LAUNCHXL-CC3235S: SSL / TLS Connection Errors - Likely from Private Key SecAttrib Object

Part Number: LAUNCHXL-CC3235S
Other Parts Discussed in Thread: SYSCONFIG

Hello Again,

I'm seeking guidance for my AWS Provisioning project. I have several tickets that are resolved, but the largest and most comprehensive is here. I was initially having this exact same issue from the HTTP Client side. I found a workaround that you can read about in the last posts on the linked thread.

This time around, I cannot seem to work any magic. I am getting -464 and -688 SL Socket errors, which usually just translate to a generic Connection Error.

The Private Key Attribute is suspect to me, especially given my experience with the problem in the linked thread.

When attempting to connect to AWS MQTT using

rc = aws_iot_mqtt_connect(&client, &connectParams);

I am experiencing these errors at the TLS handshake.

I did a deep dive and have observed that when tlsDataParams->secAttrib = SlNetSock_secAttribCreate(); is called (line 190 of network_sl.c), the object created looks odd. The private key object is very large, length 65,305. I saw that when I was having HTTP issues, and it was because the Private key attribute wasn't created properly.

When I go a few lines down further, the attribute is "set" using

/* Set this device's private key */
status |= SlNetSock_secAttribSet(tlsDataParams->secAttrib,
                                 SLNETSOCK_SEC_ATTRIB_PRIVATE_KEY,
                                 tlsParams->pDevicePrivateKeyLocation,
                                 strlen(tlsParams->pDevicePrivateKeyLocation) + 1);

The object looks okay when it is set. The path to the private key is correct and the length is correct. This private key is confirmed good, because the HTTP connections succeed.

I finally get my failure with a status code of -464 from

/* Start the TLS handshake */
status = SlNetSock_startSec(clientSd, NULL,
                            SLNETSOCK_SEC_START_SECURITY_SESSION_ONLY);

Would someone mind lending a hand? I have had nothing but problems with this project since day 0, but I'm very close to fixing all the issues. At some point, I will document the errors, and contribute towards fixing them for others.

Things I've Tried:
Confirming AWS Permissions are open and relaxed
Changing between several Root CA Certs
Confirming correct Endpoint + confirmed endpoint in the aws.cfg file.
Using latest SDK 5.30 and Service Pack 4.12

Thank you.

  • Hello,

    I'll look into your issue and get back to you early next week. 

  • Thank you Sabeeh,

    If I come up with anything, I'll post it here. Feel free to ask me about anything else. I'll try to be as detailed as possible.

    Thank you.

  • Hi,

    Just some initial thoughts, have you had success with the examples, like "shadow_sample"? 

    Were you able to successfully get the time from an NTP server?

  • Sabeeh,

    I tried for a few hours each day for about 3 days to run the AWS Shadow Example, but just like the rest of the AWS projects, there are errors everywhere. I am mainly getting errors in sysconfig 1.10 and Error 1 when attempting to build the project. No clues are given as to what the actual problem is. I've tried using SDK 5.20 and SDK 5.30, each with their own TIRTOS project being referenced. I am aware how to change the 'product' being used in properties, but nothing I have tried will result in a built project. I am also aware how to change the dependencies, and I am still unable to resolve gmake Error 1 in the AWS_Shadow project after several hours of ample troubleshooting. This project is not building, so I cannot answer your question.

    To answer your second question, I am able to get a time from the NTP server in my aws_provisioning project. I can connect to the NTP server, and I am able to connect to the AWS server using a POST request using HTTP Client. My problem is when I attempt a TLS connection/handshake.

    Thank you for any help. I feel as if I have done everything I can to connect using TLS.

    PS: I apologize for marking that your reply is a resolution. My webpage shifted just as I was clicking, and it happened to check your response as being a resolution, but of course, it is not. Thanks again for any guidance you can provide.

  • I had to update my Thing Policy.

    My policy looks more like this now:
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:<REGION_CODE>:<AWS_ID>:client/sdk-java",        --> wasn't what I needed
        "arn:aws:iot:<REGION_CODE>:<AWS_ID>:client/basicPubSub",     --> wasn't what I needed
        "arn:aws:iot:<REGION_CODE>:<AWS_ID>:client/sdk-nodejs-",     --> wasn't what I needed
        "arn:aws:iot:<REGION_CODE>:<AWS_ID>:client/*"                --> covers all bases so it worked (idk what I really need here)
      ]
    }

    I am using the GitHub referenced in Step 2, found here. I am provisioning with the iot-core lambdas, which are proving to be very lacking. The main contributor has been working to improve the provisioning scripts, but they are still in need of help. I have reported my findings to the GitHub project which can be seen here.

    Thank you.
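For the iot:Connect resource the last post leaves open ("idk what I really need here"), the least-privilege alternative to the client/* wildcard is to let a device certificate connect only as the thing it is attached to, using the AWS IoT thing policy variable iot:Connection.Thing.ThingName. This is an added example, not the poster's policy or the provisioning repository's code; <REGION_CODE> and <AWS_ID> are the same placeholders as above, and it assumes the certificate is attached to a registered thing and the device uses that thing name as its MQTT client id.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:<REGION_CODE>:<AWS_ID>:client/${iot:Connection.Thing.ThingName}"
    }
  ]
}
```

A connect attempt with a client id that does not match the attached thing name is rejected at the broker, which surfaces on the device as the same generic TLS/connection failure as a missing policy, so the client id should be checked alongside the certificate when a handshake fails.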