tedge connect aws with untrusted certificate passes the direct connection step successfully #3640
Description
Describe the bug
When connecting to AWS IoT Core using a device certificate that IS NOT trusted by AWS, the manual MQTT client connection performed in `tedge connect aws` incorrectly shows that the verification was successful (via a green tick), even though the connection test that follows fails; see below for the output in question:

```
Verifying device is connected to cloud... ✓
```

It is possible that AWS is terminating the MQTT connection abruptly and not via the MQTT error code 5 (Connection Refused: the client is not authorized to connect), or that the client needs to check whether the connection is still active after a minimum amount of time (e.g. 2 seconds).
The full connection test does fail (which is expected); however, it is difficult to verify the reason for the failure.
Below is the full command output when the device certificate is not trusted by AWS IoT Core.
Command: `tedge connect aws`

```
connect to Aws cloud.:
device id: tedge0001
cloud profile: <none>
cloud host: a1vto0hq4ubn5n-ats.iot.us-east-1.amazonaws.com:8883
auth type: Certificate
certificate file: /etc/tedge/device-certs/tedge-certificate.pem
cryptoki: false
bridge: mosquitto
service manager: systemd
proxy: Not configured
Restarting mosquitto... ✓
Waiting for mosquitto to be listening for connections... ✓
Verifying device is connected to cloud... ✓
Connection test failed, attempt 1 of 5
Verifying device is connected to cloud... ✓
Connection test failed, attempt 2 of 5
Verifying device is connected to cloud... ✓
Connection test failed, attempt 3 of 5
Verifying device is connected to cloud... ✓
Connection test failed, attempt 4 of 5
Verifying device is connected to cloud... ✓
warning: Bridge has been configured, but Aws connection check failed.
Enabling tedge-mapper-aws... ✓
```
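To illustrate the distinction raised above, here is an added example (not thin-edge.io code): a constructed stand-in broker that returns a successful CONNACK and then drops the TCP connection, alongside a client check that only reports success if the session is still open after a 2-second grace period. The loopback port, the client id `tedge0001` and the fake broker's behaviour are assumptions made for the demo, not observed AWS IoT Core behaviour.

```python
import socket
import threading
import time

CONNACK_ACCEPTED = bytes([0x20, 0x02, 0x00, 0x00])  # MQTT 3.1.1 CONNACK, return code 0 (accepted)

def _mqtt_str(s: str) -> bytes:
    return len(s.encode()).to_bytes(2, "big") + s.encode()

def connect_packet(client_id: str) -> bytes:
    # Minimal CONNECT: protocol "MQTT", level 4, clean session, keep-alive 10 s, client id
    body = _mqtt_str("MQTT") + bytes([4, 0x02]) + (10).to_bytes(2, "big") + _mqtt_str(client_id)
    return bytes([0x10, len(body)]) + body

def fake_broker(close_after_connack: bool) -> int:
    # Constructed stand-in for the cloud broker (an assumption, not observed AWS behaviour):
    # acknowledge the CONNECT, then either drop the TCP connection or hold it open.
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)  # consume the CONNECT packet
        conn.sendall(CONNACK_ACCEPTED)  # this alone satisfies a naive check
        if not close_after_connack:
            time.sleep(3)  # outlive the client's grace period
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def check_connection(port: int, grace_seconds: float = 2.0) -> str:
    # Report success only if the session is still open after the grace period.
    sock = socket.create_connection(("127.0.0.1", port))
    try:
        sock.sendall(connect_packet("tedge0001"))
        ack = b""
        while len(ack) < 4 and (chunk := sock.recv(4 - len(ack))):
            ack += chunk
        if ack != CONNACK_ACCEPTED:
            return "connack refused or missing"
        # A check that stops here shows the green tick. Keep reading: EOF or a reset
        # inside the grace period means the broker dropped the session after the CONNACK.
        sock.settimeout(grace_seconds)
        return "connected" if sock.recv(1) else "disconnected after connack"
    except socket.timeout:
        return "connected"  # silence for the whole grace period: session still open
    except ConnectionResetError:
        return "disconnected after connack"
    finally:
        sock.close()
```

Running `check_connection(fake_broker(close_after_connack=True))` yields "disconnected after connack", which is the case a CONNACK-only check would report as ✓.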
To Reproduce
You can do this manually; however, it is easier to get set up using the tedge-demo-container and the c8y-tedge go-c8y-cli extension.

- Start a tedge demo container without running the bootstrapping, and open a shell into it:
  ```
  c8y tedge demo start tedge0001 --skip-bootstrap
  c8y tedge demo shell tedge0001
  ```
- Create a self-signed certificate:
  ```
  tedge cert create --device-id tedge0001
  ```
- Set a valid AWS IoT Core URL:
  ```
  tedge config set aws.url a1vto0hq4ubn5n-ats.iot.us-east-1.amazonaws.com
  ```
- Connect to AWS IoT Core:
  ```
  tedge connect aws
  ```
Expected behavior
The "Verifying device is connected to cloud" step should display an error message if the device's certificate is not trusted by the cloud.
Screenshots
Environment (please complete the following information):
| Property | Value |
|---|---|
| OS [incl. version] | Debian GNU/Linux 12 (bookworm) |
| Hardware [incl. revision] | unknown |
| System-Architecture | Linux tedge 6.8.0-39-generic #39-Ubuntu SMP PREEMPT_DYNAMIC Sat Jul 6 02:50:39 UTC 2024 aarch64 GNU/Linux |
| thin-edge.io version | tedge 1.5.1 |
Additional context