- https://stackoverflow.com/questions/30207649/address-already-in-use-error-in-mosquitto (reference for the "Address already in use" error mosquitto reports when another broker is already bound to the port)
In order to build an automated process we go through 2 steps:
1 - Only one time - Create a Root CA. Do not use Amazon Root CA 1 for this: it is the trust anchor the device uses to verify the AWS IoT server, not a CA whose private key you hold, so you cannot sign device certificates with it. Create your own Root CA certificate, and it is recommended to create one Root CA per project. Example: the company Master has its master CA certificate, company B has CA Certificate B, and so on.
2 - The second step runs as many times as there are things to create. Say company B wants to create 100 things under its CA Certificate B. Each iteration of the loop produces 2 files, deviceCertAndCACert.crt and deviceCert.key, both chained to CA Certificate B. At the end of the process each thing must hold 3 files in order to connect to AWS IoT: the server trust root (root.cert, downloaded in Step 2), deviceCertAndCACert.crt (the device certificate followed by CA Certificate B, so the broker can chain it back to the registered CA) and finally deviceCert.key (which must never leave the device).
With those 3 files installed on the device, we need to connect to AWS IoT 2 times. The FIRST connection is rejected with a TLS error because AWS IoT does not know the device certificate yet; since the certificate was signed by a registered CA with auto-registration enabled, that first handshake triggers Just-In-Time Provisioning, which runs the template and creates and activates the THING, the certificate and its policy. After the second connection PUB/SUB works smoothly. To test the connection we use the Mosquitto clients (https://medium.com/@aegkaluk/install-mqtt-broker-on-ubuntu-18-04-15232ab0ee42).
sudo apt-get update
sudo apt-get install -y mosquitto
sudo apt-get install -y mosquitto-clients
sudo mosquitto_passwd -c /etc/mosquitto/passwd mqtt_user_name
Password: 123456 (placeholder; choose a real password, mosquitto_passwd stores only its hash)
sudo vi /etc/mosquitto/conf.d/default.conf
Put this inside default.conf so the local broker refuses anonymous clients:
`
allow_anonymous false
password_file /etc/mosquitto/passwd
`
sudo systemctl restart mosquitto
mosquitto -v
1579289477: mosquitto version 1.4.15 (build date Tue, 18 Jun 2019 11:42:22 -0300) starting ...
Note: `mosquitto -v` starts a second broker in the foreground; since systemctl already started the service on port 1883, this one reports "Address already in use" (the stackoverflow link at the top). That is expected: the service is the broker, and the AWS IoT test below only needs the mosquitto_pub client from mosquitto-clients.
Step 0 - Create the IAM Role that JITP will assume (IAM > Roles > Create Role).
- Choose the service that will use this role (IoT) > Select your use case (IoT - Allows IoT to call AWS services on your behalf).
- Permissions - Automatic (AWSIoTLogging, AWSIoTRuleActions, AWSIoTThingsRegistration).
- Name (any) - ex: JITP-MyCompany
- Copy the ARN (arn:aws:iam::62456361912:role/JITP-MyCompany). It will be used in the JSON template.
- Create.
Note: the role created above has the following managed policies attached:
- AWSIoTThingsRegistration (the only one JITP needs: it lets AWS IoT create the thing, certificate and policy from the template).
- AWSIoTLogging (not needed for provisioning; remove it for least privilege).
- AWSIoTRuleActions (not needed for provisioning; remove it for least privilege).
Revoke Sessions
If the role's credentials are ever exposed, the IAM console "Revoke active sessions" action attaches this inline policy to the role. It denies every action to any session whose token was issued before the time you put in place of [policy creation time]; sessions assumed after that instant are unaffected.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [ "*" ],
      "Resource": [ "*" ],
      "Condition": {
        "DateLessThan": { "aws:TokenIssueTime": "[policy creation time]" }
      }
    }
  ]
}
Step 1 - Create and register the Root CA.
This file is the provisioning template (the --registration-config of register-ca-certificate). It does not create the Root CA itself; it tells AWS IoT what to create the first time a device certificate signed by that CA connects: a thing named after the certificate ID, the certificate itself set to ACTIVE, and the policy attached to it.
vi template_JITP.json
Copy and paste the following JSON into template_JITP.json. Note that we use here the Role ARN that we created in Step 0, at the last line "roleArn":"<your ARN role created in the Step 0>". Replace <your ARN role created in the Step 0> by arn:aws:iam::62456361912:role/JITP-MyCompany. The templateBody value is itself JSON embedded as a string, so every quote inside it must stay escaped (\" and, one level deeper inside PolicyDocument, \\\").
{
  "templateBody":"{ \"Parameters\" : { \"AWS::IoT::Certificate::Country\" : { \"Type\" : \"String\" }, \"AWS::IoT::Certificate::Id\" : { \"Type\" : \"String\" } }, \"Resources\" : { \"thing\" : { \"Type\" : \"AWS::IoT::Thing\", \"Properties\" : { \"ThingName\" : {\"Ref\" : \"AWS::IoT::Certificate::Id\"}, \"AttributePayload\" : { \"version\" : \"v1\", \"country\" : {\"Ref\" : \"AWS::IoT::Certificate::Country\"}} } }, \"certificate\" : { \"Type\" : \"AWS::IoT::Certificate\", \"Properties\" : { \"CertificateId\": {\"Ref\" : \"AWS::IoT::Certificate::Id\"}, \"Status\" : \"ACTIVE\" } }, \"policy\" : {\"Type\" : \"AWS::IoT::Policy\", \"Properties\" : { \"PolicyDocument\" : \"{\\\"Version\\\": \\\"2012-10-17\\\",\\\"Statement\\\": [{\\\"Effect\\\":\\\"Allow\\\",\\\"Action\\\": [\\\"iot:Connect\\\",\\\"iot:Publish\\\"],\\\"Resource\\\" : [\\\"*\\\"]}]}\" } } } }",
  "roleArn":"<your ARN role created in the Step 0>"
}
Caveat: the policy in this template grants iot:Connect and iot:Publish on Resource "*", so every device provisioned under the CA can use any client ID and publish to any topic. That is fine for a first test; for production, scope the resources with policy variables (for example ${iot:Certificate.Subject.CommonName} or ${iot:Connection.Thing.ThingName}) so each device can only use its own client ID and topics.
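The following script is an added example, not part of the original page: it generates template_JITP.json from readable JSON so the script, not the operator, does the quote escaping that the "Invalid JSON: Expecting , delimiter" error below comes from, and it replaces Resource "*" with a policy scoped to one device. Assumptions: ROLE_ARN is the role from Step 0, REGION and ACCOUNT are placeholders for your own values, and each device certificate's Common Name is the device's unique identifier (set when its CSR is made), which is what the ${iot:Certificate.Subject.CommonName} policy variable resolves to.

```shell
#!/bin/sh
# Added example (not from the original page): build template_JITP.json from
# readable JSON and scope the provisioned policy to one device.
# Assumptions: ROLE_ARN from Step 0; REGION/ACCOUNT are placeholders; the
# device certificate CN is the device's unique id.
set -eu

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::62456361912:role/JITP-MyCompany}"
REGION="${REGION:-us-west-2}"        # assumed: region of your IoT endpoint
ACCOUNT="${ACCOUNT:-123456789012}"    # assumed: placeholder account id
OUT="${1:-template_JITP.json}"

# Turn a multi-line JSON document into the body of a JSON string literal:
# escape backslashes, then quotes, then join the lines. Applied once per
# nesting level (PolicyDocument inside templateBody inside the outer file).
json_to_string() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | tr -d '\n' | tr -s ' '
}

# Device policy. Instead of Resource "*", a device may only connect with a
# client id equal to its certificate CN and publish under devices/<CN>/.
# "\${iot:...}" stays literal: it is an AWS IoT policy variable, not a shell one.
cat > policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:${REGION}:${ACCOUNT}:client/\${iot:Certificate.Subject.CommonName}"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Publish",
      "Resource": "arn:aws:iot:${REGION}:${ACCOUNT}:topic/devices/\${iot:Certificate.Subject.CommonName}/*"
    }
  ]
}
EOF
POLICY_STR=$(json_to_string < policy.json)

# Provisioning template: the same three resources as the page's template,
# with the scoped policy embedded as an escaped string.
cat > template-body.json <<EOF
{
  "Parameters": {
    "AWS::IoT::Certificate::Country": { "Type": "String" },
    "AWS::IoT::Certificate::Id": { "Type": "String" }
  },
  "Resources": {
    "thing": {
      "Type": "AWS::IoT::Thing",
      "Properties": {
        "ThingName": { "Ref": "AWS::IoT::Certificate::Id" },
        "AttributePayload": { "version": "v1", "country": { "Ref": "AWS::IoT::Certificate::Country" } }
      }
    },
    "certificate": {
      "Type": "AWS::IoT::Certificate",
      "Properties": { "CertificateId": { "Ref": "AWS::IoT::Certificate::Id" }, "Status": "ACTIVE" }
    },
    "policy": {
      "Type": "AWS::IoT::Policy",
      "Properties": { "PolicyDocument": "${POLICY_STR}" }
    }
  }
}
EOF

# Outer file, consumed by:
#   aws iot register-ca-certificate ... --registration-config file://template_JITP.json
printf '{\n  "templateBody": "%s",\n  "roleArn": "%s"\n}\n' \
  "$(json_to_string < template-body.json)" "$ROLE_ARN" > "$OUT"
echo "wrote $OUT (policy.json and template-body.json kept for review)"
```

Keep policy.json and template-body.json in version control and regenerate the escaped file from them; reviewing a diff of the readable policy is far easier than reviewing the triple-escaped string, and the device must then connect with a client ID equal to its certificate CN and publish under devices/<CN>/.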
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Note: -nodes leaves rootCA.key unencrypted, and this key signs every device identity, so keep it on a protected host (or an HSM) and never on the provisioning server. The self-signed certificate must carry basicConstraints CA:TRUE; the default openssl.cnf v3_ca section adds it, but if yours does not, register-ca-certificate rejects the CA (see the CertificateValidationException below).
You will be prompted to enter the following information:
Country Name (2 letter code) []:CA
State or Province Name (full name) []:ON
Locality Name (eg, city) []:New York
Organization Name (eg, company) []:MyCompany
Organizational Unit Name (eg, section) []:Digital Department
Common Name (eg, fully qualified host name) []: leave empty
Email Address []:
At this point you have in your folder
- template_JITP.json
- rootCA.key (new)
- rootCA.pem (new)
openssl genrsa -out verificationCert.key 2048
aws iot get-registration-code
- OUTPUT: your registration code, ex: 65610c9482c8fe4ff2c... . Copy it; you will use it in the next step. The code is fixed for your AWS account in that region, and AWS uses it to prove you control the CA: the verification certificate must be signed by the CA and carry the code as its Common Name.
openssl req -new -key verificationCert.key -out verificationCert.csr
You will be prompted AGAIN to enter the following information:
Country Name (2 letter code) []:CA
State or Province Name (full name) []:ON
Locality Name (eg, city) []:New York
Organization Name (eg, company) []:MyCompany
Organizational Unit Name (eg, section) []:Digital Department
Common Name (eg, fully qualified host name) []:<your aws iot get-registration-code ex: 65610c9482c8fe4ff2c...>
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:123DERFGTY (CHOOSE YOUR PASSWORD AND SAVE IT SOMEWHERE; it is only a CSR attribute that AWS IoT does not use, so it can also be left empty)
At this point you have in your folder
- template_JITP.json
- rootCA.key
- rootCA.pem
- verificationCert.csr (new)
- verificationCert.key (new)
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256
OUTPUT:
Signature ok
subject=/C=CA/ST=ON/L=New York/O=MyCompany/OU=Digital Department/CN=60d196ac98c3297be11a7eb993f6fae73b8a9218d9f993e910c9482c8fe4ff2c
Getting CA Private Key
At this point you have in your folder
- template_JITP.json
- rootCA.key
- rootCA.pem
- rootCA.srl (new)
- verificationCert.csr
- verificationCert.key
- verificationCert.pem (new)
Now it is time to put it all together and register the CA certificate in AWS IoT > Secure > CAs. --verification-cert proves you hold the CA key, --set-as-active makes the CA usable immediately, --allow-auto-registration is what makes a first connection from an unknown device certificate trigger JITP, and --registration-config is the template from above.
aws iot register-ca-certificate --ca-certificate file://rootCA.pem --verification-cert file://verificationCert.pem --set-as-active --allow-auto-registration --registration-config file://template_JITP.json
- OUTPUT a JSON like the following example:
{
  "certificateArn": "arn:aws:iot:us-east-2:650254791912:cacert/35fa21dd704baa3244a777fb97b450828641d7fde1b95c4dd5b8b5e",
  "certificateId": "35fa21dd704baa3244a777fb97b450828641d7fde1b95c4dd5b8b5e"
}
If you get the following error, check the template_JITP.json file: the quotes inside templateBody were not escaped, so the CLI sees the string end right after "{ " (note the unescaped "Parameters" in the echoed JSON).
`
Error parsing parameter --registration-config: Invalid JSON: Expecting , delimiter: line 1 column 22 (char 21) JSON received: { "templateBody":"{ "Parameters" : { "AWS::IoT::Certificate::Country" : { "Type" : "String" }, "AWS::IoT::Certificate::Id" : { "Type" : "String" } }, "Resources" : { "thing" : { "Type" : "AWS::IoT::Thing", "Properties" : { "ThingName" : {"Ref" : "AWS::IoT::Certificate::Id"}, "AttributePayload" : { "version" : "v1", "country" : {"Ref" : "AWS::IoT::Certificate::Country"}} } }, "certificate" : { "Type" : "AWS::IoT::Certificate", "Properties" : { "CertificateId": {"Ref" : "AWS::IoT::Certificate::Id"}, "Status" : "ACTIVE" } }, "policy" : {"Type" : "AWS::IoT::Policy", "Properties" : { "PolicyDocument" : "{"Version": "2012-10-17","Statement": [{"Effect":"Allow","Action": ["iot:Connect","iot:Publish"],"Resource" : ["*"]}]}" } } } }", "roleArn":"arn:aws:iam::366229877060:role/JITP-SciCan" }
`
If instead you get the error below, the self-signed root was generated without the CA extension; regenerate rootCA.pem with basicConstraints = CA:TRUE (the v3_ca section of openssl.cnf) and then redo the verification certificate:
An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid. The CA certificate does not have the basicConstraints extension as true
Note the number after cacert/... and the certificateId: they are the same. At this point the Root CA certificate is registered and ready to be used. We can register as many Root CA certificates as we want: one per batch of things, one per project, or one per company we deal with.
In an automated process this is the moment to save the information about the Root CA certificate (certificateId, certificateArn, rootCA.pem and the project it belongs to) in the database. Do not store rootCA.key there: the signing key belongs on a dedicated signing host or HSM that the provisioning loop calls into, not a file copied around with the rest of the data.
Step 2 - Create the Thing Certificate AS MANY TIMES AS YOU WANT (loop), once for each thing you want to create.
openssl genrsa -out deviceCert.key 2048
openssl req -new -key deviceCert.key -out deviceCert.csr
(Answer the prompts: Country must be set because the template reads AWS::IoT::Certificate::Country, and give each device a unique Common Name, for example its serial number, so that a scoped policy can refer to it.)
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.crt -days 365 -sha256
cat deviceCert.crt rootCA.pem > deviceCertAndCACert.crt
(Order matters: the device certificate first, then the CA, so the TLS client presents a chain the broker can follow back to the registered CA.)
wget https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem
This is the moment to download the server trust root. Note: the VeriSign G5 root only validates the legacy AWS IoT endpoints; if your endpoint name contains -ats (as in the example below) download Amazon Root CA 1 from https://www.amazontrust.com/repository/AmazonRootCA1.pem instead and use that as root.cert.
mv VeriSign-Class\ 3-Public-Primary-Certification-Authority-G5.pem root.cert
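The Step 1 CA creation and the Step 2 per-device loop as one script, added here as an example and not taken from the original page. It sets the X.509 extensions explicitly, so the root passes the basicConstraints check that register-ca-certificate performs and the device certificates are marked CA:FALSE with clientAuth only, and it verifies each leaf against the CA before writing the chain file. Subject values, the device names device-0001..0003 and the JITP_DIR output directory are placeholders; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original page): Step 1 root CA plus the Step 2
# per-device loop with explicit extensions. Subject values and device names
# are placeholders; output goes to $JITP_DIR or a fresh temp directory.
set -eu

WORK="${JITP_DIR:-$(mktemp -d)}"
CA_DAYS=1024
DEV_DAYS=365

# Root CA (Step 1). basicConstraints CA:TRUE is what register-ca-certificate
# checks; without it the call fails with CertificateValidationException.
create_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = CA
O = MyCompany
OU = Digital Department
CN = MyCompany JITP Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
  chmod 600 "$dir/rootCA.key"   # signs every device identity: keep it off the provisioning host
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days "$CA_DAYS" \
    -config "$dir/ca.cnf" -out "$dir/rootCA.pem"
}

# Returns 0 if the certificate carries basicConstraints CA:TRUE.
ca_has_basic_constraints() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Device certificate (Step 2, once per thing). CN is the device's unique name;
# C= must be present because the template reads AWS::IoT::Certificate::Country.
issue_device() {
  ca="$1"; name="$2"; out="$ca/devices/$name"
  mkdir -p "$out"
  openssl genrsa -out "$out/deviceCert.key" 2048 2>/dev/null
  openssl req -new -key "$out/deviceCert.key" -config "$ca/ca.cnf" \
    -subj "/C=CA/O=MyCompany/CN=$name" -out "$out/deviceCert.csr"
  cat > "$out/device.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$out/deviceCert.csr" -CA "$ca/rootCA.pem" -CAkey "$ca/rootCA.key" \
    -CAcreateserial -days "$DEV_DAYS" -sha256 -extfile "$out/device.ext" \
    -out "$out/deviceCert.crt" 2>/dev/null
  # Fail fast if the leaf does not chain to the CA registered with AWS IoT.
  openssl verify -CAfile "$ca/rootCA.pem" "$out/deviceCert.crt" >/dev/null
  # Chain presented by the device: leaf first, then the registered CA.
  cat "$out/deviceCert.crt" "$ca/rootCA.pem" > "$out/deviceCertAndCACert.crt"
}

create_ca "$WORK"
ca_has_basic_constraints "$WORK/rootCA.pem" || { echo "rootCA.pem is not a CA certificate" >&2; exit 1; }
for n in 0001 0002 0003; do
  issue_device "$WORK" "device-$n"
done
echo "CA and device material written to $WORK"
```

Each device directory ends up with the three files the page lists (deviceCert.key, deviceCertAndCACert.crt, plus the root.cert you download separately); in a real deployment the key is generated on the device and only the CSR travels to the signing host.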
Here is where we must connect 2 times. The first connection throws an error, but that rejected handshake is the signal to AWS IoT to run the template and activate the certificate and the thing; the second time you will be ready to publish to topics.
Run mosquitto_pub to connect the first time (get the endpoint with aws iot describe-endpoint --endpoint-type iot:Data-ATS):
mosquitto_pub --cafile root.cert --cert deviceCertAndCACert.crt --key deviceCert.key -h <iotEndPoint == ex: sdfggsdfgol5-ats.iot.us-west-2.amazonaws.com > -p 8883 -q 1 -t foo/bar -I anyclientID --tls-version tlsv1.2 -m "Hello" -d
Note: -I sets only a client-ID prefix (mosquitto_pub appends its process id); with a policy scoped per device use -i with the exact client ID the policy expects.
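The two-connection dance above, wrapped in a retry so an automated provisioning test does not depend on an operator running the command twice. This is an added example, not from the original page: it assumes mosquitto_pub is installed, that IOT_ENDPOINT holds your -ats endpoint, that root.cert is Amazon Root CA 1, and that the device's certificate CN (device-0001 here) is used as its client ID and topic prefix.

```shell
#!/bin/sh
# Added example (not from the original page): first-connect handling for JITP.
# The first TLS connection is rejected while AWS IoT registers the certificate
# and runs the provisioning template, so retry instead of treating the first
# failure as fatal. IOT_ENDPOINT, file names and device-0001 are assumptions.
set -u

# jitp_connect ENDPOINT CAFILE CERTCHAIN KEY CLIENT_ID TOPIC [ATTEMPTS] [DELAY]
# Returns 0 as soon as one publish succeeds, 1 if every attempt fails.
jitp_connect() {
  endpoint="$1"; cafile="$2"; chain="$3"; key="$4"; client_id="$5"; topic="$6"
  attempts="${7:-3}"; delay="${8:-5}"
  i=1
  while [ "$i" -le "$attempts" ]; do
    if mosquitto_pub --cafile "$cafile" --cert "$chain" --key "$key" \
         -h "$endpoint" -p 8883 --tls-version tlsv1.2 -q 1 \
         -i "$client_id" -t "$topic" -m "hello from $client_id"; then
      echo "publish succeeded on attempt $i" >&2
      return 0
    fi
    echo "attempt $i failed (expected once while JITP provisions the thing)" >&2
    i=$((i + 1))
    if [ "$i" -le "$attempts" ]; then
      sleep "$delay"   # give the provisioning template time to run
    fi
  done
  echo "no successful publish after $attempts attempts" >&2
  return 1
}

# Usage: the device publishes under devices/<CN>/..., matching a policy scoped
# to ${iot:Certificate.Subject.CommonName}. Runs only when IOT_ENDPOINT is set.
if [ -n "${IOT_ENDPOINT:-}" ]; then
  jitp_connect "$IOT_ENDPOINT" root.cert deviceCertAndCACert.crt deviceCert.key \
    device-0001 "devices/device-0001/hello"
fi
```

If the second attempt still fails, check the CA's registration status, that auto-registration is enabled on it, and the JITP role's permissions; a policy that does not grant iot:Connect for the client ID you pass with -i also shows up as a rejected connection rather than a clear error.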