How to solve AWS connection error for ESP32 - aws-iot

I am getting the following error while connecting an ESP32 to AWS IoT:
(error attached below)
I went through many links but was not able to solve the issue.
I have generated valid certificates that are:
aws-root-ca.pem
certificate.pem.crt
private.pem.key
E (5446) aws_iot: failed! mbedtls_ssl_handshake returned -0x2700
E (5446) aws_iot: Unable to verify the server's certificate.
E (5456) subpub: Error(-4) connecting to a39wjx7wm5wvia-ats.iot.us-east-2.amazonaws.com:8883

I'm a bit confused by your phrase "I have generated valid certificates that are", because the Amazon Root certificate should simply be downloaded from here; it isn't generated. Looking at your error message, I would assume that you did something else and used an incorrect root certificate for Amazon.

Related

SnowSQL Bad Handshake when running PUT

I am trying to PUT a file from my local workstation to a named stage I created, but I am getting an SSL error:
("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
I am able to run SELECT statements from within SnowSQL and they run with no problems. But when I try to do a PUT I get an error.
I have also installed the latest SnowSQL version available, but no luck.
Any thoughts on why I would be getting this error?
Thanks
My initial thought is that the error indicates a firewall or proxy issue. In particular, a proxy might intercept Snowflake's SSL certificate and replace it with its own. The best way to resolve this is to ensure the certificate is trusted in the proxy and the proxy is configured as per Snowflake's documentation so that the Snowflake certificate can pass through.
The documentation below has more information on using a proxy with SnowSQL. You can pass along the error with the issuer details to your network engineer and request that the required URLs be whitelisted (documentation outlining the whitelisting requirements is also below). You can use the SYSTEM$WHITELIST function to get all the URLs to whitelist in a proxy or firewall for your account.
https://docs.snowflake.net/manuals/user-guide/snowsql-start.html#using-a-proxy-server
https://docs.snowflake.net/manuals/user-guide/hostname-whitelist.html

Getting a Certificate error when making a GET request in a VS Code extension webview

I'm creating a VS Code extension with a webview that contains a React application. In the React code, I'm making a GET request to a REST API, but it keeps failing due to the following error:
Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID
Any ideas on why this may be happening or a workaround? Maybe this is a restriction of webviews?
If I make the call in the extension code, it works fine.
I upgraded my browser to the latest version and it worked for me.
See the link below for how to update your browser version.
https://www.computerhope.com/issues/ch001388.htm
Assuming that you get this error about the certificate of the remote side (the one serving the REST API), you get it because of one of the following:
the authority that signed the certificate is not recognized on the client side (i.e. the authority's certificate is not installed on your PC)
the certificate has expired
your PC has the wrong date
You can correct the above, or as a workaround you can (depending on your tools) explicitly ignore the untrusted remote certificate. But this workaround should remain for test purposes only, as it is a security breach.

Generating GCP compatible Cloudflare SSL certificate

I'm trying to configure SSL for Google Cloud's App Engine.
You can upload your own custom SSL certificate + private key in GCP (see screenshot).
I'm using Cloudflare for DNS, and would like to use the "Full (strict)" SSL policy in Cloudflare. This would mean I have to add a certificate and key, created by Cloudflare, in GCP (in the same screenshot).
I've managed to convert the private key to a valid (PEM) format that GCP will accept. The only thing not working is the certificate part.
When entering both certificate and key in GCP and clicking upload, the following error is returned:
The certificate data is invalid. Please ensure that the private key and public certificate match.
After some googling, I found the following resources in GCP's documentation, explaining that I need to have the full certificate chain uploaded in the certificate field. So the next thing I tried was to concatenate my certificate from Cloudflare together with Cloudflare's root certificate, as explained in the GCP docs.
So I ran the following command to create this chain:
cat domain.crt cloudflare-root-ca.crt > concat.crt
... and uploaded that one in GCP in the certificate field.
That didn't work either, even though the checksums of both the private key and the certificate chain match, as explained in the GCP docs, by running:
openssl x509 -noout -modulus -in concat.crt | openssl md5
openssl rsa -noout -modulus -in myserver.key.pem | openssl md5
...and comparing the md5 outputs.
So now I'm completely out of ideas. GCP's error messages are limited to the one above, and one other saying your PK is not in a valid format.
Same problems when trying via CLI (gcloud)
When trying this process through the gcloud CLI, we get the same errors.
Trying the following command:
gcloud app ssl-certificates create --display-name example.com --certificate ./cloudflare-concat.crt --private-key cloudflare-pk.key
...yields the following error:
ERROR: (gcloud.app.ssl-certificates.create)
INVALID_ARGUMENT: Invalid certificate.
`CertificateRawData` must contain a PEM encoded x.509 public key certificate, with header and footer included,
and an unencrypted PEM encoded RSA private key, with header and footer included and with size at most 2048 bits.
The requested private key and public certificate must match.
Any help on uploading a valid certificate (from Cloudflare) and private key in GCP is much appreciated.
Update 1
I found this (cached) page describing all the root and intermediate certs of Cloudflare. I've tried a couple of them to concatenate against my domain cert, but no luck so far. It's also not clear which one to use...
Update 2
I'm beginning to think that this won't ever work. Because I'm using an 'Origin Certificate' from Cloudflare, I believe this is a self-signed cert from Cloudflare itself, meaning that App Engine won't ever recognize it as valid.
The reason I think this is the case is that I tried to use the cfssl tool from Cloudflare to 'create a bundle cert' automatically. The response I get from running
cfssl bundle -cert domain.crt
returns the following result:
[INFO] bundling certificate for {Country:[] Organization:[CloudFlare, Inc.] OrganizationalUnit:[CloudFlare Origin CA] Locality:[] Province:[] StreetAddress:[] PostalCode:[] SerialNumber: CommonName:CloudFlare Origin Certificate Names:[{Type:2.5.4.10 Value:CloudFlare, Inc.} {Type:2.5.4.11 Value:CloudFlare Origin CA} {Type:2.5.4.3 Value:CloudFlare Origin Certificate}] ExtraNames:[]}
{"code":1220,"message":"x509: certificate signed by unknown authority"}
Extra info
I'm using a free Cloudflare subscription.
Everything works fine when using the 'Flexible' setting from Cloudflare,
but I would like to use the 'Full (strict)' setting.
I discovered a recent blog post describing how to solve this.
After following the steps described, the certificate was accepted in Google Cloud, and everything worked for the 'Full (strict)' SSL option in Cloudflare!
In short: it involved a bit of tweaking of the keys, by manually adding 'RSA' to them, as described in the blog post.
See this link:
https://blog.woohoosvcs.com/2019/11/running-google-app-engine-behind-cloudflare/
EDIT:
This is probably the same end result as using the shell commands described by @Andrei
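Editor's note on what "adding RSA to the header" actually means: a key whose PEM header reads BEGIN PRIVATE KEY is PKCS#8, while BEGIN RSA PRIVATE KEY is PKCS#1, and the two encode the key differently, so the honest version of the fix is a format conversion with openssl rather than a text edit. The script below, added here and not code from the original thread or the linked blog post, does that conversion and the checks the gcloud error message quoted above asks for (an unencrypted PEM RSA key of at most 2048 bits that matches the certificate). It also shows a caveat with the modulus check the question ran on concat.crt: openssl x509 reads only the first certificate in a file, so the check says nothing about the rest of the chain. All files (pkcs8.key, cert.pem, other.pem, chain.pem, the CN values) are constructed in a temp directory; substitute your Cloudflare Origin certificate and key.

```shell
#!/bin/sh
# Added example, not code from the original thread or the linked blog post:
# key-format conversion and the key/certificate checks for the GCP upload.
# Everything here is constructed on throw-away files.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A 2048-bit key as PKCS#8 ("BEGIN PRIVATE KEY"), the format many tools hand
# out today; a self-signed certificate for it; and an unrelated certificate to
# play the role of a CA cert concatenated into a chain file.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out pkcs8.key 2>/dev/null
openssl req -x509 -key pkcs8.key -days 1 -subj "/CN=example.com" -out cert.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Some CA" \
    -keyout other.key -out other.pem 2>/dev/null
cat cert.pem other.pem > chain.pem

# PKCS#8 -> PKCS#1 ("BEGIN RSA PRIVATE KEY"). This re-encodes the key; editing
# the header line by hand leaves a PKCS#8 body under a PKCS#1 label.
to_pkcs1() {
    openssl pkey -in "$1" -traditional -out "$2"
}

# First line of a PEM file: tells you which encoding you are holding.
pem_header() {
    head -n 1 "$1"
}

# Modulus size in bits (the gcloud message caps it at 2048). openssl prints the
# modulus as hex without leading zeros, so digits * 4 is the key size.
key_bits() {
    hex="$(openssl rsa -noout -modulus -in "$1" | sed 's/^Modulus=//')"
    echo $(( ${#hex} * 4 ))
}

# Do key ($1) and certificate ($2) share a modulus? Comparing the Modulus=
# lines directly is enough; piping them through md5 adds nothing.
# Caveat: openssl x509 reads only the FIRST certificate in the file, so this
# passes for any chain file whose leaf comes first, whatever follows it.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1")" = \
      "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Count the certificates in a bundle, since the modulus check cannot.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

to_pkcs1 pkcs8.key pkcs1.key
echo "before: $(pem_header pkcs8.key)"
echo "after:  $(pem_header pkcs1.key)"
echo "bits:   $(key_bits pkcs1.key)"
echo "key matches cert.pem:  $(key_matches_cert pkcs1.key cert.pem && echo yes || echo no)"
echo "key matches other.pem: $(key_matches_cert pkcs1.key other.pem && echo yes || echo no)"
echo "key matches chain.pem: $(key_matches_cert pkcs1.key chain.pem && echo yes || echo no)"
echo "chain.pem holds $(count_certs chain.pem) certificate(s)"
```

Note that the match against chain.pem succeeds only because cert.pem is the first block in it; if the chain order were reversed the same key would "not match", which is one reason to keep the leaf first when concatenating.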
Can you please verify whether you are using a free or a paid Cloudflare account?
Because if you are using the free one, I think SSL Strict is not going to work; make it Flexible and redirect all HTTP requests to HTTPS.

Xcode 9 - iOS 11: NSURLConnection - sendAsynchronousRequest fails

I just downloaded the latest version of Xcode (9.0 beta (9M136h)).
However, when I try to make a request to my server in the iOS 11 simulator (using NSURLConnection sendAsynchronousRequest), an error is received:
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9807)
NSURLConnection finished with error - code -1202
The NSError object contains the message @"NSLocalizedDescription" : @"The certificate for this server is invalid. You might be connecting to a server that is pretending to be “***” which could put your confidential information at risk."
The plist contains:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
so that is not the problem in this case (I guess).
Needless to say, it is working in iOS 10/9/8.
Any suggestions?
Thanks in advance!
You need to allow your application to make HTTP (no S) connections. By default, Apple only allows HTTPS:
Go to your Info.plist
Then press the plus icon on any of the entries
Search for "App Transport Security Settings"
Click the little arrow to the left and find "Allow Arbitrary Loads"; by default it is set to "NO", change it to "YES"
For all of you who get this error in iOS 11, please make sure you're working against a valid (secure) certificate on your server.
In our case, the certificate wasn't strict enough.
Once our server guy integrated a new valid certificate, the problem was gone.
One way to check whether the certificate is secure is to paste the problematic link into a browser.
As a result, you might see that the connection is not secure:
Since you've got an invalid certificate error, I'll make the following suggestions based on my personal security practice.
If you're still within your service terms with your CA, ask them to issue a new valid certificate for you.
Check your Keychain settings and make sure no CA cert is missing.
Alternatively, you can issue your own self-signed certificate for testing purposes and add it to your local Keychain as a trust anchor. A search for "how to create self-signed x509 certificate" will return something you might find useful.

Java Mail API Relaying denied error

I am facing a weird problem. I have installed an SMTP server on my AIX box and I can successfully send email using the following command:
mailx -s "Hola Mundo" email@domain.com < /tmp/test.txt
But when I send the email using the JavaMail API I get the following exception; could you help me resolve it?
javax.mail.SendFailedException: Invalid Addresses;
nested exception is:
javax.mail.SendFailedException: 550 5.7.1 <email@domain.com>... Relaying denied
at com.sun.mail.smtp.SMTPTransport.rcptTo(SMTPTransport.java:632)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:306)
at SendMailUsage.main(SendMailUsage.java:59)
and I am sure my email address is a correct one.
Check out RFC 2821 (Simple Mail Transfer Protocol), especially the part about SMTP replies: https://www.rfc-editor.org/rfc/rfc2821#section-4.2
A status reply starting with 5xx indicates a permanent error. In your case your SMTP server is not configured to route mail to the given destination address.
The issue has been resolved by modifying the sendmail.cf file on the server side. My AIX admin informed me that it was due to a DNS issue; I will update the solution as soon as I hear from him.
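To make the reply-code reasoning in the answer concrete, here is an added example (not from the original thread) that classifies SMTP replies by their first digit as RFC 2821 section 4.2 defines them, pulls out the enhanced status code (the "5.7.1" in the exception), and walks a session transcript to find the first client command that drew a failure. The transcript is constructed for illustration; the host names aixbox.example and client.example are invented, and the 550 line mirrors the one in the question. The stack trace shows the failure came from rcptTo, which is exactly where a relaying policy rejection lands: MAIL FROM is accepted, RCPT TO is not.

```shell
#!/bin/sh
# Added example, not code from the original thread: classify SMTP replies
# (RFC 2821 section 4.2) and locate the failing command in a transcript.
# The transcript and host names below are constructed.
set -eu

# Reply class from the first digit of the three-digit code:
# 2 = success, 3 = more input needed, 4 = transient failure (retry later),
# 5 = permanent failure (do not retry until the server config changes).
smtp_reply_class() {
    case "$1" in
        2[0-9][0-9]) echo success ;;
        3[0-9][0-9]) echo intermediate ;;
        4[0-9][0-9]) echo transient ;;
        5[0-9][0-9]) echo permanent ;;
        *)           echo malformed ;;
    esac
}

# Enhanced status code ("class.subject.detail") when the reply carries one,
# e.g. 5.7.1 from "550 5.7.1 <user>... Relaying denied"; empty otherwise.
smtp_enhanced_code() {
    printf '%s\n' "$1" |
        sed -n 's/^[0-9][0-9][0-9][ -]\([245]\.[0-9]\{1,3\}\.[0-9]\{1,3\}\).*/\1/p'
}

# Read a transcript on stdin (lines prefixed "C: " or "S: ") and print
# "CODE COMMAND" for the first client command answered with 4xx/5xx.
# Multi-line replies use "250-" continuation lines and end with "250 ".
smtp_first_failure() {
    last_cmd=""
    while IFS= read -r line; do
        case "$line" in
            "C: "*) last_cmd="${line#C: }" ;;
            "S: "*)
                reply="${line#S: }"
                code="${reply%%[ -]*}"
                case "$(smtp_reply_class "$code")" in
                    transient|permanent)
                        printf '%s %s\n' "$code" "$last_cmd"
                        return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Constructed transcript of a session that fails the way the question's does.
TRANSCRIPT='S: 220 aixbox.example ESMTP Sendmail
C: EHLO client.example
S: 250-aixbox.example Hello client.example
S: 250-SIZE 10485760
S: 250 HELP
C: MAIL FROM:<sender@example>
S: 250 2.1.0 <sender@example>... Sender ok
C: RCPT TO:<email@domain.com>
S: 550 5.7.1 <email@domain.com>... Relaying denied
C: QUIT
S: 221 2.0.0 aixbox.example closing connection'

failure="$(printf '%s\n' "$TRANSCRIPT" | smtp_first_failure)"
echo "first failing command: $failure"
echo "reply class:           $(smtp_reply_class "${failure%% *}")"
echo "enhanced status:       $(smtp_enhanced_code '550 5.7.1 <email@domain.com>... Relaying denied')"
```

A client that sees "permanent" here should not retry the same message; the fix is on the server (the relay policy or, as in this thread, the DNS lookup that the policy depends on), not in the JavaMail code.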
