TLS issue - WORKER to AWS IoT Core

EDIT: THIS WORKS NOW! Just follow the steps bellow...

EDIT: Make sure the compatibility_date = "2024-09-30" in your wrangler.toml is at least september 2024.

I am trying to communicate to the AWS IoT core HTTPS endpoint through a cloudflare worker (using hono).

I created a certificate and I tested successfully sending a message with curl and the downloaded certificates - https://docs.aws.amazon.com/iot/latest/developerguide/http.html

curl --tlsv1.2 \
    --cacert Amazon-root-CA-1.pem \
    --cert device.pem.crt \
    --key private.pem.key \
    --request POST \
    --data "{ \"message\": \"Hello, world\" }" \
    "https://IoT_data_endpoint:8443/topics/topic?qos=1"

curl --tlsv1.2 \
    --cacert Amazon-root-CA-1.pem \
    --cert device.pem.crt \
    --key private.pem.key \
    --request POST \
    --data "{ \"message\": \"Hello, world\" }" \
    "https://IoT_data_endpoint:8443/topics/topic?qos=1"

curl --tlsv1.2 \
    --cacert Amazon-root-CA-1.pem \
    --cert device.pem.crt \
    --key private.pem.key \
    --request POST \
    --data "{ \"message\": \"Hello, world\" }" \
    "https://IoT_data_endpoint:8443/topics/topic?qos=1"

curl --tlsv1.2 \
    --cacert Amazon-root-CA-1.pem \
    --cert device.pem.crt \
    --key private.pem.key \
    --request POST \
    --data "{ \"message\": \"Hello, world\" }" \
    "https://IoT_data_endpoint:8443/topics/topic?qos=1"

Then I configured the binding with wrangler

pnpx wrangler mtls-certificate upload --cert device.pem.crt --key private.pem.key --name AWS_IOT

pnpx wrangler mtls-certificate upload --cert device.pem.crt --key private.pem.key --name AWS_IOT

pnpx wrangler mtls-certificate upload --cert device.pem.crt --key private.pem.key --name AWS_IOT

pnpx wrangler mtls-certificate upload --cert device.pem.crt --key private.pem.key --name AWS_IOT

And then I configured an endpoint in hono

iotPublish.post("/", async (c) => {
  try {
    let topic = "test";
    let message = { message: "hello" };

    return await c.env.AWS_IOT.fetch(
      `https://xxxxxx.iot.eu-central-1.amazonaws.com:8443/topics/topic?qos=1`,
      {
        method: "POST",

        body: JSON.stringify(message),
      }
    );
  } catch (e) {
    console.log(e);
    return Response.json({ error: JSON.stringify(e) }, { status: 500 });
  }
});

iotPublish.post("/", async (c) => {
  try {
    let topic = "test";
    let message = { message: "hello" };

    return await c.env.AWS_IOT.fetch(
      `https://xxxxxx.iot.eu-central-1.amazonaws.com:8443/topics/topic?qos=1`,
      {
        method: "POST",

        body: JSON.stringify(message),
      }
    );
  } catch (e) {
    console.log(e);
    return Response.json({ error: JSON.stringify(e) }, { status: 500 });
  }
});

iotPublish.post("/", async (c) => {
  try {
    let topic = "test";
    let message = { message: "hello" };

    return await c.env.AWS_IOT.fetch(
      `https://xxxxxx.iot.eu-central-1.amazonaws.com:8443/topics/topic?qos=1`,
      {
        method: "POST",

        body: JSON.stringify(message),
      }
    );
  } catch (e) {
    console.log(e);
    return Response.json({ error: JSON.stringify(e) }, { status: 500 });
  }
});

iotPublish.post("/", async (c) => {
  try {
    let topic = "test";
    let message = { message: "hello" };

    return await c.env.AWS_IOT.fetch(
      `https://xxxxxx.iot.eu-central-1.amazonaws.com:8443/topics/topic?qos=1`,
      {
        method: "POST",

        body: JSON.stringify(message),
      }
    );
  } catch (e) {
    console.log(e);
    return Response.json({ error: JSON.stringify(e) }, { status: 500 });
  }
});

The result is always

{
  "message": "Missing authentication",
  "traceId": "8c6b18f4-b3d5-42c7-8edb-e2b0bbc09ad3"
}

{
  "message": "Missing authentication",
  "traceId": "8c6b18f4-b3d5-42c7-8edb-e2b0bbc09ad3"
}

{
  "message": "Missing authentication",
  "traceId": "8c6b18f4-b3d5-42c7-8edb-e2b0bbc09ad3"
}

{
  "message": "Missing authentication",
  "traceId": "8c6b18f4-b3d5-42c7-8edb-e2b0bbc09ad3"
}

Edit: you should get

{"message":"OK","traceId":"f6353148-67b1-707f-c50c-40e723b4c0d4"}

{"message":"OK","traceId":"f6353148-67b1-707f-c50c-40e723b4c0d4"}

{"message":"OK","traceId":"f6353148-67b1-707f-c50c-40e723b4c0d4"}

{"message":"OK","traceId":"f6353148-67b1-707f-c50c-40e723b4c0d4"}

Enjoy

Aapolodoro EDIT: THIS WORKS NOW! Just follow the steps bellow... EDIT: Make sure the compa...

