SSL certificate for AWS IoT core MQTT connection over Websocket Secure

[datahack336]

I have a Python application that connects to AWS IoT core broker topic using websocket:

credentials_provider = auth.AwsCredentialsProvider.new_default_chain()
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
    endpoint=aws_iot_endpoint,
    region="us-east-1",
    credentials_provider=credentials_provider,
    client_id=client_id,
    clean_session=False,
    keep_alive_secs=30)

This works flawlessly from my local machine, but, when I create docker image and run the container in ECS service, I get an error "AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE: TLS (SSL) negotiation failed". When I run from local machine, traffic is behind the company's firewall and setting REQUEST_CA_BUNDLE to a proper .pem file obviously works, as the firewall acts as a middleman behind my local machine and IoT core. But, what certificate should I load into the container and point REQUEST_CA_BUNDLE env var?

I've try adding Amazon Root CA 1 from this page https://www.amazontrust.com/repository/, but still have the same error.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.

[jmklix]

This looks like it might be caused by the hop limit being only 1. Can you try adding the following to your docker machine settings:

amazonec2-metadata-token=required
amazonec2-metadata-token-response-hop-limit=2

Possibly related issue: awslabs/aws-sdk-rust#540 (comment)