the AmazonRootCA1 certificate.

Hi there,
I was stuck on this error for 2 hours when migrating from the old sdk to v2 (v1.5.0); I even tried in several environments, Windows10, Ubuntu18 and MacOS.

The old sdk sample basicPubSub.py just works with my key, certificate & rootCA1.
But the new SDK sample pubsub.py doesn't work with the same key & policy:

[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825DF580 handle=0000000000000320: connect completion triggered with error -1073741305
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825DF580 handle=0000000000000320: connection error with code 1055
[INFO] [2020-09-25T11:11:31Z] [00004ed8] [dns] - id=000001A7802A2780: recording failure for record xxx for xxx-ats.iot.ap-southeast-1.amazonaws.com, moving to bad list
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [tls-handler] - id=000001A782BE3580: Error during negotiation. SECURITY_STATUS is -2146892953
[ERROR] [2020-09-25T11:11:31Z] [00004ed8] [socket] - id=000001A7825E0C00 handle=000000000000032C: WriteFile() failed with error 64

I had to set the port to get it working; hope this helps you too.

mqtt_connection_builder.mtls_from_path(
    ...
    port=8883)

Regards,
Justin
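The three connection-side causes that come up in this thread (a legacy non-ATS endpoint, an empty SNI server name, and a missing port) can be caught before the client ever opens a socket. The following preflight checker is an added example, not code from the SDK or from anyone in this thread. It assumes endpoint ids are lower-case alphanumeric (the `<endpoint-id>` placeholders above do not show the real shape), treats 8883 as MQTT over TLS and 443 as the ALPN variant, and reads the ATS endpoint from the JSON that `aws iot describe-endpoint --endpoint-type iot:Data-ATS` prints. The sample values in the `__main__` block are constructed.

```python
import json
import re

# Endpoint shapes as they appear in this thread. The id character class is an
# assumption of this checker; describe-endpoint is the authoritative source.
ATS_ENDPOINT_RE = re.compile(
    r"^(?P<id>[a-z0-9]+)-ats\.iot\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)
LEGACY_ENDPOINT_RE = re.compile(
    r"^(?P<id>[a-z0-9]+)\.iot\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)

# 8883 is plain MQTT over TLS (the port Justin had to set explicitly);
# 443 only works together with the x-amzn-mqtt-ca ALPN extension.
EXPECTED_PORTS = {8883, 443}


def check_endpoint(endpoint: str, port: int, server_name: str = None) -> list:
    """Return a list of problems; an empty list means the settings look right.

    server_name is the SNI value the client will send. Pass None when the
    client derives SNI from the endpoint itself (the SDK builder's default).
    """
    problems = []
    host = endpoint.strip().lower()
    if LEGACY_ENDPOINT_RE.match(host):
        problems.append(
            "legacy (non-ATS) endpoint: the V2 SDK defaults no longer negotiate TLS with it"
        )
    elif not ATS_ENDPOINT_RE.match(host):
        problems.append("endpoint does not look like an AWS IoT data endpoint")
    if port not in EXPECTED_PORTS:
        problems.append(f"port {port} is not 8883 or 443 (443 additionally needs ALPN)")
    if server_name is not None:
        if not server_name:
            problems.append("SNI server name is empty; negotiation will fail")
        elif server_name.strip().lower() != host:
            problems.append("SNI server name differs from the endpoint host")
    return problems


def endpoint_from_describe_output(cli_json: str) -> str:
    """Extract endpointAddress from the JSON printed by
    `aws iot describe-endpoint --endpoint-type iot:Data-ATS`."""
    return json.loads(cli_json)["endpointAddress"]


def ats_equivalent(endpoint: str) -> str:
    """Rewrite a legacy endpoint into the -ats form seen in this thread.

    This only helps spot the change needed in a config file; always confirm
    the value with describe-endpoint.
    """
    host = endpoint.strip().lower()
    m = LEGACY_ENDPOINT_RE.match(host)
    if m:
        return f"{m['id']}-ats.iot.{m['region']}.amazonaws.com"
    return host


if __name__ == "__main__":
    # Constructed sample: the legacy endpoint shape from the thread with a made-up id.
    legacy = "a1b2c3d4e5f6g7.iot.us-east-1.amazonaws.com"
    print(check_endpoint(legacy, 8883))
    print("use instead:", ats_equivalent(legacy))
    # Constructed describe-endpoint output.
    print(endpoint_from_describe_output(
        '{"endpointAddress": "a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com"}'))
```

Run the checker on the exact strings you pass to `mtls_from_path` before debugging TLS traces: a non-empty problem list explains the `AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE` without a packet capture, and an empty list tells you to look at the root CA file and the S2N side instead.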

Sorry that you're having trouble, Justin. Have you tried the example policy for pubsub given in the samples readme?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": ["arn:aws:iot:region:account:topic/test/topic"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Subscribe"],
      "Resource": ["arn:aws:iot:region:account:topicfilter/test/topic"]
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Connect"],
      "Resource": ["arn:aws:iot:region:account:client/test-*"]
    }
  ]
}

If that doesn't work, please open a new issue if you're still having difficulty. We can't guarantee that messages on closed issues will be seen.
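A policy that does not cover the client ID or topic the sample uses fails at connect time just like a TLS problem does, so it helps to evaluate the policy locally against the exact client ID and topic before blaming the handshake. The evaluator below is an added example, not the samples readme's code or an AWS library: it embeds the pubsub policy quoted above with its `region`/`account` placeholders, applies IAM-style `*`/`?` wildcard matching with explicit Deny taking precedence over Allow, and deliberately ignores Condition keys and policy variables such as `${iot:ClientId}`, which a real evaluation would honour. The client IDs and topics in the `__main__` block are constructed.

```python
import json
import re

# The pubsub sample policy from the comment above, placeholders kept as-is.
SAMPLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Receive" ],
    "Resource": [ "arn:aws:iot:region:account:topic/test/topic" ] },
  { "Effect": "Allow", "Action": [ "iot:Subscribe" ],
    "Resource": [ "arn:aws:iot:region:account:topicfilter/test/topic" ] },
  { "Effect": "Allow", "Action": [ "iot:Connect" ],
    "Resource": [ "arn:aws:iot:region:account:client/test-*" ] } ] }
""")


def _as_list(value):
    # Action and Resource may be a single string or a list in IAM-style policies.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Evaluate one action/resource pair: an explicit Deny wins, otherwise any
    matching Allow grants access. Conditions and policy variables are not
    modelled (simplification of this example)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(
            _wildcard_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))
        )
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def preflight(policy: dict, region: str, account: str, client_id: str, topic: str) -> dict:
    """Check the four actions pubsub.py needs, building the ARNs the broker
    would evaluate: client/<id> for Connect, topic/<t> for Publish and Receive,
    topicfilter/<t> for Subscribe."""
    base = f"arn:aws:iot:{region}:{account}"
    checks = {
        "iot:Connect": f"{base}:client/{client_id}",
        "iot:Publish": f"{base}:topic/{topic}",
        "iot:Receive": f"{base}:topic/{topic}",
        "iot:Subscribe": f"{base}:topicfilter/{topic}",
    }
    return {action: is_allowed(policy, action, arn) for action, arn in checks.items()}


if __name__ == "__main__":
    # Constructed inputs: the sample's expected client-id prefix and topic, then a
    # client id the policy does not cover.
    print(preflight(SAMPLE_POLICY, "region", "account", "test-pi", "test/topic"))
    print(preflight(SAMPLE_POLICY, "region", "account", "prod-pi", "test/topic"))
```

Any `False` in the result is a policy problem to fix in the AWS IoT console (or with the CLI), not something a different port or root CA will change; substitute your real region, account id, client ID and topic when running it.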
