
CC3220: Creating Certs for CC3220 using Amazon AWS

Part Number: CC3220

I’m struggling with the certificates. I know I have valid certificates, as I can use MQTT.fx to connect to our AWS broker using the certificates I made for the launchpad. I think it has something to do with how/where I am storing the certs in the example projects.

I’m using the subscribe_publish_sample_CC3220SF_LAUNCHXL_freertos_ccs project. I’ve modified the aws_iot_config.h file to use our host and client id/thing name. I’ve also modified the wifi config so that it can connect to the network. Attached is the certs.h file that I have modified in the project directory. Do I need to create a cert directory somewhere and store the certs in there as well?

If so, what is the format of the certs in that directory? Should they be exactly as downloaded from AWS? Or modified to be a string like the certs.h file?

Is there some documentation that tells how to flash Certs using Uniflash?

  • Hi Blake,

    Instructions for using Uniflash can be found in www.ti.com/.../swru461.pdf.
    The certificate should be loaded to the root folder.
    The CC3220 supports both DER and PEM formats.
    If you keep facing issues - please provide error codes.

    br,
    Kobi
  • Hi Blake,

    The sample applications should flash the certs at run-time, so you shouldn't need to flash them manually with uniflash.

    Are you getting an error when connecting?

    ~roger
  • Blake,

    Another thing to check... The AWS sample applications are configured for production environment, and require the production certificate 'catalog' to be loaded with uniflash before loading and running the sample application, so that the AWS server can be validated as a trusted server.

    If you are using the development 'playground' certificate catalog, you will see an error when connecting since the certificate root validity can't be checked.  You'll need to make a small change in network_sl.c to allow the connection to continue.

    The following code change in network_sl.c might help :-

    static int getErrno(int ret) {
        if (ret == -1) {
            return (errno);
        }
        else {
            return (ret);
        }
    }

    IoT_Error_t iot_tls_connect(Network *pNetwork, TLSConnectParams *TLSParams)
    {
        int retConnect;

        ...

        if (Ssock_startTLS(tlsDataParams->ssock, tlsDataParams->tlsH) != 0) {
            ret = NETWORK_SSL_CERT_ERROR;
            goto QUIT;
        }

        address.sin_family = AF_INET;
        address.sin_port = htons(TLSParams->DestinationPort);
        address.sin_addr.s_addr = htonl(ip);

        /* With the development 'playground' catalog the AWS root CA is not in the
         * catalog, so connect() fails with SL_ERROR_BSD_ESECUNKNOWNROOTCA. Treat
         * only that error as non-fatal; any other connect() failure still aborts.
         * This skips the root CA check of the server, so it is for development only. */
        retConnect = connect(skt, (struct sockaddr *)&address, sizeof(address));
        if ((retConnect < 0) && (getErrno(retConnect) != SL_ERROR_BSD_ESECUNKNOWNROOTCA)) {
            ret = NETWORK_ERR_NET_CONNECT_FAILED;
            goto QUIT;
        }

        ...
    }

    Hope that helps,

    ~roger

  • Blake,

    What is your policy like? (AWS policy).

    I've seen this error in the past and it was due to a problem with the AWS policy.

    Please see this related post.

    Steve

  • Roger,

    Blake reported this issue for me, but I'll just respond to it directly.  I applied the changes you suggested to network_sl.c and I'm still getting an error connecting.  Below is the full output when the sample application is run (extra line breaks removed and broker address masked).  I think my policy and certs are good since I can connect with MQTT.fx using the same certs.  I was thinking that since it says it is flashing the cert files that I wouldn't have to use Uniflash.  Currently, I'm just building the app in CCS and then clicking the Debug button and running it that way.

    CC3220 has connected to AP and acquired an IP address.
    IP Address: 10.0.1.13
    Current time: Wed May 10 08:31:23 2017
    Flashing certificate file ...
     successfully wrote file /cert/ca.der to flash
    Flashing certificate file ...
     successfully wrote file /cert/cert.der to flash
    Flashing certificate file ...
     successfully wrote file /cert/key.der to flash
    AWS IoT SDK Version 2.1.1-
    Connecting...
    ERROR: runAWSClient L#108
    Error(-24) connecting to maskedforprivacy.iot.us-east-1.amazonaws.com:8883
    Subscribing...
    ERROR: runAWSClient L#126
    Error subscribing (-13)
    ERROR: runAWSClient L#178
    An error occurred in the loop. Error code = -13

  • Hi Matt,

    Could you tell us what the return values / errors are for the connect() call?

    I.e.: When connect() returns in the following code:

    RogerMonk said:
    retConnect = connect(skt, (struct sockaddr *)&address, sizeof(address));
    if ((retConnect < 0) && (getErrno(retConnect) != SL_ERROR_BSD_ESECUNKNOWNROOTCA)) {
        ret = NETWORK_ERR_NET_CONNECT_FAILED;
        goto QUIT;
    }

    What's the value of the following when it fails:

    1. retConnect
    2. getErrno(retConnect)

    Steve

  • 1. -1
    2. -456 (which appears to be a bad CA file)

    Since the CA is public, I'll post what I have below for the root CA in my certs.h file in the project root directory. I followed the 'Update the Example to use the certificates' section of the AWS Quick Start Guide included in the aws_cc3220 sdk.

    const char root_ca_pem[] =
    "-----BEGIN CERTIFICATE-----\
    MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB\
    yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\
    ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\
    U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\
    ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\
    aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL\
    MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\
    ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln\
    biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp\
    U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y\
    aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1\
    nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex\
    t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz\
    SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG\
    BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+\
    rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/\
    NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E\
    BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH\
    BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy\
    aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv\
    MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE\
    p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y\
    5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK\
    WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ\
    4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N\
    hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq\
    -----END CERTIFICATE-----";
  • I noticed that you mentioned that the production catalog needed to be loaded using uniflash.  I attempted to program everything using uniflash and it gets to 98% and then the error below comes up.

    I am using the catalog at:

    C:\ti\simplelink_cc32xx_sdk_1_30_01_03\tools\cc32xx_tools\certificate-catalog\certcatalog20161113.lst

    C:\ti\simplelink_cc32xx_sdk_1_30_01_03\tools\cc32xx_tools\certificate-catalog\certcatalog20161113.lst.signed.bin

    The VeriSign Class 3 Public Primary Certification Authority - G5 is listed in the readme of the catalog and that is the one I'm using.

  • I realized I had the wrong service pack selected.

    But now I'm getting a new error:

    What format does the root CA need to be in?  I have it in PEM format as downloaded from symantec.  Do I need to do something to it first?

    https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem

  • Hello Matt,

    That error relates to the RootCA check for your application firmware.  I suggest loading your code through CCS to start with so that we can verify the AWS connectivity.

    Here's the procedure that I would recommend for initial testing :-

    1.  Create Uniflash project, device type CC3220SF, mode development

    2.  Add the Service Pack (C:\ti\simplelink_cc32xx_sdk_1_30_01_03\tools\cc32xx_tools\servicepack-cc3x20\sp_3.3.0.0_2.0.0.0_2.2.0.4.bin)

    3.  Add the development playground catalog (C:\ti\simplelink_cc32xx_sdk_1_30_01_03\tools\cc32xx_tools\certificate-playground\certcatalogPlayGround20160911.lst (with signature .signed.bin))

    4. Create and Program the launchpad with this image.

    5. Import the aws project, set the SSID/password in wificonfig.h, add certs in certs.h, update aws_iot_config.h for credentials

    6. Update network_sl.c (as above) to ignore the rootCA hash check.

    7. Build, Connect with CCS, Load and Run

    Hopefully that should work - please let us know,

    ~roger

    (p.s. your rootca certificate in certs.h pasted above looks fine)

  • I followed those steps (thank you for that) and I'm still getting the -456 error (SL_ERROR_BSD_ESECBADCAFILE)
  • Hmm - thanks for checking those steps - very strange.

    Could you print the length of the certs when flashing them please?

    void flashCerts(uint8_t *certName, uint8_t *buffer, uint32_t bufflen)
    {
        ...

        /* If the cert doesn't exist, write it (or overwrite if specified to) */
        if (slStatus == SL_ERROR_FS_FILE_NOT_EXISTS || overwriteCerts == true) {

            Display_printf(AWSIOT_display, 0, 0, "Flashing certificate file ..., len = %d", bufflen);

            ...
        }
    }

    ~roger

  • Flashing certificate file ..., len = 1920
    successfully wrote file /cert/ca.der to flash

    Flashing certificate file ..., len = 1356
    successfully wrote file /cert/cert.der to flash

    Flashing certificate file ..., len = 1860
    successfully wrote file /cert/key.der to flash
  • Ok, so that looks different :-

    Flashing certificate file ..., len = 1704
    successfully wrote file root-CA.crt to flash

    Can you paste your root_ca_pem[] again please?

    ~roger
  • const char root_ca_pem[] =
            "-----BEGIN CERTIFICATE-----\
            MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB\
            yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL\
            ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp\
            U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW\
            ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0\
            aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL\
            MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW\
            ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln\
            biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp\
            U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y\
            aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1\
            nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex\
            t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz\
            SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG\
            BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+\
            rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/\
            NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E\
            BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH\
            BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy\
            aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv\
            MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE\
            p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y\
            5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK\
            WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ\
            4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N\
            hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq\
            -----END CERTIFICATE-----";

    Got it directly from AWS IoT:

  • Is it possible that your editor is adding an 8 character tab at the front of each line?

    const char root_ca_pem[] =
    "        -----BEGIN CERTIFICATE-----\

    ~roger

    Thanks for pasting. I think it's the 8 spaces. Could you try without those (for the ca, and your cert and key) please?

    ~roger

    That was the problem. I changed it to the below and it can connect now. At some point I'll need to figure out how to load it with uniflash properly, but this gets me going. Thanks!

    const char client_cert_pem[] = "\
    -----BEGIN CERTIFICATE-----\
    MIIDWjCCAkKgAwIBAgIVAOUs3g3aCkSh59VVWCJo+zFRSOILMA0GCSqGSIb3DQEB\
    CwUAME0xSzBJBgNVBAsMQkFtYXpvbiBXZWIgU2VydmljZXMgTz1BbWF6b24uY29t\
    IEluYy4gTD1TZWF0dGxlIFNUPVdhc2hpbmd0b24gQz1VUzAeFw0xNzA0MDMxODA3\
    MDRaFw00OTEyMzEyMzU5NTlaMB4xHDAaBgNVBAMME0FXUyBJb1QgQ2VydGlmaWNh\
    dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBmuaDHVYUUahF903K\
    UBU7ugRbnvXhzyu7oNYqoMl9RiOD585eOX9XwqZLgH/1iYJ3YTTCabvo9EBHkQrX\
    NPpJulq5A/pgmUWTKZeVqC7hVQAhH+vJiIPefanobAH8Z4xAY+EgX8IsRMi0iw2w\
    Ra/snIjZs39Je0lvGCL9nno6yM5IRmiLvwSzQIUOlcuRe4cWzBISVl7NPGI4UMnc\
    BA+Bvlq4GfNUxKkvvMsXFGWpwaaYjxq49MAo0w0S9oy/63NOBQKP73aLomrgFmLV\
    kaZ8zt8UbQ/I/jhAGmBoZbaKotPm6P8juK9mcHet+cjPeanIoBAIVOyQWJtztolQ\
    bjsbAgMBAAGjYDBeMB8GA1UdIwQYMBaAFH5bj4EX7skMdBFlzcuLZ7OgoLNSMB0G\
    A1UdDgQWBBStkwnMMfj6v1XvK03j0305SA30YTAMBgNVHRMBAf8EAjAAMA4GA1Ud\
    DwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAvoUNEBaE8/97v3mGQ2vVjdt6\
    L31mioG4HJcKbcvJg85O6b42yI43ESIVlgaNJ1IKfksUPzcO64MRkUpMTPsjig6u\
    lL5CTqQBbWohNvp7JiskNzOX0Szm8X6rwQzMyn3cKdsXjplXRuq/k87A6TN997Mg\
    et/rdyhgqAxGFXBkJ13L5RxYBhJb2qlOKyeEvjas6I96q0BLP7oBoSTMAH8BKS8K\
    i4McWL6NWY/3izcx17bgYqE4URYpiHK/dy6NyI5sl88xYnk1CJAWdpNSt0Jmo/JG\
    XNNiMIVv8/x8t4fy26T5daGdIw3lIvxDFBvGryXI6Zo6QeoljyOQ8YGbhWHeYw==\
    -----END CERTIFICATE-----\
    ";
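The two lengths printed earlier differ by 216 bytes, which is 8 spaces on each of the 27 continued lines of the root_ca_pem[] array. The following C program, added here as an illustration and not code from the thread or from the TI SDK, reproduces the effect with a constructed 5-byte DER payload in place of a real certificate and adds a hypothetical pem_to_der() pre-flight check (not the SDK's TLS_writeDerFile()) that rejects a cert string containing such whitespace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 5-byte DER SEQUENCE { INTEGER 5 }, base64 "MAMCAQU=",
 * stands in for the root CA. It is not a real certificate. */
static const char pem_clean[] =
"-----BEGIN CERTIFICATE-----\
MAMCAQU=\
-----END CERTIFICATE-----";

/* Same literal with every continued line auto-indented by 8 spaces. A
 * backslash-newline removes only the newline, so the indentation becomes
 * part of the string: strlen() grows by 8 per continued line (16 here). */
static const char pem_indented[] =
"-----BEGIN CERTIFICATE-----\
        MAMCAQU=\
        -----END CERTIFICATE-----";

static int b64val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                      /* space, tab, newline or junk */
}

/* Hypothetical pre-flight check: decode the base64 body between the BEGIN/END
 * markers into DER. Returns the DER length, or -1 if the body contains anything
 * that is not base64 (such as indentation spaces) or the result does not start
 * with a DER SEQUENCE tag (0x30), which every X.509 certificate does. */
int pem_to_der(const char *pem, uint8_t *der, size_t derlen)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    static const char end[]   = "-----END CERTIFICATE-----";
    const char *p = strstr(pem, begin);
    const char *e = strstr(pem, end);
    uint32_t acc = 0;
    int bits = 0, pad = 0;
    size_t n = 0;

    if (p == NULL || e == NULL) return -1;
    for (p += strlen(begin); p < e; p++) {
        int v;
        if (*p == '=') { pad++; continue; }
        v = b64val(*p);
        if (v < 0 || pad > 0) return -1;    /* non-base64 byte inside the body */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= derlen) return -1;
            der[n++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1u;
        }
    }
    if (pad > 2 || n == 0 || der[0] != 0x30) return -1;
    return (int)n;
}

/* Convenience wrapper: DER length for a certs.h-style string, or -1 on error. */
int pem_der_len(const char *pem)
{
    uint8_t der[4096];
    return pem_to_der(pem, der, sizeof der);
}

int main(void)
{
    printf("clean:    len = %zu, der = %d\n", strlen(pem_clean), pem_der_len(pem_clean));
    printf("indented: len = %zu, der = %d\n", strlen(pem_indented), pem_der_len(pem_indented));
    return 0;
}
```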

  • Great!

    [ It also shows that our E2E forum strips the leading spaces of forum posts ;) ]

    To load the certs with uniflash, you'll just need to add those files in the User Files section.  

    You can directly add the files obtained from AWS rather than renaming them, if you like.

    Then configure those file names in your aws_iot_config.h, again as directly obtained from AWS.

    for example :-

    // =================================================
    #define AWS_IOT_MQTT_HOST              "a*********4.iot.us-west-2.amazonaws.com"
    #define AWS_IOT_MQTT_PORT              8883
    #define AWS_IOT_MQTT_CLIENT_ID         "c-sdk-client-id"
    #define AWS_IOT_MY_THING_NAME          "****Test"
    #define AWS_IOT_ROOT_CA_FILENAME       "root-CA.crt"
    #define AWS_IOT_CERTIFICATE_FILENAME   "4********5-certificate.pem.crt"
    #define AWS_IOT_PRIVATE_KEY_FILENAME   "4********5-private.pem.key"
    // =================================================

    ... and remove the calls to flashCerts() in the application firmware, so they don't get overwritten ;)

    That should be it!

    Hope that helps,

    ~roger

  • Thanks roger, that works as well! One last thing, shouldn't I be able to program the MCU image via Uniflash as well? I'm assuming that I'm messing up the Secure aspect of the firmware image. I've tried just unchecking it but it still gives me an error message when I attempt to program.
  • Hello Matt,

    I was having the same problem you were having, made the changes to network_sl.c, and got things working. I didn't have to go through the Uniflash steps suggested.

    I notice that when you're defining root_ca_pem you include the BEGIN / END CERTIFICATE lines. I think one should only put what's in between those lines, correct? Perhaps that's part of the problem?

    -Brendan
  • Matt,

    Very glad you were able to get past this issue.  I've filed the following Jira to ensure that the documentation is improved and mentions this potential white space issue:

    AWSIOT-26 - Update Quick Start Guide to warn user about white space in cert arrays

    Cheers,

    Steve

  • Hi Matt,

    Sure, yes, just a couple more steps to do that.

    1.  Add the 'playground root-ca certificate' to the user-files : C:\ti\simplelink_cc32xx_sdk_1_30_01_03\tools\cc32xx_tools\certificate-playground\dummy-root-ca-cert

    2.  Add the mcuimage (subscribe_publish_sample_CC3220SF_LAUNCHXL_tirtos_ccs.bin), signed using the private key of the playground root-ca, and specifying the playground root-ca certificate (loaded in step 1) as the corresponding certificate to use for verification.

    3.  Create, Program, and Go!

    ~roger

    Thanks again, that worked well! Is there some documentation somewhere that explains more about that part? I'm assuming I will need to create my own secure root-ca and key down the road when we go to production.
  • Hi Matt,
    That's right. More info on Security Features here : www.ti.com/.../swra509
    ~roger
  • Hi Roger,

    I was seeing the same error as the OP: (-24, NETWORK_ERR_NET_CONNECT_FAILED) from the AWS SDK. I tried the approach you recommended (Uniflashing the service pack and playground cert catalog, along with the code change in network_sl.c). It gets me past the previous error, but now I see error -28 (MQTT_REQUEST_TIMEOUT_ERROR). I got the same error after I added the check for unknown root CA, but before I did the Uniflash work, if that matters.

    I used a software test client to ensure that the AWS MQTT shadow is working properly on the AWS side of things. I'm using the same root CA in certs.h as the OP also.

    Any recommendations?

    Thanks...
  • Hello Ken,

    Are you also using the subscribe_publish sample (and unmodified?)?  Which API is returning this error?  i.e. _connect()/_subscribe()/_yield()/_publish()?

    Could you double check your clientId is unique?

    ~roger

  • Hi Roger,

    Thanks for the reply. I am indeed using an unmodified (aside from AWS credentials and MQTT IDs) copy of the TI subscribe_publish sample.

    aws_iot_mqtt_connect() is the API call that's returning the error (-28, which is MQTT_REQUEST_TIMEOUT_ERROR). If I drill down from the API call, it's calling _aws_iot_mqtt_internal_connect which sends a packet and calls the blocking aws_iot_mqtt_internal_wait_for_read() method which has a loop that calls aws_iot_mqtt_internal_cycle_read() until it reads something, has an error, or times out. In my case, it times out and throws the aforementioned error.

    The clientId value was unique for the AWS account, but I changed it to something new just to be sure (same results).

    Ken

  • Hello Ken,

    Looks like you aren't getting the CONNACK back from the AWS broker for some reason (usually related to bad client connection parameters, or permissions (i.e. policy)), so we need to try to narrow in on the issue.

    I would suggest we first try to test out MQTT, by connecting to another sandbox server, instead of AWS.

    Do you think you could please try the following changes, which will connect to iot.eclipse.org instead of AWS.  (these are the only changes necessary for this test).

    1. Change the server to point to iot.eclipse.org

    // =================================================
    //#define AWS_IOT_MQTT_HOST              "**********.iot.us-west-2.amazonaws.com"
    #define AWS_IOT_MQTT_HOST              "iot.eclipse.org"

    2. Switch the rootCA certificate to DST, as used by iot.eclipse.org (instead of Verisign, as used by AWS)

    // dst (iot.eclipse.org)
    const char root_ca_pem[] =
    "-----BEGIN CERTIFICATE-----\
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\
    -----END CERTIFICATE-----";

    Please post the console log from this test, hopefully this will give us some clues,

    ~roger

  • Hi Ken,

    I reproduced the same error as you with AWS, by removing the policy from my device configuration in the AWS console, so I think this is likely due to a too-restrictive or not configured policy, and would explain why you aren't seeing the CONNACK response.

    Could you please post your configured device policy?

    If there isn't one configured, you could use this 'open' policy for testing.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iot:*"
          ],
          "Resource": [
            "*"
          ],
          "Effect": "Allow"
        }
      ]
    }

    ~roger

  • Hi Roger,

    You're right -- the problem was with my policy on the AWS side. Apparently I was getting too cute with fine grained controls. The open policy worked, so I'll sort out my custom policy, as it's unrelated to the behavior of the CC3220.

    If anyone else is trying to debug their connection, I'd encourage them to enable and use CloudWatch logs for IoT on AWS (Note: CloudWatch is an additional paid service in AWS). Also, it doesn't hurt to #define ENABLE_IOT_TRACE in aws_iot_log.h to see what's coming out of some of the AWS SDK functions.

    Thanks for the ideas!
    Ken
  • Thanks Ken,
    That's great news - glad that's working now,
    ~roger
    1. Do I need to convert the (root-CA/Certificate/private.key) files from .crt format to DER format?

    //========================================================================

    #define AWS_IOT_ROOT_CA_FILENAME "/cert/ca.der" ///< Root CA file name

    #define AWS_IOT_CERTIFICATE_FILENAME "/cert/cert.der" ///< device signed certificate file name

    #define AWS_IOT_PRIVATE_KEY_FILENAME "/cert/key.der" ///< Device private key filename

    //========================================================================

    2. Can I flash .crt files using Uniflash, or do I have to convert these files to DER format before flashing?

  • Hello Jitender.

    The security subsystem on CC3x2x supports both PEM and DER.  When using PEM format files, they are internally converted to DER at runtime when required.

    The AWS examples use a couple of helper functions flashCerts(), and TLS_writeDerFile() which takes a base64 encoded PEM format string and converts and stores it as a DER file to be used by the security subsystem when making the TLS connection.  This one-time conversion saves conversion to DER during connection phase.

    So, to explicitly answer your questions :-

    1. No, you could use PEM or DER.  DER is a little more efficient.

    2. Yes, see this earlier post in this thread, showing files programmed with uniflash, directly as received from AWS console.

    Hope that helps,

    ~roger

  • Thank you Roger for quick reply.

  • I got the same problem even though I've succeeded to connect to AWS IoT using playground catalog.
  • Roger, you really saved me! I spent over 3 days struggling to solve this problem, and finally I'm connected with AWS IoT using your code changes.
    Thank you very much!