Nowadays, I’m focused on using AWS IoT MQTT over WebSockets to interact with IoT devices in real time from the browser. When you use MQTT in a browser, the browser itself acts as an MQTT client that subscribes to messages from the broker. But when the broker is AWS IoT, it is not as simple as connecting to a “plain” broker (such as iot.eclipse.org).

First, all AWS IoT protocols are TLS-protected: HTTPS, MQTTS and WSS. Certificate validation is therefore vital for an encrypted and authenticated connection: your client verifies the endpoint’s certificate chain all the way up to a root CA it trusts. AWS IoT endpoints were originally signed by Symantec Certificate Authorities, and, as AWS notes, Symantec CAs have recently been distrusted by Google (announcement), Apple (announcement), and Mozilla (announcement).

If you’re running into AWS IoT certificate problems, you’re probably using a Symantec-signed endpoint instead of an ATS (Amazon Trust Services) signed one. If you run any of the browser examples against a Symantec-signed endpoint, the browser will reject the root CA and report ERR_CERT_AUTHORITY_INVALID. Symantec-signed endpoints have the form <PREFIX>.iot.<REGION>.amazonaws.com; ATS-signed endpoints have the form <PREFIX>-ats.iot.<REGION>.amazonaws.com, and you should use those, especially from browsers.
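As an added example (not code from the original post or from aws-iot-device-sdk-js), the small helper below recognises the two AWS IoT data-endpoint naming patterns described above, tells you whether a configured hostname is the ATS-signed one, and rewrites a legacy hostname into its ATS form before building the `wss://…/mqtt` URL the browser client connects to. The hostnames used in the comments and tests are constructed sample values; China-region endpoints (amazonaws.com.cn) are not handled, and the SigV4 query-string signing that the SDK adds to the WebSocket URL is deliberately left out.

```javascript
// Added example: endpoint check for AWS IoT MQTT over WebSockets.
// Naming patterns (public AWS conventions):
//   legacy, Symantec-signed:  <PREFIX>.iot.<REGION>.amazonaws.com
//   ATS-signed:               <PREFIX>-ats.iot.<REGION>.amazonaws.com
// Assumption: PREFIX is alphanumeric and REGION is a standard AWS region id;
// China-region (.amazonaws.com.cn) endpoints are out of scope here.
const AWS_IOT_ENDPOINT = /^([a-z0-9]+)(-ats)?\.iot\.([a-z0-9-]+)\.amazonaws\.com$/i;

// Split an AWS IoT data endpoint into its parts, or return null if the
// hostname is not an AWS IoT endpoint at all (e.g. a "plain" broker).
function parseIotEndpoint(host) {
  const m = AWS_IOT_ENDPOINT.exec(String(host).trim());
  if (!m) return null;
  return { prefix: m[1], ats: Boolean(m[2]), region: m[3] };
}

// true only for the ATS-signed form; false for legacy or non-AWS hosts.
function isAtsEndpoint(host) {
  const p = parseIotEndpoint(host);
  return p !== null && p.ats;
}

// Rewrite a legacy endpoint to its ATS form; ATS input is returned unchanged.
// Throws for hostnames that are not AWS IoT data endpoints, so a typo in
// configuration fails loudly instead of silently pointing at the wrong broker.
function toAtsEndpoint(host) {
  const p = parseIotEndpoint(host);
  if (p === null) {
    throw new Error(`not an AWS IoT data endpoint: ${host}`);
  }
  return `${p.prefix}-ats.iot.${p.region}.amazonaws.com`;
}

// Base WebSocket URL for the browser MQTT client. AWS IoT serves MQTT over
// WebSockets on the /mqtt path; the SigV4 signing parameters that the SDK
// appends as a query string are not reproduced here.
function wssUrl(host) {
  return `wss://${toAtsEndpoint(host)}/mqtt`;
}

// Constructed sample values for a stand-alone run.
const legacyHost = 'a1b2c3d4e5f6g7.iot.us-east-1.amazonaws.com';
console.log(isAtsEndpoint(legacyHost));   // false: browser would see ERR_CERT_AUTHORITY_INVALID
console.log(toAtsEndpoint(legacyHost));   // a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com
console.log(wssUrl(legacyHost));          // wss://a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com/mqtt

module.exports = { parseIotEndpoint, isAtsEndpoint, toAtsEndpoint, wssUrl };
```

Use the ATS hostname as the `host` option you pass to the SDK’s `device()` call. You can also fetch the ATS endpoint directly from AWS with `aws iot describe-endpoint --endpoint-type iot:Data-ATS`, and confirm which chain a given endpoint actually serves with `openssl s_client -connect <endpoint>:443 -servername <endpoint> -showcerts`, which shows the issuer of each certificate in the chain.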

I’ve pushed these notes as a pull request to the official aws-iot-device-sdk-js repo. I hope this saves everyone some hours.