Chaika•3/23/24, 9:37 PM

You're testing on a deployed worker, I assume?
and you configured the binding in your wrangler.toml? https://developers.cloudflare.com/workers/runtime-apis/bindings/mtls/

Cloudflare Docs

mTLS · Cloudflare Workers docs

Configure your Worker to present a client certificate to services that enforce an mTLS connection.

apolodoroOP•6/13/24, 7:38 AM

Yes and yes. I heard that might be an issue with the port. Did you manage to test it @Chaika ?

apolodoroOP•6/13/24, 8:39 AM

Reference experience form another use https://community.cloudflare.com/t/tls-issue-workers-to-aws-iot-core/631845/5

apolodoroOP•6/28/24, 8:53 AM

@Chaika any news on this?

apolodoroOP•9/30/24, 3:21 PM

@Community Champion Anyone can help with this?

Peps•9/30/24, 3:22 PM

?pings

Flare•9/30/24, 3:22 PM

Please do not ping community members for non-moderation reasons. Doing so will not solve your issue faster and will make people less likely to want to help you.

Aapolodoro @Community Champion Anyone can help with this?

DaniFoldi•9/30/24, 3:25 PM

You might have luck if you update your compatibility date:
https://developers.cloudflare.com/workers/configuration/compatibility-dates/#allow-specifying-a-custom-port-when-making-a-subrequest-with-the-fetch-api
Meaning this should now be supported I think

Cloudflare Docs

Compatibility dates | Cloudflare Workers docs

Opt into a specific version of the Workers runtime for your Workers project.

apolodoroOP•9/30/24, 8:09 PM

Thank you and sorry for the ping... I should have read the rules before doing that.

Aapolodoro Thank you and sorry for the ping... I should have read the rules before doing th...

DaniFoldi•9/30/24, 8:22 PM

Did that solve the issue you were having?

apolodoroOP•9/30/24, 8:52 PM

DDaniFoldi Did that solve the issue you were having?

apolodoroOP•9/30/24, 9:15 PM

Sadly still the same result: {
"message": "Missing authentication",
"traceId": "8c6b18f4-b3d5-42c7-8edb-e2b0bbc09ad3"
} ... Could it be related to this https://community.cloudflare.com/t/tls-issue-workers-to-aws-iot-core/631845/5 ?

DaniFoldi•9/30/24, 9:16 PM

originally, that was indeed the case, fetch ignored custom ports and always went to :443 for https

DaniFoldi•9/30/24, 9:16 PM

there is a compat flag that is enabled by default now, which should let you fetch custom ports

Aapolodoro Sadly still the same result: { "message": "Missing authentication", "traceId...

Isaac McFadyen•9/30/24, 9:17 PM

~~That sounds like an error coming from AWS, as in the port that is being fetched but your authentication is wrong.~~

Isaac McFadyen•9/30/24, 9:17 PM

~~I suspect AWS IoT needs some auth to send a message, you can't just hit it with an unauthenticated POST request~~

Isaac McFadyen•9/30/24, 9:19 PM

~~Yeah, you definitely need (and are missing) auth, see the docs page:~~ https://docs.aws.amazon.com/iot/latest/apireference/API_iotdata_Publish.html and https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html#protocol-port-mapping

Requires permission to access the Publish action.
HTTPS Publish only X.509 client certificate 8443 N/A~~

Isaac McFadyen•9/30/24, 9:20 PM

Scratch that, I should have read your original post better - but still yeah, the fetch is working but something's wrong with auth for sure. Maybe a bad certificate?

IIsaac McFadyen Scratch that, I should have read your original post better - but still yeah, the...

apolodoroOP•10/1/24, 9:10 AM

Actually the solution did work! It was a fault in my code that i didint change back after testing...
I changed the description so that if someone stumbles here understands that it works now

DaniFoldi•10/1/24, 9:48 AM

Neat! Glad you got it working

TLS issue - WORKER to AWS IoT Core

Similar Threads

Similar Threads

Similar Threads