Establishing SSL connection between IOT Bridge for Snowflake and MQTT Server

Hi Everyone,
I’m just a beginner and have no experience in networks. I need to connect the IOT Bridge for Snowflake to the Chariot MQTT Server.

The document I’m referring to for IOT Bridge setup: https://docs.chariot.io/display/CLD80/IBSNOW%3A+AWS+Quickstart

Both IOT Bridge and chariot mqtt server are free trial versions I got from AWS Marketplace and have been set up as Cloud Formation templates. I have created and uploaded self-signed certificates and keys to the server. The ports and everything have been set as per https://docs.chariot.io/display/CHAR2x/Chariot+MQTT+Server+Configuration
I have also added my Root CA cert to the JVMs cacerts trust store in the MQTT server’s EC2 instance.
I was still unable to establish an SSL connection between the two.
The error I was getting was:
finest|107464/0||24-05-02 17:45:56|17:45:56.915 [thread-9] warn org.eclipse.tahu.mqtt.tahuclient - ibsnow-fde10698-697e-4b: connect failed - retrying
finest|107464/0||24-05-02 17:45:57|17:45:57.001 [mqtt con: ibsnow-fde10698-697e-4b] warn org.eclipse.tahu.mqtt.tahuclient - ibsnow-fde10698-697e-4b: connect with retry failed due to mqttexception
finest|107464/0||24-05-02 17:45:57|org.eclipse.paho.client.mqttv3.mqttexception: mqttexception
finest|107464/0||24-05-02 17:45:57| at org.eclipse.paho.client.mqttv3.internal.exceptionhelper.createmqttexception(exceptionhelper.java:38)
finest|107464/0||24-05-02 17:45:57| at org.eclipse.paho.client.mqttv3.internal.clientcomms$connectbg.run(clientcomms.java:738)
finest|107464/0||24-05-02 17:45:57| at java.base/java.lang.thread.run(thread.java:829)
finest|107464/0||24-05-02 17:45:57|caused by: java.net.sockettimeoutexception: connect timed out
finest|107464/0||24-05-02 17:45:57| at java.base/java.net.plainsocketimpl.socketconnect(native method)
finest|107464/0||24-05-02 17:45:57| at java.base/java.net.abstractplainsocketimpl.doconnect(abstractplainsocketimpl.java:412)
finest|107464/0||24-05-02 17:45:57| at java.base/java.net.abstractplainsocketimpl.connecttoaddress(abstractplainsocketimpl.java:255)
finest|107464/0||24-05-02 17:45:57| at java.base/java.net.abstractplainsocketimpl.connect(abstractplainsocketimpl.java:237)
finest|107464/0||24-05-02 17:45:57| at java.base/java.net.sockssocketimpl.connect(sockssocketimpl.java:392)
finest|107464/0||24-05-02 17:45:57| at java.base/java.net.socket.connect(socket.java:609)
finest|107464/0||24-05-02 17:45:57| at java.base/sun.security.ssl.sslsocketimpl.connect(sslsocketimpl.java:305)
finest|107464/0||24-05-02 17:45:57| at org.eclipse.paho.client.mqttv3.internal.tcpnetworkmodule.start(tcpnetworkmodule.java:74)
finest|107464/0||24-05-02 17:45:57| at org.eclipse.paho.client.mqttv3.internal.sslnetworkmodule.start(sslnetworkmodule.java:132)
finest|107464/0||24-05-02 17:45:57| at org.eclipse.paho.client.mqttv3.internal.clientcomms$connectbg.run(clientcomms.java:724)
finest|107464/0||24-05-02 17:45:57| … 1 common frames omitted
finest|107464/0||24-05-02 17:45:57|17:45:57.001 [mqtt con: ibsnow-fde10698-697e-4b] warn org.eclipse.tahu.mqtt.tahuclient - ibsnow-fde10698-697e-4b: mqtt client details: mqtt server name = my mqtt server :: mqtt server url = ssl://54.209.86.105:8883 :: mqtt client id = ibsnow-fde10698-697e-4b :: using birth = true :: using lwt = true

After this, based on the suggestions of some weblinks, I added the IOT bridge’s EC2 instance’s Public IP to the inbound rules of the security group in which IOT bridge’s instance is placed.

When I restarted IBSNOW via the IOT Bridge’s EC2 instance, this error was shown:

caused by: sun.security.validator.validatorexception: pkix path building failed: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target

To avoid this, I added my root CA details to cacerts in the same instance. To do this I needed keytool command, so I installed openjdk-19-jdk-headless to use it.

I’m getting the following error after running it again:
“caused by: java.security.cert.certificateexception: no subject alternative names present”

Any help or suggestion would be great!
Thanks!

The “java.security.cert.certificateexception: no subject alternative names present” exception means the MQTT Server URL/hostname configured in IBSNOW doesn’t match the CN of the server certificate loaded into the Chariot server. Your logs show you are using the IP address of the Chariot server. If you can update the Chariot MQTT Server URL in IBSNOW to point to the CN of the Chariot server certificate, it should allow the bridge to make an MQTT connection over TLS. Also, you can disable the hostname validation check by uncommenting the mqtt_verify_hostname.1 config setting and setting it equal to false in the ibsnow.properties file (disclaimer: always leave this check on in Production). This will require a restart of the IoT Bridge service.

mqtt_verify_hostname.1 = false

Also, you should not need to modify the JVM cacerts keystore in most cases for either Chariot or the IoT Bridge to enable MQTT over TLS (MQTTS) even when using self-signed certs.

For Chariot, you should only need to upload your Chariot server SSL/TLS certificate, the private key and the “CA chain” file through the Chariot web UI - details here.

For the IoTBridge for Snowflake, you should only need to secure copy (scp) the same CA chain file you uploaded into Chariot to the bridge instance, then update ibsnow.properties so the bridge can load the “chain-of-trust”. This will require a restart of the IoT Bridge service.

mqtt_ca_cert_chain_path.1 = /opt/ibsnow/conf/certs/myCACertChain.pem

I hope this helps. Reach back out with any other issues or follow up questions.
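The two failures in this thread are the two checks a TLS client runs on the broker's certificate: chain building against the trusted CA ("unable to find valid certification path", addressed by mqtt_ca_cert_chain_path.1) and hostname matching against the Subject Alternative Name extension ("no subject alternative names present", addressed by connecting to a name or IP that is actually in the SAN, or for a PoC only by mqtt_verify_hostname.1 = false). The following Go program is an added example, not code from IBSNOW, Chariot or Cirrus Link: it generates a throwaway CA and broker certificate in memory with Go's standard library and runs both checks, so you can see which SAN contents let a connection by IP address pass. The CA name, hostname and the 192.0.2.10 address are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed names for the demo (not from any real deployment).
const (
	caName     = "Demo Root CA"
	serverName = "chariot.example.internal" // assumed broker hostname
)

// newCA creates a self-signed CA certificate and its private key.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert issues a broker certificate signed by the CA. dnsNames and ips
// become the SAN extension; passing none reproduces a certificate whose only
// identity is the CN, which modern hostname checks ignore.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkBrokerCert runs the two client-side checks: chain building against the
// trusted CA (the role of mqtt_ca_cert_chain_path) and, when verifyHostname is
// true, matching configuredHost against the SAN (the role of mqtt_verify_hostname).
// It returns nil only when every enabled check passes.
func checkBrokerCert(serverCert, ca *x509.Certificate, configuredHost string, verifyHostname bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if verifyHostname {
		opts.DNSName = configuredHost // an IP literal is matched against the SAN IP entries
	}
	_, err := serverCert.Verify(opts)
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	ip := net.ParseIP("192.0.2.10") // constructed broker address
	withIP, _ := newServerCert(ca, caKey, []string{serverName}, []net.IP{ip})
	noSAN, _ := newServerCert(ca, caKey, nil, nil)
	fmt.Println("SAN has IP, connect by IP:      ", checkBrokerCert(withIP, ca, "192.0.2.10", true))
	fmt.Println("no SAN, connect by IP:          ", checkBrokerCert(noSAN, ca, "192.0.2.10", true))
	fmt.Println("no SAN, hostname check disabled:", checkBrokerCert(noSAN, ca, "192.0.2.10", false))
}
```

The first line prints `<nil>`, the second a hostname error, and the third `<nil>` again because only the chain check remains. Verifying the same certificate against a pool that does not contain the issuing CA fails with an unknown-authority error, which is the Go equivalent of the "pkix path building failed" message above.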

Hi Nathan,

Sorry for being MIA.

I followed the process as told, but it still can’t establish the SSL connection.

Is there a possibility of not using an SSL connection and completing the flow using a non-secure connection?

You can certainly use MQTT over MQTTS for your PoC, though we wouldn’t recommend that configuration for a Production deployment. If you want to debug why you cannot get the ‘MQTT over TLS/SSL’ connection working using the workflow I described above, I recommend reaching out to support@cirrus-link.com. We’ll likely need logs from the IoT Bridge instance and Chariot, plus a short description of your configuration. You can also refer back to this forum post and that will be helpful for the support engineer working the issue. Thanks.

Thanks!
I will reach out to the support email.