Getting AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE error only in docker container

[ericxinzhang]

Following the Node: PubSub sample I've created an IoT client to provision IoT thing and then publish messages.

It's working fine on my MacBook Pro, but after I built a docker image and run it in docker, I got the following error from connection.connect():

 Failed to connect: aws-c-io: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE, TLS (SSL) negotiation failed

Connection config:

{
  client_id: 'IoTSpike-1',
  host_name: 'xxxx-ats.iot.ap-southeast-2.amazonaws.com',
  socket_options: SocketOptions { handle: [External: 7f3e1c20be90] },
  port: 8883,
  use_websocket: false,
  clean_session: false,
  keep_alive: undefined,
  will: undefined,
  username: '?SDK=NodeJSv2&Version=1.21.2',
  password: undefined,
  tls_ctx: ClientTlsContext { handle: [External: 7f3e1c2514f0] },
  reconnect_min_sec: 1,
  reconnect_max_sec: 128
}

I am using macOS 14.4, Docker version 25.0.3.

I tried different base images including node:18, node:18-alpine, node:18-slim, all the same.

Any advice is appreciated!

[bretambrose]

Please include trace-level logs from a failed run:

https://github.com/awslabs/aws-crt-nodejs/blob/main/lib/native/io.ts#L87

Not knowing more, the most likely reason is AmazonRootCA1.pem not being in the container's trust store.

[ericxinzhang]

Hi Bret,

Thank you so much for your prompt reply. I enabled trace log and attached in the end. So you are right the error was because the certificate is untrusted.

I did think of this possibility yesterday, double checked and made sure the root CA cert was in the docker image, and the path passed to AwsIotMqttConnectionConfigBuilder.with_certificate_authority_from_path was correct.

I just tried reading the root CA file and passing the content as string by calling AwsIotMqttConnectionConfigBuilder.with_certificate_authority and it's working! Really werid :-(

[TRACE] [2024-04-16T23:40:33Z] [00007fda6deadb30] [channel] - id=0x7fda6bd9b2d0: acquired message 0x7fda6bc8c5f0 of capacity 16384 from pool 0x7fda6bbef5b0. Requested size was 16384
[TRACE] [2024-04-16T23:40:33Z] [00007fda6deadb30] [socket] - id=0x7fda6bd05620 fd=27: read of 1448
[TRACE] [2024-04-16T23:40:33Z] [00007fda6deadb30] [socket-handler] - id=0x7fda6bc02d20: read 1448 from socket
[TRACE] [2024-04-16T23:40:33Z] [00007fda6deadb30] [channel] - id=0x7fda6bd9b2d0: sending read message of size 1448, from slot 0x7fda70f54c50 to slot 0x7fda70f54d40 with handler 0x7fda6bd6cd20.
[TRACE] [2024-04-16T23:40:33Z] [00007fda6deadb30] [channel] - id=0x7fda6bd9b2d0: acquired message 0x7fda6bc8c5f0 of capacity 14936 from pool 0x7fda6bbef5b0. Requested size was 14936
[TRACE] [2024-04-16T23:40:33Z] [00007fda6deadb30] [socket] - id=0x7fda6bd05620 fd=27: read of 2497
[TRACE] [2024-04-16T23:40:33Z] [00007fda6deadb30] [socket-handler] - id=0x7fda6bc02d20: read 2497 from socket
[TRACE] [2024-04-16T23:40:33Z] [00007fda6deadb30] [channel] - id=0x7fda6bd9b2d0: sending read message of size 2497, from slot 0x7fda70f54c50 to slot 0x7fda70f54d40 with handler 0x7fda6bd6cd20.
[WARN] [2024-04-16T23:40:33Z] [00007fda6deadb30] [tls-handler] - id=0x7fda6bd6cd20: negotiation failed with error Certificate is untrusted (Error encountered in /codebuild/output/src2727173685/src/aws-crt-nodejs/crt/s2n/tls/s2n_x509_validator.c:721)