TLS transport for Http-Websocket

  • 1.  TLS transport for Http-Websocket

    Posted Jan 01, 2022 01:35 PM
    I created a websocket server as an IoT transport and it worked perfectly when serverUrl is ws://something/ws but then I made the server require TLS.  The server seems to be working perfectly, and AOS 8.7.17 takes wss://something/wss as a server URL, yet for some reason they don't connect.  I'm using a proper certificate signed by Entrust, and I'm wondering if my 9500 controller just doesn't recognize or accept that.

    Is there a way to debug this?  I don't see anything in the logs on the AOS side.  On my server side, I see the controller make a TCP connection but it immediately drops.




    ------------------------------
    Christopher Piggott
    ------------------------------


  • 2.  RE: TLS transport for Http-Websocket

    EMPLOYEE
    Posted Jan 04, 2022 03:26 AM
    Hi Christopher,

    If you use secure websocket for the IoT server connection, you have to import the root CA certificate chain into your controller's trusted CA list; otherwise the controller will not accept your server's certificate.

    Use the following commands to see if this is the root cause of your issue:

    show ble_relay iot-profile
    show ble_relay ws-log <iot-profile>


    The ws-log command will show you what happens when the controller tries to establish the websocket connection. You will see error messages like "server cert does not look good" or similar if the controller cannot verify your server's TLS cert.

    Regards,

    Jens


    ------------------------------
    Jens Fluegel
    ------------------------------



  • 3.  RE: TLS transport for Http-Websocket

    Posted Jan 04, 2022 09:45 AM
    Roger, and thank you - that worked.  For some reason I thought that the "big player" root CAs would already be in there but maybe not, or maybe Comodo isn't as big as I think :-)

    ------------------------------
    Christopher Piggott
    ------------------------------



  • 4.  RE: TLS transport for Http-Websocket

    EMPLOYEE
    Posted Jan 04, 2022 10:38 AM
    There is no list similar to the one in Windows, Mac, or other OSes. It would take quite some storage in the firmware (check the amount of CAs in your computer) and is quite maintenance sensitive. Good to hear that it worked.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: TLS transport for Http-Websocket

    Posted Mar 04, 2022 05:02 AM
    The ws-log command will show you what happens when the controller tries to establish the websocket connection. You will see error messages like "server cert does not look good" or similar if the controller cannot verify your server's TLS cert.

    ------------------------------
    Mary Houck
    ------------------------------