The certificate is not correctly signed by the trusted CA

If you are asking a question, please follow this template:

  1. My goal is: [describe your goal]
    Using Mongoose OS on an Olimex ESP32-Gateway, connect to AWS IoT Core via MQTT. I have created a thing in the AWS console and downloaded the certs and keys and CA. My certs are all in the fs dir with the app.js. I can successfully post to AWS using these certificates and mosquitto_pub.
  2. My actions are: [describe your actions - code, commands, etc]
    mos.yml
libs:
  - origin: https://github.com/mongoose-os-libs/boards
  - origin: https://github.com/mongoose-os-libs/bt-common
  - origin: https://github.com/mongoose-os-libs/bt-service-config
  - origin: https://github.com/mongoose-os-libs/bt-service-debug
  - origin: https://github.com/mongoose-os-libs/rpc-gatts
  - origin: https://github.com/mongoose-os-libs/rpc-uart
  - origin: https://github.com/mongoose-os-libs/rpc-service-config
  - origin: https://github.com/mongoose-os-libs/rpc-service-fs
  - origin: https://github.com/mongoose-os-libs/mjs
  - origin: https://github.com/mongoose-os-libs/wifi 
  - origin: https://github.com/mongoose-os-libs/mqtt
  - origin: https://github.com/mongoose-os-libs/aws

config_schema:
  - ["wifi.sta.enable", true]
  - ["wifi.sta.ssid", "YourMom"]
  - ["wifi.sta.pass", "xxxx"]
  - ["aws.thing_name", "tangerine_test_schroffel"]
  - ["mqtt.enable", true]
  - ["mqtt.server", "xxx.iot.us-east-1.amazonaws.com:8883"]
  # - ["mqtt.client_id", "blinking machine"]
  - ["mqtt.ssl_ca_cert", "AmazonRootCA1.pem"]
  - ["mqtt.ssl_cert", "trouble-certificate.pem.crt"]
  - ["mqtt.ssl_key", "trouble-private.pem.key"]
  - ["bt.gatt_mtu", 30]  # To test long reads/writes.
  - ["foo", "o", {title: "my cool guy app"}]
  - ["foo.bbq", "i", 33, {title: "GPIO status LED"}]

app.js

load('api_config.js');
load('api_events.js');
load('api_gpio.js');
load('api_timer.js');
load('api_sys.js');
load('api_mqtt.js');
load('api_aws.js');

// GPIO number of the status LED, from the custom "foo.bbq" config entry in mos.yml
let led = Cfg.get('foo.bbq');

GPIO.set_mode(led, GPIO.MODE_OUTPUT);
Timer.set(2000, Timer.REPEAT, function() {
  GPIO.toggle(led);
  // Both flags stay false while the TLS handshake keeps failing
  print('connected?', MQTT.isConnected(), AWS.isConnected());
  // QoS 1 publish; messages sent while disconnected are queued by the MQTT lib,
  // which is what the "queue overflow" line in the log is about
  let res = MQTT.pub('taco/tuesday', JSON.stringify({ taco: "asada", burrito: "el pastor" }), 1);
  print(res);
}, null);


  3. The result I see is: [show the result - log, etc]
mgos_mqtt_conn.c:435    MQTT0 connecting to xxx.us-east-1.amazonaws.com:8883
[Mar 10 12:32:30.356] connected? false false 
[Mar 10 12:32:30.362] mgos_mqtt_conn.c:547    MQTT0 queue overflow!
[Mar 10 12:32:30.367] 6 
[Mar 10 12:32:30.367] mongoose.c:4906         0x3ffdb504 ciphersuite: TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
[Mar 10 12:32:30.986] mongoose.c:4906         0x3ffdb504 x509_verify_cert returned -9984
[Mar 10 12:32:30.991] mongoose.c:4906         0x3ffdb504   The certificate is not correctly signed by the trusted CA
[Mar 10 12:32:31.000] 
[Mar 10 12:32:31.000] mongoose.c:5082         0x3ffdb504 mbedTLS error: -0x2700
[Mar 10 12:32:31.003] mgos_mqtt_conn.c:188    MQTT0 TCP connect error (-3)
[Mar 10 12:32:31.010] mgos_mqtt_conn.c:214    MQTT0 Disconnect
[Mar 10 12:32:31.013] mgos_mqtt_conn.c:519    MQTT0 connecting after 7827 ms
  4. My expectation & question is: [describe your expectation and your question]
    I am very new to Mongoose, I don’t know what I am missing here, but any help would be greatly appreciated. Thank you!

Do use the mos tool to create your device as described in the tutorial; due to hardware limitations there is only a reduced set of cryptographic algorithms (ciphersuites) supported.

mos aws-iot-setup --aws-region yourregion

(you need aws installed)


Amazing thank you. Is there a way to specify a profile from .aws/credentials?

I ask because the AWS account this has to be created in has an assumed role. Or can I create my own CSR specifying a ciphersuite?

The mos tool creates the device, generates an ECDSA private key locally and asks AWS for a signed certificate. Then it generates a policy, associates it with the certificate, and associates that with the device.
Create a new role for this if needed; that is as far as my AWS-fu goes, and I haven’t played with that for 1.5 years now.


Thank you for your help on this one. It was in fact the CA certificate. I was not using the ca-bundle.
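The two points the thread turns on are the mos aws-iot-setup flow (an ECDSA key generated locally, a signing request handed to the CA) and the resolution (the trust store had to contain the CA bundle, not a single root, for x509_verify_cert to find the endpoint's issuer). The example below is added here and is not code from the thread or from Mongoose OS; it is written in Go rather than mJS or C because Go's standard library can create and verify certificates offline. It builds two constructed roots, issues a leaf from a CSR under one of them, and shows that chain verification fails with "unknown authority" (Go's counterpart of the mbedTLS -0x2700 / "not correctly signed by the trusted CA" result in the log) when only the other root is trusted, and succeeds once the bundle contains the issuer. Root A, Root B and device-endpoint.example.test are constructed names; the real endpoint in the log is redacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed name standing in for the redacted AWS IoT endpoint.
const endpointName = "device-endpoint.example.test"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return key
}

// newRoot makes a self-signed root CA, a stand-in for one root of a CA bundle.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newCSR mirrors the step the reply describes for mos aws-iot-setup: the
// ECDSA key is generated locally and only a signing request goes to the CA.
func newCSR(cn string) *x509.CertificateRequest {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, newKey())
	check(err)
	csr, err := x509.ParseCertificateRequest(der)
	check(err)
	check(csr.CheckSignature()) // proof of possession of the private key
	return csr
}

// signCSR plays the CA and issues a server leaf for the CSR's public key.
func signCSR(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     []string{endpointName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return leaf
}

// verifyChain is the check mbedTLS runs on the server certificate before MQTT
// CONNECT is sent: find a path from the leaf to a root in the trust store.
func verifyChain(leaf *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: endpointName})
	return err
}

// Outcome compares one (wrong) root in the trust store with a bundle of roots.
type Outcome struct {
	SingleRootOK, UnknownAuthority, BundleOK bool
}

func Scenario() Outcome {
	rootA, _ := newRoot("Root A, the only root configured")
	rootB, keyB := newRoot("Root B, the endpoint's actual issuer")
	leaf := signCSR(newCSR(endpointName), rootB, keyB)

	errSingle := verifyChain(leaf, rootA) // only Root A trusted: no path to the issuer
	var unknown x509.UnknownAuthorityError
	return Outcome{
		SingleRootOK:     errSingle == nil,
		UnknownAuthority: errors.As(errSingle, &unknown),
		BundleOK:         verifyChain(leaf, rootA, rootB) == nil, // bundle also holds Root B
	}
}

func main() {
	out := Scenario()
	fmt.Printf("single root ok=%v (unknown authority=%v), bundle ok=%v\n",
		out.SingleRootOK, out.UnknownAuthority, out.BundleOK)
}
```

Run it with `go run .`; the single-root check fails and the bundle check passes. The practical takeaway matches the thread's resolution: `mqtt.ssl_ca_cert` must point at a file containing the root that actually issued the endpoint's chain, and a bundle of several roots is the safe choice when you have not confirmed which one that is.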