IoT Core MQTT Sample - Error: self signed certificate

[prenna]

Trying the mqtt example, but when I run and try to connect I get the following error through to client.on('error', error...

Message: Error: self signed certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
    at TLSSocket.emit (events.js:210:5)
    at TLSSocket._finishInit (_tls_wrap.js:794:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12)

I've generated a device key pair as per the docs, checked that the JWT is valid etc. I can't find any mention of this being an issue for anyone else anywhere. Please help.

[fhinkel]

@gguuss Can you have a look at this IoT problem please. Thanks

[gguuss]

Did you set the CA certificate configuration to a custom one at the registry level? I am not sure I have seen this error when using the default cert setup. Also are you using the LTS MQTT bridge or the mqtt.googleapis.com server? I believe the cert setup for each is different.

[gguuss]

@prenna Let me know if checking whether you're using the root certificate matches the MQTT server you're using works.

[prenna]

Hi, sorry about the delay...

So, it turns out, I was trying to be too clever.

Since I'm using Typescript, I was getting told that secureProtocol does not exist in type 'IClientOptions' and decided I should try the only other property that did exist but wasn't being used ('protocolId' as below).

const connectionArgs: mqtt.IClientOptions = {
  host: mqttBridgeHostname,
  port: mqttBridgePort,
  clientId: mqttClientId,
  username: deviceId,
  password: createJWT(projectId, privateKeyFile, algorithm),
  protocol: 'mqtts',
  protocolId: 'TLSv1_2_method'
}

mqtt.connect(opts)

I changed 'protocolId' back to 'secureProtocol' and told typescript to ignore it and all is working as expected now.

As a side note

I feel like something is missing in the docs here: https://cloud.google.com/iot/docs/how-tos/mqtt-bridge#downloading_mqtt_server_certificates

At the end of the section 'Downloading MQTT server certificates' the sentence

After downloading Google root CA certificates to your device, you can configure an MQTT client to authenticate the device, connect to the MQTT server, and communicate over the MQTT bridge.

'configure an MQTT client to authenticate the device' is a link to a section on the page that doesn't exist.

There's nothing else in the documentation or in the code samples that explains or demonstrates what to do with the Google root CA certificate. Is it even needed?

[gguuss]

The root certificate is needed to verify that the Google server "says who you think it is" but this check can be disabled.