TLS issue - WORKER to AWS IoT Core

EDIT: THIS WORKS NOW! Just follow the steps below...
EDIT: Make sure the compatibility_date = "2024-09-30" in your wrangler.toml is at least September 2024.
I am trying to communicate with the AWS IoT Core HTTPS endpoint through a Cloudflare Worker (using Hono). I created a certificate and I tested successfully sending a message with curl and the downloaded certificates: https://docs.aws.amazon.com/iot/latest/developerguide/http.html
```shell
curl --tlsv1.2 \
  --cacert Amazon-root-CA-1.pem \
  --cert device.pem.crt \
  --key private.pem.key \
  --request POST \
  --data "{ \"message\": \"Hello, world\" }" \
  "https://IoT_data_endpoint:8443/topics/topic?qos=1"
```
Then I configured the binding with wrangler
```shell
pnpx wrangler mtls-certificate upload --cert device.pem.crt --key private.pem.key --name AWS_IOT
```
And then I configured an endpoint in Hono:
```javascript
iotPublish.post("/", async (c) => {
  try {
    let topic = "test";
    let message = { message: "hello" };

    // Publish through the mTLS binding; its fetch() presents the uploaded client certificate.
    // The topic variable was previously unused (the URL had a literal "topic" segment).
    return await c.env.AWS_IOT.fetch(
      `https://xxxxxx.iot.eu-central-1.amazonaws.com:8443/topics/${topic}?qos=1`,
      {
        method: "POST",
        body: JSON.stringify(message),
      }
    );
  } catch (e) {
    console.log(e);
    // JSON.stringify(e) on an Error object yields "{}"; report the message instead.
    return Response.json(
      { error: e instanceof Error ? e.message : String(e) },
      { status: 500 }
    );
  }
});
```
The result is always:
```json
{
  "message": "Missing authentication",
  "traceId": "8c6b18f4-b3d5-42c7-8edb-e2b0bbc09ad3"
}
```
Edit: you should get
```json
{"message":"OK","traceId":"f6353148-67b1-707f-c50c-40e723b4c0d4"}
```
Enjoy
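The publish path the thread ends up with, as an added example (not the poster's code): the URL is built from the topic variable on port 8443, only publishable topics and QoS values are accepted, and the AWS response is checked rather than passed through. It assumes the binding name AWS_IOT from the upload step, a wrangler.toml with compatibility_date at or after 2024-09-30, and a placeholder endpoint host; the binding is mocked so the block runs offline.

```javascript
// Added example, not the poster's code: publish to the AWS IoT Core HTTPS data
// endpoint through a Cloudflare Workers mTLS binding. Assumes wrangler.toml has
// compatibility_date >= "2024-09-30" (so fetch() honours :8443) and the binding
// from the upload step: [[mtls_certificates]] binding = "AWS_IOT" certificate_id = "<id>".
const IOT_PORT = 8443; // X.509 client-certificate publish port, not 443

// Build the publish URL; reject topics that can only appear in subscriptions.
function buildPublishUrl(endpointHost, topic, qos = 1) {
  if (typeof topic !== "string" || topic.length === 0) {
    throw new Error("topic must be a non-empty string");
  }
  if (/[+#]/.test(topic)) {
    throw new Error(`wildcards are not allowed in a publish topic: ${topic}`);
  }
  if (qos !== 0 && qos !== 1) {
    throw new Error("HTTP publish supports qos 0 or 1 only");
  }
  // Encode each segment so spaces survive, but keep the '/' separators.
  const path = topic.split("/").map(encodeURIComponent).join("/");
  return `https://${endpointHost}:${IOT_PORT}/topics/${path}?qos=${qos}`;
}

// binding is the mTLS binding (c.env.AWS_IOT in a Hono handler); its fetch()
// presents the uploaded client certificate, so no SigV4 signature is needed.
async function publishViaMtls(binding, endpointHost, topic, payload, qos = 1) {
  const url = buildPublishUrl(endpointHost, topic, qos);
  const res = await binding.fetch(url, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(payload),
  });
  const text = await res.text();
  if (!res.ok) {
    // e.g. "Missing authentication" when no client certificate reached AWS
    throw new Error(`IoT publish failed (${res.status}): ${text}`);
  }
  return JSON.parse(text); // {"message":"OK","traceId":"..."} on success
}

// Constructed stand-in for the binding so the example runs offline: records the
// request and answers the way AWS IoT does for an authenticated publish.
function mockBinding(log) {
  return {
    fetch: async (url, init) => {
      log.push({ url, method: init.method, body: init.body });
      const body = JSON.stringify({ message: "OK", traceId: "constructed-trace-id" });
      return new Response(body, { status: 200 });
    },
  };
}
```

In the Worker, pass `c.env.AWS_IOT` instead of the mock; an unbound or plain `fetch` would negotiate TLS without the client certificate and reproduce the "Missing authentication" reply seen above.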
12 Replies
Chaika (9mo ago)
You're testing on a deployed worker, I assume? and you configured the binding in your wrangler.toml? https://developers.cloudflare.com/workers/runtime-apis/bindings/mtls/
apolodoro (OP, 2mo ago)
Yes and yes. I heard that might be an issue with the port. Did you manage to test it @Chaika? Reference experience from another user: https://community.cloudflare.com/t/tls-issue-workers-to-aws-iot-core/631845/5
@Chaika any news on this?
@Community Champion Anyone can help with this?
Peps (2mo ago)
?pings
Flare (2mo ago)
Please do not ping community members for non-moderation reasons. Doing so will not solve your issue faster and will make people less likely to want to help you.
DaniFoldi (2mo ago)
You might have luck if you update your compatibility date: https://developers.cloudflare.com/workers/configuration/compatibility-dates/#allow-specifying-a-custom-port-when-making-a-subrequest-with-the-fetch-api
Meaning this should now be supported, I think.
apolodoro (OP, 2mo ago)
Thank you and sorry for the ping... I should have read the rules before doing that.
DaniFoldi (2mo ago)
Did that solve the issue you were having?
apolodoro (OP, 2mo ago)
Could it be related to this? https://community.cloudflare.com/t/tls-issue-workers-to-aws-iot-core/631845/5
Sadly still the same result:
```json
{ "message": "Missing authentication", "traceId": "8c6b18f4-b3d5-42c7-8edb-e2b0bbc09ad3" }
```
DaniFoldi (2mo ago)
Originally, that was indeed the case: fetch ignored custom ports and always went to :443 for https. There is a compat flag that is enabled by default now, which should let you fetch custom ports.
Isaac McFadyen (2mo ago)
That sounds like an error coming from AWS, as in the port is being fetched but your authentication is wrong. I suspect AWS IoT needs some auth to send a message; you can't just hit it with an unauthenticated POST request.
Yeah, you definitely need (and are missing) auth, see the docs page: https://docs.aws.amazon.com/iot/latest/apireference/API_iotdata_Publish.html and https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html#protocol-port-mapping
> Requires permission to access the Publish action.
> HTTPS | Publish only | X.509 client certificate | 8443 | N/A
Scratch that, I should have read your original post better - but still yeah, the fetch is working but something's wrong with auth for sure. Maybe a bad certificate?
apolodoro (OP, 2mo ago)
Actually the solution did work! It was a fault in my code that I didn't change back after testing... I changed the description so that if someone stumbles here they understand that it works now.
DaniFoldi (2mo ago)
Neat! Glad you got it working.