How to fix #aws #iot ERR_CERT_SYMANTEC_LEGACY? #AWS #AWSAmplify #AWSIoT @AWSMobile

By Jun

If you use AWS IoT / AWS Amplify PubSub and haven't switched to the Amazon Trust Services (ATS) signed-certificate endpoints, you will get `ERR_CERT_SYMANTEC_LEGACY` and `errorCode 7: AMQJS0007E Socket error:undefined.` errors when your site runs on Chrome 70 and Firefox 60.

ERR_CERT_SYMANTEC_LEGACY and AMQJS0007E Socket error:undefined on Chrome 70+


Steps to fix ERR_CERT_SYMANTEC_LEGACY / attain Amazon Trust Services endpoint for AWS IoT / PubSub service for use on websites

1) Set up the AWS CLI if you haven't.
Note:
In the second step (2. Add an export command to your profile script.) of the "To modify your PATH variable (Linux, macOS, or Unix)" section, if your Python executable is at `~/Library/Python/3.6/bin/python3.6`, you should add the following to your profile script:
`export PATH=~/Library/Python/3.6/bin/:$PATH`

2) Run `aws iot describe-endpoint --endpoint-type iot:Data-ATS` to get your ATS endpoint address:

```
$ aws iot describe-endpoint --endpoint-type iot:Data-ATS
{
    "endpointAddress": "***-ats.iot.us-east-1.amazonaws.com"
}
```

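3) Update the Amplify PubSub configuration in your project so that it points at the ATS endpoint from step 2:

```javascript
Amplify.addPluggable(new AWSIoTProvider({
  aws_pubsub_region: 'us-east-1',
  // Use the "-ats" endpoint address returned by describe-endpoint in step 2
  aws_pubsub_endpoint: 'wss://***-ats.iot.us-east-1.amazonaws.com/mqtt'
}));
```

Check out this Amplify PubSub doc to see how to use AWS Amplify IoT PubSub.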

4) Test on localhost and deploy.
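
A small pre-deploy check for steps 2 to 4, as an added example that is not from the original post or from AWS: it builds the PubSub options from the `describe-endpoint` output and flags a config that still points at a legacy endpoint. The helper names, the account prefix in the samples and the hostname shape `<prefix>[-ats].iot.<region>.amazonaws.com` are assumptions.

```javascript
// Added example; atsPubSubConfig and auditPubSubConfig are hypothetical helpers.
// Assumed hostname shape: <prefix>[-ats].iot.<region>.amazonaws.com
const IOT_HOST = /^([a-z0-9]+)(-ats)?\.iot\.([a-z0-9-]+)\.amazonaws\.com$/;

// Build the Amplify PubSub options from the JSON printed by
// `aws iot describe-endpoint --endpoint-type iot:Data-ATS`.
function atsPubSubConfig(describeEndpointJson) {
  const { endpointAddress } = JSON.parse(describeEndpointJson);
  const m = IOT_HOST.exec(endpointAddress || '');
  if (!m) throw new Error('not an AWS IoT data endpoint: ' + endpointAddress);
  if (!m[2]) throw new Error('legacy (non-ATS) endpoint: ' + endpointAddress);
  return {
    aws_pubsub_region: m[3],
    aws_pubsub_endpoint: 'wss://' + endpointAddress + '/mqtt',
  };
}

// Audit an existing config; returns a list of problems (empty means OK).
function auditPubSubConfig(cfg) {
  const problems = [];
  let url;
  try {
    url = new URL(cfg.aws_pubsub_endpoint);
  } catch (e) {
    return ['endpoint is not a valid URL'];
  }
  if (url.protocol !== 'wss:') problems.push('endpoint must use wss://');
  if (url.pathname !== '/mqtt') problems.push('endpoint path must be /mqtt');
  const m = IOT_HOST.exec(url.hostname);
  if (!m) {
    problems.push('host is not an AWS IoT data endpoint');
  } else {
    if (!m[2]) problems.push('legacy endpoint: host lacks the -ats suffix');
    if (m[3] !== cfg.aws_pubsub_region) problems.push('region does not match endpoint host');
  }
  return problems;
}

// Constructed sample values (the account prefix is made up).
const cliOutput = '{"endpointAddress": "a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com"}';
const legacyCfg = {
  aws_pubsub_region: 'us-east-1',
  aws_pubsub_endpoint: 'wss://a1b2c3d4e5f6g7.iot.us-east-1.amazonaws.com/mqtt',
};
console.log(atsPubSubConfig(cliOutput));
console.log(auditPubSubConfig(legacyCfg));
```

Running the audit in a build or CI step catches a legacy endpoint before browsers reject the WebSocket connection.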

Note:

1) AWS forum thread that leads to this solution.

2) AWS blog article on how to attain an Amazon Trust Services endpoint: How AWS IoT Core is Helping Customers Navigate the Upcoming Distrust of Symantec Certificate Authorities

3) According to Google Security Blog: Distrust of the Symantec PKI: Immediate action needed by site operators on Mar 7 2018, with the update to Chrome 70 in mid October 2018, Symantec Legacy certificates won't be supported anymore.
Update October 17, 2018: Chrome 70 has now been released to the Stable Channel, and users will start to see full screen interstitials on sites which still use certificates issued by the Legacy Symantec PKI. Initially this change will reach a small percentage of users, and then slowly scale up to 100% over the next several weeks.

4) On Google Security Blog: Chrome’s Plan to Distrust Symantec Certificates on Sep 11 2017, you can see the timeline (added here for reference convenience)

5) On Mozilla Security Blog: Distrust of Symantec TLS Certificates:
A Certification Authority (CA) is an organization that browser vendors (like Mozilla) trust to issue certificates to websites. Last year, Mozilla published and discussed a set of issues with one of the oldest and largest CAs run by Symantec. The discussion resulted in the adoption of a consensus proposal to gradually remove trust in all Symantec TLS/SSL certificates from Firefox.

6) Firefox Release Calendar

Thanks for reading!